On January 13, 2017, the Centers for Medicare and Medicaid Services (“CMS”) sent a Memorandum (“Memo”) to State survey agency directors encouraging long-term care providers to “consider cybersecurity when developing or reviewing their emergency preparedness plans.” The Memo was a follow-up to the CMS long-term care emergency preparedness rule published in the Federal Register on September 16, 2016: “Medicare and Medicaid Programs; Emergency Preparedness Requirements for Medicare and Medicaid Participating Providers and Suppliers.” Under that final rule, long-term care facilities were held to additional standards, including requirements to have emergency and standby power systems in place. Nursing homes were also required to create plans regarding missing residents that could be activated regardless of whether the facility has activated its full-scale emergency plan. The rule was spurred on by recent flooding in Baton Rouge, Louisiana, and other emergency disasters, such as Hurricane Sandy and the 2009 H1N1 pandemic, according to CMS.
Whether State surveyors will actually cite the absence of a cybersecurity plan in a facility's emergency preparedness program as a deficiency remains to be seen from this Memo. But certainly, a State survey agency could impose deficiencies going forward for failure to have a proper cybersecurity plan and/or a proper cybersecurity back‑up plan as part of a facility’s emergency preparedness. It is not clear why CMS decided to send this encouragement Memo three months after the Final Rule on emergency preparedness, but it likely has something to do with the fact that 2016 was a banner year for HIPAA privacy infractions and HIPAA enforcement by the Office for Civil Rights (“OCR”), the entity responsible for HIPAA enforcement. In 2016, payments to OCR for HIPAA violations by health care providers reached a record $23.51 million. That number was nearly triple the previous record of $7.94 million in 2014, which was followed by $6.19 million in 2015.
Continue reading Cybersecurity and Emergency Preparedness for Long-Term Care
The Stark Law, 42 U.S.C. 1395nn, places restrictions on lease arrangements between physician groups and hospitals for equipment owned by the physicians, leased to the hospitals and then used by the same physicians to treat patients at the hospital. Under the Stark Law, such leases are prohibited unless the arrangement complies with the equipment rental exception, 42 U.S.C. 1395nn(e)(1)(B).
One requirement of the equipment rental exception, which is both statutory and regulatory (42 C.F.R. 411.357(b)), is that the rental charges be “set in advance.” In a recent case from the D.C. Circuit Court of Appeals, Council for Urological Interests v. Burwell, the court considered whether a “per-click” or “per-use” fee could be considered “set in advance” and otherwise meet the criteria for the exception. In an oddly constructed opinion, the court struck down a regulatory prohibition on per-click arrangements, but remanded under terms that would permit the restriction to be re-instated. Continue reading “Per-click” fees OK but don’t count on it
Health systems attempting to fulfill the mandate of integrating hospitals and physicians may find themselves accused of going too far. Although the Affordable Care Act, shared savings, gainsharing and other alternative payment methodologies have made integration of physicians, hospitals and other providers an operational goal, success in reaching that goal may be challenged by private antitrust actions.
In a recent Florida federal court decision, the antitrust complaint of “several of Southern Brevard County’s physicians and physicians practice groups” was held to have stated a monopolization claim against Health First, Inc. and three of its wholly-owned subsidiaries — an insurer, a hospital and a physician practice group. Essentially, by fully integrating its business, and incentivizing in-network referrals and managed care pricing, Health First became vulnerable to claims of tying, exclusive dealing, price discrimination and monopolization.
Continue reading Health System Integration and Antitrust Laws on Collision Course
1. Since most text messaging is not a secure form of communication, it raises HIPAA concerns if any protected health information is included in the text message. There is the possibility of a data breach in the transmission of the text message, as well as in the event of a lost or stolen phone.
2. Relevant information about a patient may be omitted from the patient’s medical chart if it is communicated via text message. Text messages are difficult to print or archive, so the information is easily lost or deleted. This can have adverse consequences for the patient’s care because important information about the patient is not communicated to everyone who needs it.
3. Important evidence may be lost, resulting in adverse consequences in the event of a lawsuit. Any time a lawsuit is anticipated, all relevant evidence must be preserved, including text messages. However, since the messages reside on individual employees’ phones, they may be omitted from the document preservation efforts, or accidentally (or intentionally) deleted by the employee. Such loss of evidence could result in the court’s imposition of an “adverse inference,” meaning that the jury must determine that lost evidence would have been adverse to the health care facility (even if that is not true).
The safest course is to ban text messaging in a health care setting. Health care facilities which allow the use of text messaging should implement policies and procedures to ensure that they avoid these problems.
One arrow in the quiver for healthcare providers sued for violations of false claims and anti-kickback statutes is pressing for discovery from the whistleblower/relator, including a deposition of the relator. The failure of the whistleblower to comply with the discovery obligations could result in meaningful sanctions, including dismissal.
In Guthrie v. A Plus Home Health Care, Inc. et al, 0:12-cv-60629-WPD (S.D. FL), the relator, William Guthrie, sued a home health care provider, its seven doctors, and their spouses, alleging that the doctors and their spouses implemented a fraudulent scheme of compensation and referral payments resulting in violations of the False Claims Act, the Stark Act, and the federal Anti-Kickback Statute. Continue reading False Claims and Anti-Kickback Defendants Should Insist on Discovery from the Whistleblower/Relator
Employers that sponsor group health plans for their employees should pay careful attention to the newly announced final omnibus rule amending HIPAA in accordance with the HITECH Act of 2009. This final rule under the HITECH Act, issued on January 17, 2013, impacts group health plans in two significant ways. Group health plan sponsors should act now to make changes to existing plan documents, including HIPAA procedures and business associate agreements, in response to the Final Rule.
Click here for an overview of how HIPAA generally applies in the context of employer-sponsored group health plans and these significant changes impacting group health plans.
Continue reading Employers Take Note: Final HIPAA Rules Mandate New Obligations for Group Health Plans
The HIPAA Rules require that when a HIPAA-covered entity (a provider, plan or clearinghouse) or a business associate of a covered entity uses or discloses protected health information (“PHI”), or when it requests PHI from another covered entity or business associate, the covered entity or business associate must make “reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.”
Click here to read more about the HIPAA “minimum necessary” standard—one of the most essential, yet vague, aspects of the HIPAA Rules.
Continue reading HIPAA Minimum Necessary Standard Should Be Key Component of Policies and Procedures, Now More Than Ever
The 2013 Amendments include a number of sweeping changes to the HIPAA Rules, including the expansion of the definition of a business associate to include their subcontractors that handle protected health information (“PHI”); a lower threshold for determining whether a breach has occurred for reporting purposes; and restrictions on “marketing” activities and the “sale” of PHI.
Click here to read this Overview Summary of the 2013 Amendments. Duane Morris is issuing a series of Alerts on the 2013 Amendments. Please see the in-depth Alerts already distributed by the firm on changes under the 2013 Amendments to the definition of a business associate and changes to the breach notification requirements. We will continue to issue Alerts on discrete HIPAA topics.
One of the most significant changes in the final HIPAA amendments is the Breach Notification Rule, which modifies and clarifies the definition of “breach” and the risk-assessment approach required for breach notification. In light of this heightened standard, covered entities, business associates and downstream contractors should consider carefully reviewing their breach notification policies and procedures, training materials and contractual arrangements in an effort to avoid potential liability under the Breach Notification Rule.
Click here for more information on the most significant changes to the Breach Notification Rule.
Among the most significant changes of the Final HIPAA amendments are the provisions that extend the Privacy and Security Rules’ stringent compliance obligations to business associates (BA) and expand the definition of BAs to include subcontractors of BAs. Why the changes? The HITECH Act of 2009 specifically extends direct liability to BAs and expands the list of obligations for BAs. The Department of Health & Human Services extends BA obligations even further to ensure the privacy and security of all PHI throughout the HIPAA ecosystem.
Click here to read a summary of the key provisions under the 2013 amendments, as well as factors that may be worthwhile for covered entities and business associates to consider in light of these amendments.