Mobile health application developers, manufacturers, investors, healthcare providers and others received welcome news late last month when the U.S. Food and Drug Administration published its long-awaited final guidance on mobile medical applications under the Federal Food, Drug, and Cosmetic Act. It is vital for any app developer to understand whether the guidance applies to their product from the initial design stage. Those who are already marketing software and apps that involve healthcare should also review the guidance with care to try to determine how FDA’s new regime impacts both business plans and continuing operations.
FDA Issues Proposed Rules That Give FDA Administrative Detention Authority with Respect to Drugs
The U.S. Food and Drug Administration (FDA) on July 15, 2013, released proposed rules implementing sections of the Food and Drug Administration Safety and Innovation Act (FDASIA) and the FDA’s new authority to protect the integrity of the drug supply chain—specifically, Section 709 of the FDASIA [amending section 304(g) of the Food, Drug, and Cosmetic Act (FDCA)]. The proposed rules provide the FDA with the administrative authority to detain drugs the FDA believes are either adulterated or misbranded. The FDA will detain the drugs until it considers what action it should take concerning the drugs, whether legal or otherwise. The goal of this detention authority has been stated by the FDA as follows: “to protect the public by preventing distribution or subsequent of use of drugs … that are believed to be adulterated or misbranded … .” Comments on the proposed rule are due no later than September 13, 2013.
Click here to read the full Alert.
WellPoint Pays HHS $1.7 Million to Settle HIPAA Security Violations
Covered Entities Cautioned Regarding Use of Business Associates
On July 8, 2013, health insurer WellPoint, Inc. entered into a Resolution Agreement with the U.S. Department of Health and Human Services, Office for Civil Rights (HHS), agreeing to pay HHS $1.7 million to resolve an HHS complaint regarding violations of the HIPAA Privacy and Security Rules during the period of October 23, 2009, through March 7, 2010. WellPoint reported a breach of electronic protected health information (ePHI) on June 18, 2010, leading to an HHS investigation that commenced on September 9, 2010.
The WellPoint matter serves as a reminder to HIPAA-covered entities and subcontractors that are business associates to comply with the HIPAA Security Rule and to prudently oversee the services provided by these business associates.
Click here to read the full Alert.
IRS Publishes Notice Providing Transition Relief in Response to ACA Delay
As outlined in our prior Alert, the Obama administration recently announced a one-year delay in the effective date of three key provisions of the Patient Protection and Affordable Care Act (ACA): (1) the annual information reporting requirements applicable to insurers, self-insuring employers and certain other providers of minimum essential coverage, (2) the annual information reporting requirements applicable to large employers (i.e., those with 50 or more full-time equivalent employees); and (3) the employer shared responsibility provisions. These provisions of the ACA will now be fully effective for 2015.
Click here to read the full Alert, which provides highlights from the IRS Notice 2013-45.
Obama Administration Delays ACA Employer Reporting and Penalties for 2014
In a July 2, 2013, blog posting on the U.S. Department of the Treasury website titled “Continuing to Implement the ACA in a Careful, Thoughtful Manner” the Obama administration announced that it will provide an additional year before the Patient Protection and Affordable Care Act’s (ACA) mandatory employer and insurer reporting requirements begin. These reporting requirements, which were originally scheduled to go into effect on January 1, 2014, will now be delayed until January 1, 2015. More significant is the fact that the Obama administration acknowledges that the delay in the reporting requirements will make it impractical to determine which employers owe shared responsibility payments for 2014. Therefore, the employer shared responsibility provisions will also not be applicable until 2015.
Click here to read the full Alert.
Duane Morris Co-Hosted “The 2013 mHealth Prognosis: Converging Business and Legal Trends”
Duane Morris, in conjunction with the Wharton Health Care Management Alumni Association and Locust Walk Partners, presented a networking reception and panel discussion of the key legal and business issues for mHealth app developers and entrepreneurs on Wednesday, June 26, 2013, at the University of Pennsylvania’s Bodek Lounge. Panelists discussed topics including healthcare industry trends and mHealth growth; investment and business trends; legal and regulatory issues; and healthcare IT and reimbursement issues.
Click here to see pictures of the event.
State Medicaid Fraud Control Units’ Data Mining Likely to Increase Through Federal Funding
Effective June 17, 2013, state Medicaid fraud control units (MFCU) will be permitted to use federal matching funds to pay for data mining activities to detect potentially fraudulent utilization and billing patterns. Historically, MFCUs have been prohibited from using federal matching funds to pay for the cost of data mining. Given the financial constraints facing MFCUs, this funding is likely to result in a substantial increase in activities by MFCUs across the United States. While this rule in and of itself is noteworthy, it is likely to have a more significant impact on healthcare providers when coupled with the regulation implementing the Patient Protection and Affordable Care Act (ACA) that requires states to suspend all Medicaid payments to a provider upon credible allegation of fraud during, or triggering, a Medicaid investigation.
Click here to read the full Alert.
Final HIPAA Wellness Program Regulations Issued Under Affordable Care Act
On June 3, 2013, the U.S. Department of Labor, Department of Health and Human Services, Internal Revenue Service, Employee Benefits Security Administration and Department of the Treasury published in the Federal Register final guidance regarding nondiscriminatory wellness programs under employer-sponsored group health plans. This final guidance was issued in the form of much-anticipated joint final regulations on such wellness programs (the “Final Regulations”). It is important to note that the Final Regulations will apply to wellness programs offered under all group health plans [regardless of whether the plan is “grandfathered” under the Patient Protection and Affordable Care Act (the “Affordable Care Act”)]. Moreover, these Final Regulations will be effective for plan years beginning on or after January 1, 2014.
Continue reading “Final HIPAA Wellness Program Regulations Issued Under Affordable Care Act”
Increased Spotlight on Emergency Department Facility Coding by CMS, HHS and DOJ
Although the professional component of coding for evaluation and management services (“E&M Services”) has been scrutinized over the years, until recently, little attention has been given to coding practices for the facility component of these services—including emergency department facility services. In a September 24, 2012, letter written by Kathleen Sebelius, Secretary, U.S. Department of Health and Human Services (HHS); and Eric Holder, Jr., Attorney General, U.S. Department of Justice, to hospital leadership throughout the United States, HHS and the Justice Department expressed their concern that hospitals may be inappropriately coding E&M Services. Specifically, the letter notes that “CMS is initiating more extensive medical reviews to ensure that providers are coding evaluation and management services accurately.” In light of the recent attention on emergency department facility component coding practices, an area that so far has largely been overlooked by the regulators, any facility that has not reviewed its coding practices for the facility component of E&M Services may want to consider doing so at this time.
Click here to read the full Alert.
HIPAA Marketing and Sale Provisions: Legal Potholes for Providers, Payors, Advertisers, Data Aggregators, Market Researchers and Others
The 2013 HIPAA Amendments directly apply to healthcare providers, plans and clearinghouses as “covered entities,” as well as their subcontractors and vendors as “business associates” (including their downstream subcontractors and agents). However, it is not just covered entities and business associates that need to understand the 2013 Amendments. Advertisers, data aggregators, market researchers and others that want access to PHI, even data that appear to be de-identified, will be impacted.