Press ReleaseThe U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced another large HIPAA-related settlement last week with Memorial Hermann Health System (Memorial Hermann), the largest not-for-profit health system in southeast Texas.  Memorial Hermann agreed to pay $2.4 million and to comply with a corrective action plan after publicly disclosing a patient’s name in the title of a press release regarding an incident at one of its clinics.  In a week that has been filled with high-tech cybersecurity issues (see our recent blog posts on the WannaCry attack here and here), this settlement is a good reminder of HIPAA obligations unrelated to technology.

Continue Reading Memorial Hermann’s Use of Patient Name in Press Release Leads to $2.4 Million HIPAA Settlement

The OIG recently issued a favorable advisory opinion permitting a health system (the “Health System”) to become the sole owner of a Group Purchasing Organization (“GPO”), some of whose members were also owned by the Health System (the “Proposed Arrangement”).

Despite determining that the Proposed Arrangement does not qualify for protection under the GPO safe harbor, the OIG considered whether allowing the GPO to be wholly owned by the same entity that also owns almost 1% of the member pool increases the risk of fraud and abuse to Federal health care programs.

The GPO Structure

The GPO has over 84,000 members nationwide, many of which are hospitals, nursing facilities, clinics, physician practices, laboratories, home care, and equipment organizations. It operates by negotiating products and pricing with vendors on behalf of its members and receives administrative fees from the vendors based on a percentage of the value of sales to the members.  The GPO provides annual written disclosures to the members regarding purchases made on behalf of each member and maintains records regarding discounts and vendor administrative fee distributions to members.

The Proposed Arrangement

To increase efficiencies, the GPO underwent a series of mergers and stock sales (not at issue here), after which the Health System owned 95% of the GPO, with an unrelated entity owning the remaining 5%. About 800 of the 84,000 members (just under 1%) are owned by the Health System.  Under the Proposed Arrangement, the Health System would purchase the remaining 5% of the GPO to become the sole owner. Continue Reading OIG Issues Favorable GPO Advisory Opinion

In a chain of events that should be a wake-up call to any entity using and storing critical health information, Hollywood Presbyterian Medical Center (“HPMC”) has announced that it paid hackers $17,000 to end a malware attack on the hospital’s computer systems. On February 5, HPMC fell victim to an attack that locked access to the medical center’s electronic medical record (“EMR”) system and blocked the electronic exchange of patient information. Earlier reports indicated that the hackers had originally demanded $3,400,000.

Such “ransomware” attacks are caused by computer viruses that wall off or encrypt data to prevent user access. Hackers hold the data ransom, demanding payment for the decryption key necessary to unlock the data. The attacks are often caused by email phishing scams. The scams may be random or target particular businesses or entities. In the case of HPMC, the medical center’s president and CEO indicated to media outlets that the attack was random, though Brian Barrett, writing for Wired, questioned that assertion.

The medical center’s announcement of the resolution of the incident indicates that there is no evidence that patient or employee information was accessed by the hackers as part of the attack. Even if the data was not compromised, the attack led to enormous hassles at the hospital, returning it to a pre-electronic record-keeping system. Continue Reading Hollywood Presbyterian Concedes to Hacker’s Demands in Ransomware Attack

The Federal Trade Commission (FTC) recently submitted comments to Virginia and Tennessee regarding proposed laws in each state relating to Cooperative Agreements between hospitals and the granting of Certificates of Public Advantage (COPA). This continues the FTC’s active monitoring of state regulations potentially affecting competition in the health care market. In response to the states’ calls for public comments, the FTC reiterated its long-standing position that legislation purporting to grant antitrust immunity is unnecessary to encourage pro-competitive collaborations among health care providers.

The regulations under consideration in each state grant the state health departments authority to approve applications for consolidation of assets between hospitals by merger or other combination if the benefits of such Cooperative Agreement outweigh the disadvantages likely to result from a reduction of competition. The FTC highlighted in its comments that the factors to be considered by the health departments in weighing the potential benefits and harms from proposed Cooperative Agreements are already considered by the FTC when it reviews proposed hospital and health care provider mergers. The FTC asserted that it has significant expertise and experience in evaluating such mergers, and it has the ability to devote significant resources to fully investigate and analyze the potential competitive impact of such transactions. Continue Reading FTC Submits Public Comments to States Considering Regulations of Cooperative Agreements Between Hospitals