Third Circuit Puts Penn State Hershey/Pinnacle Merger on Hold

Posted by Health Law Informer Author on October 04, 2016
FTC

Last week, the Third Circuit Court of Appeals held that the merger between Penn State Hershey Medical Center and PinnacleHealth System, the two largest hospitals in Harrisburg, Pennsylvania, may not move forward at this time. The Court of Appeals overturned the District Court’s (Middle District of PA) denial of the FTC’s and the Commonwealth of Pennsylvania’s request for a preliminary injunction, directing the District Court to enter a preliminary injunction blocking the merger “pending the outcome of the FTC’s administrative adjudication.”

In reaching its decision, the Court of Appeals held that the critical determination of the relevant market for a proper antitrust analysis should be defined primarily “through the lens of the insurers” and that it “was error for the District court to completely disregard the role insurers play in the healthcare market.” The Court of Appeals ruled that the relevant market was the four-county Harrisburg area. It found that the market was highly concentrated and that the combined hospitals would control 76 percent of the market. As a result, the plaintiffs were found to have established a prima facie case that the merger “is presumptively anticompetitive.”

In rebuttal, the hospitals alleged, among other things, that the merger would result in efficiencies leading to capital savings and would enhance the hospitals’ efforts to engage in risk-based contracting, but the Court of Appeals found that these arguments failed to demonstrate tangible, verifiable benefits to consumers and constituted only “speculative assurances.” It remains to be seen whether the hospitals will continue their pursuit of the merger through the FTC’s administrative review process or abandon it.

This decision, like others involving hospitals that have preceded it, underscores the unique nature of the markets in which hospitals and other healthcare providers operate. These markets are not primarily defined by the direct impact of market consolidation upon the behavior of the ultimate consumers, the patients. Instead, the markets are defined by the patients’ purchasing surrogates, their health insurers.

For more information about this decision, contact Chris Raphaely, Nicole Martin or a member of Cozen O’Connor’s Health Law team.


CMS Hears and Responds to Physician Feedback Regarding MACRA

Posted by Health Law Informer Author on September 09, 2016
Accountable Care Organizations, CMS, HHS, Medicare

On September 8, 2016, CMS announced in its blog that it will allow physicians to select their level of participation for the first performance year of the Medicare Access and CHIP Reauthorization Act of 2015 (“MACRA”) Quality Payment Program, which begins January 1, 2017. Importantly, during the first performance year (2017), “[c]hoosing one of these options would ensure [physicians] do not receive a negative payment adjustment” under MACRA in 2019.

Under the Quality Payment Program, physicians will fall under the Merit-Based Incentive Payment System (“MIPS”) if they do not qualify under the Advanced Alternative Payment Model (“Advanced APM”) option. In 2019, physicians who are in the MIPS default option could face Medicare rate adjustments of up to 5% based on their performance under four weighted performance categories: quality (50%); resource use (10%); advancing care information (25%); and clinical practice improvement (15%). Advanced APMs include, for example, Track 2 and 3 MSSP ACOs, next generation ACOs, and bundled payment models. Physicians who qualify under the Advanced APM option earn a 5% incentive, are excluded from MIPS adjustments and receive higher fee schedule updates after 2024.

Recognizing that many physicians may face negative payment adjustments under MIPS as a result of participating under the Quality Payment Program, CMS is going to allow eligible physicians to “pick their pace of participation” and ensure they do not receive such negative payment adjustments in 2019 by choosing one of four options for the first performance year:

  1. Test the Quality Payment Program;
  2. Participate for part of the calendar year;
  3. Participate for the full calendar year; or
  4. Participate in an Advanced APM in 2017.

The first three options fall under MIPS, while the fourth option falls under the Advanced APM. Under the first option, physicians could “submit some data to the Quality Payment Program,” avoid negative payment adjustments and test the waters before broader participation in subsequent years. Under option two, the performance year could begin later than January 1, 2017; a physician practice “could qualify for a small positive payment adjustment,” and a physician would submit Quality Payment Program information for fewer days. The third option is ideal for those physician practices that are ready to participate beginning January 1, 2017 and are able to submit a full year of quality data. Additionally, such physicians “could qualify for a modest positive payment adjustment.” The fourth option would be viable for those physicians or physician groups who treat enough Medicare beneficiaries and who receive enough of their Medicare payments through an Advanced APM (e.g., MSSP ACOs). Through the Advanced APM option, physicians or physician groups would “qualify for a 5 percent payment in 2019.” It remains unclear what the difference is between a “small” and a “modest” payment adjustment. However, CMS may address this in the final rule, along with how it will implement MIPS and the Advanced APM. CMS will release the final rule by November 1, 2016.

For more information about MACRA, contact Chris Raphaely, Nicole Martin or a member of Cozen O’Connor’s Health Law team.


FTC Overturns ALJ’s LabMD Decision and Reasserts its Role as a Data Security Enforcer

Posted by Health Law Informer Author on August 25, 2016
Federal Trade Commission, HIPAA, OCR

On July 29, 2016, the Federal Trade Commission (“FTC” or “Commission”) reversed an FTC administrative law judge’s (“ALJ”) opinion that had ruled against the FTC, finding that the Commission had failed to show that LabMD’s conduct caused consumer harm sufficient to satisfy the requirements of Section 5 of the FTC Act. In reversing the ALJ, the FTC issued a unanimous opinion and final order that concluded, in part, that public exposure of sensitive health information was, in itself, a substantial injury.

The FTC initially filed a complaint against LabMD in 2013 under Section 5 of the FTC Act, alleging that the laboratory company failed to “provide reasonable and appropriate security for personal information on its computer networks,” which the FTC claimed led to the data of thousands of consumers being leaked. The complaint resulted from two security incidents that occurred several years prior, which the FTC claimed were caused by insufficient data security practices.

In its opinion, the FTC concluded that the ALJ had applied the wrong legal standard for unfairness and went on to find that LabMD’s data security practices constituted an unfair act or practice under Section 5 of the FTC Act. Specifically, the Commission found LabMD’s security practices to be unreasonable – “lacking even basic precautions to protect the sensitive consumer information on its computer system.” The Commission stated that “[a]mong other things, [LabMD] failed to use an intrusion detection system or file integrity monitoring; neglected to monitor traffic coming across its firewalls; provided essentially no data security training to its employees; and never deleted any of the consumer data it had protected.” As a result of these alleged shortcomings in data security, medical and other sensitive information for approximately 9,300 individuals was disclosed without authorization.

Further, and perhaps more importantly, the Commission concluded that “the privacy harm resulting from the unauthorized disclosure of sensitive health or medical information is in and of itself a substantial injury under Section 5(n), and thus that LabMD’s disclosure of the [ ] file itself caused substantial injury.” Thus, contrary to the findings of the ALJ, the Commission essentially held that the mere exposure of sensitive personal and health information into the public domain may be enough to constitute a substantial injury for purposes of Section 5, without any proof that the information was ever misused.

As a result, the FTC ordered LabMD to establish a comprehensive information security program, to obtain independent third-party assessments of the implementation of that program for 20 years, and to notify the individuals affected by the unauthorized disclosure of their personal information and inform them about how they can protect themselves from identity theft or related harms.

Takeaway: While LabMD has announced its intention to appeal, the FTC’s decision reinforces its role as an enforcer of data security, even in the health care arena, where OCR has been the traditional enforcer of HIPAA and health care data breaches. Thus, in addition to OCR, health care entities must continue to monitor FTC enforcement actions to see whether there are any additional or conflicting data security standards mandated by the two agencies. Any company handling PHI should, therefore, continue to ensure that its data security policies and procedures are being implemented and followed in accordance with industry standards. Inadequate security safeguards may contribute to data breaches resulting in government investigations and enforcement actions – not just by OCR, but by the FTC as well.

For more information about the FTC’s opinion, contact Gregory M. Fliszar or a member of Cozen O’Connor’s Health Law team.


New Grower/Processor Regulations Released

Posted by Chris Raphaely on August 22, 2016
DOH, Pennsylvania, Regulations

On August 18, 2016, the Secretary of Pennsylvania’s Department of Health (“DOH”), Dr. Karen Murphy, announced that the DOH has posted draft temporary regulations (“Regulations”) focusing on the 25 medical marijuana grower/processor permits that will become available under Pennsylvania’s Medical Marijuana Act (“Act”) that was passed last April.

The Regulations state the general application requirements for medical marijuana organizations, which include detailed information about the principals and financial backers of such organizations. Medical marijuana organizations include not just grower/processors, but also clinical registrants and dispensaries. The application requirements also contain a clear commitment to foster diversity. The Regulations establish procedures for promoting and ensuring that medical marijuana organizations foster diversity through the participation of diverse groups in all aspects of the organization’s operations. This includes, but is not limited to, requiring each organization to have a diversity plan. Diverse groups are defined under the Regulations as “disadvantaged business[es], minority-owned business[es], women-owned business[es], service-disabled veteran-owned small business[es] or veteran-owned small business[es] that ha[ve] been certified by a third-party certifying organization.”

The Regulations also contain specific requirements for grower/processor permits. Application forms for permits will be posted on the DOH website in the future. Among the requirements is that a grower/processor notify DOH within six months of being issued an initial permit that it is ready, willing and able to begin production.

The Regulations prohibit executive level employees of the Commonwealth and their immediate family members from being employed by or holding an interest in medical marijuana organizations while employed by the Commonwealth and for one year thereafter.

The Regulations are not final and are open for public comment until August 26, 2016.

Although Pennsylvania joins 23 other states and the District of Columbia in legalizing medical marijuana, marijuana is still classified as a Schedule I controlled substance by the U.S. Drug Enforcement Agency, and as such it remains a crime under federal law to grow, sell and/or use marijuana. Any content contained herein is not intended to provide legal advice in connection with the violation of any state or federal law. Although the Act provides for the legalization of medical marijuana in the Commonwealth of Pennsylvania, one should obtain legal advice with respect to any such compliance issues.

Stay tuned for details regarding an upcoming Cozen O’Connor webinar on these Regulations.

For more information about the Regulations or the Act, contact Chris Raphaely, J. Nicole Martin or another member of Cozen O’Connor’s Cannabis Industry Team.


OCR Announces New HIPAA Guidance on Ransomware

Posted by Health Law Informer Author on July 13, 2016
HHS, OCR

In response to the increasing prevalence of ransomware cyber-attacks by hackers on electronic health information systems in hospitals and medical practices, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced on Monday, July 11, 2016 its publication of new HIPAA guidance on ransomware (“Ransomware Guidance”). According to OCR:

Ransomware is a type of malware (or malicious software) that encrypts data with a key known only to the hacker and makes the data inaccessible to authorized users. After the data is encrypted, the hacker demands that authorized users pay a ransom (usually in a cryptocurrency such as Bitcoin to maintain anonymity) in order to obtain a key to decrypt the data.

Notably, the HIPAA Security Rule already requires covered entities and business associates to implement security measures that help prevent the introduction of malware (e.g., ransomware) into their systems, and to implement policies and procedures that assist in responding to ransomware attacks. The Ransomware Guidance addresses, among other areas, how to implement security measures in order to prevent, reduce the likelihood of, or recover from ransomware attacks. Not surprisingly, conducting a risk analysis (or risk assessment) is at the core of the security management processes that covered entities and business associates must implement under the HIPAA Security Rule. The Ransomware Guidance further notes that maintaining an overall contingency plan, as required by the Security Rule, that includes disaster recovery planning, emergency operations planning and frequent backups of data can also help covered entities and business associates respond to and recover from malware infections, including ransomware attacks.

In addition, the Ransomware Guidance states that ransomware attacks against a covered entity or business associate can be considered a breach under the HIPAA Rules. Specifically, the Ransomware Guidance provides, “[w]hen electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e. unauthorized individuals have taken possession or control of the information), and thus is a ‘disclosure’ not permitted under the HIPAA Privacy Rule.” Therefore, unless it can be shown that there is a low probability that the PHI involved in the ransomware attack has been compromised based on the factors in the Breach Notification Rule, a breach is presumed to have occurred, which would trigger the applicable breach notification provisions.

Even before OCR’s publication of the Ransomware Guidance, in late June the Secretary of HHS sent a letter (“Letter”) to the attention of chief executive officers at health care entities addressing the threat of ransomware. The Secretary attached interagency guidance to the Letter containing best practices and mitigation strategies integral to combatting ransomware incidents.

Ransomware is immediately disruptive to the day-to-day operation of businesses, as seen by its impact earlier this year on health care systems like MedStar in Washington, D.C. and Hollywood Presbyterian Medical Center in Los Angeles (“HPMC”), resulting, for example, in HPMC paying 40 Bitcoins (approximately $17,000) to regain control of its computer system. Although the Ransomware Guidance does not address whether a ransom should be paid to regain access to computer systems, the interagency guidance attached to the Letter advises against paying hackers because, among other reasons, paying a ransom does not necessarily guarantee that an entity will regain access to its system. The Ransomware Guidance does recommend that an entity victimized by a ransomware attack contact its local FBI or United States Secret Service field office.

For more information about the Ransomware Guidance, contact Gregory M. Fliszar, Ryan Blaney, J. Nicole Martin or a member of Cozen O’Connor’s Health Law team.


Data Security Plays a Key Role in the Adoption and Success of Precision Medicine

Posted by Health Law Informer Author on June 16, 2016
Uncategorized

The White House recently released a guidance document for those in the precision medicine community to help ensure that participants’ data and resources remain secure. The document, titled “Precision Medicine Initiative: Data Security Policy Principles and Framework,” is meant to offer “security policy principles and a framework to guide decision-making by organizations conducting or participating in precision medicine activities” and is the result of a collaborative, interagency process featuring roundtable discussions with various security experts as well as a review of existing data security resources. Federal PMI agencies have already committed to integrating the framework into all PMI activities.

But the document is meant only to be a guideline – not a one-size-fits-all solution. It notes that those in the PMI community must constantly strive to use current best practices and should conduct their own “comprehensive risk assessment to identify specific security requirements and establish processes to continuously review and make improvements.”

The guidance emphasizes some overarching principles that anyone dealing with sensitive data should bear in mind when developing and implementing a data security plan:

  • Keep pace with changing technology and new security threats.
  • Tailor your data security plan to your unique circumstances.
  • Be specific – think about your risks and put in writing how you will neutralize them.
  • Have an independent third party review your plan.
  • Without compromising security, be transparent about your plan to build trust among participants.

The document also offers specific suggestions with respect to identity proofing, user credentials and authentication, encryption and physical security, audits to detect anomalous activity, and incident response, among other topics. The White House also emphasizes the importance of ongoing participant education, as well as role-specific training for those who use PMI data.

On balance, the White House’s message to the PMI community is clear: Think hard about data security, think often about data security, and act vigilantly.

The guidance is available here: www.whitehouse.gov/sites/whitehouse.gov/files/documents/PMI_Security_Principles_Framework_v2.pdf.

For more information, you can contact Ryan P. Blaney or another member of Cozen O’Connor’s Health Law team.

The E-Cigarettes Industry Fights Back Challenging the FDA in Federal Court

Posted by Health Law Informer Author on May 16, 2016
E-Cigarettes, Food and Drug Law, HHS, Regulations

Days after the publication of the Food and Drug Administration’s controversial final rule regarding e-cigarettes (and other nicotine-delivering products), a company called Nicopure Labs LLC filed a lawsuit challenging it in the U.S. District Court for the District of Columbia. Nicopure seeks to have the rule vacated and declared unlawful, and has requested a preliminary injunction barring enforcement of the rule and prohibiting the FDA from taking any action under the rule pending resolution of the lawsuit.

The final rule, which will take effect on August 8, 2016 absent an injunction, grants the FDA authority to regulate electronic cigarettes and other vaping products and imposes rules on the industry that many insiders fear will leave it decimated. These rules include banning sales to anyone younger than 18 years of age, requiring extensive warning labels on packaging and — most significantly — subjecting all products (even those currently on the market) to the FDA approval process and the FDA’s reporting and recordkeeping requirements. The price tag associated with the FDA approval process alone will likely pose an insurmountable barrier for the small vape shops, device manufacturers and e-liquid producers that currently drive most of the industry.

Nicopure, a Florida company that distributes battery-powered vaping devices and manufactures and distributes e-liquid, seeks to have the final rule vacated on several grounds. First, Nicopure alleges that the deeming rule defines “tobacco product” so broadly that it constitutes an unreasonable construction of the authority granted under the Administrative Procedure Act (APA). Additionally, Nicopure contends that the rule should be vacated as arbitrary and capricious in violation of the APA. Finally, Nicopure brings a constitutional challenge, arguing that the rule violates the First Amendment by prohibiting manufacturers from “making truthful and nonmisleading statements regarding vaping devices, e-liquids and related products” and from “engaging in other forms of protected expression, including by distributing free samples of vaping devices or e-liquids.”

As of this writing, the FDA has not responded to Nicopure’s complaint, but the case (Nicopure Labs, LLC v. Food and Drug Administration, et al., 1:16-cv-00-878) will no doubt be closely watched by the rule’s proponents and detractors alike.

For more information, you can contact Ryan Blaney or another member of Cozen O’Connor’s Health Law team.


Medical Marijuana in Pennsylvania: What Physicians Should Know

Posted by Chris Raphaely on May 09, 2016
DEA, DOH, Medicaid, Pennsylvania

On April 17, 2016, Governor Wolf signed Act 16 of 2016, making Pennsylvania the 24th state (plus the District of Columbia) to legalize marijuana for medical use. The full text of the act is available here.

Physicians, not surprisingly, will play a vital role in making medical marijuana available to Pennsylvanians, while ensuring patient safety in the process. This is what they should know about Act 16:


Cyber-Security Alert: D.C. Area Hospital Chain MedStar Targeted By Hackers

Posted by Health Law Informer Author on March 30, 2016
Healthcare, Hospital

MedStar, a Washington, D.C.-area hospital chain, became the latest healthcare industry victim of a cyber-attack when hackers breached its systems with a crippling virus. MedStar operates 10 hospitals in the D.C./Baltimore region, employs 30,000 staff, has 6,000 affiliated physicians, and serviced more than 4.5 million patient visits in 2015.

After being paralyzed by the virus, MedStar’s entire IT system for its 10 hospitals was forced to shut down and revert to paper records. In the attack’s wake, the chain’s approximately 35,000 employees do not have access to email and cannot look up digital patient records. The FBI is assisting the chain by investigating the incident. It is unclear at the moment whether the hackers are demanding a ransom from MedStar in exchange for removing the virus.

Monday’s cyber-attack at MedStar comes weeks after Hollywood Presbyterian Medical Center in Los Angeles paid hackers 40 bitcoins, or about $17,000, to regain control of its computer system, which hackers had seized with ransomware using an infected email attachment.

Hackers increasingly target healthcare entities because security protections in healthcare often lag behind those in the banking and financial sectors. Healthcare information contains a treasure trove of patients’ personal information, and a complete healthcare record is worth at least ten times more on the black market than credit card information. Also, hospitals are considered critical infrastructure that cannot reasonably be closed or incapacitated for any great length of time, and so may be more inclined to bow to hackers’ demands for ransom.

This latest attack underscores the importance of cybersecurity at hospitals and other healthcare entities. In addition to the recent Hollywood Presbyterian Medical Center attack, data breaches and cyber-attacks have also recently occurred at Excellus Blue Cross Blue Shield, UCLA Health System, Premera Blue Cross, and Anthem Inc.

For more information, please contact Dana Petrillo or another member of Cozen O’Connor’s Health Law team.


Heads-up! HIPAA Phase Two Audits Begin – Business Associates Included!

Posted by Health Law Informer Author on March 22, 2016
HHS, OCR

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) finally announced on March 21 that it is ready to begin Phase Two of its HIPAA audit program, which will include business associates. These audits, mandated by HITECH, will primarily consist of desk audits, scheduled for completion by the end of December 2016, followed by onsite audits.

OCR explained that it will immediately commence Phase Two by verifying, via email, covered entities’ and business associates’ contact information. OCR is requesting timely responses so that it can send out pre-audit questionnaires to gather data from covered entities and business associates for the creation of potential audit subject pools. The data will relate to the entities’ size, type and operations. Should covered entities and business associates fail to respond to OCR’s requests, they may still be part of OCR’s potential subject pools, because OCR plans to compile publicly available information about covered entities and business associates that do not respond to its requests.

The first round of desk audits will focus on covered entities, and the second round will focus on business associates. The third round will be onsite audits, with a greater focus on the HIPAA requirements. OCR explains that some covered entities and business associates who are subject to desk audits may also be subject to onsite audits. According to OCR, all covered entities and business associates are eligible to be audited. The audits will focus on assessing compliance with specific privacy and security requirements under HIPAA/HITECH, and OCR will notify auditees by letter regarding the subject(s) of their specific audits. On the HHS website, OCR provides a sample letter for review. Following the audits, OCR will review and analyze information from the final audit reports.

Importantly, if an audit report uncovers significant noncompliance with HIPAA, it could prompt an investigation by OCR. The areas of interest for OCR in Phase Two will become clearer as the Phase Two audit program gets underway, but for now, we know OCR will focus on assessing covered entities’ and business associates’ HIPAA compliance, identifying best practices and discovering risks and vulnerabilities.

More information about the Phase Two audits is available here, and you can also contact Greg Fliszar, Ryan Blaney, J. Nicole Martin or another member of Cozen O’Connor’s Health Law team.
