Health Law Informer

Google has confirmed that it is working with Ascension, one of the nation’s largest health systems in a project that will involve the health data of millions of Americans.  Google and Ascension have partnered in a project to store and analyze patient data with the intended goal of using Google’s artificial intelligence tools to enhance patient care and medical decision making.  As a result of this partnership, it has been estimated that over 100 Google employees may have access to sensitive patient data such as name, birth date, diagnoses and treatments.  Such access by Google to millions of patient’s health data has resulted in some concern over how the data will be protected, including a recently announced inquiry into the relationship by the U.S. Department of Health and Human Services’ Office of Civil Rights (“OCR”).  OCR has stated that it “would like to learn more information about this mass collection of individuals’ medical records with respect to the implication for patient privacy under HIPAA.”  Ascension has said that the project with Google has complied with the law and followed the healthcare organization’s “strict requirements for data handling.” 

We will continue to follow this important story.  Several other tech companies continue to try to gain a bigger share of America’s health care market, which will all have to be balanced with patient data privacy and security concerns.

CMS today issued its Price Transparency Requirements for Hospitals Final Rule, which will go into effect on January 1, 2021. (CMS had initially proposed that it go into effect January 1, 2020, but agreed that that deadline was too “challenging”).  Hospitals will be required to post on a public website, among other things, the “payer-specific negotiated charges” for each payer and plan.  These negotiated rates have typically been subject to lock and key treatment through confidentiality agreements.  Noncompliance with the rules may result in corrective action plans (CAPs), civil monetary penalties (CMPs) of $300 per day (indexed to an inflation factor), and a public notice of the CMP on a CMS website. Under the rules, CMS can issue “subsequent” CMPs for continued noncompliance. A link to the Final Rule is here: https://www.hhs.gov/sites/default/files/cms-1717-f2.pdf.

The Trump Administration has also issued a proposed “Transparency in Coverage” rule that would require plans to give consumers access to a tool providing an estimate of their cost-sharing liability for all covered healthcare items and services.  It would also require plans to list on a website their negotiated rates for in-network providers and the allowed amounts paid for out-of-network providers.  A link to the Proposed Rule is here: https://www.hhs.gov/sites/default/files/cms-9915-p.pdf. 

We will continue to analyze and monitor these rules.  Stay tuned.

As US companies continue to spend time and effort complying and responding to all of the new privacy laws and regulations both in the United States and aboard (i.e. GDPR and California Consumer Privacy Act of 2018) companies cannot forget the basics.  If you represent something in your Privacy Policy it better be accurate, up to date, and not misleading!

On July 2, 2018, the Federal Trade Commission (FTC) issued a number of press releases and a proposed settlement with California-based employee training company ReadyTech Corporation.  In announcing the settlement, FTC Chairman Joe Simons said, “Today’s settlement demonstrates the FTC’s continuing commitment to vigorous enforcement of the Privacy Shield.”  According to the FTC, this is the 4th case enforcing the Privacy Shield and 47th case enforcing international privacy frameworks such as the Safe Harbor framework and the Asia Pacific Economic Cooperation Cross Border Privacy Rules.

The ReadyTech settlement should be a warning for other companies that make representations in their Privacy Policies about the Privacy Shield, GDPR, CCPA and other data security and privacy frameworks.  By way of background, the Privacy Shield framework allows companies to transfer personal data lawfully from the EU to the United States.  To join the Privacy Shield framework, a company must self-certify to the U.S. Department of Commerce that it complies with the Privacy Shield Principles and related requirements that have been deemed to meet the EU’s adequacy standard.  A company, like ReadyTech, that claims it has self-certified to the Privacy Shield Principles, but failed to self-certify to the U.S. Department of Commerce, may be subject to an enforcement action by the FTC. Continue reading…

Hospitals that have emergency departments should call upon their “available resources” to screen and stabilize patients with mental health emergencies as required by the Emergency Medical Treatment and Labor Act (“EMTALA”) according to recent statements by an analyst for CMS and an attorney with the Office of Inspector General (“OIG”) for the Department of Health and Human Services.

While speaking at the American College of Emergency Physicians annual meeting in Chicago, the CMS representative noted that EMTALA requires hospitals with emergency departments to provide a medical screening within the capabilities of the hospital by a person who is qualified to do the examination, which, if the hospital offers psychiatric services, would include a psychiatrist.  While the initial screening must be done with medical personnel such as a psychiatrist, the CMS official stated that other mental health professionals may be qualified to assist in those examinations.

The White House recently released a guidance document for those in the precision medicine community to help ensure that participants’ data and resources remain secure.  The document, titled “Precision Medicine Initiative: Data Security Policy Principles and Framework,” is meant to offer “security policy principles and a framework to guide decision-making by organizations conducting or participating in precision medicine activities” and is the result of a collaborative, interagency process featuring roundtable discussions with various security experts as well as a review of existing data security resources.  Federal PMI agencies already have committed to integrating the framework into all PMI activities.

But the document is meant only to be a guideline – not a one-size-fits-all solution.  It notes that those in the PMI community must constantly strive to use current best practices and should conduct their own “comprehensive risk assessment to identify specific security requirements and establish processes to continuously review and make improvements.”

The guidance emphasizes some overarching principles that anyone dealing with sensitive data should bear in mind when developing and implementing a data security plan:

• Keep pace with changing technology and new security threats.
• Tailor your data security plan to your unique circumstances.
• Be specific – think about your risks and put in writing how you will neutralize them.
• Have an independent third party review your plan.
• Without compromising security, be transparent about your plan to build trust among participants.

The document also offers specific suggestions with respect to identity proofing, user credentials and authentication, encryption and physical security, audits to detect anomalous activity, and incident response, among other topics.  The White House also emphasizes the importance of ongoing participant education, as well as role-specific training for those who use PMI data.

On balance, the White House’s message to the PMI community is clear: Think hard about data security, think often about data security, and act vigilantly.

The guidance is available here: www.whitehouse.gov/sites/whitehouse.gov/files/documents/PMI_Security_Principles_Framework_v2.pdf.

For more information you can contact Ryan P. Blaney or another member of Cozen O’Connor’s Health Law team.

On Tuesday, December 8 Cozen O’Connor’s Health Care practice and industry team hosted the Health Law Year in Review, an annual discussion of hot topics facing those in the health care industry.

Presentation topics included:

• Update from Washington, DC – Havi Glaser discussed the Affordable Care Act five years in and provided updates. She also gave a forecast of what is likely to happen in 2016 and discussed pharmaceutical pricing.
• The Move to Pay for Value Reimbursement – Chris Raphaely discussed changes to how we pay for health care services and pay providers. He also discussed new initiatives, including ACOs, risk arrangements, readmission penalties, care management fees, capitation, bundled payments, quality incentives and patient experience.
• Employment Update – Debra Friedman looked back at hot employment issues from 2015 and forward to issues that may come up in 2016, including wellness programs and wage and hour developments impacting health care providers.
• Are You Protecting Your Intellectual Property? – Kyle Vos Strache looked at the different types of intellectual property and how each can increase a company’s value and mitigate risk.
• Hot Tax Topics – Richard Silpe talked about the 2018 Cadillac Tax, final regulations under IRC Section 501(r) and the tax implications of the case involving Morristown Memorial Hospital determining whether the hospital was non-profit or for-profit.
• Trends in Concierge Medicine and Alternative Payment Methods – Marc Auerbach discussed the three models of concierge medicine, traditional, hybrid and direct primary care medical home, and the benefits of choosing each.
• Antitrust Developments in Health Care – Jonathan Grossman led a discussion on the recently announced mergers of Aetna/Humana and Anthem/Cigna. He also discussed the Supreme Court’s limit of state action immunity in NC Dental and the continuing aggressive federal and state antitrust enforcement.
• Cybersecurity and Health Care – Ryan Blaney and Gregory Fliszar discussed cybersecurity risks and best practices and the steps to take for compliance.
• M&A Update – Anna McDonough and Trey Crabb (Ziegler Investment Banking) talked about recent trends in health care transactions.

For more information about any of the topics listed above, or copies of the presentations, please click the speaker’s name to be directed to their biography. Please click here to be added to our health care alert list to read about new developments and to receive invitations to upcoming seminars and webinars.

Coming fresh off the heels of the Anthem data breach Premera Blue Cross announced on March 17^th that it was the victim of a “sophisticated” cyberattack that may have exposed the personal information of approximately 11 million of its members.  Premera has approximately 6 million members residing in the State of Washington, 250,000 members residing in Oregon and 80,000 members residing in Alaska.  Premera stated that the cyberattack began sometime in May of 2014 but was not discovered until the end of January 2015.   According to Premera, the information exposed may include social security numbers, bank account information, and medical and financial information, including clinical information.

Three state insurance commissioners (Washington, Oregon and Alaska) have already launched a joint investigation and a market conduct examination of Premera related to the breach.  The joint investigation will include on-site reviews of Premera’s financial books, records, transactions, and Premera’ cybersecurity.  The Washington Insurance Commissioner has expressed concern over the length of time (approximately six weeks) it took for Premera to notify his office of the attack.  Alaska’s governor ordered all state agencies to review their online security safeguards as well as those put in play by their business associates.  Premera is also conducting an internal forensic investigation by a cybersecurity firm and is cooperating with the FBI in a criminal investigation.

Combined with the cyberattacks on Community Health Systems and Anthem, this is the third large attack on a member of the health care industry announced in the last seven months, and these three breaches may have collectively impacted approximately 95.5 million people.   As these attacks illustrate, health information is now a high priority target for cybercriminals.  Currently a complete health record may be worth at least ten times more than credit card information on the black market as health records often include a wealth of personal information that can be used for identity theft and to file false health insurance claims.  Further, the data security protections currently in place in the health care industry tend to lag behind those in the banking and financial sector, which makes the information vulnerable to attack by those who view the valuable information as “low hanging fruit.”

Similar to the Anthem and the Community Health Systems breaches, Premera was immediately hit by a proposed class action accusing Premera of negligence and inadequate security.  The March 26, 2015 Complaint alleges that Premera breached its duty of care by failing to secure and safeguard the personal and health information of its members and negligently maintaining a system that it knew was vulnerable to a security breach.  The Complaint further alleges that Premera has a duty to secure and safeguard the personal health information of its members under HIPAA and its failure to implement security and privacy safeguards was a violation of HIPAA.  The Complaint also alleges violations of state consumer protection laws and data disclosure laws.

As evident by the Anthem and Premera breaches, a single security incident resulting in a data breach can have significant consequences for health care companies and business associates that include government investigations, class action lawsuits, and a hit to the organization’s reputation.  To manage this risk, we encourage all companies handling health information to conduct comprehensive risk assessments and to create, review and update their data security policies and procedures to ensure that they are doing enough to adequately protect the health information maintained on their IT systems and elsewhere in their organization.

The FDA released draft guidelines (“Guidelines”) on Monday, March 9, 2015 establishing recommendations on the use of e-media and processes to obtain informed consent for clinical investigations (trials) of medical products including human drug and biological products, medical devices and combinations. The Guidelines provide useful insight for how the FDA recommends clinical investigators, sponsors and institutional review boards (“IRB”) should use e-informed consent for a clinical trial.

The FDA defines e-informed consent as “using electronic systems and processes that may employ multiple electronic media (e.g., text, graphics, audio, video, podcasts and interactive Web sites, biological recognition devices, and card readers) to convey information related to the study and to obtain and document informed consent.” The FDA reminds clinical investigators and sponsors that informed consent is more than just a subject’s signature.  Informed consent – whether completed electronically or in paper form – includes providing prospective clinical trial participants with enough information regarding the research to enable them to make an informed decision regarding whether to participate in the study. The subjects must have “adequate information” about the research.  Clinical investigators and sponsors may use video conferencing (i.e. Skype) to answer a subject’s questions about the clinical trial.

The Guidelines also include a question and answer section containing 14 inquires such as:

• How information in an e-informed consent should be presented to subjects;
• How/where e-informed consent processes should be conducted; and
• How/when questions from subjects should be answered.

Similar to CMS and states recognizing the authenticity of e-signatures, this guidance demonstrates the FDA’s desire to digitize health care and respond to the increased patient access to clinical trials in states passing “right-to-try” bills.  Right-to-try bills generally permit doctors and terminally ill patients to negotiate directly with drug companies to obtain experimental drugs that have passed Phase-I trials. Stay tuned for a forthcoming Health Law Informer blog announcing the FDA’s release of the e-informed consent final guidelines, which clinical investigators, sponsors and IRBs will want to consider implementing.

For further information contact the Cozen O’Connor’s health care team or the authors Ryan P. Blaney (Washington, DC) and J. Nicole Martin (Philadelphia, PA).

Year #2 Report on Medicare Fraud Prevention System

On June 25, 2014, the Centers for Medicare & Medicaid Services (CMS) and the Department of Health and Human Services Office of Inspector General (OIG) issued and certified, as required by the Small Business Jobs Act of 2010 (SBJA) their second implementation year report  for the Fraud Prevention System (FPS) along with a press release.  By way of background, CMS is under pressure from Congress and the United States Government Accountability Office (GAO) to enhance their health care fraud, abuse and waste prevention and detection success through the use of predictive analytics technologies while at the same time monitoring the expenditures and costs by government contractors and auditors such as ZPICs to prevent fraud.  Last October, GAO published a Report concerning CMS’s Medicare Program Integrity titled, “Contractors Reported Generating Savings but CMS Could Improve Its Oversight.” 

CMS and OIG’s Report to Congress on the FPS responds to many, but not all, of GAO’s criticisms.  Here are a few of the noteworthy findings and observations in the Report:

• CMS reports that they “identified or prevented” $210.7 million in Medicare payments attributed to FPS.  This is a return on investment of $5 to $1 for the second implementation year and an increase ROI from Year 1.
• OIG disagrees with CMS’s use of “identified savings” to calculate the success of the FPS and instead recommends using “adjusted savings” as a measure of savings and return on investment related to the Department’s use of FPS.
• Under OIG’s adjusted savings analysis, OIG only certified $54.2 million of the $210.7 million as attributed to the Department’s use of FPS. 
• OIG found that the “Department’s use of its predictive analytics technologies resulted in a return on investment of $1.34 (not $5) for every dollar spent on the FPS.
• Based on criticism received by OIG and GAO, CMS reported that they changed the methodology to require ZPICs (Zone Program Integrity Contractors) to submit provider-specific outcome data to be able to conduct more quality control reviews prior to reporting savings.
• OIG disagreed with CMS and stated, “[A]lthough the Department has made significant progress in addressing the challenges of measuring actual and projected savings, its procedures were not always sufficient to ensure that its contractors provided and maintained reliable data to always support FPS savings.”  Interestingly, OIG initially included a much stronger statement but revised the final statement based on CMS’s objections.  The original statement was “[T]he Department could not ensure that its contractors always provided and maintained reliable data to support FPS savings.”   
• CMS expects that future activities of the FPS will substantially increase savings by expanding the use of predictive analytics and modeling beyond identifying FRAUD and into areas of WASTE and ABUSE.   This will require more refined predictive models and modifications from insights from field investigators, policy experts, clinicians, and data analysts.  In Year 3, CMS will convene workgroups with federal agency, states, and private partners to develop and expand FPS’s capabilities.
• In Year 3, CMS also will explore the cost-effectiveness and feasibility of expanding predictive analytics technology to Medicaid and the Children’s Health Insurance Program (CHIP).  CMS anticipates working with State Medicaid Agencies to train and explore opportunities for expanding predictive analytics. 

Practice Tip: CMS’s FPS is more fully integrated into the Medicare FPS payment system and allows CMS to monitor and deny individual claims in the prepayment stage.  ZPICs and other government contractors will continue to be the government’s “boots on the ground” but they will be armed with better information and real time data to investigate.  Providers need to take any and all inquiries by ZPICs seriously.  Anticipate more coordinated investigations by the FBI, ZPICs, States AGs, State Medicaid Fraud Agencies, and Federal agencies and faster freezing or rejections of provider claims.  Anticipate the expansion of FPS’s predictive analytics to the areas of waste and abuse. 

Please check back with the Health Law Informer Blog and Cozen O’Connor for additional analysis of CMS’s Second Implementation Year Report in the coming weeks. 

On January 10, 2013, President Obama signed into law H.R. 1845, which includes the Strengthening Medicare and Repaying Taxpayers Act of 2011 (SMART Act).[1] The SMART Act,  amends several portions of the Medicare Secondary Payer (MSP) Act that apply to non-group health plans, including liability (including self-insurance) and no-fault insurance and workers’ compensation plans (together, NGHPs).  Although the SMART Act makes significant substantive and procedural amendments to the MSP Act, many practical issues will continue to bedevil parties who are trying to settle a personal injury claim. Continue reading…