settlement

OCR Announces Two Significant HIPAA Breach Settlements

Posted by Gregory M. Fliszar on March 21, 2016
HHS, OCR

On consecutive days, the Office of Civil Rights (“OCR”) of the Department of Health and Human Services (“HHS”) recently announced two large HIPAA breach settlements. On March 16, 2016, OCR announced that it entered into a Resolution Agreement with North Memorial Health Care of Minnesota for $1.55 million plus a two-year corrective action plan. On March 17, 2016, OCR followed by announcing that Feinstein Institute for Medical Research, a New York biomedical research institute, agreed to pay to OCR $3.9 million and enter into a three-year corrective action plan to settle potential HIPAA violations. Both cases arose from the all too familiar scenario of stolen, unencrypted laptops.

In the Minnesota hospital breach, the unencrypted laptop containing the PHI of over 9,000 individuals was stolen from the locked car of an employee of a business associate of the hospital. According to the OCR’s investigation, the hospital failed to have a business associate agreement in place with that particular business associate. OCR also alleged that the hospital had not previously performed a risk analysis to identify and address potential risks and vulnerabilities to the ePHI it maintained, accessed or transmitted.

In the New York research corporation breach, OCR alleged that the institution did not have policies and procedures in place, including a policy on encryption and one that addressed use and access of electronic devices (e.g., the removal of the devices from the institution’s facility), nor did it have in place a security management process that sufficiently addressed potential security risks and vulnerabilities to ePHI, namely, its confidentiality, vulnerability or integrity. Notably, the stolen, unencrypted laptop contained the PHI of approximately 13,000 individuals.

As above, both OCR settlements also include multiple year corrective action plans requiring the hospital and research facility to conduct risk analyses/assessments, train their employees, and have HIPAA compliant policies and procedures in place. The Resolution Agreement for the Minnesota hospital breach is available here, and the Resolution Agreement for the New York research institute breach is available here.

Takeaways: The OCR’s 2016 breach enforcement is off to a very strong start with two high dollar settlements. Lessons learned from both breaches include the significance of encrypting electronic devices, conducting and updating on a regular basis security risk assessments and analyses, having adequate safeguards in place to protect PHI, having business associate agreements with all business associates, and having and implementing HIPAA policies and procedures to protect the security and privacy of PHI, including for example, policies related to encryption, authorized access to ePHI/PHI, and removal of electronic devices from facilities.

 

For more information, contact Greg Fliszar, J. Nicole Martin, or a member of Cozen O’Connor’s Health Law team.

 

Gregory M. Fliszar

Greg focuses his practice on health law and handles a variety of health law litigation and regulatory and compliance matters for a number of different types of health care providers, including hospitals, hospices, mental health providers and physician groups. He has significant experience with HIPAA and privacy issues and has counseled insurance company clients on understanding their obligations under the Medicare Secondary Payer Act.


OCR Announces Another HIPAA Settlement and Warns Not to Forget About Paper Records

Posted by Gregory M. Fliszar on May 04, 2015
HHS, HIPAA, OCR

On April 27, 2015, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) announced that Cornell Prescription Pharmacy (“Cornell Pharmacy”) had entered into a resolution agreement to settle, without an admission of liability or wrongdoing, potential HIPAA violations. As part of the resolution agreement Cornell Pharmacy will pay $125,000 and enter into a two-year corrective action plan (“CAP”) focused on correcting the alleged deficiencies in its HIPAA compliance program.

Cornell Pharmacy is a small, single-store pharmacy located in Denver, Colorado that specializes in compound medications and providing services for local hospice agencies. OCR began an investigation into the pharmacy after it received a media report from a Denver news agency that protected health information (“PHI”) belonging to Cornell Pharmacy was apparently disposed of and found in an unlocked, publicly accessible dumpster. The documents were not shredded and contained the PHI of approximately 1,610 of Cornell Pharmacy’s patients. After conducting its investigation, OCR concluded that Cornell Pharmacy failed to implement any written policies and procedures as required by HIPAA’s Privacy Rule, and further failed to provide training on the Privacy Rule to its workforce members.

This settlement is instructive as OCR again highlights the importance of having updated and comprehensive HIPAA policies and procedures in place, including policies on the proper disposal of PHI, and on training all staff on those policies and procedures. Further, in this year of massive cyber-attacks and other breaches of electronic data, this HIPAA settlement serves to remind covered entities and business associates not to forget about protecting their paper records as well. As stated by OCR in its press release, “Even in our increasingly electronic world, it is critical that policies and procedures be in place for secure disposal of patient information, whether that information is in electronic form or on paper.” As discovered by Cornell Pharmacy, a breach or other improper disclosure of paper PHI can also result in significant consequences.

For further information please contact the author, Gregory M. Fliszar (Philadelphia, PA), or other members of Cozen O’Connor’s healthcare team.


Skilled Nursing Facility Reaches Largest Failure of Care Settlement in DOJ History

Posted by J. Nicole Martin on October 13, 2014
DOJ, HHS, Medicaid, Medicare

On Friday, October 10, 2014, the Department of Justice (DOJ) and the U.S. Department of Health and Human Services Office of Inspector General (HHS-OIG) jointly announced a $38 million settlement with a skilled nursing facility (SNF), Extendicare Health Services Inc. (Extendicare) and its subsidiary Progressive Step Corporation (ProStep). Extendicare owns and operates 146 SNFs in eleven states. ProStep offers Extendicare residents occupational, physical and speech rehabilitation services.

The settlement stemmed from allegations in two qui tam cases: United States ex rel. Lovvorn v. EHSI, et al., C.A. 10-1580 (E.D. Pa); and United States ex rel. Gallick et al., v. EHSI et al., C.A. 2:13cv-092 (S.D. Ohio). The allegations were that Extendicare (1) “billed Medicare and Medicaid for materially substandard nursing services that were so deficient that they were effectively worthless”; and (2) “billed Medicare for medically unreasonable and unnecessary rehabilitation therapy services.”

J. Nicole Martin

Nicole assists accountable care organizations, health care systems, long term care providers (e.g., skilled nursing facilities, continuing care retirement communities), behavioral and mental health providers, medical device manufacturers, physician practices, and pharmacies with their compliance, regulatory, and transactional needs. Nicole’s practice includes providing clients with counsel regarding telehealth laws, HIPAA/HITECH and state privacy and security laws, data breaches, business associate and covered entity obligations, licensure laws, Medicare, Medicaid and third-party payer matters, medical staff issues, and fraud and abuse laws.


Special (Limited) CMS Offer to Settle Claims on Appeal

Posted by Mark Gallant on September 03, 2014
CMS, Medicare, OMHA

With little fanfare just before the Labor Day weekend, CMS announced a program in which it would enter into administrative agreements with eligible providers in exchange for the providers’ withdrawal of pending appeals (“Settlement Process”). This announcement follows massive backlogs in administrative appeals resulting from retroactive denials of inpatient claims by Medicare contractors, including recovery auditor contractors (“RAC”), as well as a lawsuit brought by the American Hospital Association challenging these delays. Under the Settlement Process, CMS is willing to pay “68% of the net allowable amount” for eligible claims within 60 days. According to CMS, eligible providers should submit requests to participate in the Settlement Process by October 31, 2014, and eligible providers may file for an extension of time to request a settlement if they are unable to submit requests by the end of October. Although this Settlement Process holds promise for certain providers, it does not apply to all providers or all claims.

Eligible Providers

Only acute care hospitals and critical access hospitals may participate in the Settlement Process. The following providers are not eligible to participate:

  • Cancer hospitals;
  • Children’s hospitals;
  • Inpatient rehabilitation facilities;
  • Long-term care hospitals; and
  • Psychiatric hospitals that are paid under the inpatient psychiatric facility prospective payment system.

CMS may exclude eligible providers from participating in this Settlement Process if they are subject to pending False Claims Act litigation or investigations.

Eligible Claims

Only the following claims are eligible:

  • Claims for dates of admissions prior to October 1, 2013;
  • Claims for patients that were not Medicare Part C enrollees; and
  • Claims that are pending appeals of inpatient-status claim denials, which were rejected by Medicare contractors, including RACs.

An eligible provider may select the eligible claims it would like to settle, while continuing to appeal certain other claims.

For more information regarding the Settlement Process, please contact Mark Gallant, Chris Raphaely, or Ryan Blaney.

Mark Gallant

Mark H. Gallant is co-chair of the Health Care Practice Group concentrating his practice in client counseling and litigation involving federal and state regulation of health care providers and third-party payers.


We Don’t Need No Intervention: Qui Tam Relator in Omnicare Wins Big Without DOJ

Posted by J. Nicole Martin on July 23, 2014
DOJ, False Claims Act, Whistleblower

The United States Department of Justice (DOJ) recently announced the settlement of two qui tam whistleblower lawsuits against Omnicare Inc., the largest nursing home pharmaceutical and pharmacy services vendor in the nation. The suits alleged that Omnicare gave significant discounts to skilled nursing facilities in exchange for lucrative referrals and pharmacy provider contracts. This $124.24 million settlement is the largest ever in a “swapping” case brought under the Anti-Kickback Statute.

In addition to its size, this settlement is noteworthy because DOJ had initially declined to intervene in the underlying suits and relators pursued the claims independently. That go-it-alone decision was so resoundingly vindicated in Omnicare that this case will likely encourage other whistleblowers to follow a similar course of action. Relators have long had the right to continue False Claims Act litigation without governmental participation. DOJ’s decision whether to intervene or not was traditionally (although not explicitly stated) viewed as a reflection of the strength of the whistleblower’s allegations. The increase in whistleblower complaints, the limitations on the number of cases that DOJ can put resources on, statutory changes, the rise of a specialized qui tam bar, and big dollar victories like this may significantly increase the number of independent qui tam lawsuits.
