ALJ

Court Temporarily Enjoins CMS from Withholding Medicare Payments from Home Health Agency

Posted by Robert A. Chu on June 19, 2018
Medicare

A home health agency has scored a second win in its fight to prevent CMS from withholding Medicare payments (to effectuate a recoupment of alleged overpayments), at least for the time being. We previously reported on the home health agency’s first win before the Fifth Circuit (which reversed the Northern District of Texas’s jurisdictional dismissal of the lawsuit). See Family Rehab., Inc. v. Azar, 886 F.3d 496 (5th Cir. 2018). We now report on its second win: the Northern District of Texas’s decision, on remand, to grant the home health agency’s temporary restraining order (TRO) motion and to at least temporarily enjoin CMS from withholding further Medicare payments. See Family Rehab., Inc. v. Azar, No. 3:17-CV-3008-K, 2018 BL 196462 (N.D. Tex. Jun. 4, 2018), TRO extended by Order of Jun. 18, 2018.

To recap, a Zone Program Integrity Contractor (ZPIC) in 2016 alleged that the Medicare program had overpaid a home health provider, Family Rehab, nearly $7.9 million. Family Rehab asked for a redetermination from its Medicare Administrative Contractor (MAC). The MAC, however, affirmed the ZPIC’s conclusion. The provider then asked a Qualified Independent Contractor (QIC) to reconsider the decision. The QIC slightly reduced the demand to over $7.6 million. Since the MAC by regulation can begin recouping overpayments after the QIC issues its decision, the MAC then noticed its intention to begin recouping the alleged overpayment. Family Rehab then requested an ALJ hearing.

Robert A. Chu

Rob is a member in the Health Law Practice Group. He primarily represents health care clients in Medicare, Medicaid, and third-party payor reimbursement disputes. Rob also counsels health care clients on regulatory and compliance issues. He was selected as a Super Lawyers Rising Star (Health Care) for 2016-2018.

FTC Overturns ALJ’s LabMD Decision and Reasserts its Role as a Data Security Enforcer

Posted by Gregory M. Fliszar on August 25, 2016
Federal Trade Commission, HIPAA, OCR

On July 29, 2016, the Federal Trade Commission (“FTC” or “Commission”) reversed an FTC administrative law judge’s (“ALJ”) opinion which had ruled against the FTC, finding that the Commission had failed to show that LabMD’s conduct caused harm to consumers to satisfy requirements under Section 5 of the FTC Act. In reversing the ALJ, the FTC issued a unanimous opinion and final order that concluded, in part, that public exposure of sensitive health information was, in itself, a substantial injury.

The FTC initially filed a complaint against LabMD in 2013 under Section 5 of the FTC Act, alleging that the laboratory company failed to “provide reasonable and appropriate security for personal information on its computer networks,” which the FTC claimed led to the data of thousands of consumers being leaked. The complaint resulted from two security incidents that occurred several years prior, which the FTC claimed were caused by insufficient data security practices.

In its opinion, the FTC concluded that the ALJ had applied the wrong legal standard for unfairness and went on to find that LabMD’s data security practices constituted an unfair act or practice under Section 5 of the FTC Act. Specifically, the Commission found LabMD’s security practices to be unreasonable – “lacking even basic precautions to protect the sensitive consumer information on its computer system.” The Commission stated that “[a]mong other things, [LabMD] failed to use an intrusion detection system or file integrity monitoring; neglected to monitor traffic coming across its firewalls; provided essentially no data security training to its employees; and never deleted any of the consumer data it had protected.” As a result of these alleged shortcomings in data security, medical and other sensitive information for approximately 9,300 individuals was disclosed without authorization.

Further, and perhaps more importantly, the Commission concluded that “the privacy harm resulting from the unauthorized disclosure of sensitive health or medical information is in and of itself a substantial injury under Section 5(n), and thus that LabMD’s disclosure of the [ ] file itself caused substantial injury.” Thus, contrary to the findings of the ALJ, the Commission essentially held that the mere exposure of sensitive personal and health information into the public domain may be enough to constitute a substantial injury for purposes of Section 5, without any proof that the information was ever misused.

As a result, the FTC ordered LabMD to establish a comprehensive information security program, obtain independent third party assessments of the implementation of the information security program for 20 years, and to notify the individuals who were affected by the unauthorized disclosure of their personal information and inform them about how they can protect themselves from identity theft or related harms.

Takeaway: While LabMD has announced its intention to appeal, the FTC’s decision reinforces its role as an enforcer of data security, even in the health care arena, where OCR has been the traditional enforcer of HIPAA and health care data breaches. Thus, in addition to OCR, health care entities must continue to monitor FTC enforcement actions to see if there are any additional or conflicting data security standards mandated by both agencies. Any companies handling PHI should, therefore, continue to ensure that their data security policies and procedures are being implemented and followed in accordance with industry standards. Inadequate security safeguards may contribute to data breaches resulting in government investigations and enforcement actions – not just by OCR, but the FTC as well.

For more information about the FTC’s opinion, contact Gregory M. Fliszar or a member of Cozen O’Connor’s Health Law team.

Gregory M. Fliszar

Greg focuses his practice on health law and handles a variety of health law litigation and regulatory and compliance matters for a number of different types of health care providers, including hospitals, hospices, mental health providers and physician groups. He has significant experience with HIPAA and privacy issues and has counseled insurance company clients on understanding their obligations under the Medicare Secondary Payer Act.
