Kate Stewart is the Associate Editor of Health Law & Policy Matters and is an Associate in the firm’s Boston office. Kate’s practice involves a variety of regulatory and transactional matters for healthcare providers, including hospitals, physician groups, clinical laboratories, retail health clinics, and pharmacies.  Kate counsels health care clients on HIPAA compliance, telemedicine practice, licensure and scope of practice issues, clinical trial compliance, physician contracting and the federal Physician Payments Sunshine Act.

Earlier this week, the Mintz Levin privacy team updated the “Mintz Matrix,” a summary of the U.S. state data breach notification laws, with updates from New Mexico, Tennessee, and Virginia. As the privacy team reports, with New Mexico enacting a data breach notification law, Alabama and South Dakota remain the only states without data breach notification laws. Their full blog post on the updates is available here.

In addition to complying with HIPAA, health care organizations must remain aware of the separate state notification obligations and other privacy and security laws when responding to data breaches. These state laws are often broader than HIPAA and may apply to personally identifiable information that is not protected health information.

Our quick disclaimer: The Mintz Matrix is for informational purposes only and does not constitute legal advice or opinions regarding any specific facts relating to specific data breach incidents. You should seek the advice of experienced legal counsel (e.g., the Mintz Levin privacy team) when reviewing options and obligations in responding to a particular data security breach.

Earlier this week, the HHS Office for Civil Rights (“OCR”) announced a $400,000 settlement with Metro Community Provider Network (“MCPN”) related to a 2012 HIPAA breach caused by a phishing scam. The phishing scam, carried out by accessing MCPN employees’ email accounts, gave a hacker access to the electronic protected health information (“ePHI”) of 3,200 individuals. In investigating the breach, OCR determined that, prior to the breach, MCPN had not conducted a security risk analysis (a requirement under HIPAA). Further, OCR found that even after MCPN conducted a risk analysis, its analysis was insufficient to meet the requirements of the HIPAA Security Rule.

In addition to the $400,000 fine, MCPN agreed to a corrective action plan with OCR. That plan requires MCPN to conduct a comprehensive risk analysis and to submit a written report on the risk analysis to OCR. Additionally, MCPN will be required to develop an organization-wide risk management plan, to review and revise its Security Rule policies and procedures, to review and revise its Security Rule training materials, and to report to OCR any instance of a workforce member failing to comply with its Security Rule policies and procedures.

Last week, the FBI issued guidance specifically applicable to medical and dental facilities regarding the cybersecurity risk of File Transfer Protocol (“FTP”) servers operating in “anonymous” mode. FTP servers are routinely used to transfer information between network hosts. As further described in the guidance, an FTP server can be configured to permit anonymous users (through the use of a common user name like “anonymous” and without the use of a password) to gain access to the information stored on the server, which might include sensitive information about patients. In addition to potentially directly compromising the security of the stored information, a hacker could use the FTP server in anonymous mode to launch a cyber attack on the entity.

Last week, our antitrust colleagues Bruce Sokler, Robert Kidwell, and Farrah Short published a Health Care Antitrust Alert on the recent settlement with the Federal Trade Commission by a Puerto Rican ophthalmologist cooperative on charges that the cooperative orchestrated an illegal boycott of a health plan.

As noted in the alert, the case represents the risks of concerted action among competitors, even when that concerted action is facilitated by an otherwise lawful trade association or membership organization.

The full alert can be found here and additional details about the settlement are available on the FTC’s website.

Today, our colleagues at ML Strategies released their first look at what the results of Tuesday’s election mean for health care. The client alert addresses both the lame duck session and what to expect in 2017 and beyond. Key issue areas include the future of the Affordable Care Act, MACRA, drug pricing, and FDA User Fee Act reauthorization.

In the coming days, ML Strategies will be sharing further insight into what the election means for health care and what to expect from the new administration and Congress.

Pharmaceutical industry enforcement has been one of the hottest topics in the news in the past month.  Last week, Ellyn Sternfield and Rodney Whitlock were quoted by cnbc.com regarding the recent Mylan settlement:

[T]he Justice Department ‘does not have the authority to settle states’ individual drug rebate claims against Mylan, which means any potential ‘global’ settlement with the states raises a variety of issues.’  Those issues include the fact ‘Medicaid Drug Rebate settlement terms for each individual state will have to be agreed to by each individual participating state’s Attorney General and in many states, also by the State Medicaid Agency.’

For more insight from Ellyn, Theresa Carnegie, and Larry Freedman, please join us this Wednesday, October 26 at 1pm (ET) for a webinar discussing health care fraud enforcement in the pharmacy and pharmaceutical industry.  In addition to covering topics related to pharmaceutical manufacturers, the webinar will cover topics related to pharmacies, pharmacy benefit managers (PBMs), and health insurers.

The webinar is approved for CLE credit in California and New York.

You can register for the webinar here.

The Massachusetts Department of Public Health (DPH) has released proposed amended regulations for the licensure of hospitals, clinics, and out-of-hospital dialysis units, proposed the rescission of separate birth center regulations, and proposed amended regulations for medical marijuana. At a very busy September 14, 2016 Public Health Council Meeting, senior DPH staff presented the proposed regulations, highlighting key objectives and fielding questions and comments from Council members.  Commissioner Monica Bharel, MD, MPH, commended DPH staff for their hard work on the amendments.

In the proposed facility licensing regulations, key themes across all facility types included:

  • Removing outdated regulations;
  • Updating standards to give additional flexibility while protecting patient safety and tying regulatory standards to nationally recognized, evidence-based guidelines;
  • Aligning state and federal requirements; and
  • Providing clearer timelines and guidance for initial license applications, change of ownership or location, and facility closure.

The proposed regulations and the presentations are available below, along with public hearing dates and comment deadlines. As discussed in a recent post regarding proposed amendments to the Determination of Need Regulations, consistent with Governor Baker’s Executive Order 562, DPH is reviewing and, where possible, streamlining, simplifying and improving its regulations. These proposals are sure to generate much discussion and comment. In the meantime, please stay tuned for more detailed posts on these amendments.

Topic | Citation | Proposed Amended Regulations | DPH Presentation | Public Hearing Date | Comment Deadline
Hospitals | 105 CMR 130.00 | Link | Link | October 24, 9:30AM | October 28
Clinics | 105 CMR 140.000 | Link | Link | October 25, 9:30AM | October 28
Dialysis Units | 105 CMR 145.000 | Link | Link | October 25, 9:30AM | October 28
Birth Centers | 105 CMR 142.000 | Link | Link | October 24, 9:30AM | October 28
Medical Marijuana | 105 CMR 725.000 | Link | Link | |

Our colleagues at ML Strategies, Eli Greenspan and Alexander Hecht, recently published an article in HFMA Advisor, the newsletter of the Massachusetts-Rhode Island chapter of the Healthcare Financial Management Association, on the impact of state Medicaid program transitions to managed care on brain injury waiver populations.  ML Strategies has reprinted the article here.

The article provides case studies from managed care transitions in Kansas, Kentucky, and New York, examining issues of service delivery and care disruption.  The article highlights the importance of stakeholder advocacy for vulnerable populations during managed care transitions.

Our colleagues at ML Strategies recently published their Outlook for Fall & Lame Duck, summarizing what to expect from Washington for the remainder of 2016.  The full Outlook is available here, and the portion related to health care is excerpted below.

Congress returns after Labor Day for a four-week sprint that will likely be centered on funding the government by way of a continuing resolution. Since Congress was last in session, the landscape on a number of health care issues remains unchanged. The Senate version of the House-passed Cures package is still in limbo, and mental health reform is no closer to the finish line than it was after the House finally passed its package after months of negotiating. Congress will have an opportunity to advance some issues in September before returning its focus to the 2016 election. After that, there will be a post-election “lame duck” legislative session – the scope of potential activity for which is uncertain at this point – to put the finishing touches on the 114th Congress. Here’s a look at issues that will likely come up in September:

Last week, in Deborah Heart & Lung Center v. Virtua Health, Inc., the Third Circuit affirmed a lower court’s dismissal of a suit filed by a hospital alleging an illegal exclusive dealing arrangement by a competing hospital and physician group for referrals made by the defendants to a third hospital rather than to the plaintiff hospital.  In its decision, the court emphasized the importance of market definitions in antitrust cases, and clarified an antitrust plaintiff’s burden when alleging a Sherman Act Section 1 claim with no allegation of market power.  The court held that anticompetitive effects in those cases must then be shown on the relevant market as a whole, not only on a small subset of the market.  In a Health Care Antitrust Alert, our antitrust colleagues Bruce Sokler and Farrah Short analyze the Third Circuit’s decision.