Posted by J. Nicole Martin
on July 09, 2014
Telemedicine
Recently, the American Medical Association (AMA) released a report on telemedicine (Report) that, among other things, (i) outlines coverage and payment rules; (ii) summarizes various specialty society practice guidelines/position statements; and (iii) presents its own position and recommendations regarding the role of telemedicine in the provision of health care. The Report provides a current overview of barriers (e.g., reimbursement and licensure) that prevent further implementation of telemedicine in the provision of health care in our society, and it also emphasizes the importance of ensuring quality of care, patient safety, and coordination of care. The AMA’s publication of this Report will hopefully continue the important dialogue regarding the promise of telemedicine.
Look for an upcoming, more detailed client alert analyzing this Report, other updates concerning telemedicine, and the general role of telemedicine in our healthcare system.
Tags: AMA, American Medical Association, e-prescribing, licensure, patient safety, quality of care, reimbursement
Posted by J. Nicole Martin
on July 02, 2014
Pennsylvania Department of Health
The Pennsylvania Department of Health (“DOH”) Bureau of Laboratories (“Bureau”) recently announced that it will begin to phase-in enforcement of Act 122, which amended the Pennsylvania Clinical Laboratory Act (“Lab Act”), even though Act 122 became effective on December 18, 2013. The Bureau also issued additional guidance regarding Act 122 in its Frequently Asked Questions, Volume 1 and Volume 2 (“FAQs”).
According to its Senate Co-Sponsorship Memoranda, the purpose of Act 122 was to: (1) prohibit the “placing of phlebotomists or specimen collectors in physician and other health care provider offices in the Commonwealth;” and (2) afford Pennsylvania laboratories “the ability to compete on a level playing field with out-of-state labs” that had been able to place staff in providers’ offices “without fear of sanction.” However, the broad language of Act 122 will also affect laboratories’ ability to collect specimens from skilled nursing facilities (“SNFs”).
Tags: AKS, anti-kickback, clinical laboratory, fair market value, FMV, phlebotomy, SNF
Posted by J. Nicole Martin
on June 10, 2014
FTC, HIPAA
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is not the only government arm that takes enforcement action over data breaches. The Federal Trade Commission (FTC) has broad authority to regulate the security of consumer information and to hold companies liable for failing to use adequate data security practices. In August 2013, the FTC targeted LabMD, a medical testing laboratory that maintains personal financial and health information for nearly one million consumers. The FTC alleged that LabMD failed to “provide reasonable and appropriate security for personal information on its computer networks,” which resulted in the data of thousands of consumers leaking onto the peer-to-peer file-sharing network LimeWire and into the black market, in the hands of illegal data brokers.
Until recently the FTC enforced its breach authority under the FTC Act without pushback, so a company facing allegations would simply settle. However, LabMD became the second company to challenge the FTC’s enforcement of data breaches (a hotel chain company was the first to challenge the FTC’s authority). LabMD attempted to stop the investigation by filing appeals with the federal district and appellate courts and with the FTC. The appeals rested primarily on two arguments: (i) the FTC does not have the statutory authority to set data security standards for companies; and (ii) LabMD is already subject to OCR’s enforcement authority under HIPAA’s security regulations, so it should not also be subject to the FTC’s enforcement authority.
Despite LabMD’s best efforts, two Eleventh Circuit judges refused to intervene before the FTC issued its final order, the FTC rejected LabMD’s motion to dismiss, and the administrative proceedings moved forward. LabMD nonetheless continues to fight back. Recently, LabMD filed a further motion to dismiss with the FTC, contending that the FTC had not proven that the data breach caused injury; specifically, that the FTC presented no evidence of substantial harm, or the likelihood of substantial harm, to consumers as a result of the breach.
During trial, Michael Daugherty, CEO of LabMD, testified that the effect of the FTC’s allegations and subsequent probe has placed the company in a “very deep coma” and that he “can’t understate how damaging and confusing and sideswiping [the matter is] to the attitude, energy and morale of [LabMD’s] management staff.”
Interestingly, the trial has been on recess since May 30 when the administrative law judge delayed the proceeding until June 12 in response to an announcement that the House Committee on Oversight and Government Reform was investigating Tiversa Inc., the cyber-intelligence firm that played a central role in the FTC’s case against LabMD. In a separate lawsuit, LabMD is alleging that Tiversa provided the FTC with patient information files that it stole from LabMD.
When trial resumes on June 12, the focus will remain on whether the data security standards LabMD used to protect consumers’ personal information were reasonable. It will be interesting to see whether developments from the Tiversa investigation affect the outcome of the trial. For more information about this proceeding, go to the FTC website.
Practice Tip: Ensure that your security policies and procedures are actually implemented and followed in accordance with the HIPAA Security Rule. Written policies that are not practiced do not count as safeguards, and inadequate safeguards may lead to enforcement actions by both OCR and the FTC.
Tags: breach, ePHI, file sharing, HHS, OCR, peer-to-peer, risk assessment, safeguards, security practices, unfair act or practice
Posted by J. Nicole Martin
on June 09, 2014
Federal Trade Commission, FTC, HIPAA
A report recently released by the Federal Trade Commission (FTC) concludes that data brokers currently operate so far below the radar screen that most consumers are unable to exercise any real control over the collection and use of their personal information. In addition to shedding light on the data broker marketplace and its practices, the report also provides recommendations to Congress about legislation that could better protect consumers and begin to regulate this poorly understood industry.
Data Brokers: A Call for Transparency and Accountability is based on an in-depth study of nine leading data brokers, companies that collect consumers’ personal information and resell or share that information with others in the form of marketing, risk management, or people search products. Combined, data brokers currently collect and store billions of bits of data about nearly every consumer in the United States. According to the FTC, “Because few consumers know about the existence of data brokers, meaningful notice from the data source provides an important opportunity for consumers to learn that their data is shared with data brokers and how to exercise control over the use of their data.”
In order to promote transparency, the Commission recommended that Congress consider legislation:
– Enabling consumers to easily identify which data brokers may have data about them and where they should go to access such information and exercise opt-out rights.
– Requiring data brokers to clearly disclose to consumers that they use not only raw data (such as a person’s name, address, age, and income range), but also data they derive from that information.
– Requiring data brokers to disclose the names and/or categories of their sources of data, so that consumers are better able to determine whether they need to correct their data with an original public record source, and requiring data brokers to allow consumers to correct erroneous information in the brokers’ private databases.
– Mandating that consumer-facing entities provide a prominent notice to consumers that they share consumer data with data brokers, and provide consumers with choices about the use of their data, such as the ability to opt out of sharing their information with data brokers.
More generally, the Commission called on the data broker industry to adopt several best practices:
– Implement privacy-by-design, considering privacy issues at every stage of product development.
– Refrain from collecting information from children and teens, particularly in marketing products.
– Take reasonable precautions to ensure that downstream users of their data do not use it for eligibility determinations or for unlawful discriminatory purposes.
Cozen O’Connor’s Health Law Informer will continue to monitor Congress and the data broker industry’s response to the FTC report.
Tags: breach, Congress, Data Brokers, opt-out rights, Privacy-by-design, transparency
Posted by J. Nicole Martin
on June 05, 2014
HHS, OIG
In May, within a week of the Office of Inspector General of the Department of Health and Human Services (OIG) releasing a proposed rule to expand its exclusion authority, the agency also released a proposed rule (Rule) expanding its authority to impose civil monetary penalties (CMPs). OIG anticipates that “CMP collections may increase in the future in light of the new CMP authorities and other changes proposed in this [R]ule.” Over the last decade, OIG has collected more than $165 million in CMPs (between $10.2 million and $26.2 million per year).
Health care providers, suppliers and related institutions should pay particular attention to five proposed key changes:
(1) The focus on an expansion in the range of conduct for which OIG could assess CMPs to include: failing to provide OIG timely access to documents, ordering or prescribing medication or services while excluded from participation in federal health care programs, making false statements on enrollment applications to participate in federal health care programs, failing to report and return known overpayments, and making or using a false statement that is material to a false or fraudulent claim.
(2) Interpretation of the penalty as a per day penalty—for example, up to $10,000 for each day a person fails to report and return an overpayment.
(3) Imposition of CMPs on Medicare Advantage and Medicare Part D organizations if any of their employees or contractors engaged in fraudulent activity. This broadens the general liability of these organizations for misconduct to include their contracted providers or suppliers, employees and agents. Medicare Advantage and Part D organizations would also face CMPs if they enroll an individual without the consent of that individual (or his or her designee); transfer an enrollee to another plan without the enrollee’s (or his or her designee’s) consent; transfer an enrollee in order to earn a commission; fail to comply with marketing restrictions; or employ or contract with any person who engages in prohibited conduct.
(4) Revision to the current structure of 42 C.F.R. Part 1003 because it is “cumbersome and potentially confusing for the reader” in order to “add clarity and improve transparency in OIG’s decision-making processes.” The bases for CMP assessments would be grouped into subsections by subject matter. OIG would provide a single list of factors to be considered when determining the amount of a CMP to include: the nature and circumstances of the violation, the degree of culpability of the person, the history of prior offenses, other wrongful conduct, and other matters as justice may require.
(5) An increase of the claims-mitigating factor from $1,000 to $5,000. The claims-mitigating factor acts as a threshold to help OIG determine the severity of a program violation. OIG believes that the $1,000 threshold is “lower than appropriate . . . given the changes in the costs of health care since this regulation was last updated in 2002.”
Other notable proposed changes include: the addition of a mitigating factor for “appropriate and timely corrective action” taken by a person under OIG’s Self-Disclosure Protocol; clarification that a single aggravating circumstance may result in the maximum allowed penalty, assessment, or exclusion; and the delegation of authority from the Secretary of the Department of Health and Human Services to OIG at Part 1003.150.
Comments to the Rule are due by July 11, 2014.
Tags: assessment, claims-mitigation factor, CMP, CMP authority, corrective action, defraud, exclusion, false statements, federal health care program, medicaid, medicare, overpayments, penalty, self-disclosure protocol
Posted by J. Nicole Martin
on June 05, 2014
ACA, Affordable Care Act, HHS, OIG
In May, the Office of Inspector General of the Department of Health and Human Services (OIG) proposed a new rule (Rule) that would implement changes included in the ACA. The Rule would expand OIG’s authority to exclude individuals and entities from participation in federal health care programs, among other changes.
The Rule would build on OIG’s existing authority, but enable the agency to impose penalties for a broader array of conduct. OIG currently has the authority to exclude individuals and entities deemed “untrustworthy” from participation in federal health care programs. Certain bases for exclusion require OIG to impose a mandatory exclusion period of at least five years. Other bases allow OIG broad discretion to determine whether to impose an exclusion and for how long.
The Rule includes three proposed new bases for permissive exclusion: (1) conviction related to the obstruction of an audit; (2) failure to supply payment information for items or services; and (3) making, or causing to be made, false statements, omissions, or misrepresentations of material facts in an application to participate in a federal health care program.
In addition, the Rule would give OIG the power to issue testimonial subpoenas during exclusion investigations, and remove any statute of limitations on exclusion actions stemming from false claims proceedings. The proposed removal of the statute of limitations would give the authority to impose exclusions at any time, even when the exclusion is due to violations of another statute that might have a specified time limit. OIG considered but did not finalize a similar provision in 2002. The Rule also includes a proposition to modify exclusion reinstatement rules such that individuals excluded as a result of losing their licenses could rejoin the federal health care programs earlier if they meet certain criteria.
Comments to the Rule are due on July 8, 2014.
Tags: audit, exclusion authority, federal health care program, Fraud and Abuse, investigation, mandatory exclusion, permissive exclusion, statute of limitations
Posted by J. Nicole Martin
on May 28, 2014
HIPAA
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) settled for the collective amount of $1,975,220 with Concentra Health Services (Concentra) and QCA Health Plan, Inc. (QCA). The settlements stem from OCR investigations in 2011 and 2012 related to each of the companies reporting a single stolen laptop; Concentra also had a laptop stolen in 2009.
In its press release, HHS stated that its further investigation of Concentra found that, before the most recent laptop theft, Concentra already knew that not all of its laptops, desktop computers, medical equipment, tablets and other devices containing ePHI were encrypted. Despite identifying this in the risk analyses it had conducted, Concentra failed to remedy the critical risk and did not encrypt all of the devices. OCR also found that Concentra had insufficient security management processes. OCR’s investigation of QCA revealed that, in addition to the unencrypted laptop, QCA had failed to comply with numerous HIPAA privacy and security requirements for several years.
Susan McAndrew, OCR’s Deputy Director of Health Information Privacy, reiterated the significance of encryption and the obligation of covered entities and business associates to adequately secure mobile devices when she stated that OCR’s message to covered entities and business associates is simple: “encryption is your best defense against these incidents.” Ms. McAndrew’s statement is significant because it shifts away from the view that, although security is an obligation, encryption itself is not required under the HIPAA Security Rule. Strictly, encryption of ePHI at rest remains an “addressable” rather than a “required” implementation specification under the Security Rule: a covered entity may forgo it only if it documents why encryption is not reasonable and appropriate and implements an equivalent alternative safeguard. In practice, for portable devices, there is rarely a defensible alternative, and in light of these two settlements and the Deputy Director’s commentary it is evident that OCR views encryption as an essential security safeguard for laptops, desktop computers, medical equipment, tablets and other mobile devices.
Concentra has agreed to pay HHS a monetary settlement of $1,725,220 and QCA has agreed to pay $250,000. Both entities have also agreed to undertake a corrective action plan (CAP), which includes risk analyses, development of risk management plans, policy and procedure revisions, staff training and certification of staff training. Concentra’s CAP contains more onerous requirements, including the continued submission of additional documents, reports and encryption status updates to HHS. Concentra’s CAP may be more extensive than QCA’s because Concentra already had a laptop containing ePHI stolen in 2009, and because it failed to remedy the encryption gap it discovered during the risk analyses it performed before the second laptop was stolen. OCR also noted that QCA did encrypt its devices after the laptop was stolen and it discovered the breach.
For more information about the settlements and the CAPs, see the Concentra Resolution Agreement and the QCA Resolution Agreement.
Practice Tip: Audit your encryption policies and practices for all devices that store ePHI, and verify, device by device, that each laptop, desktop, tablet and piece of medical equipment is actually encrypted rather than merely covered by a policy. A risk analysis that identifies unencrypted devices and is then left unaddressed, as in Concentra’s case, is worse evidence than no analysis at all.
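The verification step in the tip above is mechanical and worth automating. The following is an added example written for this page, not code from the blog post, from OCR or from either settling party. It assumes Linux hosts whose block-device layout is collected with `lsblk -J -o NAME,TYPE,MOUNTPOINT` (JSON output), and flags every mounted filesystem that does not sit on top of a dm-crypt (`"type": "crypt"`) layer. The two inventory samples are constructed, not real fleet data; the host names and the `allow` list of mountpoints that are normally left unencrypted (`/boot`, the EFI partition) are assumptions.

```python
"""Flag mounted filesystems that are not backed by an encrypted block device.

Added example, not part of the original post. Parses the JSON printed by
`lsblk -J -o NAME,TYPE,MOUNTPOINT` on Linux; the samples below are constructed.
"""
import json
from typing import Dict, List, Tuple

# Constructed sample: one laptop with LUKS-encrypted root/home and an
# unencrypted second disk holding patient data (the finding we want to catch).
SAMPLE_LAPTOP_WITH_GAP = json.dumps({"blockdevices": [
    {"name": "nvme0n1", "type": "disk", "mountpoint": None, "children": [
        {"name": "nvme0n1p1", "type": "part", "mountpoint": "/boot/efi"},
        {"name": "nvme0n1p2", "type": "part", "mountpoint": None, "children": [
            {"name": "cryptroot", "type": "crypt", "mountpoint": None, "children": [
                {"name": "vg-root", "type": "lvm", "mountpoint": "/"},
                {"name": "vg-home", "type": "lvm", "mountpoint": "/home"}]}]}]},
    {"name": "sdb", "type": "disk", "mountpoint": None, "children": [
        {"name": "sdb1", "type": "part", "mountpoint": "/data/ephi"}]}]})

# Constructed sample: a host where every data filesystem is under dm-crypt.
SAMPLE_LAPTOP_OK = json.dumps({"blockdevices": [
    {"name": "sda", "type": "disk", "mountpoint": None, "children": [
        {"name": "sda1", "type": "part", "mountpoint": "/boot"},
        {"name": "sda2", "type": "part", "mountpoint": None, "children": [
            {"name": "luks-data", "type": "crypt", "mountpoint": "/"}]}]}]})

# Mountpoints that are conventionally unencrypted and hold no ePHI (assumption).
DEFAULT_ALLOW: Tuple[str, ...] = ("/boot", "/boot/efi", "[SWAP]")


def mount_encryption_status(lsblk_json: str) -> Dict[str, bool]:
    """Map each mountpoint to True if some ancestor (or itself) is a crypt device."""
    tree = json.loads(lsblk_json)
    status: Dict[str, bool] = {}

    def walk(node: dict, under_crypt: bool) -> None:
        # Encryption is inherited: anything stacked on a crypt layer is encrypted.
        encrypted = under_crypt or node.get("type") == "crypt"
        mountpoint = node.get("mountpoint")
        if mountpoint:
            status[mountpoint] = encrypted
        for child in node.get("children", []):
            walk(child, encrypted)

    for device in tree["blockdevices"]:
        walk(device, False)
    return status


def unencrypted_mounts(lsblk_json: str,
                       allow: Tuple[str, ...] = DEFAULT_ALLOW) -> List[str]:
    """Mountpoints that are not encrypted and not on the allow list, sorted."""
    return sorted(mp for mp, enc in mount_encryption_status(lsblk_json).items()
                  if not enc and mp not in allow)


def fleet_findings(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """hostname -> unencrypted mountpoints, only for hosts with at least one finding.

    `inventory` maps a hostname to that host's raw `lsblk -J` output; an empty
    result means the fleet is fully encrypted (apart from the allow list).
    """
    findings = {host: unencrypted_mounts(raw) for host, raw in inventory.items()}
    return {host: mounts for host, mounts in findings.items() if mounts}


if __name__ == "__main__":
    # Hostnames are constructed for the example.
    report = fleet_findings({"lt-001": SAMPLE_LAPTOP_WITH_GAP,
                             "lt-002": SAMPLE_LAPTOP_OK})
    for host, mounts in report.items():
        print(f"{host}: unencrypted data filesystems -> {', '.join(mounts)}")
```

The output of `fleet_findings` is the artifact a risk analysis should produce and, more importantly, the list that must be empty before the analysis is closed; re-running it on a schedule turns the one-time finding OCR faulted Concentra for into a tracked remediation. Two caveats: a crypt layer proves encryption at rest, not that the key is protected (a passphrase-less auto-unlock defeats the point), and the check covers Linux only; on Windows the equivalent evidence comes from `manage-bde -status` or `Get-BitLockerVolume`, which report per-volume protection status rather than a device tree.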
Tags: breach, corrective action plan, encryption, ePHI, HHS, OCR, risk assessment, Security Rule, self-disclosure, self-report, technical safeguards
Posted by J. Nicole Martin
on May 23, 2014
HIPAA
In the largest HIPAA enforcement action to date, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) extracted $4.8 million from two leading New York institutions, New York-Presbyterian Hospital (NYP) and Columbia University (CU), despite NYP’s and CU’s self-disclosure of the breach. OCR charged NYP and CU jointly with failing to secure the electronic protected health information (ePHI) of 6,800 patients, which resulted in a 2010 breach. NYP and CU did not learn of the breach until a complaint was filed by a representative of a deceased former NYP patient whose ePHI was found on the Internet. The exposed patient data included patient status, vital signs, medications and laboratory results.
Larger, more frequent fines may be the new normal as OCR launches its major new audit program. In its press release, HHS wrote that “neither entity had conducted an accurate and thorough risk analysis that identified all systems that access NYP ePHI. As a result, neither entity had developed an adequate risk management plan that addressed the potential threats and hazards to the security of ePHI.” OCR has made clear that risk assessment will be a priority in the upcoming audits. OCR will not be satisfied with “glossy” HIPAA policies and procedures if they are not followed in practice.
To make the point even more explicit, Christina Heide, Acting Deputy Director of Health Information Privacy for OCR, said, “Our cases against NYP and CU should remind health care organizations of the need to make data security central to how they manage their information systems.”
OCR’s investigation began after NYP and CU self-disclosed an inadvertent leakage of certain ePHI to Internet search engines when a computer server was errantly reconfigured. The source of the breach was a CU physician who had tried to deactivate a personally owned computer server, connected to the shared network, that held information on hospital patients. NYP and CU had not implemented technical safeguards governing the deactivation of servers, so the attempted deactivation left the ePHI reachable from the Internet, where search engines indexed it.
NYP has agreed to pay HHS a monetary settlement of $3.3 million and CU has agreed to pay $1.5 million. Both entities have also agreed to each undertake a substantive corrective action plan (CAP), which includes a risk analysis, development of a risk management plan, policy and procedure revisions, staff training and regular progress reports. For more information about the settlements and the CAPs, see the NYP Resolution Agreement and the CU Resolution Agreement.
HIPAA Practice Tip: Now is the time to ensure that your HIPAA policies and procedures are being implemented and followed.
Tags: breach, corrective action plan, ePHI, HHS, OCR, risk assessment, Security Rule, self-disclosure, self-report, technical safeguards