On Wednesday, March 8, James B. Comey, Director of the FBI, was at Boston College to deliver the keynote address for the inaugural Boston Conference on Cyber Security (BCCS 2017). Director Comey addressed various industry, cyber security, FBI, law enforcement and military experts in attendance regarding current cyber threats to both industry and government assets and the FBI’s approach to confronting them. During his remarks, Director Comey was asked to opine on the biggest cyber threat to healthcare providers, to which Comey quickly responded, “ransomware.”
Last week, the Massachusetts Department of Public Health issued another round of proposed amendments to its regulations, continuing the Baker Administration’s regulatory reform efforts. Today, we take a closer look at the proposed amendments to the proposed regulations governing the licensure of hospice programs.
As expected, many of the proposed changes are aimed at making the hospice regulations consistent with the rules that govern other health facilities such as hospitals and clinics. For example, consistent with the hospital and clinic regulations, the Commissioner would be given broad authority to determine under what circumstances a change in control of the operation of the hospice rises to the level of a “transfer of ownership”. Another change for consistency purposes is the proposed revision to the rules governing incident reporting. Under the proposed rule, a hospice inpatient facility must report unanticipated deaths and any serious incidents or accidents as defined in guidelines of the Department.
At yesterday’s Public Health Council meeting, the Massachusetts Department of Public Health (DPH) released yet another round of proposed regulatory amendments. On deck were regulations concerning Long Term Care Facilities, Hospice Programs, and Temporary Nursing Service Agencies, as well as requirements for Training of Nurses’ Aides in Long-Term Care Facilities. Also presented were updated regulations on the Drug Formulary Commission (formerly List of Interchangeable Drug Products regulations). Senior DPH staff presented the proposed regulations, highlighting key objectives. Council members were highly engaged in the discussions, asking numerous questions and offering comments. Commissioner Monica Bharel, MD, MPH, commended DPH staff for their hard work on the amendments and the Council for its support of these ongoing efforts.
The Massachusetts Department of Public Health (DPH) has released for public comment proposed amendments to DPH’s Medical Marijuana Regulations (105 CMR 725) (the “regulations”). DPH believes that the proposed amendments will streamline the Medical Use of Marijuana Program (the “Program”) by updating existing processes, providing additional clarity, and creating consistency with changes made to related laws, all with the goal of promoting patient access while assuring public safety is maintained. At a meeting of the Public Health Council (PHC) held on September 14, 2016, DPH representatives, including Program Director Bryan Harter, MBA, LICSW, presented the proposed amendments. DPH’s presentation to the PHC at the meeting includes a summary of the proposed amendments, as well as a brief history of the Program, including applications received, provisional Certificates of Registration to operate a Registered Marijuana Dispensary (RMD) (41), and number of RMDs currently open and dispensing marijuana for medical use (7).
Amendments are undoubtedly necessary. The current regulations, which became effective on May 24, 2013, were implemented in connection with the creation of the Program, and DPH now has the benefit of experience with the RMD process to amend its regulations to reflect, in some cases, lessons learned. As with proposed amendments to other regulations (see our prior posts here and here), these amendments are also necessary to comply with Governor Baker’s Executive Order 562, which directed all executive branch state agencies to review and, where possible, streamline, simplify and improve their regulations.
Mintz Levin’s TCPA & Consumer Calling Practice team has issued its first monthly newsletter with legal updates and trends in this area. As we have pointed out before, the healthcare industry is not immune from litigation and enforcement based on the Telephone Consumer Protection Act (TCPA). Pharmacies and providers have been subject to settlement payments resulting from calls to consumers, and the FCC has addressed so-called “robocalls” made by healthcare providers in its rulings.
We are excited to present this inaugural Monthly TCPA Digest – Part I highlights TCPA Regulatory updates and considerations (including information about an FCC Public Notice seeking comment on a petition relating to the interaction between FCC rules and HIPAA), and then Part II explores TCPA Litigation developments. You can also learn more about our TCPA & Consumer Calling Practice from the newsletter.
With the continuing compliance challenges faced by health care industry participants and the overlay of sometimes competing regulatory frameworks, we hope this TCPA newsletter helps keep you informed of the risks and opportunities in this area. In an industry where timely and confidential communication is key, many providers and other industry participants are trying to navigate the legal landscape and keep an open line of communication with their patients and customers.
HHS Office for Civil Rights will cast a wider net and increase its investigations into smaller HIPAA privacy breaches starting this month. OCR announced a new initiative to increase its efforts examining breaches that affect fewer than 500 individuals. OCR Regional Offices already investigate every reported breach affecting 500 or more individuals, and will continue to do so, but now they will intensify efforts to scrutinize smaller breaches.
Investigations into the root cause of even a small breach can discover system- and enterprise-wide noncompliance and security and privacy shortcomings. An investigation into a single stolen laptop that held PHI of 80 individuals may uncover an entity’s failure to encrypt any of the data it stores and uses. And just as easily as a larger breach, a small breach can reveal that a covered entity has not completed a full risk assessment of its organization and its PHI protections.
Capping off a busy month of HIPAA settlements, on August 4, the Office for Civil Rights (“OCR”) announced a $5.55 million settlement with Advocate Health Care Network (“Advocate”), the largest fully-integrated healthcare system in Illinois. The settlement is the largest HIPAA settlement ever by a single entity. The settlement comes on the heels of two July settlement announcements with Oregon Health & Science University (“OHSU”) ($2.7 million) and the University of Mississippi Medical Center ($2.75 million). In total, OCR has reached nine HIPAA settlements in 2016, in addition to the imposition of civil monetary penalties against Lincare, Inc. (which we covered here). In contrast, the office entered into only six settlements in all of 2015. As Jocelyn Samuels, the Director of OCR, indicated in a press release regarding the Advocate settlement, the settlements should be a wake-up call to HIPAA Covered Entities and Business Associates:
We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure. This includes implementing physical, technical, and administrative security measures sufficient to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level.
Last week, the OIG issued a favorable opinion to a hospice provider seeking to make supplemental payments to skilled nursing facilities. Under the proposed arrangement, the hospice provider would make a supplemental payment to the nursing facility for dual-eligible individuals electing the hospice benefit that would be in addition to and separate from what the managed care organization (“MCO”) pays the nursing facility.
This supplemental payment by the hospice provider is different than the traditional payments that hospice providers make to nursing facilities for dual-eligible individuals. Traditionally, when a dual-eligible individual residing in a nursing facility elects the hospice benefit, Medicare pays the hospice provider a per diem rate that does not include room and board. Medicaid is responsible for paying the individual’s room and board. Medicaid pays room and board to the hospice provider and the hospice provider pays the nursing facility the negotiated rate. In a 1998 Special Fraud Alert on nursing home arrangements with hospices, the OIG specifically stated that this payment arrangement, in which the hospice provider pays the nursing facility only after receiving payment from Medicaid, is acceptable.
Last week, the Department of Health and Human Services (“HHS”) released new materials for covered entities to use to comply with Section 1557, the nondiscrimination provision of the Affordable Care Act. Section 1557 strengthens protections for populations that have been most vulnerable to discrimination in the health care setting by stating that individuals cannot be subject to discrimination based on race, color, national origin, sex, age, or disability.
Health care providers and other HIPAA-regulated entities should take note of the story on our companion blog, Employment Matters, regarding the augmented reality video game craze Pokémon Go. For those unfamiliar with the most downloaded smartphone video game ever, it involves players chasing adorable computer-generated characters that randomly appear in the player’s immediate surroundings. How could something as delightful as Pikachu present a security risk? When the game is played in camera mode, the player records the Pokémon character, as well as the player’s surroundings – think computer monitors, whiteboards, patients, providers, procedure suites . . .
As with all HIPAA security risks, the best approach is to learn about the risk and take proactive steps to mitigate harm. A great place to start is to read the Mintz Levin overview of Pokémon Go in the Workplace.