As Texas, Florida, and the Caribbean rebuild after the latest string of deadly hurricanes and prepare for the possibility of future storms, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) reminded health care providers of the importance of ensuring the availability and security of health information during and after natural disasters. OCR’s guidance is a good reminder to all health care providers – regardless of where they are located – of the applicability of the HIPAA Privacy and Security Rules during natural disasters and other emergencies.
Sarah Beth S. Kuyers is an Associate in the Health Law Practice and is based in the firm’s Washington, DC office. She advises health care providers, pharmacy benefit managers, and laboratories on regulatory issues. Before joining the firm, Sarah Beth was a law clerk with the health staff of the Senate Committee on Finance, where her research focused on commercial insurance reform, health IT, Medicare, Medicaid, and the Affordable Care Act.
A court in the Southern District of New York (“SDNY” or the “Court”) recently released an important decision applying the Supreme Court’s landmark Escobar ruling to a qui tam action involving percentage fee arrangements for billing agents. Among other claims, the City of New York (“the City”) and its billing agent, Computer Sciences Corporation (“CSC”), allegedly used an illegal incentive-based compensation arrangement for CSC’s services when billing New York Medicaid for services provided to eligible children under New York’s Early Intervention Program (“EIP”). EIP provides “early intervention services” to certain children with developmental delays using federal funds provided under the Individuals with Disabilities Education Act. EIP allows municipalities like the City to pay providers directly for EIP services and then seek reimbursement from other payors, like third-party payors and New York Medicaid.
Continuing its annual tradition, the U.S. Department of Justice (“DOJ”) and the U.S. Department of Health and Human Services (“HHS”) announced last week the largest ever health care fraud enforcement action by the Medicare Fraud Strike Force. As part of the national health care fraud takedown, the government charged 412 defendants with approximately $1.3 billion in alleged fraud. In addition to these charges, HHS Office of Inspector General (“OIG”) is in the process of excluding 295 health care providers from participating in federal health care programs.
OCR released a simple checklist and infographic last week to assist Covered Entities and Business Associates with responding to potential cyber attacks. As cybersecurity remains a pressing concern for health care entities, these guidance documents are a useful reminder of best practices that health care entities should have in place in case of a cybersecurity incident.
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced another large HIPAA-related settlement last week with Memorial Hermann Health System (Memorial Hermann), the largest not-for-profit health system in southeast Texas. Memorial Hermann agreed to pay $2.4 million and to comply with a corrective action plan after publicly disclosing a patient’s name in the title of a press release regarding an incident at one of its clinics. In a week that has been filled with high-tech cybersecurity issues (see our recent blog posts on the WannaCry attack here and here), this settlement is a good reminder of HIPAA obligations unrelated to technology.
On May 11, 2017, the Senate Health, Education, Labor and Pensions (HELP) Committee voted in support of the FDA Reauthorization Act of 2017, or FDARA, now formally moving through the legislative process as S. 934. The committee voted almost unanimously to move the bipartisan bill forward, with only Senator Bernie Sanders (I-Vt.) and Senator Rand Paul (R-Ky.) voting against it. And in an interesting overlap of FDA-related news, the Agency’s brand-new Commissioner, Dr. Scott Gottlieb, was also sworn in on May 11th following a speedy (albeit politically controversial and party-line) confirmation process and Senate vote. With less than a week on the job, Dr. Gottlieb is already receiving pressure from varied stakeholders to ensure the user fee legislation is enacted in a timely manner in order to avoid disrupting the Agency’s work.
We recently updated our chart that tracks state biosimilar substitution laws to include new laws in Iowa and Montana. These new laws bring the total number of states with biosimilar substitution laws to 27, plus Puerto Rico. The latest version of our chart can be found here. As with the laws we’ve seen before, both the Iowa and Montana biosimilar amendments mirror the state’s existing generic drug substitution laws. More specifically, they amend state pharmacy laws to allow, and in some situations require, the substitution of interchangeable biosimilars.
As we’ve previously discussed on Health Law and Policy Matters, agencies within the Department of Health and Human Services (DHHS) pushed through several final rules towards the end of the Obama Administration (see here and here). However, since taking office, President Trump has followed through on his campaign promise to significantly roll back Federal regulations and has taken several actions aimed at slowing and reversing agency regulatory processes, including processes at the DHHS sub-agencies CMS and FDA. These executive actions are creating a climate of uncertainty for regulated industries and their stakeholders.
As reported on the Privacy and Security Matters blog last week, the Mintz Levin privacy team recently updated the “Mintz Matrix,” a summary of the U.S. state data breach notification laws that we update on a quarterly basis, or more frequently as needed. In addition to HIPAA, health care organizations must remain aware of the separate state notification obligations and other privacy and security laws when responding to data breaches. The Mintz Matrix is available here.
The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) recently announced the first ever settlement related to a Covered Entity’s untimely breach notification in violation of HIPAA. Presence Health, a health care network in Illinois, discovered a breach of unsecured personal health information (PHI) on October 22, 2013. After Presence Health reported the breach to OCR over three months later, on January 31, 2014, OCR determined that Presence Health failed to notify OCR, each of the affected individuals, and prominent media outlets of the breach without unreasonable delay and within 60 days of learning of the breach, as required of Covered Entities under HIPAA. The violation resulted in a $475,000 settlement between OCR and Presence Health.