It was a busy April for the Office for Civil Rights (“OCR”) (see our prior post on a settlement from earlier in April). On April 20, OCR announced a Resolution Agreement with Center for Children’s Digestive Health, S.C. (“CCDH”) related to CCDH’s failure to enter into a business associate agreement with a paper medical records storage vendor. The cost of that missing agreement? $31,000. Then, on April 24, OCR announced a settlement with CardioNet, a remote monitoring company for cardiac arrhythmias, related to CardioNet’s failure to implement compliant HIPAA policies and procedures and failure to conduct a sufficient risk assessment. The price of those failures? $2.5 million! Continue Reading Two HIPAA Mistakes Lead to Fines from OCR
Earlier this week, the Mintz Levin privacy team updated the “Mintz Matrix,” a summary of the U.S. state data breach notification laws, with updates from New Mexico, Tennessee, and Virginia. As the privacy team reports, with New Mexico enacting a data breach notification law, only Alabama and South Dakota remain without data breach notification laws. Their full blog post on the updates is available here.
In addition to complying with HIPAA, health care organizations must remain aware of the separate state notification obligations and other privacy and security laws when responding to data breaches. These state laws are often broader than HIPAA and may apply to personally identifiable information that is not protected health information.
Our quick disclaimer: The Mintz Matrix is for informational purposes only and does not constitute legal advice or opinions regarding any specific facts relating to specific data breach incidents. You should seek the advice of experienced legal counsel (e.g., the Mintz Levin privacy team) when reviewing options and obligations in responding to a particular data security breach.
Earlier this week, the HHS Office for Civil Rights (“OCR”) announced a $400,000 settlement with Metro Community Provider Network (“MCPN”) related to a 2012 HIPAA breach caused by a phishing scam. The phishing scam, carried out by accessing MCPN employees’ email accounts, gave a hacker access to the electronic protected health information (“ePHI”) of 3,200 individuals. In investigating the breach, OCR determined that, prior to the breach, MCPN had not conducted a security risk analysis (a requirement under HIPAA). Further, OCR found that even after MCPN conducted a risk analysis, its analysis was insufficient to meet the requirements of the HIPAA Security Rule.
In addition to the $400,000 fine, MCPN agreed to a corrective action plan with OCR. That plan requires MCPN to conduct a comprehensive risk analysis and to submit a written report on the risk analysis to OCR. Additionally, MCPN will be required to develop an organization-wide risk management plan, to review and revise its Security Rule policies and procedures, to review and revise its Security Rule training materials, and to report to OCR any instance of a workforce member failing to comply with its Security Rule policies and procedures. Continue Reading Gone Phishin’: Hack Leads to HIPAA Settlement
Last week, the FBI issued guidance specifically applicable to medical and dental facilities regarding the cybersecurity risk of File Transfer Protocol (“FTP”) servers operating in “anonymous” mode. FTP servers are routinely used to transfer information between network hosts. As further described in the guidance, an FTP server can be configured to permit anonymous users (those who log in with a common user name such as “anonymous” and no password) to gain access to the information stored on the server, which might include sensitive information about patients. In addition to potentially directly compromising the security of the stored information, a hacker could use the FTP server in anonymous mode to launch a cyber attack on the entity. Continue Reading FBI Warns of Cybersecurity Risk from FTPs
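For readers who administer such a server, the following vsftpd configuration fragment is an added illustration (not part of the FBI guidance or of this post) of the weak setting the guidance describes beside the corrected one. It assumes the common vsftpd daemon; other FTP servers use different directive names.

```ini
# --- Weak: the configuration the FBI guidance warns about ---
# Any client that sends the user name "anonymous" (or "ftp") with
# no password can log in and read whatever the server exposes.
anonymous_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES

# --- Corrected: anonymous mode off, authenticated users only ---
anonymous_enable=NO
local_enable=YES
write_enable=YES
# Confine each authenticated user to their own home directory so a
# compromised account cannot browse the rest of the file system.
chroot_local_user=YES
# Require TLS for logins and data transfers so credentials and files
# are not sent in the clear.
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
# Keep a transfer log and full protocol log for incident review.
xferlog_enable=YES
log_ftp_protocol=YES
```

After changing the file, restart the daemon and confirm from a separate host that an `anonymous` login is refused; the protocol log will record the rejected attempt, which is also a useful signature to watch for in ongoing monitoring.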
As we’ve previously discussed on Health Law and Policy Matters, agencies within the Department of Health and Human Services (DHHS) pushed through several final rules towards the end of the Obama Administration (see here and here). However, since taking office, President Trump has followed through on his campaign promise to significantly roll back Federal regulations and has taken several actions aimed at slowing and reversing agency regulatory processes, including processes at the DHHS sub-agencies CMS and FDA. These executive actions are creating a climate of uncertainty for regulated industries and their stakeholders. Continue Reading Trump Executive Orders Create Uncertainty for Health Care & Pharmaceutical Industries
The waiver of copayments, coinsurance, and deductibles owed by patients treated by out-of-network laboratories and other providers is a hot topic in the health care industry. Despite the near absence of clear legal prohibitions on this practice, commercial insurers are aggressively pursuing out-of-network providers who fail to collect amounts owed by their members under a variety of statutory and common law theories.
For example, in 2015, Aetna filed suit against Health Diagnostic Laboratory (HDL), Tonya Mallory (HDL’s former CEO), and BlueWave Health Care Consultants (an independent sales group), alleging that they engaged in a variety of illegal actions, including the failure to collect any amounts owed by Aetna’s members, and that Aetna overpaid for services provided by HDL as a result. While HDL settled, Aetna continues to pursue its claims against Ms. Mallory, who recently failed in her efforts to have the case against her dismissed. However, a recent court decision may give providers some comfort. In June 2016, a Texas federal district court prevented Cigna from recovering funds paid to Humble Surgical Hospital, which allegedly waived amounts owed by Cigna’s members and engaged in other misconduct. The court dismissed all of Cigna’s claims and found that Cigna owed $13 million to Humble. Continue Reading Lessons Learned from FCA Settlement Involving Waiver of Medicare Coinsurance Amounts
The civil monetary penalties for violations of myriad health care laws continue to rise. In June, we discussed the enormous increase in penalties under the federal False Claims Act (“FCA”). Through an interim final rule, the Department of Justice nearly doubled the per-claim FCA penalty. The minimum per-claim FCA penalty increased from $5,500 to $10,781 and the maximum per-claim FCA penalty increased from $11,000 to $21,563. The FCA penalties nearly doubled because the Federal Civil Penalties Inflation Adjustment Act of 2015 (the “2015 Adjustment Act”) required federal agencies to update civil monetary penalties (“CMPs”) within their jurisdiction by August 1, 2016 to catch up with inflation.
Because of the 2015 Adjustment Act, numerous other CMPs—in addition to the FCA—recently have increased or likely will increase. Continue Reading Penalties For Health Care Law Violations Surge
Mintz Levin’s TCPA & Consumer Calling Practice team has issued its first monthly newsletter with legal updates and trends in this area. As we have pointed out before, the healthcare industry is not immune from litigation and enforcement based on the Telephone Consumer Protection Act (TCPA). Pharmacies and providers have been subject to settlement payments resulting from calls to consumers, and the FCC has addressed so-called “robocalls” made by healthcare providers in its rulings.
We are excited to present this inaugural Monthly TCPA Digest – Part I highlights TCPA Regulatory updates and considerations (including information about an FCC Public Notice seeking comment on a petition relating to the interaction between FCC rules and HIPAA), and then Part II explores TCPA Litigation developments. You can also learn more about our TCPA & Consumer Calling Practice from the newsletter.
With the continuing compliance challenges faced by health care industry participants and the overlay of sometimes competing regulatory frameworks, we hope this TCPA newsletter helps keep you informed of the risks and opportunities in this area. In an industry where timely and confidential communication is key, many providers and other industry participants are trying to navigate the legal landscape and keep an open line of communication with their patients and customers.
HHS Office for Civil Rights will cast a wider net and increase its investigations into smaller HIPAA privacy breaches starting this month. OCR announced a new initiative to increase its efforts examining breaches that affect fewer than 500 individuals. OCR Regional Offices already investigate every reported breach affecting 500 or more individuals, and will continue to do so, but now they will intensify efforts to scrutinize smaller breaches.
Investigations into the root cause of even a small breach can discover system- and enterprise-wide noncompliance and security and privacy shortcomings. An investigation into a single stolen laptop that held PHI of 80 individuals may uncover an entity’s failure to encrypt any of the data it stores and uses. And just as easily as a larger breach, a small breach can reveal that a covered entity has not completed a full risk assessment of its organization and its PHI protections. Continue Reading OCR to Increase Investigations of Smaller HIPAA Breaches
Expanding on our recent blog post discussing CMS’s final rule (the “Final Rule”) implementing portions of the Protecting Access to Medicare Act of 2014 related to clinical laboratories, my colleague Karen Lovitch and I published an article in BNA’s Medicare Report entitled CMS Regulations Overhaul Medicare Clinical Laboratory Fee Schedule. The article discusses the reporting obligations of clinical laboratories, the impact of the Final Rule on reimbursement for clinical laboratory tests, and areas in which laboratories should expect further sub-regulatory guidance from CMS.