By now, you may have heard about the global ransomware attacks affecting health care and other organizations throughout the world, in particular the United Kingdom, but also in the United States. The ransomware variant, called “Wanna Decryption” or “WannaCry” works like any other ransomware: once it is inadvertently installed, it locks up the organization’s data until ransom is paid. Here are some quick facts about the WannaCry attack and suggestions for avoiding it. Continue Reading Ransomware Attack – Quick Facts
The Trump administration is considering releasing a rule to ease the burden that small practices are facing in trying to comply with the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA), according to a recent report in The Hill.
By way of background, MACRA consolidates a number of existing reporting programs into a two-track system under which eligible clinicians will receive incentive reimbursement payments through either the Merit-Based Incentive Payment Systems (MIPS) or through certain alternative payment models (APMs). Under MIPS, eligible clinicians can receive incentive payment (or penalties) based on their reporting of various measures. (For a detailed discussion of MACRA and these reporting requirements, see our prior post.) Alternatively, clinicians can be reimbursed under the second track if they participate in an “Advanced APM,” which include certain accountable care organizations (ACOs) and patient-centered medical homes. Continue Reading Insiders Say New MACRA Rule Likely as Providers Look to Sec. Price to Ease Burden
It was a busy April for the Office for Civil Rights (“OCR”) (see our prior post on a settlement from earlier in April). On April 20, OCR announced a Resolution Agreement with Center for Children’s Digestive Health, S.C. (“CCDH”) related to CCDH’s failure to enter into a business associate agreement with a paper medical records storage vendor. The cost of that missing agreement? $31,000. Then, on April 24, OCR announced a settlement with CardioNet, a remote monitoring company for cardiac arrhythmias, related to CardioNet’s failure to implement compliant HIPAA policies and procedures and failure to conduct a sufficient risk assessment. The price of those failures? $2.5 million! Continue Reading Two HIPAA Mistakes Lead to Fines from OCR
Earlier this week, the Mintz Levin privacy team updated the “Mintz Matrix,” a summary of the U.S. state data breach notification laws, with updates from New Mexico, Tennessee, and Virginia. As the privacy team reports, with New Mexico enacting a data breach notification law, Alabama and South Dakota remain the only states without data breach notification laws. Their full blog post on the updates is available here.
In addition to complying with HIPAA, health care organizations must remain aware of the separate state notification obligations and other privacy and security laws when responding to data breaches. These state laws are often broader than HIPAA and may apply to personally identifiable information that is not protected health information.
Our quick disclaimer: The Mintz Matrix is for informational purposes only and does not constitute legal advice or opinions regarding any specific facts relating to specific data breach incidents. You should seek the advice of experienced legal counsel (e.g., the Mintz Levin privacy team) when reviewing options and obligations in responding to a particular data security breach.
Earlier this week, the HHS Office for Civil Rights (“OCR”) announced a $400,000 settlement with Metro Community Provider Network (“MCPN”) related to a 2012 HIPAA breach caused by a phishing scam. The phishing scam, carried out by accessing MCPN employees’ email accounts, gave a hacker access to the electronic protected health information (“ePHI”) of 3,200 individuals. In investigating the breach, OCR determined that, prior to the breach, MCPN had not conducted a security risk analysis (a requirement under HIPAA). Further, OCR found that even after MCPN conducted a risk analysis, its analysis was insufficient to meet the requirements of the HIPAA Security Rule.
In addition to the $400,000 fine, MCPN agreed to a corrective action plan with OCR. That plan requires MCPN to conduct a comprehensive risk analysis and to submit a written report on the risk analysis to OCR. Additionally, MCPN will be required to develop an organization-wide risk management plan, to review and revise its Security Rule policies and procedures, to review and revise its Security Rule training materials, and to report to OCR any instance of a workforce member failing to comply with its Security Rule policies and procedures. Continue Reading Gone Phishin’: Hack Leads to HIPAA Settlement
In 2016 and now in early 2017, state legislatures and regulatory boards continue to enact laws and rules setting telemedicine practice standards. Such standards generally include clarifying the definition of telemedicine as well as providing standards related to prescribing in an online setting, patient informed consent, treatment of medical records generated during a telemedicine encounter, and confidentiality. A recent survey conducted by the Federation of State Medical Boards (FSMB) found that telemedicine standards are the number one priority for state medical boards going into 2017. Continue Reading States Continue Trend to Reduce Telemedicine Barriers
The Stark Law has caused angst for many a physician and many a health care lawyer over the years. The Stark Law has also troubled hospital and health system CEOs looking for ways to align incentives with physicians. Some stakeholders say Congress should do away with the myriad statutes and regulations that comprise the strict liability federal law banning physician self-referral. Those stakeholders suggest either repealing it altogether and letting other fraud and abuse laws do the work, or – as its namesake former-Representative Pete Stark has suggested – replace it with a much simpler prohibition on soliciting referrals for kickbacks or other special treatment.
My colleague, Tom Crane, suggests another approach – revamp the Stark Law’s advisory opinion process so the Centers for Medicare and Medicaid Services (“CMS”) can protect arrangements from sanctions, similar to the Office of the Attorney General’s (“OIG’s”) Anti-Kickback Statute (“AKS”) advisory opinion process. Continue Reading Changes Needed to Stark Law Advisory Opinion Process
Last week, the FBI issued guidance specifically applicable to medical and dental facilities regarding the cybersecurity risk of File Transfer Protocol (“FTP”) servers operating in “anonymous” mode. FTP servers are routinely used to transfer information between network hosts. As further described in the guidance, an FTP server can be configured to permit anonymous users (through the use of a common user name like “anonymous” and without the use of a password) to gain access to the information stored on the server, which might include sensitive information about patients. In addition to potentially directly compromising the security of the stored information, a hacker could use an FTP server in anonymous mode to launch a cyber attack on the entity. Continue Reading FBI Warns of Cybersecurity Risk from FTPs
The Federal Trade Commission (“FTC”) and the State of Illinois successfully concluded their challenge to the proposed merger of Advocate Health Care and NorthShore University Health System earlier this month, when the U.S. District Court for the Northern District of Illinois granted the plaintiffs’ request for a preliminary injunction enjoining the health systems from consummating their proposed merger. The parties subsequently abandoned the transaction without appealing the district court’s decision.
The district court had previously denied the motion for a preliminary injunction. It believed that the geographic market proposed by the plaintiffs was too narrow and found the evidence “equivocal” regarding the importance of patients having access to hospitals close to their homes. As such, it held that the plaintiffs had not met their burden of proving a relevant geographic market and thus, did not demonstrate a likelihood of success on the merits. However, in October 2016, the U.S. Court of Appeals for the Seventh Circuit reversed and remanded for further proceedings on the issue of geographic market definition, holding that the lower court erred in its factual findings regarding critical aspects of the geographic market, as well as the remaining preliminary injunction elements that the district court did reach in its first decision.
This alert examines the court’s decision, which not only supports the FTC’s hospital merger enforcement program but continues to up the ante for merging parties attempting to persuade a court that the proposed efficiencies are sufficient to offset alleged anticompetitive effects.
A series of recoupment letters from the New York State Medicaid Fraud Control Unit (MFCU) to healthcare providers who have management or billing company arrangements based on a percentage of collections has prompted the Medical Society of the State of New York (MSSNY) to warn its members that such arrangements are fraudulent under Medicaid law. The warning, posted on its blog on February 10, 2017, also urged members to review their billing arrangements to make sure the compensation is based either on time or a fixed, flat fee.
In a redacted MFCU recoupment letter linked to the post, MFCU states that as a result of an audit and investigation, it has determined that the percentage based contract violates state and federal Medicaid regulations, including Section 360.7.5(c), which permits Medicaid providers to contract with billing agents if the compensation paid to the agent is “reasonably related to the cost of the services” and “unrelated, directly or indirectly, to the dollar amounts billed and collected.” The audit period was five years, and MFCU sought to collect the overpayment amount plus an additional nine percent (9%) interest. Continue Reading New York Medical Society Warns Providers to Avoid Percentage-Based Fees