Category: Alert

Consumer Health Information: Handle With (Extreme) Care

From the Federal Trade Commission, Business Blog, by Lesley Fair:

The Federal Trade Commission (FTC) has taken action against online healthcare providers Cerebral and Monument, Inc. for allegedly violating consumer privacy rights. Both companies were accused of sharing sensitive health data with third-party advertising platforms without consumer consent. Cerebral was also charged with misleading cancellation practices, while Monument was accused of falsely claiming HIPAA compliance.

The FTC’s lawsuit against Cerebral resulted in a settlement that included a $5.1 million judgment for consumer refunds, a $10 million civil penalty (suspended after a $2 million payment due to the company’s inability to pay the full amount), and injunctive provisions to change the company’s business practices, including a ban on using or disclosing consumers’ personal and health information to third parties for most marketing or advertising purposes.

The proposed order against Monument includes a ban on sharing data with third parties for advertising and a $2.5 million civil penalty (suspended due to the company’s inability to pay).

Businesses, especially those in the health sector, must substantiate any privacy or security representations they make and integrate privacy and data security into their operations. The FTC also insists that companies must provide simple mechanisms for consumers to cancel services and stop recurring charges.

Category: Health Law Highlights

Change Healthcare Faces Another Ransomware Threat—and It Looks Credible

From Ars Technica, Andy Greenberg and Matt Burgess:

Change Healthcare, a prominent healthcare company in the U.S., has been embroiled in a significant ransomware debacle, initially victimized by the group AlphV, which encrypted the company’s network and received a $22 million ransom payment. Now, a new ransomware group, RansomHub, claims to possess 4 terabytes of Change Healthcare’s stolen data and is demanding its own ransom. While the origins of RansomHub’s data are unclear, security analysts suggest that the threat may be legitimate. This situation highlights the risk of re-extortion in ransomware attacks and the untrustworthiness of cybercriminals, even after ransoms are paid. The ongoing attack has caused severe disruptions across U.S. medical practices, with 80% of clinicians reporting revenue loss and many facing potential bankruptcy.

Category: Health Law Highlights

CMS Issues Hospice Proposed Payment Rule

From King & Spalding, by Kate Karpenko:

CMS has issued a proposed rule for fiscal year 2025 to update Medicare hospice payments and the aggregate cap amount, which includes a 2.6% increase in payments and an updated aggregate cap of $34,364.85. The proposal also introduces changes to the Hospice Quality Reporting Program (HQRP), including the addition of two new measures and the use of the Hospice Outcomes and Patient Evaluation (HOPE) tool for patient data collection. It also suggests changes to the Hospice Consumer Assessment of Healthcare Providers and Systems (CAHPS) Survey, including a web-mail mode and a simplified survey. Technical changes are proposed to the Conditions of Participation (CoPs) to clarify language around the roles of a medical director and physician designee. Stakeholders are encouraged to submit comments on the proposed rule by May 28, 2024.

Category: Health Law Highlights

Online Tracking Technologies: Updated HIPAA Guidance Creates Uncertainty

From Morgan Lewis, by W. Reece Hirsch, Amy M. Magnano, Michael J. Madderra, Sydney Reed Swanson:

The US Department of Health and Human Services’ (HHS’s) Office for Civil Rights (OCR) updated its guidance on the use of online tracking technologies, causing further uncertainty for HIPAA-covered entities. OCR acknowledges that tracking technologies, such as cookies and web beacons, can unintentionally capture protected health information (PHI), thus implicating HIPAA. The updated guidance states that individually identifiable health information (IIHI) collected on a regulated entity’s website or app is generally considered PHI, even without specific treatment or billing details. The guidance differentiates between authenticated and unauthenticated pages, warning that PHI could be accessible even on unauthenticated pages. The update presents a compliance challenge for HIPAA-regulated entities, as discerning the subjective intent of website visitors is difficult, and entities must also consider other federal and state laws where HIPAA does not apply.

Category: Health Law Highlights

Forecasting the Integration of AI into Health Care Compliance Programs

From Robinson Cole, by Kathleen Healy, Josh Yoo:

Healthcare entities need to incorporate AI standards into their compliance programs to manage and mitigate legal risks. Executive Order No. 14110 outlines key principles for AI, including confidentiality, security, transparency, governance, and non-discrimination. The National Institute of Standards and Technology (NIST) provides an AI Risk Management Framework and a companion playbook to help organizations manage AI risks. Key federal privacy and security laws such as HIPAA and Section 5 of the FTC Act will affect the use of AI in healthcare. It is vital for healthcare entities to monitor evolving AI laws and regulations, inventory existing and upcoming AI use, stay educated on updates, and adapt their compliance plans accordingly.

Category: Health Law Highlights

Pandemic Fraud Suits Have Yielded Over $100 Million, Report Says

From Bloomberg Law, by Daniel Seiden:

The Covid-19 Fraud Enforcement Task Force has reported that over $100 million has been reclaimed by the US government through False Claims Act (FCA) cases related to pandemic fraud. These funds have been recovered from more than 400 settlements and judgments, including cases of Paycheck Protection Program fraud, Economic Injury Disaster Loan fraud, health-care fraud, and agricultural program fraud. The report indicates a steady rise in new whistleblower actions under the FCA alleging pandemic relief fraud from 2020 to 2023. In 2023 alone, the Department of Justice (DOJ) recovered a record $2.68 billion from 543 FCA settlements and judgments.

Category: Health Law Highlights

“Stark” Differences: DOJ’s Renewed Focus on Stand-Alone Stark Law Violations

From Arnold & Porter, by Murad Hussain, Allison W. Shuren, Loreli (Lori) Wright:

The Department of Justice (DOJ) has recently increased enforcement of the False Claims Act (FCA) based on the Stark Law, also known as the Physician Self-Referral Law. This law focuses on financial relationships between physicians and health care entities, particularly when compensation exceeds fair market value (FMV) or varies with the volume or value of referrals. Violations of the Stark Law can lead to FCA claims, which require less proof than Anti-Kickback Statute (AKS)-based FCA claims. This trend has been evident in a series of new FCA enforcement actions and resolutions involving large health care providers since early 2023.

Category: Health Law Highlights

Healthcare Highlights from FTC’s 2024 PrivacyCon

From SheppardMullin, by Carolyn Metnick, Carolyn Young:

The Federal Trade Commission’s annual PrivacyCon highlighted three healthcare privacy research projects: tracking technology use by healthcare providers, women’s privacy concerns in the post-Roe era, and bias propagation through large language models (LLMs). One key finding was the extensive use of tracking technologies on hospital websites, which can reveal personal health information and potentially be exploited. Despite the serious implications, healthcare data privacy concerns are largely overlooked by users. The event also underscored how biases in LLM training data can lead to biased healthcare outcomes. The key takeaway was the need for transparency in handling healthcare data, including clear policies around data collection and usage, compliance with HIPAA and FTC rules, and accurate privacy notices for users.

Category: Article

Why You Need a Privacy Program

In a previous video, we talked about what a Privacy Program is. In this video, we look at six reasons why your organization needs a privacy program.

Reason No. 1 – To Comply With the Law

A privacy program may be essential for your organization to comply with federal and state law. Examples of data that is protected by law include:

  • Medical records
  • Education records
  • Disability information
  • Employer background checks
  • Financial records

No matter what business you are in, you likely collect, use, store, disclose and share a lot of personally identifiable information that is protected by law.

To comply with the law, you may need a designated privacy officer and policies in place to protect the privacy and security of that data.

Reason No. 2 – To Meet Industry Standards

Your organization may have agreed to abide by industry standards.

Take credit cards, for example. The credit card industry requires everyone who accepts credit cards to comply with the Payment Card Industry Data Security Standard (PCI DSS).

You’re required to protect your network, protect stored credit card information, apply strong access control measures, regularly monitor and test your network, and create security policies for employees and contractors.

Are your policies compliant? Don’t assume so.

A privacy program will ensure that all standards applicable to your organization are properly addressed.

Reason No. 3 – It’s a Business Differentiator

The news is replete with examples of companies that squandered consumer trust.

In the first three months of 2024, over 700 million records were breached in 658 publicly disclosed incidents.

And that’s just the breaches we know about.

A well-run privacy program keeps you out of the news for data breaches and reinforces positive customer relationships.

Reason No. 4 – It Protects Your Business Data Too

Good security practices not only protect consumer data, they protect your business data too.

Lax privacy and security controls can lead to loss of proprietary business data.

The same techniques threat actors use to steal consumer data can compromise your business plans.

Improving security controls not only protects customers’ privacy, but also your organization’s secrets.

Reason No. 5 – It Enables You to Scale and Grow

A good privacy program creates a foundation for your organization to grow.

Every state has its own privacy laws, and every country has its own regulatory scheme.

With a privacy program in place, you may already satisfy the laws in those other jurisdictions. But if not, you are not starting from scratch.

With concepts like privacy by design integrated throughout your organization, you can more easily adapt to the laws in new markets, even if those markets are on the other side of the globe.

Reason No. 6 – It’s the Right Thing to Do

Respecting privacy is a fundamental aspect of maintaining trust with your customers and employees.

Data breaches can harm customers financially, reputationally, and emotionally. They lead to identity theft and the feeling of being violated.

A robust privacy program helps ensure that personal data is handled responsibly and ethically, further strengthening the bond between your organization and its stakeholders.

Category: Health Law Highlights

CMS Again Settles Record Stark Self-Disclosures in 2023

From McGuireWoods, by Gretchen Heinze Townshend, Timothy Fry, Kristen H. Chang, Varsha Gadani, Micaela Enger:

The Centers for Medicare & Medicaid Services (CMS) reported a record 176 settlements of voluntary self-disclosures related to past or potential violations of the physician self-referral law (Stark Law) in 2023, with settlements totaling over $12 million. This represents an increase from 103 self-disclosures and over $9 million in settlements in 2022. Despite the increase in total settlements, the average settlement amount in 2023 was $71,363.73, one of the lowest on record. CMS’s self-referral disclosure protocol (SRDP) allows healthcare providers to self-disclose violations to resolve overpayment liability. The data suggests that CMS is focusing on processing SRDP submissions more quickly, with average settlement amounts remaining consistent with previous years.