As a service to our readers, we have distilled last week’s joint HHS Office for Civil Rights (OCR) and National Institute of Standards and Technology (NIST) conference, “Safeguarding Health Information: Building Assurance through HIPAA Security” into three phrases: (i) risk assessment, (ii) workforce training, and (iii) adequate encryption. For those of you willing to read more than three phrases, we elaborate on them below and provide our view on the important takeaways from the conference.
A False Claims Act suit can be a company’s worst nightmare, as it may potentially result in large settlements and awards on account of the statute’s trebled damages provision. However, the nightmare for AmerisourceBergen was compounded by the fact that the company’s insurer, ACE, denied coverage for the claim based on the “prior or pending litigation exclusion.” Even worse, a Pennsylvania appellate court upheld ACE’s disclaimer based upon the exclusion. The impact of this recent ruling is very unsettling for many companies who may not know about a qui tam suit for several years after it is filed, which is typically the case in the qui tam context, where the complaint is filed under seal to allow the government to investigate the relator’s claims.
Written by: Rachel Irving Pitts
Earlier this week, my colleague Dianne Bourque commented on a small medical practice’s inability to access its patients’ medical records one July day after its EHR vendor blocked the practice from pulling the data stored in the EHR. In the Boston Globe article, the EHR vendor compared the situation to an electric company turning off the power after months of nonpayment. As technology advances, we abandon “outdated” ways of doing things – our cordless phones won’t work when our power is shut off, and a doctor who has switched to an EHR can’t grab the paper chart off the stacks when its EHR shuts down. A main purpose of the push for providers to adopt EHR is to streamline patient care – a doctor at the hospital doesn’t have to wait for the primary care provider’s chart with the relevant medical history to be delivered or faxed, but just uploads the relevant data set with the patient’s history so they can diagnose and treat the patient. But that all goes out the window if your EHR goes dark, and you can’t get to the records.
On September 16, 2014, the Centers for Medicare & Medicaid Services (CMS) announced key shared savings and losses results of Accountable Care Organizations (ACOs) that began participating in the Medicare Shared Savings Program (MSSP) or the Pioneer ACO Program (PACO) in 2012 and 2013. Thus far, of the ACOs still participating in the MSSP or PACO at the time the data was collected:
- Fifty-three out of the 204 ACOs generated shared savings totaling more than $300 million during their first performance year;
- Nine out of the 34 ACOs participating in the Advanced Payment model option of the MSSP generated gross shared savings of $58.53 million, but over a third (34.5%) of that gross amount was generated by one ACO;
- One ACO participating in the risk-sharing/shared-losses option (Track 2) of the MSSP generated losses of $9.97 million and will have to repay $3.96 million to CMS;
- Two ACOs participating in Track 2 of the MSSP generated gross shared savings and will receive performance payments from CMS of nearly $17 million; and
- During the second year of the PACO, 11 out of the 23 Pioneer ACOs earned $68 million in financial bonuses.
Written by: Kimberly J. Gold
The U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) released guidance last Wednesday to help covered entities and business associates understand the privacy implications of the 2013 Supreme Court decision in United States v. Windsor (“Windsor”).
The Supreme Court ruled in Windsor that Section 3 of the Defense of Marriage Act (“DOMA”), which provided that federal law would recognize only opposite-sex marriages, was unconstitutional. Since Windsor, HHS has already extended Medicare coverage to same-sex couples.
The HIPAA Privacy Rule provides some protections to family members, including spouses, of patients. For example, Protected Health Information relating to the patient’s care may sometimes be shared with family members of patients. In addition, the protections against the use of individuals’ genetic information for underwriting purposes under the Genetic Information Nondiscrimination Act (“GINA”) extend to certain information about family members.
Written by: Tara E. Swenson
Last week CMS announced that it would not execute its option to terminate its 2015 contracts with Medicare Advantage Plans and Part D plans that had scored three stars or less for three consecutive years. At the same time, CMS announced that it was seeking information from insurers and others in the industry regarding how serving a disproportionate share of dual eligible enrollees causes Medicare Advantage and Part D plans to receive lower quality measure scores. In the alternative, CMS is also seeking information regarding how certain Medicare plans that serve dual eligibles achieve high performance levels. In order to be considered, comments must be received by November 3, 2014.
While CMS seeks this information, it is continuing to confront a variety of challenges to its Duals Demonstration Project under which it is attempting to partner with states to coordinate providing care through managed care entities able to provide both Medicare and Medicaid services. Since the start of the Duals Demonstration, CMS has seen some states exhibit interest in participating but ultimately decline to engage and some managed care organizations go through the process to be approved to provide the plans and then pull out of participating. The Duals Demonstration is currently facing legal challenges in California where a variety of groups are claiming that the passive enrollment process violates individuals’ due process rights.
CMS’ RFI provides a good opportunity for industry participants to explain the challenges of serving and providing managed care to a low income population that can be more difficult to contact and engage than the traditional Medicare population.
Written by Laurence J. Freedman and Samantha P. Kingsbury
On Wednesday, during a speech before the Taxpayers Against Fraud Education Fund conference in Washington, D.C., Leslie R. Caldwell, Assistant Attorney General for the Department of Justice’s (DOJ) Criminal Division, announced that her office will be stepping up its review of False Claims Act (FCA) qui tam complaints for potential criminal prosecution. She also invited potential qui tam relators (whistleblowers) to contact criminal authorities prior to filing qui tam complaints in the event there is potential criminal conduct.
Ms. Caldwell stated that the Criminal Division has implemented a procedure so that all new qui tam complaints are shared by the Civil Division with the Criminal Division as soon as the cases are filed. Under this process, she said, experienced prosecutors in the Criminal Fraud Section are immediately reviewing these qui tam complaints to determine whether to open a parallel criminal investigation. Ms. Caldwell noted that the Criminal Division has “unparalleled experience prosecuting health care fraud, procurement fraud and financial fraud” and that it will “bring that expertise to bear by increasing [its] commitment to criminal investigations and prosecutions that stem from allegations in False Claims Act lawsuits.” Beyond its expertise, the Criminal Division has relationships with foreign governmental agencies and criminal investigative tools (e.g., search warrants, wire taps, undercover operations and confidential informants) that it will be able to contribute to FCA cases.
By reviewing FCA qui tam complaints immediately, the Criminal Division will be able to streamline the process of assessing these cases for possible criminal charges. Ms. Caldwell also indicated that her division’s deeper involvement in FCA cases will mean a shift in priorities with respect to the types of defendants on which DOJ focuses its attention. Specifically, Ms. Caldwell commented that “cases involving fraud by executives at health care providers, such as hospitals, are [ ] a high priority” and that DOJ may increasingly bring criminal charges against corporate entities.
ML Strategies has posted its weekly Health Care Update. This publication provides timely information on implementation of the Affordable Care Act, Congressional initiatives affecting the health care industry, and federal and state health regulatory developments.
This week is National Health IT Week. While Congress has stalled on various health care legislative initiatives, Health IT and related policy areas, such as telehealth, have received growing attention and support as policymakers focus on the exploding industry’s ability to broaden access, lower costs, and re-define privacy.
Click here to read this week’s full Health Care Update.
Written by: Stephanie D. Willis
The mobile app and wearables market in health care is booming, most recently evidenced by Apple’s entry into the market with its widely-anticipated “HealthKit,” a purportedly secure platform that allows mHealth apps to share users’ health and fitness data with the new Health app and with each other. But mobile apps, particularly those used by health care organizations, can allow unauthorized access to patients’ Protected Health Information if not evaluated for security and privacy risks. For guidance on how to address these risks, click here to see our post at Privacy & Security Matters on the draft Technical Considerations for Vetting 3rd Party Mobile Applications (the Vetting Report) issued by the National Institute of Standards and Technology (NIST) in August 2014.
NIST is seeking comments on the Vetting Report until September 18th, so there is still time for organizations contemplating a third party mobile app vetting process to inform NIST of any gaps that remain to be addressed in the Vetting Report. Regardless, all organizations, especially those in the health care industry, that want to use mobile app technologies in their operations should use the Vetting Report and NIST’s other guidance publications, in conjunction with the advice of experienced health care privacy counsel, to develop their own privacy and security evaluation processes to help weed out the mobile apps that may create risks of security incidents and breaches.
Please join us on September 23rd, 2014 at 1:00 p.m. for a webinar where we’ll discuss the recent statements from the Department of Justice and the U.S. Securities and Exchange Commission describing the susceptibility of pharmaceutical and medical device companies to FCPA enforcement. Key questions that will be addressed include:
- Why does the FCPA seem to attract government investigations into the practices of health care companies specifically, and what should my company be worried about?
- What FCPA enforcement actions have the DOJ and SEC brought against health care companies in recent years, and what are the lessons learned from these actions?
- Does the increased level of focus on China indicate a new trend of global anti-bribery enforcement?
- What simple best practices can health care companies implement to reduce the chances of governmental FCPA scrutiny?
We hope you can join us. Please click here to register.