In both civil and criminal enforcement proceedings, 2017 was perhaps most notable for the cases brought against individual health care providers and small physician practice owners. Among the factors that may have resulted in the uptick in cases against individuals are the Yates Memo issued in late 2015, improved and increased reliance on sophisticated data analytics, and the aggressive focus on opioid addiction and its causes.
Earlier this week, Mintz Levin’s Health Care Enforcement Defense Group published its most recent Health Care Qui Tam Update. This Update covers 34 health care-related qui tam cases that were unsealed in July 2017.
Here are some of the highlights:
- Of the 34 cases unsealed in July 2017, the government intervened (in whole or in part) in six cases and declined to intervene in 28.
- These 34 unsealed cases were filed in 21 different courts, including:
  - Five in the Southern District of Ohio;
  - Three in the District of Arizona; and
  - Three in the Western District of Virginia.
In the recently published proposed rule related to the CY 2018 Hospital Outpatient Prospective Payment System (OPPS), the Centers for Medicare & Medicaid Services (CMS) announced that it is considering changes to the regulation governing the date of service (DOS) for clinical laboratory and pathology specimens. The DOS rules are important to laboratories and hospitals because they dictate which party must bill Medicare for certain laboratory testing performed on stored specimens collected during a hospital procedure but ordered after the patient has left the hospital. If revisions are ultimately finalized, the proposal could have significant business implications for independent laboratories and hospitals.
Last week, Mintz Levin’s Health Care Enforcement Defense Group published a new Qui Tam Update, which analyzes 21 health care-related False Claims Act qui tam cases unsealed in May 2017. The findings include:
- long delays in unsealing remain the norm;
- relators overwhelmingly consisted of current and former employees (and physicians); and
- the most common alleged violation was billing fraud (which was claimed in two-thirds of the 21 unsealed cases).
Also of note in this Update:
- The targeted entities in these 21 cases included outpatient medical and psychological providers, laboratory testing companies, inpatient hospitals, and home health care providers.
- Of the 21 cases, the government intervened, in whole or in part, in seven cases and declined to intervene in 10. (Intervention status could not be determined from the docket in four cases.)
- The cases were filed in 17 different courts (including the Central District of California, the District of South Carolina, the Eastern District of Michigan, and the Northern District of California).
This Update provides in-depth analysis of three of the unsealed cases, which involve allegations regarding (1) “up coding” by a hospital that allegedly billed routine transport as emergency transport, which was reimbursed at a higher rate; (2) billing for medically unnecessary tests that purported to identify susceptibility to opioid addiction and engaging in a kickback scheme; and (3) processing prior authorization requests for MCOs using automated procedures to expedite processing and circumvent medical necessity determinations, resulting in submission of false claims.
It was a busy April for the Office for Civil Rights (“OCR”) (see our prior post on a settlement from earlier in April). On April 20, OCR announced a Resolution Agreement with Center for Children’s Digestive Health, S.C. (“CCDH”) related to CCDH’s failure to enter into a business associate agreement with a paper medical records storage vendor. The cost of that missing agreement? $31,000. Then, on April 24, OCR announced a settlement with CardioNet, a remote monitoring company for cardiac arrhythmias, related to CardioNet’s failure to implement compliant HIPAA policies and procedures and failure to conduct a sufficient risk assessment. The price of those failures? $2.5 million!
Earlier this week, the Mintz Levin privacy team updated the “Mintz Matrix,” a summary of the U.S. state data breach notification laws, with updates from New Mexico, Tennessee, and Virginia. As the privacy team reports, with New Mexico enacting a data breach notification law, Alabama and South Dakota remain the only states without data breach notification laws. Their full blog post on the updates is available here.
In addition to complying with HIPAA, health care organizations must remain aware of the separate state notification obligations and other privacy and security laws when responding to data breaches. These state laws are often broader than HIPAA and may apply to personally identifiable information that is not protected health information.
Our quick disclaimer: The Mintz Matrix is for informational purposes only and does not constitute legal advice or opinions regarding any specific facts relating to specific data breach incidents. You should seek the advice of experienced legal counsel (e.g., the Mintz Levin privacy team) when reviewing options and obligations in responding to a particular data security breach.
Earlier this week, the HHS Office for Civil Rights (“OCR”) announced a $400,000 settlement with Metro Community Provider Network (“MCPN”) related to a 2012 HIPAA breach caused by a phishing scam. The phishing scam, carried out by accessing MCPN employees’ email accounts, gave a hacker access to the electronic protected health information (“ePHI”) of 3,200 individuals. In investigating the breach, OCR determined that, prior to the breach, MCPN had not conducted a security risk analysis (a requirement under HIPAA). Further, OCR found that even after MCPN conducted a risk analysis, its analysis was insufficient to meet the requirements of the HIPAA Security Rule.
In addition to the $400,000 fine, MCPN agreed to a corrective action plan with OCR. That plan requires MCPN to conduct a comprehensive risk analysis and to submit a written report on the risk analysis to OCR. Additionally, MCPN will be required to develop an organization-wide risk management plan, to review and revise its Security Rule policies and procedures, to review and revise its Security Rule training materials, and to report to OCR any instance of a workforce member failing to comply with its Security Rule policies and procedures.
Last week, the FBI issued guidance specifically applicable to medical and dental facilities regarding the cybersecurity risk of File Transfer Protocol (“FTP”) servers operating in “anonymous” mode. FTP is routinely used to transfer information between network hosts. As further described in the guidance, an FTP server can be configured to permit anonymous users (through the use of a common user name like “anonymous” and without the use of a password) to gain access to the information stored on the server, which might include sensitive information about patients. In addition to potentially directly compromising the security of the stored information, a hacker could use the FTP server in anonymous mode to launch a cyber attack on the entity.
As we’ve previously discussed on Health Law and Policy Matters, agencies within the Department of Health and Human Services (DHHS) pushed through several final rules towards the end of the Obama Administration (see here and here). However, since taking office, President Trump has followed through on his campaign promise to significantly roll back Federal regulations and has taken several actions aimed at slowing and reversing agency regulatory processes, including processes at the DHHS sub-agencies CMS and FDA. These executive actions are creating a climate of uncertainty for regulated industries and their stakeholders.
The waiver of copayments, coinsurance, and deductibles owed by patients treated by out-of-network laboratories and other providers is a hot topic in the health care industry. Despite the near absence of clear legal prohibitions on this practice, commercial insurers are aggressively pursuing out-of-network providers who fail to collect amounts owed by their members under a variety of statutory and common law theories.
For example, in 2015, Aetna filed suit against Health Diagnostic Laboratory (HDL), Tonya Mallory (HDL’s former CEO), and BlueWave Health Care Consultants (an independent sales group), alleging that they engaged in a variety of illegal actions, including the failure to collect any amounts owed by Aetna’s members, and that Aetna overpaid for services provided by HDL as a result. While HDL settled, Aetna continues to pursue its claims against Ms. Mallory, who recently failed in her efforts to have the case against her dismissed. However, a recent court decision may give providers some comfort. In June 2016, a Texas federal district court prevented Cigna from recovering funds paid to Humble Surgical Hospital, which allegedly waived amounts owed by Cigna’s members and engaged in other misconduct. The court dismissed all of Cigna’s claims and found that Cigna owed $13 million to Humble.