Last week, the Congressional Budget Office (CBO) concluded that a key piece of telehealth legislation, the CHRONIC Care Act of 2017, would not, overall, increase or decrease Medicare spending. This score is significant as it marks the first time that CBO has concluded that providing enhanced Medicare coverage for telehealth services would be budget neutral and clears the path for Congress to pass the legislation in a tough political climate. Continue Reading CBO Greenlights Telehealth Provisions in Senate’s CHRONIC Care Act
Last week, the Department of Justice (DOJ) entered into a $34 million settlement with Mercy Hospital Springfield (“Hospital”) of Springfield, Missouri, and its affiliate Mercy Clinic (“Clinic”). The settlement resolves an allegation that the Clinic violated the Stark Law by compensating twelve Clinic physicians in a manner that took into account the volume and value of the physicians’ referrals to the Hospital’s infusion center. The U.S. contended that the defendants’ Stark Law violations caused their reimbursement claims to Medicare for infusion services to violate the False Claims Act. Continue Reading Hospital and its Clinic Agree to $34 Million Settlement to False Claims Act Allegation that Compensation to Oncologists Violated the Stark Law
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced another large HIPAA-related settlement last week with Memorial Hermann Health System (Memorial Hermann), the largest not-for-profit health system in southeast Texas. Memorial Hermann agreed to pay $2.4 million and to comply with a corrective action plan after publicly disclosing a patient’s name in the title of a press release regarding an incident at one of its clinics. In a week that has been filled with high-tech cybersecurity issues (see our recent blog posts on the WannaCry attack here and here), this settlement is a good reminder of HIPAA obligations unrelated to technology.
By now, you may have heard about the global ransomware attacks affecting health care and other organizations throughout the world, in particular the United Kingdom, but also in the United States. The ransomware variant, called “Wanna Decryption” or “WannaCry,” works like any other ransomware: once it is inadvertently installed, it locks up the organization’s data until a ransom is paid. Here are some quick facts about the WannaCry attack and suggestions for avoiding it. Continue Reading Ransomware Attack – Quick Facts
It was a busy April for the Office for Civil Rights (“OCR”) (see our prior post on a settlement from earlier in April). On April 20, OCR announced a Resolution Agreement with Center for Children’s Digestive Health, S.C. (“CCDH”) related to CCDH’s failure to enter into a business associate agreement with a paper medical records storage vendor. The cost of that missing agreement? $31,000. Then, on April 24, OCR announced a settlement with CardioNet, a remote monitoring company for cardiac arrhythmias, related to CardioNet’s failure to implement compliant HIPAA policies and procedures and failure to conduct a sufficient risk assessment. The price of those failures? $2.5 million! Continue Reading Two HIPAA Mistakes Lead to Fines from OCR
Next week, the Massachusetts House will continue the budget process and debate over 1000 amendments that members filed to the House Ways and Means Committee’s proposed $40.3 billion FY2018 budget. The Committee’s budget includes some notable departures from Governor Baker’s proposed budget, including changes to budget items impacting the health care industry. In an Alert released earlier this week, my ML Strategies colleagues Julie Cox, Steven Baddour, Dan Connelly, Caitlin Beresin, Max Fathy and Haejin Hwang describe some of the variances in health care and public health spending proposals. Continue Reading Massachusetts Budget Process Continues with Impact on Health Care
Earlier this week, the Mintz Levin privacy team updated the “Mintz Matrix,” a summary of the U.S. state data breach notification laws, with updates from New Mexico, Tennessee, and Virginia. As the privacy team reports, with New Mexico enacting a data breach notification law, only Alabama and South Dakota remain without data breach notification laws. Their full blog post on the updates is available here.
In addition to complying with HIPAA, health care organizations must remain aware of the separate state notification obligations and other privacy and security laws when responding to data breaches. These state laws are often broader than HIPAA and may apply to personally identifiable information that is not protected health information.
Our quick disclaimer: The Mintz Matrix is for informational purposes only and does not constitute legal advice or opinions regarding any specific facts relating to specific data breach incidents. You should seek the advice of experienced legal counsel (e.g., the Mintz Levin privacy team) when reviewing options and obligations in responding to a particular data security breach.
Earlier this week, the HHS Office for Civil Rights (“OCR”) announced a $400,000 settlement with Metro Community Provider Network (“MCPN”) related to a 2012 HIPAA breach caused by a phishing scam. The phishing scam, carried out by accessing MCPN employees’ email accounts, gave a hacker access to the electronic protected health information (“ePHI”) of 3,200 individuals. In investigating the breach, OCR determined that, prior to the breach, MCPN had not conducted a security risk analysis (a requirement under HIPAA). Further, OCR found that even after MCPN conducted a risk analysis, its analysis was insufficient to meet the requirements of the HIPAA Security Rule.
In addition to the $400,000 fine, MCPN agreed to a corrective action plan with OCR. That plan requires MCPN to conduct a comprehensive risk analysis and to submit a written report on the risk analysis to OCR. Additionally, MCPN will be required to develop an organization-wide risk management plan, to review and revise its Security Rule policies and procedures, to review and revise its Security Rule training materials, and to report to OCR any instance of a workforce member failing to comply with its Security Rule policies and procedures. Continue Reading Gone Phishin’: Hack Leads to HIPAA Settlement
On March 30, 2017, in a closely watched case, a federal district court denied the Motion for Judgment on the Pleadings filed by Carolinas Healthcare against a Complaint filed by the DOJ Antitrust Division and the State of North Carolina. The Complaint alleged that Carolinas Healthcare insisted on contract provisions with payors that limited or prohibited steering to lower-cost providers. In its motion, Carolinas Healthcare relied heavily on the Second Circuit decision in United States v. American Express Co., 838 F.3d 179 (2d Cir. 2016), where the Second Circuit had reversed a trial verdict condemning steering restrictions in Amex’s contracts with merchants. This alert reviews the court’s ruling and considers its implications for future health care antitrust cases.
The Stark Law has caused angst for many a physician and many a health care lawyer over the years. The Stark Law has also troubled hospital and health system CEOs looking for ways to align incentives with physicians. Some stakeholders say Congress should do away with the myriad statutes and regulations that comprise the strict liability federal law banning physician self-referral. Those stakeholders suggest either repealing it altogether and letting other fraud and abuse laws do the work, or – as its namesake, former Representative Pete Stark, has suggested – replacing it with a much simpler prohibition on soliciting referrals for kickbacks or other special treatment.
My colleague, Tom Crane, suggests another approach – revamp the Stark Law’s advisory opinion process so the Centers for Medicare and Medicaid Services (“CMS”) can protect arrangements from sanctions, similar to the Office of the Attorney General’s (“OIG’s”) Anti-Kickback Statute (“AKS”) advisory opinion process. Continue Reading Changes Needed to Stark Law Advisory Opinion Process