It was a busy April for the Office for Civil Rights (“OCR”) (see our prior post on a settlement from earlier in April). On April 20, OCR announced a Resolution Agreement with Center for Children’s Digestive Health, S.C. (“CCDH”) related to CCDH’s failure to enter into a business associate agreement with a paper medical records storage vendor. The cost of that missing agreement? $31,000. Then, on April 24, OCR announced a settlement with CardioNet, a remote monitoring company for cardiac arrhythmias, related to CardioNet’s failure to implement compliant HIPAA policies and procedures and failure to conduct a sufficient risk assessment. The price of those failures? $2.5 million!
Kate Stewart is the Associate Editor of Health Law & Policy Matters and is an Associate in the firm’s Boston office. Kate’s practice involves a variety of regulatory and transactional matters for healthcare providers, including hospitals, physician groups, clinical laboratories, retail health clinics, and pharmacies. Kate counsels health care clients on HIPAA compliance, telemedicine practice, licensure and scope of practice issues, clinical trial compliance, physician contracting and the federal Physician Payments Sunshine Act.
Regular readers of our blog know that we’ve been following developments related to biosimilar products for some time (see our past coverage here). On April 26, 2017, the U.S. Supreme Court heard oral argument in its first case involving the Biologics Price Competition and Innovation Act (“BPCIA”), Amgen v. Sandoz. Our Intellectual Property colleague Thomas Wintner attended the Court’s oral argument (in the “good seats,” no less, as a member of the Supreme Court bar) and prepared a client alert that recaps the argument. The full client alert is available here. Stay tuned for further analysis and updates on this important biosimilar case and other developments in the field.
Today, our colleagues at ML Strategies provided another installment of their Health Care Weekly Preview. The preview highlights upcoming activity in the House and Senate and other hot topics on the Hill. Highlights this week include the potential of a government shutdown, uncertainty around cost-sharing reductions for the 2018 plan year, and scheduled mark-ups by the Senate HELP Committee.
For an outlook on health care policy in the coming months in Congress, ML Strategies provided their insight in our prior post.
Earlier this week, the Mintz Levin privacy team updated the “Mintz Matrix,” its summary of the U.S. state data breach notification laws, to reflect changes in New Mexico, Tennessee, and Virginia. As the privacy team reports, now that New Mexico has enacted a data breach notification law, Alabama and South Dakota are the only states without one. Their full blog post on the updates is available here.
In addition to complying with HIPAA, health care organizations must remain aware of the separate state notification obligations and other state privacy and security laws when responding to data breaches. These state laws are often broader than HIPAA and may apply to personally identifiable information that is not protected health information.
Our quick disclaimer: The Mintz Matrix is for informational purposes only and does not constitute legal advice or opinions regarding any specific facts relating to specific data breach incidents. You should seek the advice of experienced legal counsel (e.g., the Mintz Levin privacy team) when reviewing options and obligations in responding to a particular data security breach.
Earlier this week, the HHS Office for Civil Rights (“OCR”) announced a $400,000 settlement with Metro Community Provider Network (“MCPN”) related to a 2012 HIPAA breach caused by a phishing scam. The phishing attack gave a hacker access to MCPN employees’ email accounts and, through them, to the electronic protected health information (“ePHI”) of 3,200 individuals. In investigating the breach, OCR determined that MCPN had not conducted a security risk analysis (a HIPAA requirement) before the breach. Further, OCR found that even the risk analysis MCPN eventually conducted was insufficient to meet the requirements of the HIPAA Security Rule.
In addition to the $400,000 fine, MCPN agreed to a corrective action plan with OCR. That plan requires MCPN to conduct a comprehensive risk analysis and to submit a written report on the risk analysis to OCR. Additionally, MCPN will be required to develop an organization-wide risk management plan, to review and revise its Security Rule policies and procedures, to review and revise its Security Rule training materials, and to report to OCR any instance of a workforce member failing to comply with its Security Rule policies and procedures.
Last week, the FBI issued guidance specifically applicable to medical and dental facilities regarding the cybersecurity risk of File Transfer Protocol (“FTP”) servers operating in “anonymous” mode. FTP servers are routinely used to transfer files between network hosts. As described in the guidance, an FTP server can be configured to permit anonymous users (those who log in with a common user name such as “anonymous” and without a password) to access the files stored on the server, which might include sensitive information about patients. Beyond directly exposing the stored information, an attacker could also use an FTP server in anonymous mode to launch a cyber attack on the entity.
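A facility that wants to know whether any of its FTP servers is in anonymous mode can check from the network the same way an attacker's scanner would: connect, log in as “anonymous”, and see whether the server answers 230 (logged in) or refuses with a 5xx reply. The Python script below is an added example, not code from the FBI guidance or from this blog. It uses the standard-library `ftplib` client, which by convention sends `anonymous@` as the password (anonymous FTP accepts an e-mail address, or anything at all, in place of a real password). Because a live server is not available here, the script also includes a constructed stub that speaks just enough of the FTP control channel on 127.0.0.1 to exercise the probe in both configurations; against a real host only `probe_anonymous_ftp()` is needed.

```python
"""Anonymous-FTP exposure check.

Added example (not from the FBI guidance or the blog). probe_anonymous_ftp()
attempts an anonymous login on an FTP control channel and reports the
result. start_stub_ftp_server() is a constructed stand-in for a real server
so the probe can be run offline.
"""
import ftplib
import socket
import threading


def probe_anonymous_ftp(host, port=21, timeout=5.0):
    """Return True if the server accepts an anonymous login, False if the
    login is refused, and None if no FTP service answered at host:port."""
    ftp = ftplib.FTP()
    try:
        ftp.connect(host, port, timeout=timeout)   # waits for the 220 banner
    except (OSError, EOFError, ftplib.Error):
        return None
    try:
        # ftplib's default login sends USER anonymous / PASS anonymous@.
        # A 230 reply means the server let us in without credentials.
        ftp.login()
        return True
    except ftplib.Error:          # e.g. 530 "Login incorrect" (error_perm)
        return False
    finally:
        try:
            ftp.quit()
        except (OSError, EOFError, ftplib.Error):
            pass


def start_stub_ftp_server(anonymous_enabled):
    """Constructed stand-in for an FTP server's control channel on 127.0.0.1.

    It implements only the RFC 959 replies the probe needs (220, 331, 230,
    530, 221). Returns (port, stop) where stop() shuts the listener down.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))        # port 0: let the OS pick a free port
    listener.listen(5)
    listener.settimeout(0.2)               # lets the accept loop notice stop()
    port = listener.getsockname()[1]
    stopping = threading.Event()

    def handle(conn):
        with conn, conn.makefile("rb") as rfile:
            conn.sendall(b"220 stub FTP service ready\r\n")
            user = None
            for raw in rfile:
                cmd, _, arg = raw.decode("ascii", "replace").strip().partition(" ")
                cmd = cmd.upper()
                if cmd == "USER":
                    user = arg.strip().lower()
                    conn.sendall(b"331 Password required\r\n")
                elif cmd == "PASS":
                    # Anonymous mode: any password is accepted for "anonymous".
                    if user == "anonymous" and anonymous_enabled:
                        conn.sendall(b"230 Anonymous login ok\r\n")
                    else:
                        conn.sendall(b"530 Login incorrect\r\n")
                elif cmd == "QUIT":
                    conn.sendall(b"221 Goodbye\r\n")
                    return
                else:
                    conn.sendall(b"530 Please login with USER and PASS\r\n")

    def serve():
        while not stopping.is_set():
            try:
                conn, _ = listener.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            handle(conn)
        listener.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stopping.set


if __name__ == "__main__":
    for enabled in (True, False):
        port, stop = start_stub_ftp_server(anonymous_enabled=enabled)
        verdict = probe_anonymous_ftp("127.0.0.1", port)
        print(f"stub with anonymous_enabled={enabled}: anonymous login -> {verdict}")
        stop()
```

A `True` verdict on a production host means the remediation is a configuration change on the server (in vsftpd, for example, `anonymous_enable=NO`), followed by a review of what was stored there. Two caveats a practitioner should keep in mind: a refusal only shows that anonymous login is off, not that the files are safe, and plain FTP sends every user name, password and file in cleartext, so even a non-anonymous FTP server handling patient data is better replaced with SFTP or FTPS.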
Last week, our antitrust colleagues Bruce Sokler, Robert Kidwell, and Farrah Short, published a Health Care Antitrust Alert on the recent settlement with the Federal Trade Commission by a Puerto Rican ophthalmologist cooperative on charges that the cooperative orchestrated an illegal boycott of a health plan.
As noted in the alert, the case represents the risks of concerted action among competitors, even when that concerted action is facilitated by an otherwise lawful trade association or membership organization.
Today, our colleagues at ML Strategies released their first look at what the results of Tuesday’s election mean for health care. The client alert addresses both the lame duck session and what to expect in 2017 and beyond. Key issues areas include the future of the Affordable Care Act, MACRA, drug pricing, and FDA User Fee Act reauthorization.
In the coming days, ML Strategies will be sharing further insight into what the election means for health care and what to expect from the new administration and Congress.
Pharmaceutical industry enforcement has been one of the hottest topics in the news in the past month. Last week, Ellyn Sternfield and Rodney Whitlock were quoted by cnbc.com regarding the recent Mylan settlement:
[T]he Justice Department ‘does not have the authority to settle states’ individual drug rebate claims against Mylan, which means any potential ‘global’ settlement with the states raises a variety of issues.’ Those issues include the fact ‘Medicaid Drug Rebate settlement terms for each individual state will have to be agreed to by each individual participating state’s Attorney General and in many states, also by the State Medicaid Agency.’
For more insight from Ellyn, Theresa Carnegie, and Larry Freedman, please join us this Wednesday, October 26 at 1pm (ET) for a webinar discussing health care fraud enforcement in the pharmacy and pharmaceutical industry. In addition to covering topics related to pharmaceutical manufacturers, the webinar will cover topics related to pharmacies, pharmacy benefit managers (PBMs), and health insurers.
The webinar is approved for CLE credit in California and New York.
You can register for the webinar here.
The Massachusetts Department of Public Health (DPH) has released proposed amended regulations for the licensure of hospitals, clinics, and out-of-hospital dialysis units, proposed the rescission of separate birth center regulations, and proposed amended regulations for medical marijuana. At a very busy September 14, 2016 Public Health Council Meeting, senior DPH staff presented the proposed regulations, highlighting key objectives and fielding questions and comments from Council members. Commissioner Monica Bharel, MD, MPH, commended DPH staff for their hard work on the amendments.
In the proposed facility licensing regulations, key themes across all facility types included:
- Removing outdated regulations;
- Updating standards to give additional flexibility while protecting patient safety and tying regulatory standards to nationally recognized, evidence-based guidelines;
- Aligning state and federal requirements; and
- Providing clearer timelines and guidance for initial license applications, change of ownership or location, and facility closure.
The proposed regulations and the presentations are available below, along with public hearing dates and comment deadlines. As discussed in a recent post regarding proposed amendments to the Determination of Need Regulations, consistent with Governor Baker’s Executive Order 562, DPH is reviewing and, where possible, streamlining, simplifying and improving its regulations. These proposals are sure to generate much discussion and comment. In the meantime, please stay tuned for more detailed posts on these amendments.
| Topic | Citation | Proposed Amended Regulations | DPH Presentation | Public Hearing Date | Comment Deadline |
| --- | --- | --- | --- | --- | --- |
| Hospitals | 105 CMR 130.000 | Link | Link | October 24, 9:30 AM | October 28 |
| Clinics | 105 CMR 140.000 | Link | Link | October 25, 9:30 AM | October 28 |
| Dialysis Units | 105 CMR 145.000 | Link | Link | October 25, 9:30 AM | October 28 |
| Birth Centers | 105 CMR 142.000 | Link | Link | October 24, 9:30 AM | October 28 |
| Medical Marijuana | 105 CMR 725.000 | Link | Link | | |