Photo of Sarah Beth S. Kuyers

Privacy and security compliance obligations for health care companies remain hot topics this spring. Health care companies must now contend with data breach laws in all 50 states while also keeping on top of federal HIPAA developments.

New Colorado Data Breach Law

Our Privacy and Security colleagues recently blogged about a new Colorado law that imposes strict requirements on entities that maintain, own, or license personal identifying information of Colorado residents. The law broadly defines “personal identifying information” as a Social Security number; a personal identification number; a password or passcode; a driver’s license or identification card number; a passport number; biometric data; an employer, student, or military identification number; or a financial transaction device. In addition, the law requires entities to report breaches of such data within 30 days of discovery.

Continue Reading Privacy and Security Round-up – Colorado Data Breach Law, Guidance from OCR

The May 2018 cyber security newsletter from the U.S. Department of Health and Human Services Office for Civil Rights (OCR) focused on a topic often overlooked by covered entities and their business associates: physical security. The HIPAA Security Rule requires covered entities and business associates to implement “physical safeguards for all workstations that access ePHI to restrict access to authorized users.”

Continue Reading OCR Highlights Importance of Physical Safeguards to Protect PHI

Mintz Levin’s Health Care Enforcement Defense Group released its most recent Health Care Qui Tam Update yesterday.  This Update analyzes 56 qui tam cases unsealed in October and November of last year. None of the 56 cases in this Update were unsealed within the statutorily-mandated 60 days, but one case was unsealed in 71 days. Additional trends include:

  • Cases were most often brought against hospitals, health systems, pharmaceutical manufacturers, and pharmacies;
  • The government intervened in 20% of the cases;
  • Of the cases in which the government declined to intervene, 60% continued to be litigated (at least initially) by the relators; and
  • Cases continue to be brought most often by former or current employees.


The U.S. Department of Health and Human Services Office for Civil Rights (OCR) recently announced a $100,000 settlement with a company that is no longer in business. Filefax, Inc. (Filefax) was an Illinois company that provided storage and delivery services for medical records held by covered entities. OCR had been investigating Filefax since 2015 for allegedly leaving medical records containing PHI of approximately 2,150 patients in an unlocked vehicle in a Filefax parking lot and/or allowing an unauthorized person to remove the files from the facility.

A court-ordered receiver liquidated Filefax’s assets in 2016.  As part of the settlement with OCR, the receiver agreed to pay $100,000 and properly dispose of all medical records and PHI remaining in Filefax’s possession. The settlement amount may be small, but the circumstances are striking. OCR’s pursuit of a settlement against a defunct company serves as a lesson to other health care companies that no one is off limits to HIPAA enforcement actions.

OCR’s press release about the settlement is available here.

Mintz Levin’s Health Care Enforcement Defense Group recently published its latest Health Care Qui Tam Update. This Update analyzes the 47 health care-related qui tam cases unsealed in August and September 2017. Highlights from this Update include:

  • a relatively high rate of intervention;
  • cases filed in 30 different courts;
  • cases brought against a variety of different health care providers;
  • almost half of the cases filed by current or former employees; and
  • faster times for unsealing cases.

Continue Reading Mintz Levin’s Health Care Enforcement Defense Group Releases New Qui Tam Update

As we look back on 2017, one message is clear: don’t be a Scrooge when it comes to HIPAA compliance. With ever-evolving security threats and unrelenting enforcement, regulated entities must maintain a spirit of compliance that lasts the whole year through.  It is in that spirit – and with apologies to Charles Dickens – that our HIPAA year in review is brought to you by the ghosts of HIPAA Past, HIPAA Present and HIPAA Yet to Come.

The Ghost of HIPAA Past

2017 continued to be haunted by large-scale data breaches. As reported by our Privacy & Security colleagues, Equifax announced one of the largest breaches in US history in September, which involved highly sensitive information such as social security numbers and birth dates. The Equifax breach didn’t involve health information, but in July, OCR sent a clear message regarding the importance of health information security and ratcheted up the fear factor associated with its HIPAA Breach Reporting Tool (HBRT), commonly referred to as the HIPAA “Wall of Shame.” The updates make it easier to search and view information about data breaches and make it harder for offenders to hide in the aftermath of a breach.

Continue Reading Bah, Humbug! HIPAA Compliance Isn’t Getting Any Easier

Earlier this week we released a Health Care Enforcement Advisory about a recent decision from the U.S. Court of Appeals for the Fifth Circuit that may have a significant impact on the element of “materiality” in False Claims Act (FCA) cases. A panel of judges on the Fifth Circuit overturned a district court decision after a jury found the defendant, Trinity Industries, Inc. (Trinity), liable under the FCA for changing its highway guardrail design without disclosing such changes to the Federal Highway Administration (“FHWA”). The Fifth Circuit decided as a matter of law that the case lacked the element of “materiality” required in FCA cases.

Continue Reading Fifth Circuit Limits FCA Liability Due to Lack of “Materiality” in Highway Guardrails Case

Irma over the Southeastern U.S. – Courtesy of NOAA

As Texas, Florida, and the Caribbean rebuild after the latest string of deadly hurricanes and prepare for the possibility of future storms, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) reminded health care providers of the importance of ensuring the availability and security of health information during and after natural disasters.  OCR’s guidance is a good reminder to all health care providers – regardless of where they are located – of the applicability of the HIPAA Privacy and Security Rules during natural disasters and other emergencies.

Continue Reading In the Wake of Harvey and Irma, OCR Reminds Providers of HIPAA Rules

A court in the Southern District of New York (“SDNY” or the “Court”) recently released an important decision applying the Supreme Court’s landmark Escobar ruling to a qui tam action involving percentage fee arrangements for billing agents. Among other claims, the City of New York (“the City”) and its billing agent, Computer Sciences Corporation (“CSC”), allegedly used an illegal incentive-based compensation arrangement for CSC’s services when billing New York Medicaid for services provided to eligible children under New York’s Early Intervention Program (“EIP”). EIP provides “early intervention services” to certain children with developmental delays using federal funds provided under the Individuals with Disabilities Education Act. EIP allows municipalities like the City to pay providers directly for EIP services and then seek reimbursement from other payors, like third party payors and New York Medicaid.

Continue Reading Implied False Certification Theory Fails in FCA Case Against Billing Agent

Continuing its annual tradition, the U.S. Department of Justice (“DOJ”) and the U.S. Department of Health and Human Services (“HHS”) announced last week the largest ever health care fraud enforcement action by the Medicare Fraud Strike Force.  As part of the national health care fraud takedown, the government charged 412 defendants with approximately $1.3 billion in alleged fraud. In addition to these charges, HHS Office of Inspector General (“OIG”) is in the process of excluding 295 health care providers from participating in federal health care programs.

Continue Reading DOJ and OIG Announce Largest Ever National Health Care Fraud Takedown; Focus on Opioids