A New Jersey district court recently denied a motion to dismiss Talone, et al. v. The American Osteopathic Association, an antitrust class action. The suit alleges that the physician association violated the Sherman Act by illegally tying osteopaths’ board certification to association membership. The defendant association moved to dismiss, arguing that plaintiffs, a group of affected doctors, had failed to allege sufficient facts to demonstrate foreclosure of competition or antitrust injury. This alert reviews plaintiffs’ claims, the association’s arguments against them, and the court’s denial of the association’s motion to dismiss.

In an opinion written by Judge Posner, the Seventh Circuit on Friday, June 9, 2017, affirmed OSF Saint Francis Medical Center’s summary judgment win in a $300 million antitrust suit brought by a smaller competitor alleging unlawful exclusive dealing and attempted monopolization.  This alert discusses the Court’s decision in this case, which is a notable precedent for hospitals and provider networks — particularly those with substantial market shares — that wish to negotiate narrow and exclusive network agreements with payors.

By now, you may have heard about the global ransomware attacks affecting health care and other organizations throughout the world, in particular the United Kingdom, but also in the United States. The ransomware variant, called “Wanna Decryption” or “WannaCry” works like any other ransomware: once it is inadvertently installed, it locks up the organization’s data until ransom is paid.  Here are some quick facts about the WannaCry attack and suggestions for avoiding it. Continue Reading Ransomware Attack – Quick Facts

The Trump administration is considering releasing a rule to ease the burden that small practices are facing in trying to comply with the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA), according to a recent report in The Hill.

By way of background, MACRA consolidates a number of existing reporting programs into a two-track system under which eligible clinicians will receive incentive reimbursement payments through either the Merit-Based Incentive Payment Systems (MIPS) or through certain alternative payment models (APMs). Under MIPS, eligible clinicians can receive incentive payment (or penalties) based on their reporting of various measures. (For a detailed discussion of MACRA and these reporting requirements, see our prior post.) Alternatively, clinicians can be reimbursed under the second track if they participate in an “Advanced APM,” which include certain accountable care organizations (ACOs) and patient-centered medical homes. Continue Reading Insiders Say New MACRA Rule Likely as Providers Look to Sec. Price to Ease Burden

It was a busy April for the Office for Civil Rights (“OCR”) (see our prior post on a settlement from earlier in April).  On April 20, OCR announced a Resolution Agreement with Center for Children’s Digestive Health, S.C. (“CCDH”) related to CCDH’s failure to enter into a business associate agreement with a paper medical records storage vendor.  The cost of that missing agreement?  $31,000.  Then, on April 24, OCR announced a settlement with CardioNet, a remote monitoring company for cardiac arrhythmias, related to CardioNet’s failure to implement compliant HIPAA policies and procedures and failure to conduct a sufficient risk assessment.  The price of those failures?  $2.5 million! Continue Reading Two HIPAA Mistakes Lead to Fines from OCR

Earlier this week, the Mintz Levin privacy team updated the “Mintz Matrix,” a summary of the U.S. state data breach notification laws, with updates from New Mexico, Tennessee, and Virginia. As the privacy team reports, with New Mexico enacting a data breach notification law, Alabama and South Dakota remain the only states without data breach notification laws. Their full blog post on the updates is available here.

In addition to complying with HIPAA, health care organizations must remain aware of the separate state notification obligations and other privacy and security laws when responding to data breaches. These state laws are often broader than HIPAA and may apply to personally identifiable information that is not protected health information.

Our quick disclaimer: The Mintz Matrix is for informational purposes only and does not constitute legal advice or opinions regarding any specific facts relating to specific data breach incidents. You should seek the advice of experienced legal counsel (e.g., the Mintz Levin privacy team) when reviewing options and obligations in responding to a particular data security breach.

Earlier this week, the HHS Office for Civil Rights (“OCR”) announced a $400,000 settlement with Metro Community Provider Network (“MCPN”) related to a 2012 HIPAA breach caused by a phishing scam. The phishing scam, carried out by accessing MCPN employees’ email accounts, gave a hacker access to the electronic protected health information (“ePHI”) of 3,200 individuals. In investigating the breach, OCR determined that, prior to the breach, MCPN had not conducted a security risk analysis (a requirement under HIPAA). Further, OCR found that even after MCPN conducted a risk analysis, its analysis was insufficient to meet the requirements of the HIPAA Security Rule.

In addition to the $400,000 fine, MCPN agreed to a corrective action plan with OCR.  That plan requires MCPN to conduct a comprehensive risk analysis and to submit a written report on the risk analysis to OCR.  Additionally, MCPN will be required to develop an organization-wide risk management plan, to review and revise its Security Rule policies and procedures, to review and revise its Security Rule training materials, and to report to OCR any instance of a workforce member failing to comply with its Security Rule policies and procedures. Continue Reading Gone Phishin’: Hack Leads to HIPAA Settlement

In 2016 and now in early 2017, state legislatures and regulatory boards continue to enact laws and rules setting telemedicine practice standards. Such standards generally include clarifying the definition of telemedicine as well as providing standards related to prescribing in an online setting, patient informed consent, treatment of medical records generated during a telemedicine encounter, and confidentiality. A recent survey conducted by the Federation of State Medical Boards (FSMB) found that telemedicine standards are the number one priority for state medical boards going into 2017. Continue Reading States Continue Trend to Reduce Telemedicine Barriers

The Stark Law has caused angst for many a physician and many a health care lawyer over the years. The Stark Law has also troubled hospital and health system CEOs looking for ways to align incentives with physicians. Some stakeholders say Congress should do away with the myriad statutes and regulations that comprise the strict liability federal law banning physician self-referral. Those stakeholders suggest either repealing it altogether and letting other fraud and abuse laws do the work, or – as its namesake former-Representative Pete Stark has suggested – replace it with a much simpler prohibition on soliciting referrals for kickbacks or other special treatment.

My colleague, Tom Crane, suggests another approach – revamp the Stark Law’s advisory opinion process so the Centers for Medicare and Medicaid Services (“CMS”) can protect arrangements from sanctions, similar to the Office of the Attorney General’s (“OIG’s”) Anti-Kickback Statute (“AKS”) advisory opinion process. Continue Reading Changes Needed to Stark Law Advisory Opinion Process

Last week, the FBI issued guidance specifically applicable to medical and dental facilities regarding the cybersecurity risk of File Transfer Protocol (“FTP”) servers operating in “anonymous” mode. FTP servers are routinely used to transfer information between network hosts. As further described in the guidance, an FTP server can be configured to permit anonymous users (through the use of a common user name like “anonymous” and without the use of a password) to gain access to the information stored on the server, which might include sensitive information about patients. In addition to potentially directly compromising the security of the stored information, a hacker could use an FTP server running in anonymous mode to launch a cyber attack on the entity. Continue Reading FBI Warns of Cybersecurity Risk from FTPs