Heads-up! HIPAA Phase Two Audits Begin – Business Associates Included!

Posted by Gregory M. Fliszar on March 22, 2016
HHS, OCR

The Department of Health and Human Services (HHS) Office of Civil Rights (OCR) finally announced on March 21 that it is ready to begin Phase Two of its HIPAA audit program, which will include business associates. These audits, mandated by HITECH, will consist primarily of desk audits, scheduled for completion by the end of December 2016, followed by onsite audits.

OCR explained it will immediately commence Phase Two by verifying, via email, covered entities’ and business associates’ contact information. OCR is requesting timely responses so that it can send out pre-audit questionnaires to gather data from covered entities and business associates for the creation of potential audit subject pools. The data will relate to the entities’ size, type and operations. Should covered entities and business associates fail to respond to OCR’s requests, they may still be part of OCR’s potential subject pools, because OCR plans to compile publicly available information about covered entities and business associates that do not respond to its requests.

The first round of desk audits will focus on covered entities, and the second round will focus on business associates. The third round will be onsite audits, with a greater focus on the HIPAA requirements. OCR explains that some covered entities and business associates who are subject to desk audits may also be subject to onsite audits. According to OCR, all covered entities and business associates are eligible to be audited. The audits will focus on identifying compliance with specific privacy and security requirements under HIPAA/HITECH, and OCR will notify auditees by letter, regarding the subject(s) of their specific audits. On the HHS website, OCR provides a sample letter for review. Subsequent to the audits, OCR will review and analyze information from audit final reports.

Importantly, if an audit report uncovers significant noncompliance with HIPAA, it could prompt an investigation by OCR. The areas of interest for OCR in Phase Two will become clearer as the Phase Two audit program gets underway, but for now, we know OCR will focus on assessing covered entities’ and business associates’ HIPAA compliance, identifying best practices and discovering risks and vulnerabilities.

More information about the Phase Two audits is available here, and you can also contact Greg Fliszar, Ryan Blaney, J. Nicole Martin or another member of Cozen O’Connor’s Health Law team.


OCR Announces Two Significant HIPAA Breach Settlements

Posted by Gregory M. Fliszar on March 21, 2016
HHS, OCR

On consecutive days, the Office of Civil Rights (“OCR”) of the Department of Health and Human Services (“HHS”) recently announced two large HIPAA breach settlements. On March 16, 2016, OCR announced that it entered into a Resolution Agreement with North Memorial Health Care of Minnesota for $1.55 million plus a two-year corrective action plan. On March 17, 2016, OCR followed by announcing that Feinstein Institute for Medical Research, a New York biomedical research institute, agreed to pay OCR $3.9 million and enter into a three-year corrective action plan to settle potential HIPAA violations. Both cases resulted from the all too familiar scenario of breaches caused by stolen, unencrypted laptops.

In the Minnesota hospital breach, the unencrypted laptop containing the PHI of over 9,000 individuals was stolen from the locked car of an employee of a business associate of the hospital. According to the OCR’s investigation, the hospital failed to have a business associate agreement in place with that particular business associate. OCR also alleged that the hospital had not previously performed a risk analysis to identify and address potential risks and vulnerabilities to the ePHI it maintained, accessed or transmitted.

In the New York research corporation breach, OCR alleged that the institution did not have policies and procedures in place, including a policy on encryption and one that addressed use and access of electronic devices (e.g., the removal of the devices from the institution’s facility), nor did it have in place a security management process that sufficiently addressed potential security risks and vulnerabilities to ePHI, namely, its confidentiality, vulnerability or integrity. Notably, the stolen, unencrypted laptop contained the PHI of approximately 13,000 individuals.

As above, both OCR settlements also include multi-year corrective action plans requiring the hospital and the research institute to conduct risk analyses/assessments, train their employees, and have HIPAA-compliant policies and procedures in place. The Resolution Agreement for the Minnesota hospital breach is available here, and the Resolution Agreement for the New York research institute breach is available here.

Takeaways: The OCR’s 2016 breach enforcement is off to a very strong start with two high dollar settlements. Lessons learned from both breaches include the significance of encrypting electronic devices, conducting and updating on a regular basis security risk assessments and analyses, having adequate safeguards in place to protect PHI, having business associate agreements with all business associates, and having and implementing HIPAA policies and procedures to protect the security and privacy of PHI, including for example, policies related to encryption, authorized access to ePHI/PHI, and removal of electronic devices from facilities.

For more information, contact Greg Fliszar, J. Nicole Martin, or a member of Cozen O’Connor’s Health Law team.

Gun Control and HIPAA

Posted by J. Nicole Martin on January 06, 2016
HHS, OCR

In the wake of recent gun violence and in a concerted effort to protect public safety, the Department of Health and Human Services (HHS) released a final rule published in the Federal Register January 6, 2016, that modifies the HIPAA Privacy Rule to expressly permit certain HIPAA covered entities to disclose to the National Instant Criminal Background Check System (NICS) the identities of persons who are subject to a Federal “mental health prohibitor” that would prevent such individuals from possessing a firearm (“Final Rule”). The covered entities are those that have “lawful authority to make the adjudications or commitment decisions that make individuals subject to the Federal mental health prohibitor, or that serve as repositories of NICS reporting purposes.”

The Final Rule, which will appear at 42 C.F.R § 164.512(k)(7), adopted what HHS had initially proposed in April 2013 in its proposed rule. The purpose of the Final Rule is to afford the NICS with the ability to identify individuals subject to this prohibitor for the purpose of disqualifying them from shipping, transporting, possessing or receiving a firearm. Individuals subject to the Federal mental health prohibitor include those who have been involuntarily committed to a mental health institution, found incompetent to stand trial or not guilty by reason of insanity, or have been determined by a court or other lawful authority to be a danger to themselves or others or being unable to manage their own affairs. The disclosures to the NICS will be restricted to limited demographic and other information required by the NICS. Further, the Final Rule specifically prohibits the disclosure of any diagnostic or clinical information and “any mental health information beyond the indication that the individual is subject to the Federal mental health prohibitor.”

Importantly, the Final Rule’s express permission to disclose/report is narrowly tailored. Specifically, it does not extend to covered entities permission to report to the NICS the protected health information of individuals who are subject to the State-only mental health prohibitors. Additionally, the permission is not extended to “most treating providers”, which emphasizes HHS’ intention to protect the privacy of the patient-provider relationship.

A key tension at the heart of the gun control issue for years has been how to adequately protect individual privacy, in particular, mental health information, and maintain public safety. Not surprisingly, the Final Rule’s publication comes at a time of heightened tension between these issues, and President Obama announced yesterday that under his executive actions on guns, the administration will, among other actions, seek to expand mandatory background checks for certain private gun sales.

The Final Rule is effective February 5, 2016, 30 days from its publication in the Federal Register. To learn more about reporting under the Final Rule and the amended HIPAA regulation, please contact Greg Fliszar, J. Nicole Martin or any member of Cozen O’Connor’s Health Care team.


Physician Group to Pay $750,000 to Settle a HIPAA Violation

Posted by J. Nicole Martin on September 03, 2015
HHS, HIPAA, OCR

In August 2012, a Physician Group—comprising nearly 20 physicians—reported its HIPAA breach to HHS. The breach resulted from a laptop bag containing an employee’s laptop and a computer server backup being stolen from the employee’s car in July 2012. According to the Resolution Agreement between HHS and the Physician Group, the laptop did not contain ePHI, but the portable, unencrypted server backup in the employee’s bag did. The backup contained ePHI for 55,000 individuals. To settle this matter, the Physician Group has agreed to pay $750,000.

Although stolen laptops and a lack of encryption are nothing new in the world of HIPAA breaches, this situation stands out for a few reasons:

  • The Physician Group did not conduct “an accurate and thorough” risk assessment;
  • The significance of encryption extends not only to desktop computers and laptops, but also to portable devices, including but not limited to computer server backups; and
  • This is a notable fine for a Physician Group of less than 20 physicians.

For more information regarding this incident and HIPAA compliance, including the importance of encryption and risk assessments, contact J. Nicole Martin or any member of Cozen O’Connor’s healthcare law team.

Third Circuit Invalidates HHS’ Medicare Wage Index Reclassification Rule

Posted by Robert A. Chu on August 04, 2015
HHS, Hospital, Medicare

On July 23, 2015, the Third Circuit invalidated, as being contrary to the Medicare statute, the U.S. Department of Health and Human Services’ (HHS) Medicare wage index “reclassification rule,” 42 C.F.R. § 412.230(a)(5)(iii). That rule was designed to prevent (and did prevent) urban hospitals that had strategically reclassified as being rural from being reclassified again (based on their newly acquired rural status) to a particular urban area, to benefit from a higher Medicare standardized amount and wage index.

In Geisinger Community Medical Center v. Secretary United States Department of Health and Human Services, the hospital first reclassified, successfully, as a Section 401 hospital (i.e., an urban hospital that elects to be treated as rural). It then sought to reclassify, based on its newly acquired rural status, to the Allentown urban wage index area. The hospital estimated that such a reclassification would increase its Medicare reimbursements by approximately $2.6 million per year. The Allentown urban area is 27 miles from the hospital. To be reclassified to that area, the hospital had to rely on the relaxed 35 mile maximum distance applicable to rural hospitals; it would not qualify under the maximum 15 mile distance applicable to urban hospitals. The reclassification rule, however, prohibited Section 401 hospitals from reclassifying based on their acquired rural status.

The Third Circuit panel majority, under a Chevron Step One analysis, agreed with the hospital that HHS’ reclassification rule is unlawful. It specifically held that the statutory text of Section 401 unambiguously requires HHS, through broad and mandatory language, to treat Section 401 hospitals like hospitals that are actually located in rural areas. The reclassification rule, therefore, unlawfully prevented the Section 401 hospital from being considered as a rural hospital in its application to reclassify to a different wage index area.


Largest Criminal Health Care Fraud Takedown – 243 Charged and $712 Million in False Billings

Posted by Ryan Blaney on June 18, 2015
DOJ, FBI, Fraud and Abuse, HHS, Hospital, Medicare

On June 18, 2015, HHS Secretary Sylvia M. Burwell and DOJ Attorney General Loretta E. Lynch announced nationwide arrests in Medicare fraud schemes amounting to approximately $712 million in false billings. Attorney General Lynch described the strike as “the largest criminal health care fraud takedown in the history of the Department of Justice, and it adds to an already remarkable record of enforcement.”

According to the Department of Justice press release, the takedown was led by the Medicare Fraud Strike Force and resulted in 243 individuals, including 46 doctors, nurses and licensed medical professionals, being charged with Medicare fraud. The Strike Force targeted false billings for the following services:

  • Home Health
  • Psychotherapy
  • Physical and Occupational Therapy
  • DME
  • Pharmacy Fraud

The nationwide sweep included Florida, Texas, California, Louisiana, New York and Michigan. Miami was a particular focus, with 73 defendants charged and $263 million of false billings for home health, mental health and pharmacy services.

This nationwide sweep involved significant coordination between multiple government enforcement agencies and illustrates the government’s joint efforts to target health care fraud. Included in the press conference were FBI Director James B. Comey, Assistant Attorney General Leslie R. Caldwell of the Justice Department’s Criminal Division, Inspector General Daniel R. Levinson of the HHS Office of Inspector General (HHS-OIG) and Deputy Administrator and Director of CMS Center for Program Integrity Dr. Shantanu Agrawal.

Assistant Attorney General Caldwell spoke and emphasized the Criminal Division’s increased focus on Medicare fraud, stating, “Every day, the Criminal Division is more strategic in our approach to prosecuting Medicare Fraud. We obtain and analyze billing data in real-time. We target hot spots – areas of the country and the types of health care services where the billing data shows the potential for a high volume of fraud – and we are speeding up our investigations. By doing this, we are increasingly able to stop schemes at the developmental stage, and to prevent them from spreading to other parts of the country.”

For further information contact Ryan P. Blaney or any member of Cozen O’Connor’s health care team.


OCR Announces Another HIPAA Settlement and Warns Not to Forget About Paper Records

Posted by Gregory M. Fliszar on May 04, 2015
HHS, HIPAA, OCR

On April 27, 2015, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) announced that Cornell Prescription Pharmacy (“Cornell Pharmacy”) had entered into a resolution agreement to settle, without an admission of liability or wrongdoing, potential HIPAA violations. As part of the resolution agreement Cornell Pharmacy will pay $125,000 and enter into a two-year corrective action plan (“CAP”) focused on correcting the alleged deficiencies in its HIPAA compliance program.

Cornell Pharmacy is a small, single-store pharmacy located in Denver, Colorado, that specializes in compound medications and providing services for local hospice agencies. OCR began an investigation into the pharmacy after it received a media report from a Denver news agency that protected health information (“PHI”) belonging to Cornell Pharmacy had apparently been disposed of and found in an unlocked, publicly accessible dumpster. The documents were not shredded and contained the PHI of approximately 1,610 of Cornell Pharmacy’s patients. After conducting its investigation, OCR concluded that Cornell Pharmacy had failed to implement any written policies and procedures as required by HIPAA’s Privacy Rule, and had further failed to provide training on the Privacy Rule to its workforce members.

This settlement is instructive, as OCR again highlights the importance of having updated and comprehensive HIPAA policies and procedures in place, including policies on the proper disposal of PHI, and of training all staff on those policies and procedures. Further, in this year of massive cyber-attacks and other breaches of electronic data, this HIPAA settlement serves to remind covered entities and business associates not to forget about protecting their paper records as well. As stated by OCR in its press release, “Even in our increasingly electronic world, it is critical that policies and procedures be in place for secure disposal of patient information, whether that information is in electronic form or on paper.” As Cornell Pharmacy discovered, a breach or other improper disclosure of paper PHI can also result in significant consequences.

For further information please contact the author, Gregory M. Fliszar (Philadelphia, PA), or other members of Cozen O’Connor’s healthcare team.


Another Health Plan Hit By Massive CyberAttack and Class Actions Follow

Coming fresh off the heels of the Anthem data breach, Premera Blue Cross announced on March 17th that it was the victim of a “sophisticated” cyberattack that may have exposed the personal information of approximately 11 million of its members. Premera has approximately 6 million members residing in the State of Washington, 250,000 members residing in Oregon and 80,000 members residing in Alaska. Premera stated that the cyberattack began sometime in May of 2014 but was not discovered until the end of January 2015. According to Premera, the information exposed may include social security numbers, bank account information, and medical and financial information, including clinical information.

Three state insurance commissioners (Washington, Oregon and Alaska) have already launched a joint investigation and a market conduct examination of Premera related to the breach. The joint investigation will include on-site reviews of Premera’s financial books, records, transactions, and Premera’s cybersecurity. The Washington Insurance Commissioner has expressed concern over the length of time (approximately six weeks) it took for Premera to notify his office of the attack. Alaska’s governor ordered all state agencies to review their online security safeguards as well as those put in place by their business associates. Premera is also conducting an internal forensic investigation through a cybersecurity firm and is cooperating with the FBI in a criminal investigation.

Combined with the cyberattacks on Community Health Systems and Anthem, this is the third large attack on a member of the health care industry announced in the last seven months, and these three breaches may have collectively impacted approximately 95.5 million people. As these attacks illustrate, health information is now a high-priority target for cybercriminals. Currently a complete health record may be worth at least ten times more than credit card information on the black market, as health records often include a wealth of personal information that can be used for identity theft and to file false health insurance claims. Further, the data security protections currently in place in the health care industry tend to lag behind those in the banking and financial sector, which makes the information vulnerable to attack by those who view the valuable information as “low hanging fruit.”

Similar to the Anthem and Community Health Systems breaches, Premera was immediately hit by a proposed class action accusing Premera of negligence and inadequate security. The March 26, 2015 Complaint alleges that Premera breached its duty of care by failing to secure and safeguard the personal and health information of its members and by negligently maintaining a system that it knew was vulnerable to a security breach. The Complaint further alleges that Premera has a duty to secure and safeguard the personal health information of its members under HIPAA and that its failure to implement security and privacy safeguards was a violation of HIPAA. The Complaint also alleges violations of state consumer protection laws and data disclosure laws.

As evidenced by the Anthem and Premera breaches, a single security incident resulting in a data breach can have significant consequences for health care companies and business associates, including government investigations, class action lawsuits, and a hit to the organization’s reputation. To manage this risk, we encourage all companies handling health information to conduct comprehensive risk assessments and to create, review and update their data security policies and procedures to ensure that they are doing enough to adequately protect the health information maintained on their IT systems and elsewhere in their organization.


HHS Ups The Ante: Announces Percentages And Time Frames On Goals For Medicare Pay-For-Value Efforts

Posted by Chris Raphaely on January 27, 2015
Accountable Care Organizations, Affordable Care Act, CMS, HHS, Medicaid, Medicare

On January 26, 2015, the Secretary of the United States Department of Health and Human Services (“HHS”), Sylvia Mathews Burwell, announced two important goals for the Department:

  1. Increase the percentage of Medicare provider payments that are made through alternative payment models based on how well the providers care for patients, rather than the amount of care provided. The percentage goals for these alternative payment models are 30% by 2016 and 50% by 2018.
  2. Tie virtually all Medicare fee-for-service payments (85% in 2016 and 90% in 2018) to quality and value.

This announcement puts hard numbers on the goal of moving away from traditional fee-for-service Medicare payments, a goal that has been stated in general terms since at least 2010, when the Affordable Care Act was enacted. By clearly delineating specific figures for alternative payment models, such as accountable care organizations and bundled payment arrangements, from the figures for other payment methods, HHS has made it clear that providers should be thinking not just about different forms of payment but about different forms of organizations and relationships with other providers. Alternative payment models generally require coordination among different types of providers who may not otherwise be related to each other.

While the announced goals focus on the Medicare fee-for-service system, it is clear that HHS intends the impact of these goals to be far broader. Ms. Burwell also announced the creation of a Health Care Payment Learning and Action Network to facilitate a public-private sector partnership to “continue to build on our work with state Medicaid agencies, private payers, employers, consumers and other partners,” while welcoming the fact that “our partners in the private sector have the opportunity to be even more aggressive” in establishing alternative payment models and pay-for-value compensation systems. On the same day as Ms. Burwell’s announcement, the Centers for Medicare and Medicaid Services released a fact sheet stating that it is taking action with a goal to spend “our health dollars” more wisely, citing the importance of the goal for patients, families, providers, tax payers, employers, states and insurance companies, and making it clear that HHS and CMS fully intend to have their efforts to transform health care delivery and payment systems to reverberate well beyond the Medicare program.


CMS Releases Final Rule That Increases Difficulty of Medicare Enrollment

Posted by J. Nicole Martin on December 16, 2014
CMP, HHS, Medicaid, Medicare

In early December, CMS released a final rule that implements certain provider (i.e., Hospitals, SNFs, physicians, etc.) and supplier (i.e., DME companies, etc.) enrollment requirements (“Rule”). The goal of CMS’ implementation of the Rule is two-fold: to (i) “[s]trengthen program integrity;” and (ii) “help ensure that fraudulent entities and individuals do not enroll in or maintain their enrollment in the Medicare program.” The new requirements make obtaining and maintaining Medicare billing privileges for providers and suppliers more cumbersome.

For providers or suppliers treating Medicare patients, enrollment in the Medicare program is required in order to obtain Medicare billing privileges. A provider or supplier may enroll electronically using the Provider Enrollment, Chain, and Ownership System, known as PECOS, or by submitting a paper CMS enrollment form. CMS provides specific enrollment forms for institutional providers (CMS Form-855A: i.e., hospitals, SNFs); other providers (CMS Form 855-B: i.e., clinics/group practices); and physicians and other practitioners (CMS Form 855-I). Further, under Section 6401(a) of the Affordable Care Act, Medicare providers and suppliers that enrolled prior to March 25, 2011 are required to undergo a revalidation process in order to maintain their Medicare billing privileges, wherein the providers or suppliers essentially complete the applicable Medicare enrollment application as if they are a “new” provider or supplier enrollee. However, new enrollee providers and suppliers that submitted their enrollment applications on or after March 25, 2011 are exempt from this revalidation process. MACs are continuing to send out revalidation “requests” on a regular basis to enrollees until March 23, 2015.

The following selected updates to the provider and supplier enrollment requirements in the Rule parallel the recent trend of the federal government expanding its existing authority (i.e., the proposed rule to expand the OIG of the HHS’ exclusion authority) and cracking down on impermissible practices:

  • “[a]llowing revocation of Medicare billing privileges if the provider or supplier has a pattern or practice of submitting claims that fail to meet Medicare requirements”;
  • “expanding the instances in which a felony conviction can serve as a basis for denial or revocation of a provider[’s] or supplier’s enrollment”;
  • “if certain criteria are met, enabling [Medicare] to deny enrollment if the enrolling provider, supplier, or owner thereof had an ownership relationship with a previously enrolled provider or supplier that had a Medicare debt”; and
  • “enabling [Medicare] to revoke Medicare billing privileges if [Medicare] determine[s] that the provider or supplier has a pattern or practice of submitting claims that fail to meet Medicare requirements.”

In addition, CMS clarified in the Rule that any final decision regarding the revocation of a provider’s or supplier’s Medicare billing privileges would come from the “CMS central office” rather than the provider’s or supplier’s MAC. CMS further explained that the re-enrollment bar does not apply to a provider’s or supplier’s failure to timely respond to a revalidation request or request for other information.

The regulations implementing this Rule will be effective February 3, 2015. For additional information regarding the new provider and supplier enrollment requirements under the Rule, contact Cozen O’Connor’s health law team.
