Photo of Ryan Cuthbertson

Back in late 2015, we blogged about the interesting twist in the $125 million Warner Chilcott settlement that a Massachusetts physician had been criminally charged with violating the Health Insurance Portability and Accountability Act (HIPAA).   See HERE for that previous post.

That physician has now been convicted of the HIPAA violation, as well as an unrelated charge of obstructing a federal health care investigation.  The US Attorney’s Office in Boston made the announcement late last month.

The Warner Chilcott settlement involved illegal drug promotion.  Specifically, sales reps were accused of flagging patient medical records with product brochures and filling out the provider’s prior authorization forms in advance for specific patients.  All of this required impermissible access to patient records.  The physician’s criminal liability stems from providing these sales reps with access to her patients’ records.  In some cases, the reps were even allowed to take the records home with them!

We are often reminded through settlements with the HHS Office for Civil Rights that HIPAA violations are taken seriously and can include hefty fines and corrective action plans (see HERE, HERE and HERE for just a few examples).  This case serves as fair warning that intentional misuse of protected patient information can lead to jail time.  When this physician is sentenced, she could be looking at up to a year in prison, a $50,000 fine, and a year of supervised release.  If you picture a sales rep combing through your personal health issues in his or her living room to determine whether you might be a sales target, it shouldn’t be so surprising that this conduct can rise to the level of criminal liability.

Earlier this week, Mintz Levin’s Privacy & Security Matters blog posted an update that Alabama has become the 50th state to enact a data breach notification law.

Although HIPAA is often a key focus, healthcare organizations must not lose sight of the various state reporting requirements applicable to their business.  For those healthcare organizations that store data about Alabama residents, take a look here for some key provisions of the newly minted “Alabama Data Breach Notification Act of 2018,” such as scope, notice requirements, and potential penalties.


On Monday, our colleagues Bruce Sokler and Farrah Short released a client alert: Attempted Monopolization Suit Based on Alleged Referral Steering Moves Forward with Court’s Acceptance as Plausible of a Geographic Market Limited to a Single Hospital.

The client alert discusses the holding in a recent monopolization suit brought by a private home health agency against a dominant public hospital system and its own home health agency. In its suit, the plaintiff alleges, among other things, that the hospital’s computer discharge system is set up to favor a home health agency owned by the hospital system.

The alert provides insight into how the plaintiff overcame procedural challenges, as well as an analysis of the substantive issues related to intra-system referrals.

The Department of Health and Human Services Office of the Inspector General (OIG) has issued an Advisory Opinion (Opinion) in connection with a hospital’s gainsharing arrangement (Arrangement) with a designated group of neurosurgeons who perform spinal fusion surgeries at the hospital. According to the Opinion, the OIG would not impose sanctions because the Arrangement, when viewed in its entirety, is not designed or likely to induce the neurosurgeons to (i) reduce or limit medically necessary services to their Medicare or Medicaid patients, or (ii) increase referrals to the hospital. This Opinion is the latest in a line of earlier advisory opinions to “bless” gainsharing arrangements that meet certain criteria for minimizing the risk of fraud and abuse. Continue Reading OIG Reaffirms Permissibility of Certain Gainsharing Arrangements

A draft bill recently introduced in the U.S. Senate serves as a good reminder that compliance with data breach reporting requirements is critical. The bill follows the significant, high-profile data breaches at Uber and Equifax, both of which involved millions of individuals (57 million and 145 million, respectively) and both of which went unreported for a significant period after the companies discovered them. Equifax took more than a month to notify the public, while Uber took more than a year. Continue Reading Proposed Law Would Criminalize Failures to Report Data Breaches

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) released its October Cybersecurity Newsletter last week with a focus on mobile devices. Given the amount of work conducted on mobile devices (odds are that at least some of you are reading this on a smart phone), the newsletter is practical for many in the health care industry. It is also timely in light of the increasing development and use of health apps. (For those developers interested in HIPAA and mobile devices, see our recent post here.)

The key HIPAA risk for health care organizations that use mobile devices is the compromise of electronic protected health information (ePHI), a risk compounded by the portability of these devices and their frequent lack of robust security controls. In its newsletter, OCR advises organizations to take several important steps to ensure that ePHI is well protected on mobile devices. According to OCR, organizations should:

  • Ensure that mobile devices are properly configured before accessing/storing ePHI
  • Train employees on the secure use of mobile devices and the risks of malware infecting mobile devices
  • Implement policies and procedures for mobile devices
  • Take certain IT-related precautions such as:
    • Automatic lock/logoff
    • Logon authentication
    • Regular software/security patch updates
    • Encryption, anti-virus and remote wipe capabilities
    • Use ONLY secure Wi-Fi connections
    • Use Virtual Private Networks (VPNs)
    • Limit downloads to only verified third-party apps

Depending on the size of your organization, some of these recommendations might sound a bit involved, but any efforts now can go a long way to saving you from a data breach. This is particularly true when considering that a breach involving health records can cost upwards of $350 per record.

The newsletter also contains links to much more detailed guidance and information for how to minimize cybersecurity risk on mobile devices.

Correction: An earlier version of this post incorrectly stated that the American Medical Association opposed the rule. The post has been updated to include the AMA’s full statement expressing support for the proposed rule. [October 10, 2017]

The U.S. Department of Veterans Affairs (“VA”) is taking a significant step towards expanding needed services to Veterans by proposing a rule to preempt state restrictions on telehealth.

Most states currently restrict providers (including VA employees) from treating patients that are located in that state if the provider is not licensed there. As a result, the VA has had difficulty getting a sufficient number of providers to furnish services via telemedicine for fear that they will face discipline from those states for the unlicensed practice of medicine. Continue Reading Department of Veterans Affairs Aims to Trump State Telemedicine Rules

A New Jersey Supreme Court case earlier this summer has New Jersey lawyers re-examining their clients’ business structures under the State’s corporate practice of medicine doctrine.

Many states prohibit the corporate practice of medicine (“CPOM”) in order to prevent or limit a lay person from interfering with a physician’s independent medical judgment. In New Jersey, for example, the State Board of Medical Examiners’ regulations prohibit a licensee with a more limited scope of practice (e.g., physical therapists, chiropractors, nurse practitioners, etc.) from employing physicians.

In Allstate Ins. Co. v. Northfield Med. Ctr., P.C., 2017 BL 148804 (N.J. May 4, 2017), the New Jersey Supreme Court ruled that a chiropractor (and the attorney who advised on the structure) may have violated the Insurance Fraud Prevention Act because, under the structure, the chiropractor could terminate the physician’s employment at any time and had more control over the practice’s profits than the physician (who is required to own a majority interest in the practice in New Jersey). Thus, the court ruled that the medical practice was controlled by the chiropractor rather than the physician, in violation of New Jersey’s CPOM prohibition.

Submitting claims while a practice is structured in violation of the CPOM doctrine can lead to insurers recouping payments as false claims. Individual physicians, corporations, and attorneys can also face disciplinary action for their involvement in setting up or operating the fraudulent entity.

It is important that the organizational documents are set up to give the physician control over the practice, but this control should be exercised in reality and not just on paper. Physicians often have managers run many of the business aspects of the practice, but the physician should have the final say with respect to the medical and financial decisions of the practice and the hiring and firing of professionals.  Courts may look past the face of the documents to see who is really calling the shots on a daily basis.

While this recent case is spurring attorneys to evaluate their clients’ structures in New Jersey, this is a good reminder to take a fresh look at CPOM restrictions in other states as well.  Make sure your structure works at the outset and re-examine every so often to adapt with evolving laws and court interpretations of such laws.

In the recently published proposed rule related to the CY 2018 Hospital Outpatient Prospective Payment System (OPPS), the Centers for Medicare & Medicaid Services (CMS) announced that it is considering changes to the regulation governing the date of service (DOS) for clinical laboratory and pathology specimens.  The DOS rules are important to laboratories and hospitals because they dictate which party must bill Medicare for certain laboratory testing performed on stored specimens collected during a hospital procedure but ordered after the patient has left the hospital.  If revisions are ultimately finalized, the proposal could have significant business implications for independent laboratories and hospitals.

Continue Reading CMS May Decide to Permit Labs to Bill for Certain Tests Provided to Outpatients

Last week, the HHS Office for Civil Rights (OCR) launched an improved version of their HIPAA Breach Reporting Tool (HBRT), commonly referred to by OCR and regulated entities alike as the HIPAA “Wall of Shame.” OCR has also made minor changes to the interface for breach reporting.

The HBRT now makes it easy to navigate and mine information on all reported breaches affecting 500 or more individuals (the tool lists breaches of that size, which must be reported to OCR within 60 days of discovery; smaller breaches must still be reported, but are not posted). Continue Reading The HIPAA “Wall of Shame” is Now Easier to Navigate