In the wake of recent gun violence and in a concerted effort to protect public safety, the Department of Health and Human Services (HHS) released a final rule published in the Federal Register January 6, 2016, that modifies the HIPAA Privacy Rule to expressly permit certain HIPAA covered entities to disclose to the National Instant Criminal Background Check System (NICS) the identities of persons who are subject to a Federal “mental health prohibitor” that would prevent such individuals from possessing a firearm (“Final Rule”). The covered entities are those that have “lawful authority to make the adjudications or commitment decisions that make individuals subject to the Federal mental health prohibitor, or that serve as repositories of NICS reporting purposes.”

The Final Rule, which will appear at 42 C.F.R § 164.512(k)(7), adopted what HHS had initially proposed in April 2013 in its proposed rule. The purpose of the Final Rule is to afford the NICS with the ability to identify individuals subject to this prohibitor for the purpose of disqualifying them from shipping, transporting, possessing or receiving a firearm. Individuals subject to the Federal mental health prohibitor include those who have been involuntarily committed to a mental health institution, found incompetent to stand trial or not guilty by reason of insanity, or have been determined by a court or other lawful authority to be a danger to themselves or others or being unable to manage their own affairs. The disclosures to the NICS will be restricted to limited demographic and other information required by the NICS. Further, the Final Rule specifically prohibits the disclosure of any diagnostic or clinical information and “any mental health information beyond the indication that the individual is subject to the Federal mental health prohibitor.”

Importantly, the Final Rule’s express permission to disclose/report is narrowly tailored. Specifically, it does not extend to covered entities permission to report to the NICS the protected health information of individuals who are subject to the State-only mental health prohibitors. Additionally, the permission is not extended to “most treating providers”, which emphasizes HHS’ intention to protect the privacy of the patient-provider relationship.

A key tension at the heart of the gun control issue for years has been how to adequately protect individual privacy, in particular, mental health information, and maintain public safety. Not surprisingly, the Final Rule’s publication comes at a time of heightened tension between these issues, and President Obama announced yesterday that under his executive actions on guns, the administration will, among other actions, seek to expand mandatory background checks for certain private gun sales.

The Final Rule is effective February 5, 2016, 30 days from its publication in the Federal Register. To learn more about reporting under the Final Rule and the amended HIPAA regulation, please contact Greg Fliszar, J. Nicole Martin or any member of Cozen O’Connor’s Health Care team.

Last June we wrote about the FTC’s enforcement action against LabMD, a medical testing laboratory, which was forced to wind down its business because of the costs associated with challenging the FTC since 2013. Using its broad enforcement authority under Section 5 of the FTC Act, the FTC alleged that LabMD failed to “provide reasonable and appropriate security for personal information on its computer networks,” which the FTC claimed lead to the data of thousands of consumers being leaked.

On November 13, 2015, Chief Administrative Law Judge D. Michael Chappell ruled in favor of LabMD, dismissing the FTC’s complaint because the FTC “fail[ed] to prove that [LabMD’s] alleged unreasonable data security caused, or is likely to cause, substantial consumer injury, as required by Section 5(n) of the FTC Act, [LabMD’s] alleged unreasonable data security cannot properly be declared an unfair act or practice in violation of Section 5(a) of the FTC Act.” Notably, Judge Chappell concluded that Continue reading…

Earlier this month, the Deputy Attorney General of the Department of Justice (“DOJ”) released a memorandum (“Guidance”) setting forth six key steps to which DOJ attorneys should adhere in the investigation of corporate misconduct. At the same time, the Guidance underscores the importance of having corporate compliance policies and procedures that stress individual accountability and provides critical information for any organization that finds itself under investigation by the DOJ.

The overarching theme of the Guidance is that every act of a corporation or other organization is carried out by one or more individuals and that by focusing on individual conduct and holding specific individuals accountable for corporate misconduct when it is found to have occurred, the DOJ will investigate and combat corporate wrongdoing more effectively.  The six key steps contained in the Guidance are as follows:

• “to qualify for any cooperation credit, corporations must provide to the [DOJ] all relevant facts relating to the individuals responsible for the misconduct;

• criminal and civil corporate investigations should focus on individuals from the inception of the investigation;

• criminal and civil attorneys handling corporate investigations should be in routine communication with one another;

• absent extraordinary circumstances or approved departmental policy, the [DOJ] will not release culpable individuals from civil or criminal liability when resolving a matter with a corporation;

• [DOJ] attorneys should not resolve matters with a corporation without a clear plan to resolve related individual cases, and should memorialize any declinations as to individuals in such cases; and

• civil attorneys should consistently focus on individuals as well as the company and evaluate whether to bring suit against an individual based on considerations beyond that individual’s ability to pay.”

The Guidance will apply to matters that are pending as of September 9, 2015 as well as all future DOJ investigations of corporate wrongdoing.

For more information on this Guidance, contact Chris Raphaely, Nicole Martin, or any member of Cozen O’Connor’s Healthcare law team.

Updated requirements for hospitals to maintain their tax-exempt status under Section 501(r) of the Internal Revenue Code are nothing new. They were enacted as part of the Affordable Care Act in 2010. However, at the end of 2014, the IRS issued a final rule (“Final Rule”) interpreting, clarifying and updating these requirements. As we’ve seen before with other enforcement agencies, after passing final regulations, it is expected that the IRS will devote more attention to enforcement and be more exacting when it measures compliance.

Hospitals will be subject to the Final Rule beginning with tax years starting after December 29, 2015. Prior to such time “reasonable, good faith interpretations” of the 501(r) requirements will suffice, but thereafter strict compliance with the specific terms of the Final Rule, which contain several changes from the proposed rule, will be required. Consequently, now is an opportune time for hospitals to take what is likely to be at least a second look at 501(r) compliance in the last four or five years.

Briefly, the significant changes under the Final Rule involve the following:

• Translation requirements for financial assistance policies (FAPs), as well as the FAP applications and FAP summaries;

• Rules regarding application of the requirements to partnership that operate hospitals;

• FAP eligibility determinations;

• Notices regarding potential extraordinary collection actions;

• Contractual provisions for transactions involving the sale or third-party collection of hospital receivables; and

• Changes to methodologies used to determine “amounts generally billed”, which are the 501(r) imposed limits on the amounts individuals qualifying for financial assistance can be billed for emergency care or other medically necessary care.

For more information on these important requirements, contact Chris Raphaely, Nicole Martin, or any member of Cozen O’Connor’s Healthcare law team.

In August 2012, a Physician Group—comprising of nearly 20 physicians—reported its HIPAA breach to HHS, which resulted from a laptop bag containing the employee’s laptop and a computer server backup being stolen from an employee’s car in July 2012. According to the Resolution Agreement between HHS and the Physician Group, the laptop did not contain ePHI, but the portable, unencrypted server backup in the employee’s bag did. The backup contained ePHI for 55,000 individuals. To settle this matter, the Physician Group has agreed to pay $750,000.

Although stolen laptops and lack of encryption is nothing new in the world of HIPAA breaches, this situation stands out for a few reasons:

•  The Physician Group did not conduct “an accurate and thorough” risk assessment;
•  The significance of encryption extends not only to desktop computers and laptops, but also to portable devices, including but not limited to computer server backups; and
• This is a notable fine for a Physician Group of less than 20 physicians.

For more information regarding this incident and HIPAA compliance, including the importance of encryption and risk assessments, contact J. Nicole Martin or any member of Cozen O’Connor’s healthcare law team.

On July 7, 2015, U.S. Reps. Mike Thompson, Gregg Harper, Diane Black, and Peter Welch announced the introduction of a new version of the July 2014 telehealth legislation (H.R. 5380) called the Medicare Telehealth Parity Act of 2015 (H.R. 2948) (the “Act”). The Act has already been referred to each of the House Energy and Commerce Committee and the House Committee on Ways and Means.

According to Congressman Thompson’s press release, this Act would phase in and expand upon existing telehealth services under Medicare, by, among other changes:

• Removing the geographic barriers under current law and allowing the provision of telehealth services in rural, underserved, and metropolitan areas;

• Expanding the list of providers and related covered service that are eligible to provide telehealth services to include respiratory therapists, physical therapists, occupational therapists, speech language pathologists, and audiologists;

• Allowing remote patient monitoring for patients with chronic conditions such as heart failure, chronic obstructive pulmonary disease, and diabetes; and

• Allowing the beneficiary’s home to serve as a site of care for home dialysis, hospice care, eligible outpatient mental health services, and home health services.

For quite some time reimbursement barriers prevented the expanded use of telehealth/telemedicine under Medicare beyond reimbursement for limited services, limited modes of telehealth, and the “originating site” restriction. Over the last few years, legislation expanding access and reimbursement under Medicare for telemedicine/telehealth services has been introduced, but never passed. This time could be different as the legislation has not only bipartisan support, but also the support of industry groups, including among others, the American Telemedicine Association and the American Heart Association. Stay tuned for additional updates regarding the Act. For further information, contact J. Nicole Martin or any member of Cozen O’Connor’s healthcare law team.

We wrote in late March about the U.S. House of Representatives passing SGR legislation intended to be a permanent cure to Medicare’s “doc fix” legislation. Yesterday evening, the Senate finally passed the SGR legislation to avoid a rate cut. Congress anticipates President Obama will sign the SGR legislation into law fairly quickly. Among other measures, the SGR legislation will amend Title XVIII of the Social Security Act, pertaining to Medicare, to:

• “remove sustainable growth rate (SGR) methodology from the determination of annual conversion factors in the formula for payment for physicians’ services; and
• revise the update in rates for 2015 and subsequent years.”

Notably, the SGR legislation extends the two-midnight Medicare rule through FY2015. The two-midnight Medicare rule only provides coverage for hospital stays when a beneficiary remains in a hospital over two midnights because the beneficiary requires care over this minimum period of time. Medicare generally denies coverage for care provided during shorter length hospital stays. The SGR legislation also extends the CHIP program through FY2017.

For further information contact Cozen O’Connor’s health care team.

In a historic bipartisan moment, the U.S. House of Representatives passed a nearly 300-page bill that is intended to “repeal the Medicare sustainable growth rate [“SGR”] and strengthen Medicare access by improving physician payments and making other improvements.” The legislation, titled the Medicare Access and CHIP Reauthorization Act of 2015, which is referred to as the Medicare “doc fix”, is the result of ongoing bipartisan efforts to resolve an unpopular physician reimbursement system that if not overridden each year would cut Medicare doctor’s pay by a notable percentage. The annual reimbursement cut would occur as required under the federal Balanced Budget Act of 1997 (the “BBA”), if not for the annual fixes set into motion by Congress. In a March 25, 2015 letter from the Congressional Budget Office (“CBO”) to House Speaker Boehner, the CBO explained that the BBA established the SGR formula “to ensure that real—that is, adjusted for inflation—spending per [Medicare] beneficiary for physicians’ services would grow on average at a rate of increase in gross domestic protect per capita minus the expected rate of increase in productivity for the economy as a whole.”

According to news outlets and press conferences, President Obama is ready to sign the bill once the Senate passes it. In the CBO’s letter to House Speaker Boehner, it estimated that this bill will increase:

• The federal budget deficits by $141 billion;
• Direct spending by approximately $145 billon; and
• Revenues by approximately $4 billion.

Under the Bill, Medicare’s payment rates for services on the physician fee schedule would increase by 0.5 percent a year for services furnished through 2019.  From 2019 through 2025 payments will remain the same but Medicare doctors will be eligible for merit-based bonus payments consistent with Medicare initiatives such as care models that shift away from fee for services.

Many expected the Bill to pass the Senate on Friday, March 27th but the Bill was not put up for a vote and Senate Minority Leader Harry Reid and Majority Leader Mitch McConnell said the bill will not get a vote until mid-April when the Senate returns from its recess.  CMS has provided notice that they will be able to hold payment for 14 calendar days to avoid a rate cut.

For further information contact Cozen O’Connor’s health care team.  We will continue to monitor and provide updates.

The FDA released draft guidelines (“Guidelines”) on Monday, March 9, 2015 establishing recommendations on the use of e-media and processes to obtain informed consent for clinical investigations (trials) of medical products including human drug and biological products, medical devices and combinations. The Guidelines provide useful insight for how the FDA recommends clinical investigators, sponsors and institutional review boards (“IRB”) should use e-informed consent for a clinical trial.

The FDA defines e-informed consent as “using electronic systems and processes that may employ multiple electronic media (e.g., text, graphics, audio, video, podcasts and interactive Web sites, biological recognition devices, and card readers) to convey information related to the study and to obtain and document informed consent.” The FDA reminds clinical investigators and sponsors that informed consent is more than just a subject’s signature.  Informed consent – whether completed electronically or in paper form – includes providing prospective clinical trial participants with enough information regarding the research to enable them to make an informed decision regarding whether to participate in the study. The subjects must have “adequate information” about the research.  Clinical investigators and sponsors may use video conferencing (i.e. Skype) to answer a subject’s questions about the clinical trial.

The Guidelines also include a question and answer section containing 14 inquires such as:

• How information in an e-informed consent should be presented to subjects;
• How/where e-informed consent processes should be conducted; and
• How/when questions from subjects should be answered.

Similar to CMS and states recognizing the authenticity of e-signatures, this guidance demonstrates the FDA’s desire to digitize health care and respond to the increased patient access to clinical trials in states passing “right-to-try” bills.  Right-to-try bills generally permit doctors and terminally ill patients to negotiate directly with drug companies to obtain experimental drugs that have passed Phase-I trials. Stay tuned for a forthcoming Health Law Informer blog announcing the FDA’s release of the e-informed consent final guidelines, which clinical investigators, sponsors and IRBs will want to consider implementing.

For further information contact the Cozen O’Connor’s health care team or the authors Ryan P. Blaney (Washington, DC) and J. Nicole Martin (Philadelphia, PA).

This month, Governor Chris Christie signed into law a New Jersey bill requiring health insurance carriers (e.g., insurance companies, health service corporations, hospital service corporations, medical service corporations, HMOs that issue health benefits plans in New Jersey) to encrypt or otherwise secure  computerized records of personal information (e.g., SSN, address, identifiable health information, driver’s license number) (“Bill”). The Bill provides an alternative to encryption if the carrier uses, a “method or technology rendering the information unreadable, undecipherable, or otherwise unusable by an unauthorized person.” However, password protection for computer programs, which is commonly used in the industry, is inadequate under the Bill if “the program only prevents general unauthorized access to the personal information, but does not render the information itself unreadable, undecipherable, or otherwise unusable by an unauthorized person operating, altering, deleting, or bypassing the password protection computer program.”

The Bill does not address the ramifications for insurance carriers that fail to adhere to its requirements. However, in a statement by the Bill’s sponsors, the lawmakers explained that health insurance carriers that violate the Bill would be subject to penalties under the New Jersey consumer fraud statute, such as a monetary penalty up to $10,000 for an initial offense, and no more than $20,000 for each subsequent offense(s). Lawmakers further explained that “a violation can result in cease and desist orders issued by the Attorney General and the awarding of treble damages and costs to the injured party.”

Interestingly, this Bill only applies to health insurance carriers and not to healthcare providers, such as hospitals or physician group practices. However, it is anticipated that New Jersey will follow the industry enforcement trend that although encryption is not technically required under HIPAA it is considered a “reasonable” technical safeguard and therefore becoming an industry standard best practice. The timing of the Bill is also interesting as President Obama and the Federal Government discuss potential Federal legislation on cybersecurity, student privacy, and a national breach standard.  Tune back in to the Health Law Informer for future blogs on these issues.