Posted by Chris Raphaely
on September 22, 2015
Earlier this month, the Deputy Attorney General of the Department of Justice (“DOJ”) released a memorandum (“Guidance”) setting forth six key steps to which DOJ attorneys should adhere in the investigation of corporate misconduct. At the same time, the Guidance underscores the importance of having corporate compliance policies and procedures that stress individual accountability and provides critical information for any organization that finds itself under investigation by the DOJ.
The overarching theme of the Guidance is that every act of a corporation or other organization is carried out by one or more individuals and that by focusing on individual conduct and holding specific individuals accountable for corporate misconduct when it is found to have occurred, the DOJ will investigate and combat corporate wrongdoing more effectively. The six key steps contained in the Guidance are as follows:
- “to qualify for any cooperation credit, corporations must provide to the [DOJ] all relevant facts relating to the individuals responsible for the misconduct;
- criminal and civil corporate investigations should focus on individuals from the inception of the investigation;
- criminal and civil attorneys handling corporate investigations should be in routine communication with one another;
- absent extraordinary circumstances or approved departmental policy, the [DOJ] will not release culpable individuals from civil or criminal liability when resolving a matter with a corporation;
- [DOJ] attorneys should not resolve matters with a corporation without a clear plan to resolve related individual cases, and should memorialize any declinations as to individuals in such cases; and
- civil attorneys should consistently focus on individuals as well as the company and evaluate whether to bring suit against an individual based on considerations beyond that individual’s ability to pay.”
The Guidance will apply to matters that are pending as of September 9, 2015 as well as all future DOJ investigations of corporate wrongdoing.
For more information on this Guidance, contact Chris Raphaely, Nicole Martin, or any member of Cozen O’Connor’s Healthcare law team.
Posted by Chris Raphaely
on September 14, 2015
Updated requirements for hospitals to maintain their tax-exempt status under Section 501(r) of the Internal Revenue Code are nothing new. They were enacted as part of the Affordable Care Act in 2010. However, at the end of 2014, the IRS issued a final rule (“Final Rule”) interpreting, clarifying and updating these requirements. As we’ve seen before with other enforcement agencies, after passing final regulations, it is expected that the IRS will devote more attention to enforcement and be more exacting when it measures compliance.
Hospitals will be subject to the Final Rule beginning with tax years starting after December 29, 2015. Prior to such time “reasonable, good faith interpretations” of the 501(r) requirements will suffice, but thereafter strict compliance with the specific terms of the Final Rule, which contain several changes from the proposed rule, will be required. Consequently, now is an opportune time for hospitals to take what is likely to be at least a second look at 501(r) compliance in the last four or five years.
Briefly, the significant changes under the Final Rule involve the following:
- Translation requirements for financial assistance policies (FAPs), as well as the FAP applications and FAP summaries;
- Rules regarding application of the requirements to partnership that operate hospitals;
- FAP eligibility determinations;
- Notices regarding potential extraordinary collection actions;
- Contractual provisions for transactions involving the sale or third-party collection of hospital receivables; and
- Changes to methodologies used to determine “amounts generally billed”, which are the 501(r) imposed limits on the amounts individuals qualifying for financial assistance can be billed for emergency care or other medically necessary care.
For more information on these important requirements, contact Chris Raphaely, Nicole Martin, or any member of Cozen O’Connor’s Healthcare law team.
Posted by J. Nicole Martin
on September 03, 2015
In August 2012, a Physician Group—comprising of nearly 20 physicians—reported its HIPAA breach to HHS, which resulted from a laptop bag containing the employee’s laptop and a computer server backup being stolen from an employee’s car in July 2012. According to the Resolution Agreement between HHS and the Physician Group, the laptop did not contain ePHI, but the portable, unencrypted server backup in the employee’s bag did. The backup contained ePHI for 55,000 individuals. To settle this matter, the Physician Group has agreed to pay $750,000.
Although stolen laptops and lack of encryption is nothing new in the world of HIPAA breaches, this situation stands out for a few reasons:
- The Physician Group did not conduct “an accurate and thorough” risk assessment;
- The significance of encryption extends not only to desktop computers and laptops, but also to portable devices, including but not limited to computer server backups; and
- This is a notable fine for a Physician Group of less than 20 physicians.
For more information regarding this incident and HIPAA compliance, including the importance of encryption and risk assessments, contact J. Nicole Martin or any member of Cozen O’Connor’s healthcare law team.