Data Breach Regulatory Settlements Update

Regulatory bodies are upping the ante when it comes to settling with companies that have suffered data breaches. In addition to the below settlements, see also the settlement between the OCR and Dignity Health.

Community Health Systems, Inc. Settles for $5 M in Multi-State Settlement

On October 8, 2020, New Jersey Attorney General Gurbir Grewal (AG) announced that his office has entered into a multi-state settlement agreement with Community Health Systems, Inc. (CHS) stemming from an investigation of a 2014 data breach that exposed personal information of approximately 6.1 million patients, including 45,000 New Jersey residents. This is after CHS agreed to pay $2.3 million in settlement for HIPAA violations alleged by the Office for Civil Rights.

Morgan Stanley Settles with OCC for $60 Million

Morgan Stanley has settled, for $60 million, claims by the Office of the Comptroller of the Currency (OCC) that it failed to properly decommission data centers that housed client data of its wealth-management operations on two occasions, once in 2016 and once in 2019.


This post is also being shared on our Data Privacy + Cybersecurity Insider blog. If you’re interested in getting updates on developments affecting data privacy and security, we invite you to subscribe to the blog.

CMS Announces New Telehealth Services Covered by Medicare and Provides States with Medicaid and CHIP Telehealth Expansion Assistance

On October 14, 2020, the Centers for Medicare & Medicaid Services (CMS) expanded the list of telehealth services covered by Medicare during the COVID-19 Public Health Emergency. CMS also announced it would be providing additional support to state Medicaid and Children’s Health Insurance Program (CHIP) agencies in delivering telehealth services. CMS added the telehealth services using, for the first time, an expedited process, established by CMS in May 2020, that does not involve rulemaking.

HIPAA Business Associate Pays $2.3 Million Settlement After Hackers Target PHI of Over 6 Million Individuals

Health care providers and contractors continue to be a popular target for hackers. Recently, CHSPSC LLC (CHSPSC), which provides various services to hospitals and clinics indirectly owned by Community Health Systems, Inc. of Tennessee, agreed to pay $2,300,000 to the Office for Civil Rights (OCR) in settlement of potential violations of HIPAA’s Privacy and Security Rules. The OCR investigation and settlement stemmed from a data breach affecting over six million people.

OCR Settles Five Investigations Under Right of Access Initiative

The Office for Civil Rights (OCR) announced yesterday that it has settled five investigations in its HIPAA Right of Access Initiative (Initiative), which it announced would be an enforcement priority starting in 2019. The Initiative is “to support individuals’ right to timely access to their health records at a reasonable cost under the HIPAA Privacy Rule.”

The addition of the five recent settlements brings the total to seven for OCR’s enforcement of the Initiative. The OCR’s press release states that the recent settlements involve five entities: Housing Works, Inc., All Inclusive Medical Services, Inc., Beth Israel Lahey Health Behavioral Sciences and King MD.

CMS Extends Timeline for Finalizing Changes to Physician Self-Referral (Stark) Law Regulations to August 2021

On August 24, 2020, the Centers for Medicare & Medicaid Services (CMS) announced an “extension of the timeline” for publication of a final rule addressing changes to the Physician Self-Referral Law (or Stark Law) regulations. In its announcement, CMS set a new deadline of August 31, 2021 for publication of a final rule.

COVID-19 Pandemic Brings Telehealth into U.S. Homes

Excerpt of a contributed article published in Medical Economics on August 13, 2020.

The public health emergency (PHE) caused by the COVID-19 pandemic has resulted in systemic changes throughout the nation’s health care system. Almost overnight, health systems, providers and the government were forced to collaborate to ‘stand up’ field hospitals, testing sites, and quarantine procedures, while postponing or cancelling certain elective procedures and ceasing in-person encounters. One of the most significant developments in the response to COVID-19 has been government support for the expansion of telehealth services, which represents a significant departure from longstanding resistance – in the form of regulatory restrictions, payment policies, licensure restrictions, and privacy concerns – to the provision of health care via telehealth. Most recently, the President issued an Executive Order that directs the Secretary of the Department of Health and Human Services (HHS) to propose regulations to codify some of the key telehealth changes, and notes that almost half of Medicare fee-for-service primary care visits during the month of April were provided via telehealth.

This article provides a high-level overview of those changes, highlights key issues for health care providers to monitor as federal and state governments, physicians and patients continue to battle the COVID-19 pandemic, and considers how the post-COVID-19 health care landscape will look for telehealth services. Read the full article.

Connecticut Authorizes Out-of-State Health Care Practitioners to Render Assistance for Remainder of COVID-19 Pandemic

On July 14, 2020, Connecticut Governor Lamont issued Executive Order No. 7HHH, in which the Governor modified state law to enable the Commissioner of the Department of Public Health (DPH) to temporarily suspend licensure, registration and certification requirements for certain DPH-regulated practitioners for the duration of the state public health and civil preparedness emergency. Notably, in that Executive Order, the Governor stated that “healthcare providers from outside Connecticut have greatly enhanced the provision of healthcare services in Connecticut during the COVID-19 pandemic and thereby fundamentally improved the state’s ability to protect public health at critical time.”

Health Care Providers Continue to Be Hit with Ransomware and Phishing

It doesn’t matter in which state you are located, how many patients you treat, what kind of medicine you practice or how many employees you have: if you are a health care provider, you are being targeted, and hackers are successful in victimizing you.

That’s my take on the recent Becker’s Health IT article that lists 66 healthcare providers around the country that have suffered a cyber-attack in the form of malware, ransomware or a phishing attack in the first six months of 2020. Although we know that health care providers are being targeted, the list of incidents is sobering.

The only thing that the 66 companies have in common is that they are healthcare providers and the attacks were successful. The list confirms the stark reality of the risk healthcare providers face from cyber-attacks.


CMS Releases Guidance on the Allowance of Telehealth Encounters in eCQMs

On July 2, 2020, the Centers for Medicare and Medicaid Services (CMS) released guidance documents on the allowance of telehealth encounters for the Eligible Professional and Eligible Clinician electronic clinical quality measures (eCQMs) used in CMS quality reporting programs for the 2020 and 2021 performance periods. The guidance applies to eCQMs used in the:

  • Quality Payment Program: The Merit-based Incentive Payment System (MIPS) and Advanced Alternative Payment Models (Advanced APMs)
  • APM: Comprehensive Primary Care Plus (CPC+)
  • APM: Primary Care First (PCF)
  • Medicaid Promoting Interoperability Program for Eligible Professionals


CMS Proposes 2021 End-Stage Renal Disease Prospective Payment System Rule

On July 6, 2020, the Centers for Medicare and Medicaid Services (CMS) proposed its calendar year 2021 End-Stage Renal Disease (ESRD) Prospective Payment System (PPS) rule. ESRD PPS rules are promulgated on an annual basis, providing updates to payment policies and rates for renal dialysis services furnished to beneficiaries. The 2021 proposed rule also proposes to update the acute kidney injury (AKI) dialysis payment rate for renal dialysis services furnished by ESRD facilities to individuals with AKI, and proposes changes to the ESRD Quality Incentive Program. In addition to the annual technical updates, the 2021 rule proposes, at a high level:

  • Changes to the eligibility criteria and determination process for the transitional add-on payment adjustment for new and innovative equipment and supplies (TPNIES), and defining “new” to be within three years, beginning on the date of the FDA marketing authorization;
  • Expansion of the TPNIES to include new and innovative capital-related assets that are home dialysis machines, used in the home for a single patient;
  • Updates to the outlier policy and outlier services fixed-dollar loss amounts as well as the Medicare allowable payment amounts;
  • An addition to the ESRD PPS base rate to include calcimimetics in the ESRD PPS bundled payment;
  • A change to the low-volume payment adjustment eligibility criteria and attestation requirement to account for the COVID-19 public health emergency; and
  • An update to the ESRD PPS wage index to adopt the new Office of Management and Budget (OMB) delineations with a transition period.

