23 Jul · Wed 2014
HIPAA Enforcement on the Rise, Criminal Prosecutions Become More Prevalent
As the Federal Government has moved to more aggressive enforcement of the Health Insurance Portability and Accountability Act ("HIPAA") privacy provisions, providers and payers are experiencing significant challenges responding to and addressing privacy violations. A subset of aggressive enforcement efforts is the effort in specific circumstances to bring criminal prosecutions.
08 May · Thu 2014
Duane Morris Special Counsel Michael E. Clark to Present on "The Physician and Attorney Relationship in a Fraud Audit"
21 Apr · Mon 2014
Duane Morris Partner Mitch Goldman to Speak at Digital Health Innovation in Context 2014 Conference
Duane Morris partner C. Mitchell Goldman will speak at the Digital Health Innovation in Context 2014 Conference, to be held on April 24, 2014 from 8 a.m. to 6 p.m. at the Westin Forrestal Village in Princeton, New Jersey.
Digital Health Innovation in Context 2014 is a one-day conference focused on the world of digital health: strategy, opportunities and innovation. The intimate conference setting accompanied by the roster of healthcare executives, entrepreneurs, and investors will not only expose you to the ideas shaping the digital health landscape, but also provide you with the opportunity to meet the people reshaping the healthcare industry.
Mr. Goldman will moderate the discussion on "Big Data: Can New Technology Drive New Insights and Monetization Possibilities?" at 3:40 p.m. With the rapid digitization of records, new data streams and the demand for greater understanding of populations, big data reigns supreme. Hear from industry veterans and new entrants on how they are taking advantage of these opportunities.
For more information, please visit the Duane Morris event page.
16 Apr · Wed 2014
Duane Morris' Mark J. Silberman and Michael E. Clark Quoted in Physician Risk Management
Duane Morris partner Mark Silberman in the firm's Chicago office and special counsel Michael E. Clark in the firm's Houston office are quoted in two articles in the May 1, 2014, issue of Physician Risk Management.
Duane Morris' Michael E. Clark Quoted in Modern Healthcare
Duane Morris special counsel Michael E. Clark, of the firm's Houston office, is quoted in "AHA Lawsuit over 'Two-Midnight' Rule Called Uphill Battle," which appeared in Modern Healthcare on April 15, 2014.
29 Jan · Wed 2014
CMS Seeks To Fight Prescription Drug Abuse With Proposed New Rules
Prescription drug abuse is a growing national problem, and one that can have serious consequences for any physician who may be implicated. Earlier this month, the Centers for Medicare and Medicaid Services (“CMS”) announced proposed new rules to fight fraud and abuse in the federal Medicare Advantage and Part D prescription drug program. One of the goals of these proposed new rules is to identify Part D enrollees that have “potential opioid or acetaminophen over utilization issues that indicate the need to implement appropriate controls on these drugs for the identified beneficiaries.”
10 Jan · Fri 2014
OIG Criticizes CMS For Lack Of Adequate Fraud Detection Practices in Electronic Health Records
In early January, 2014, the Office of Inspector General (“OIG”) for the Department of Health and Human Services (“HHS”) issued a report criticizing HHS’s Centers for Medicare and Medicaid Services (“CMS”) for failing to adopt stronger integrity practices governing electronic health records (“EHRs”). “CMS And Its Contractors Have Adopted Few Program Integrity Practices To Address Vulnerabilities In EHRs,” oig.hhs.gov/oei/reports/oei-01-11-00571.pdf.
Here are some of the OIG’s challenges and concerns: “…clues within the progress notes, handwriting styles, and other attributes that help corroborate the authenticity of paper medical records are largely absent in EHRs. Further, tracing authorship and documentation in an EHR may not be as straightforward as tracing in a paper record. Health care providers can use EHR software features that may mask true authorship of the medical record and distort information in the record to inflate health care claims.”
These are legitimate issues for EHR users. Government health care programs such as Medicare and Medicaid, many insurance laws, and private payer contracts require prior documentation for every encounter as a matter of patient safety and proper billing. Also, under recent federal law, providers are receiving $22.5 billion in incentive payments to adopt EHRs and must attest to their compliance with EHR standards.
The OIG recommends that CMS, working with their fraud detection contractors, develop more sophisticated EHR integrity and fraud detection standards and tools, and issue best practices and guidance. The OIG specifically recommends that CMS and contractors look at providers’ EHR audit logs to help authenticate records, and develop approaches to detecting inappropriate cutting-and-pasting. In its response, CMS indicates that it is aware of these issues and is working diligently to address them.
The agency has also initiated investigations of a number of providers on the grounds that the attestations they provided in order to obtain the EHR incentive monies were not sufficient, which could result in takebacks. Most hospitals, physicians and others have deployed EHR systems that have been designed and are maintained by third party vendors. Many providers may not have the sophistication to determine whether, for instance, an audit log system is adequate to detect abuse. Nevertheless, it is incumbent on all providers with EHRs to be aware of potentially unlawful uses; to work with EHR vendors that will represent that their products are fully compliant and that they have installed tools, such as audit logs, access controls and export controls and others as may be required by CMS; and to properly train all staff and clinicians that use EHRs.
04 Dec · Wed 2013
mHealth App Use: Is Data Truly Protected?
One of the reasons why consumers, healthcare providers, investors, the government and others have been slow to adopt mobile health applications and software (apps) is concern about the privacy and security of data collected through the apps. For instance, Appthority, a service provider that offers an app risk management solution, recently reported that the iPharmacy Drug Guide and Pill ID app “is playing fast and loose with your personal info.” www.appthority.com/news/mobile-threat-monday-android-app-leaks-your-medical-info-online. iPharmacy is a free app that allows consumers to maintain a personal health record on their prescription drugs, look up information on a drug, provide reminders, and maintain pharmacy discount cards. Appthority found that while the app description states that it encrypts personal information, it only uses a common encoding scheme and does not protect user info when the consumer searches for information about a drug through the app. Appthority also claims that the app sends personal information to advertising networks.
Another example of a legitimate privacy and security concern relates to cloud storage. Many mHealth apps collect physiological data through sensors affixed to the body, store the data in the cloud, and provide the data to a physician or other provider. If the cloud storage vendor does not provide adequate security protections, the provider could be implicated as a party to the app’s use. mHealth apps offer tremendous opportunities to advance a more sophisticated and connected healthcare environment – but the modes of connection need to be solid from a data protection perspective. Good risk management is key.
04 Nov · Mon 2013
Duane Morris Attorneys Frederick Ball and Erin Duffy to Present "Introduction to Drug Law and Regulation: The Legal Framework for Drug Regulation"
Duane Morris partner Frederick Ball and associate Erin Duffy will present at the "Introduction to Drug Law and Regulation: The Legal Framework for Drug Regulation" program on Thursday, November 7, 2013 at the Hyatt Regency New Brunswick in New Brunswick, New Jersey.
This introductory program provides a comprehensive overview of the laws and Food and Drug Administration regulations affecting the drug industry, and will help you and your organization get products approved and navigate regulatory problems. Experts will review the essential elements of FDA drug regulation in a systematic and comprehensive way. From the definition of “drug” to the different regulatory schemes for over-the-counter (OTC) and prescription (Rx) drugs, speakers walk you through key regulations and policies and will help you determine how those regulations and policies are applied.
For more information please visit the Food and Drug Law Institute website.
18 Oct · Fri 2013
Moody's report: Exchanges negatively impacting non-profit hospitals revenue
07 Oct · Mon 2013
Mobile Medical Apps Guidance
25 Sep · Wed 2013
All Nursing Homes Must be Fully Sprinklered by August 13, 2013
Nursing homes that participate in Medicare or Medicaid have had five years to achieve full sprinkler compliance since CMS published the final rule on August 13, 2008 entitled Fire Safety Requirements for Long Term Care Facilities, Automatic Sprinkler Systems.[i] At present there are no extensions. Any facility that is not fully sprinklered at the time of its routine recertification survey will be cited with a life-safety code deficiency (tag K056). Such facilities will be required to submit a plan of correction to come into compliance within three months. After three months, facilities that are still out of compliance will be subject to a denial of payment for new admissions (DPNA), and at the end of six months, non-compliant facilities will be subject to termination from the Medicare program.
Although CMS proposed a rule on February 7, 2013 that would permit time-limited extensions of the due date for facilities that were replacing a building or undergoing major modifications, no final rule for extensions has yet been promulgated. In reviewing plans of correction, however, CMS has said it will take note of facilities that are undergoing major building or renovation projects. CMS does not at this time have the statutory authority to grant extensions, but they are working on the issue.
The scope and severity of deficiency citations for sprinkler deficiencies are usually at a minimum level of D, E or F, “potential for harm.” The complete absence of a sprinkler system would always be cited at the F level or higher. Citation at the “harm” level of G, H or I is rare unless there has been a recent fire or other sprinkler issue causing actual harm. Selection between levels D, E and F will be based on how many facility residents face potential harm as a result of the deficiency.
If a facility is fully sprinklered but there are minor problems with the functioning of the system, such as improper coverage by some of the sprinkler heads, a deficiency at the level of D, E or F would be cited but K056 would not need to be cited. Time-limited waivers of less than six months may be granted to correct such systems. If there are major problems with a fully sprinklered facility, such as missing multiple sprinkler heads in rooms that were subdivided, or missing sprinklers in outside overhangs or on a loading dock, the facility would be considered partially sprinklered and K056 would apply. If a facility is partially sprinklered, for example in new wings but not in older parts of the building, or only in hazardous areas, K056 also applies.
Exceptions to the sprinkler requirement include:
· Out buildings that are not accessed by residents
· Parts of non-certified buildings that residents may pass through as long as they do not live or sleep there
· Certain awnings and overhangs that are constructed of non-combustible or limited combustible material
· Free standing wardrobes and closets that are considered to be furniture
CMS estimates that almost 1300 facilities nationwide are not fully sprinklered, with approximately 1150 partially sprinklered (or unknown) and about 140 unsprinklered. To promote the most rapid improvement in fire protection, CMS has said it will not impose a civil monetary penalty (CMP) if the plan of correction shows that the facility is making a timely investment, has contracts in place, and has completed plans for installation that will allow for completion of the sprinkler project within three months after the survey date. CMPs may be imposed, however, if the noncompliance is serious, and particularly if at the time of the survey the necessary plans have not been completed. The CMS Regional Office may issue other remedies and demand earlier compliance for facilities that do not show a clear commitment to, and reasonable timeframe for, sprinklering the facility.
Any facilities that have not already obtained any necessary state approvals and entered into contracts for installation of fully compliant sprinkler systems should be urged to do so now. In my experience, engineers who do this work are in heavy demand at this time, and the planning and installation process can easily take longer than three months, putting the facility at financial risk for a DPNA, or even termination. Facilities that wait until they are cited on survey may be in for a rude awakening.
For more information contact Kathleen Carver Cheney, Partner, 212-692-1097, firstname.lastname@example.org
Copyright 2013, American Health Lawyers Association, Washington, DC. Reprint permission granted.
[i] See 42 CFR 483.70(a)(8).
17 Jul · Wed 2013
FDA Issues Proposed Rules That Give FDA Administrative Detention Authority with Respect to Drugs
16 Jul · Tue 2013
Business Associate Agreements (“BAAs”) Under the New HIPAA/HITECH Omnibus Final Rule ("Final Rule")
Earlier this month, I attended the annual meeting of the American Health Lawyers Association in San Diego. This meeting was excellent both from a networking perspective and for the substantive information imparted during the various break-out sessions. A number of these sessions were devoted to or touched upon the Final Rule that was published on January 25, 2013, those terms that must now be included in BAAs under such Final Rule, and the effect of such Final Rule upon a business associate (“BA”) – someone the Final Rule defines as a person acting on behalf of a covered entity (“CE”) who (i) creates, receives, maintains or transmits protected health information (“PHI”); (ii) for a function or activity regulated by HIPAA; and (iii) provides certain identified services to such CE.
The provisions of the Final Rule are especially important to a BA, considering (a) a BA is now independently liable for violations of HIPAA’s privacy and security requirements, and (b) BAs shall be subject to future audits by the Office of Civil Rights to ensure compliance with HIPAA, including those amended privacy, security, enforcement and breach notification provisions that are part of the Final Rule. Essentially, under the Final Rule, BAs must comply with HIPAA’s privacy and security rules in the same manner as a CE, including with respect to breach notification requirements that may represent the greatest risk when negotiating a BAA.
15 Jul · Mon 2013
WellPoint Pays HHS $1.7 Million to Settle HIPAA Security Violations
The WellPoint matter serves as a reminder to HIPAA-covered entities and subcontractors that are business associates to comply with the HIPAA Security Rule and to prudently oversee the services provided by these business associates.