Last week, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) released new guidance on reporting and monitoring cyber threats. The guidance urges covered entities and business associates to report suspicious activity, including cybersecurity incidents, to the United States Computer Emergency Readiness Team (US-CERT). US-CERT is an organization within the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) that is responsible for analyzing and reducing cyber threats and vulnerabilities, disseminating cyber threat warning information, and coordinating incident response activities. It is operational 24 hours a day, and accepts, triages, and collaboratively responds to incidents. Continue Reading OCR Releases Guidance on Reporting and Monitoring Cyber Threats
Jordan Cohen is an Associate in the Health Law Practice and is based in the firm’s New York office. He provides clients with advice and counsel relating to federal health care laws and regulations, including the Stark Law, the Anti-Kickback Law, the Anti-Markup Rule, and state health care laws and regulations. Jordan also counsels clients on compliance with HIPAA’s Privacy Rule and Security Rule, including new requirements under the HITECH Act and 2013 Omnibus Regulations.
On February 16, 2017, the HHS Office for Civil Rights (OCR) disclosed a $5.5 million settlement with Memorial Healthcare Systems (MHS) for HIPAA violations affecting the protected health information (PHI) of 115,143 individuals. The Resolution Agreement, which can be found here, also contains a detailed corrective action plan (CAP).
The Florida-based health system reported to OCR that the PHI had been impermissibly accessed by MHS employees and impermissibly disclosed to affiliated physician office staff. The PHI consisted of names, dates of birth, and social security numbers.
Earlier this week, the U.S. Department of Homeland Security (DHS) updated a prior advisory revealing cybersecurity vulnerabilities in St. Jude Medical’s Merlin@home transmitter.
The Merlin@home transmitter is used by patients with St. Jude implantable cardiac devices to wirelessly transmit data from the patient’s cardiac device to the Merlin.net Patient Care Network. The uploaded data can then be monitored by a physician to determine whether the device is functioning properly. This past January, DHS released an advisory detailing a vulnerability that could allow an unauthorized user to remotely access a patient’s RF-enabled implanted cardiac device by altering the Merlin@home Transmitter. The altered transmitter could then be used to modify the implanted device to rapidly deplete its battery and/or administer inappropriate pacing or shocks to the patient. St. Jude quickly made an update available to patch this vulnerability.
The updated advisory extends the vulnerability to Merlin transmitters that are used by providers. These transmitters contain the same hardware and software as the models used by patients in their homes, but have an additional feature called MerlinOnDemand that allows providers to use one transmitter in their office to obtain device data from multiple patients. According to the advisory, the endpoints between the implanted device and the Merlin.net website are not verified, i.e., neither side of the connection authenticates the other. This makes the transmission vulnerable to a “man-in-the-middle” attack, in which an attacker positioned between the transmitter and Merlin.net could intercept or alter the traffic and thereby remotely access the device. St. Jude has said that the MerlinOnDemand-enabled devices will receive the same patch that was provided to the home-based models.
The new vulnerability comes on the heels of the U.S. Food and Drug Administration’s release of final guidance on the postmarket management of cybersecurity in medical devices.
While 2016 marked one of the least productive years in the history of Congress, the same cannot be said of health care enforcement and regulatory agencies. Perhaps motivated by the impending change in administration, these agencies promulgated a number of notable regulations in 2016, including:
- A Department of Justice (DOJ) Interim Final Rule that significantly increases penalties under the False Claims Act (FCA), making already high stakes litigation even higher.
- An Interim Final Rule from the Office of Inspector General for the U.S. Department of Health and Human Services (OIG) and other agencies increasing civil penalties for violations of various statutes and regulations, including the Civil Monetary Penalties Law (CMPL) and its implementing regulations.
- A Final Rule that addresses the OIG’s expanded authority under the CMPL.
- A long-awaited Final Rule from the Center for Medicare & Medicaid Services (CMS) concerning the “60 Day Rule” for returning overpayments.
- A Final Rule from the OIG that amends the safe harbors under the federal Anti-Kickback Statute (AKS) and adds exceptions under the CMPL’s beneficiary inducement prohibition.
Below we discuss the highlights of each rule and how we expect each to impact the enforcement environment in 2017 and beyond. Continue Reading Health Care Enforcement Review and 2017 Outlook: Significant Regulatory Developments
Last week, the Office of Inspector General (OIG) of the U.S. Department of Health and Human Services released a report analyzing CMS’ readiness to implement major parts of the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA). The report provides an inside look at the steps CMS is taking to implement MACRA’s Quality Payment Program (QPP), which is an ambitious transformation of the way in which the federal government reimburses health care providers. The report highlights two key program vulnerabilities for the MACRA transition, a process that will hopefully be smoother than the troubled rollout of HealthCare.gov.
On Wednesday, the U.S. Senate overwhelmingly passed the 21st Century Cures Act (the “Act”) by a vote of 94 to 5. Spearheaded by Michigan Representative Fred Upton, the bill now heads to President Obama, who has promised to sign it. The Act is ambitious, and will impact a wide swath of the U.S. health care system. The Act provides, among other things:
- $4.8 billion over 10 years to support NIH research on precision medicine, neuroscience, cancer and regenerative medicine.
- $1 billion in state grants to increase opioid abuse prevention and treatment services, including prescription drug monitoring programs, training programs and treatment programs.
- Substantial changes to FDA regulations to accelerate the pace of bringing pharmaceuticals and medical devices to market.
- New obligations on the part of both FDA and industry stakeholders to implement the research initiatives and regulatory changes mentioned above.
- Other health care initiatives addressing health information technology, vaccines, national security and health care delivery.
At 996 pages, the Act cannot be summarized in one post. Instead, we plan to analyze the various aspects of the Act in multiple posts over the coming weeks. The remainder of this post will highlight provisions that support one of the Act’s primary objectives: the acceleration of drugs and devices to market. Continue Reading Senate Passes 21st Century Cures Act, but Can It Cure an Ailing FDA?
As we reported earlier this week, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights described a phishing campaign that is attempting to convince recipients of their inclusion in OCR’s Phase 2 audit program. The email, which was disguised as an official communication, suggests that recipients click on a link. This link takes recipients to a non-governmental website marketing cybersecurity services.
On Wednesday, OCR followed up their alert with additional details about the phishing campaign. According to OCR, the phishing email originates from the email address OSOCRAudit@hhs-gov.us and directs individuals to a URL at http://www.hhs-gov.us. OCR points out the subtle difference from the official email address for its HIPAA audit program, OSOCRAudit@hhs.gov, noting that such subtlety is typical in phishing scams.
OCR also took the opportunity to confirm that it has notified select business associates of their inclusion in the Phase 2 HIPAA audits. For more information about the Phase 2 audit program please visit our earlier post.
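As an added illustration (not OCR’s tooling and not code from the original post), the filter below applies the indicator OCR describes, the lookalike domain hhs-gov.us beside the genuine hhs.gov, to a message’s From: header and to the host of every link in its body. The trusted-domain list, the sample message, the similarity threshold and the function names are assumptions made for this example.

```python
"""Flag lookalike sender domains and link hosts (example added here; not OCR's code).

The trusted-domain list, threshold and sample message are constructed for this
illustration, using the hhs-gov.us / hhs.gov pair described in the OCR alert.
"""
import re
from difflib import SequenceMatcher
from email.utils import parseaddr

# Domains treated as genuine; subdomains of these (e.g. ocr.hhs.gov) are accepted too.
TRUSTED_DOMAINS = ("hhs.gov",)

# Captures everything between the scheme and the first '/', quote or whitespace.
URL_HOST_RE = re.compile(r"https?://([^/\s\"'<>]+)", re.IGNORECASE)


def sender_domain(from_header):
    """Return the lowercased domain of a From: header, or None if it carries no address."""
    _display, addr = parseaddr(from_header)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def squash(domain):
    """Drop dots, hyphens and other separators so 'hhs-gov.us' and 'hhs.gov'
    compare as 'hhsgovus' versus 'hhsgov'."""
    return re.sub(r"[^a-z0-9]", "", domain.lower())


def classify_domain(domain, trusted=TRUSTED_DOMAINS, threshold=0.8):
    """'legitimate' for a trusted domain or a subdomain of one; 'lookalike' if the
    domain merely contains or closely resembles one; otherwise 'unknown'."""
    domain = domain.lower().rstrip(".")
    for good in trusted:
        if domain == good or domain.endswith("." + good):
            return "legitimate"
    for good in trusted:
        s_dom, s_good = squash(domain), squash(good)
        # Substring test covers 'hhs-gov.us' and 'hhs.gov.attacker.example';
        # the similarity ratio covers single-character edits such as 'hhs.g0v'.
        if s_good in s_dom or SequenceMatcher(None, s_dom, s_good).ratio() >= threshold:
            return "lookalike"
    return "unknown"


def classify_sender(from_header, trusted=TRUSTED_DOMAINS):
    """Classify the From: header's domain, or report 'malformed' if there is none."""
    domain = sender_domain(from_header)
    if domain is None:
        return "malformed"
    return classify_domain(domain, trusted)


def scan_message(from_header, body, trusted=TRUSTED_DOMAINS):
    """Return (indicator, verdict) pairs for the sender and for every link host in the body."""
    findings = [("from:" + (sender_domain(from_header) or "?"),
                 classify_sender(from_header, trusted))]
    for raw_host in URL_HOST_RE.findall(body):
        # 'user@host' userinfo and ':port' are stripped so 'http://hhs.gov@evil.example/'
        # is judged on evil.example, not on the decoy before the '@'.
        host = raw_host.split("@")[-1].split(":")[0]
        findings.append(("url:" + host.lower(), classify_domain(host, trusted)))
    return findings


# Constructed sample resembling the campaign OCR described (not a real message).
SAMPLE_FROM = '"OCR Audit" <OSOCRAudit@hhs-gov.us>'
SAMPLE_BODY = ("You have been selected for the Phase 2 HIPAA audit. "
               "Confirm at http://www.hhs-gov.us/audit within 48 hours.")

if __name__ == "__main__":
    for indicator, verdict in scan_message(SAMPLE_FROM, SAMPLE_BODY):
        print(f"{verdict:<10} {indicator}")
```

This only catches domains that imitate a trusted one; a From: header can also be forged to read exactly OSOCRAudit@hhs.gov, so in a mail gateway this check belongs alongside SPF, DKIM and DMARC results rather than in place of them.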
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published an alert on Monday describing a phishing campaign disguised as an email from OCR. The email is being circulated on mock HHS letterhead under the signature of OCR’s Director Jocelyn Samuels and is being sent to HIPAA covered entities and their business associates. The email prompts recipients to click a link regarding possible inclusion in the HIPAA Privacy, Security, and Breach Rules Audit Program. When clicked, the link takes the recipient to a non-governmental website marketing a firm’s cybersecurity services. In its alert, HHS clarified that it is in no way associated with the firm.
Covered Entities and Business Associates should be aware of this email and should make their workforces aware of it. This can also serve as an important reminder of the importance of being vigilant about phishing campaigns and not clicking links in any email that seems suspicious or unexpected.
While the firm’s specific claims of inclusion in the audit program are not based in fact, OCR’s audit program is itself quite real. This past July we discussed the audit letters that were sent to health care providers and health care clearinghouses alerting them to their inclusion in the audit. We also described how OCR would be auditing business associates during the fall season. Given that fall is upon us, it is now more critical than ever for business associates to review their compliance efforts.
Most of the post-election discussion of the ACA has focused on how promises to repeal the law could impact the newly insured. But one priority area of the ACA that has received very little discussion is the federal government’s strategy to try to rein in health care costs by reducing volume and promoting quality. Complicating the push to fully repeal the ACA is the fact that key elements of the ACA’s cost control strategy have found their way into the Medicare Access and CHIP Reauthorization Act (MACRA) passed by Congress in 2015.
MACRA was passed on a bipartisan, bicameral basis, creating a two-track system for Medicare provider reimbursement incentive payments. On one track is the more traditional fee-for-service reimbursement structure that will be subject to payment adjustments under a consolidated quality reporting system called the Merit-Based Incentive Payment System (MIPS). The second track, which entails greater incentive payments, addresses reimbursement for providers participating in alternative payment models (APMs) like accountable care organizations (ACOs) and other demonstration programs that have been created under CMS’s Center for Medicare & Medicaid Innovation (CMMI). We discussed these changes at length in our post last month.
While the sweeping Republican election victory portends extensive changes in many areas of health care, MACRA is not likely to see extensive changes–at least not directly. Moving payment policy away from volume and towards quality was a goal for all the Congressional offices participating in the construction of MACRA. However, the implementation of MACRA could still face challenges if Congressional Republicans decide to repeal or constrain the ACA sections that give CMS the authority to operate the CMMI. Such a move would not be outside the realm of possibility; as we previously discussed, the CMMI has been a frequent target of criticism by Congressional Republicans. A full repeal of the ACA, or even limitations to the CMMI’s authority or budget, could cripple the government’s ability to operate the demonstration projects that are the cornerstones of MACRA.
Stakeholders need to engage with CMS moving forward, albeit a CMS under new management, to ensure that changes to the ACA do not have unintended consequences on MACRA’s implementation. CMS may seek to streamline the numerous payment policies that have been proposed under the current Administration. Alternatively, it is possible that CMS will be active in creating its own versions of alternative payment models. One area of potential focus for further reform might be the so-called ACO Tracks 2 and 3 under the Medicare Shared Savings Program (MSSP), participation in which will now make providers eligible to receive APM incentive payments. Yet CMMI to date has struggled to find the right mix of payment reform, such as requiring two-sided risk, and payment incentives to show significant MSSP savings. In either case, the provider community will be closely watching the developments related to this already complex and daunting transition.
On October 7, 2016, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) published guidance to assist cloud service providers (CSPs) and their customers with HIPAA compliance. As discussed below, the guidance clarifies important questions about operating in the cloud, including the role of encryption when determining whether a cloud service provider is a business associate. Continue Reading HHS Publishes Guidance on HIPAA and Cloud Computing