Florida Repeals Laboratory Licensure Requirements Effective July 1st

Thousands of laboratories nationwide will be happy to hear that Florida, which licenses in-state as well as out-of-state laboratories, has repealed its laboratory licensure requirements. As of July 1, 2018, laboratories doing business in Florida need only maintain CLIA certification.

Privacy and Security Round-up – Colorado Data Breach Law, Guidance from OCR

Privacy and security compliance obligations for health care companies remain hot topics this spring. Health care companies must now contend with data breach laws in all 50 states as well as keeping on top of federal HIPAA developments.

New Colorado Data Breach Law

Our Privacy and Security colleagues recently blogged about a new Colorado law that imposes strict requirements on entities that maintain, own, or license personal identifying information of Colorado residents. The law broadly defines “personal identifying information” as a Social Security number; a personal identification number; a password or passcode; a driver’s license or identification card number; a passport number; biometric data; an employer, student, or military identification number; or a financial transaction device. In addition, the law requires entities to report breaches of such data within 30 days of discovery.


Earlier this week, our colleague Don Davis addressed the increasing amount of disability discrimination litigation against health care entities on the Employment Matters Blog. In the blog post, Don provides an overview of the Americans with Disabilities Act (“ADA”), describes employment disability discrimination litigation and enforcement trends in the health care industry, and highlights the recent spike in accessibility-related litigation (including issues related to both facility accessibility and website accessibility).

The full post is available here.

Mintz Levin has updated the Mintz Matrix, a comprehensive summary of the data breach notification laws that now exist in all 50 states (South Dakota and Alabama finally caved and enacted their own laws). It’s critical that HIPAA-regulated entities monitor these state laws because they apply simultaneously with, and often conflict with, HIPAA. In the event of a data breach, regulated entities must fulfill HIPAA’s breach notification requirements and the requirements of applicable state law. Large-scale data breaches, affecting individuals from multiple states, require the rapid analysis of multiple state laws along with HIPAA requirements. But don’t wait for a crisis to review the Matrix. HIPAA covered entities and business associates should use it to familiarize themselves with the breach notification requirements of the states in which they do business, and use the Matrix to inform incident response planning activities. The Matrix is also useful for monitoring patterns and trends among state laws in this area. For example, state data breach notification laws have historically been implicated by the loss of information that could be used for identity theft, such as a name coupled with a Social Security, debit, or credit card number. However, many states now require breach notification when health care information is used or disclosed without authorization, even if it is not associated with a Social Security number and even if HIPAA does not apply. You can learn more about the Matrix and download a copy on our Privacy and Security Matters blog.

Health Care Enforcement Review and 2018 Outlook: Criminal and Civil Enforcement Trends

In both civil and criminal enforcement proceedings, 2017 was perhaps most notable for the cases brought against individual health care providers and small physician practice owners. Among the factors that may have resulted in the uptick in cases against individuals are the Yates Memo issued in late 2015, improved and increased reliance on sophisticated data analytics, and the aggressive focus on opioid addiction and its causes.

Mintz’s Health Care Enforcement Defense Group Publishes New Qui Tam Update

Earlier this week, Mintz Levin’s Health Care Enforcement Defense Group published its most recent Health Care Qui Tam Update. This Update covers 34 health care-related qui tam cases that were unsealed in July 2017.

Here are some of the highlights:

– Of the 34 cases unsealed in July 2017, the government intervened (in whole or in part) in six cases and declined to intervene in 28.

– These 34 unsealed cases were filed in 21 different courts, including:

  • Five in the Southern District of Ohio;
  • Three in the District of Arizona; and
  • Three in the Western District of Virginia.


CMS May Decide to Permit Labs to Bill for Certain Tests Provided to Outpatients

In the recently published proposed rule related to the CY 2018 Hospital Outpatient Prospective Payment System (OPPS), the Centers for Medicare & Medicaid Services (CMS) announced that it is considering changes to the regulation governing the date of service (DOS) for clinical laboratory and pathology specimens. The DOS rules are important to laboratories and hospitals because they dictate which party must bill Medicare for certain laboratory testing performed on stored specimens collected during a hospital procedure but ordered after the patient has left the hospital. If revisions are ultimately finalized, the proposal could have significant business implications for independent laboratories and hospitals.


Last week, Mintz Levin’s Health Care Enforcement Defense Group published a new Qui Tam Update, which analyzes 21 health care-related False Claims Act qui tam cases unsealed in May 2017, and the findings include:

  • long delays in unsealing remain the norm;
  • relators overwhelmingly consisted of current and former employees (and physicians); and
  • the most common alleged violation was billing fraud (which was claimed in two-thirds of the 21 unsealed cases).

Also of note in this Update:

  • The targeted entities in these 21 cases included outpatient medical and psychological providers, laboratory testing companies, inpatient hospitals, and home health care providers.
  • Of the 21 cases, the government intervened, in whole or in part, in seven cases and declined to intervene in 10.  (Intervention status could not be determined from the docket in four cases.)
  • The cases were filed in 17 different courts (including the Central District of California, the District of South Carolina, the Eastern District of Michigan, and the Northern District of California).

This Update provides in-depth analysis of three of the unsealed cases, which involve allegations regarding (1) “upcoding” by a hospital that allegedly billed routine transport as emergency transport, which was reimbursed at a higher rate; (2) billing for medically unnecessary tests that purported to identify susceptibility to opioid addiction and engaging in a kickback scheme; and (3) processing prior authorization requests for MCOs using automated procedures to expedite processing and circumvent medical necessity determinations, resulting in the submission of false claims.

Two HIPAA Mistakes Lead to Fines from OCR

It was a busy April for the Office for Civil Rights (“OCR”) (see our prior post on a settlement from earlier in April). On April 20, OCR announced a Resolution Agreement with Center for Children’s Digestive Health, S.C. (“CCDH”) related to CCDH’s failure to enter into a business associate agreement with a paper medical records storage vendor. The cost of that missing agreement? $31,000. Then, on April 24, OCR announced a settlement with CardioNet, a remote monitoring company for cardiac arrhythmias, related to CardioNet’s failure to implement compliant HIPAA policies and procedures and failure to conduct a sufficient risk assessment. The price of those failures? $2.5 million!

Earlier this week, the Mintz Levin privacy team updated the “Mintz Matrix,” a summary of the U.S. state data breach notification laws, with updates from New Mexico, Tennessee, and Virginia. As the privacy team reports, with New Mexico enacting a data breach notification law, Alabama and South Dakota remain the only states without data breach notification laws. Their full blog post on the updates is available here.

In addition to complying with HIPAA, health care organizations must remain aware of separate state notification obligations and other privacy and security laws when responding to data breaches. These state laws are often broader than HIPAA and may apply to personally identifiable information that is not protected health information.

Our quick disclaimer: The Mintz Matrix is for informational purposes only and does not constitute legal advice or opinions regarding any specific facts relating to specific data breach incidents. You should seek the advice of experienced legal counsel (e.g., the Mintz Levin privacy team) when reviewing options and obligations in responding to a particular data security breach.