Categories
Health Law Highlights

HHS-OIG Determines Consultant’s Gift Cards Given to Physicians Recommending Services Do Not Implicate Anti-Kickback Statute

From Barnes & Thornburg, by Jason D. Schultz and Mary Elizabeth “Lizzy” Ford:

  • The U.S. Department of Health and Human Services’ Office of Inspector General (HHS-OIG) issued Advisory Opinion No. 23-15, permitting a consulting services company to offer gift cards as incentives for physician practices to recommend its services to other physicians. 
  • The company provides various consulting services, including workflow optimization, data analytics, electronic health record consulting, compliance monitoring, and assistance with Medicare Merit-Based Incentive Payment System (MIPS) matters.
  • The proposed arrangement involves three streams of remuneration: gift cards for recommendations and successful referrals, payment for consulting services, and potential higher MIPS reimbursements for customers. 
  • HHS-OIG determined that the Anti-Kickback Statute (AKS) would not be implicated, as the arrangement does not involve referrals or purchases for which payment may be made under a federal healthcare program. 
  • The opinion underscores that the AKS is not violated and no sanctions are imposed when the arrangement does not involve referrals or purchases related to a Federal health care program.

OIG Approves Hospital’s Redemption Offer to Retiring Physician-Owners

From Bass, Berry & Sims, PLC, by Justin Brown, Krista Cooper, Ashley Gholston Fowler, Travis Lloyd:

  • The U.S. Department of Health and Human Services Office of Inspector General (OIG) issued Advisory Opinion No. 23-12 on January 3, approving a plan by a physician-owned hospital to redeem the ownership interests of physicians who retire at 67 over a two-year period. This opinion provides guidance on redemption of physicians’ ownership interests in syndicated facilities like physician-owned hospitals and ambulatory surgery centers.
  • The requesting party, a limited liability partnership operating two hospitals, proposed a one-time offer to physician-owners turning 67 to redeem their units over two years to avoid a potential liquidity crunch. To accept, a physician-owner must agree to retire within six months of the first payment and certify they will not refer patients to the hospitals or other partners.
  • The partnership would redeem the units in three equal increments over the two-year period at a fair market value price. Redeemed units are offered to existing and prospective physician-owners equally, without regard to the volume or value of referrals or other business generated.
  • The OIG concluded that the arrangement posed a low risk under the federal Anti-Kickback Statute, based on the fact that eligibility for the redemption offer is unrelated to the volume or value of referrals or other business generated, and the remuneration is unlikely to result in unfair competition by altering referral patterns.
  • The advisory opinion highlights the importance of objectivity and consistency in structuring redemptions and offerings. Basing redemptions and offerings on objective criteria unrelated to the volume or value of referrals or other business generated and applying these criteria consistently to all physicians reduces the risk of non-compliance with the Anti-Kickback Statute and federal physician self-referral law (Stark Law).

Is Stripe HIPAA Compliant?

From The HIPAA Journal, by Steve Adler:

  • Stripe’s Non-HIPAA Compliance: Despite being compliant with various US and international data privacy regulations, Stripe is not HIPAA compliant. This is due to its method of recording personal data within transaction data, which is then used for fraud detection and shared with third-party payment providers, some of which have questionable security and privacy practices.
  • Payment Processing Exemption: Stripe can process payments without violating HIPAA because of an exemption provided by the Social Security Act (§1179), which excludes financial transactions from HIPAA’s Administrative Simplification Regulations. However, this exemption only applies to payment processing and not to other activities, such as fraud detection, without a Business Associate Agreement (BAA) in place.
  • Stripe’s BAA Limitation: Stripe cannot enter into a BAA with HIPAA covered entities and business associates because some of its third-party payment providers, like Coinbase and PayPal, will not enter into a BAA with Stripe. This makes Stripe non-HIPAA compliant.
  • Stripe’s Global Compliance: As a global payment processing platform, Stripe must adhere to various consumer protection regulations and licensing requirements worldwide, leading it to restrict or prohibit certain types of business activities, including collecting payments for certain healthcare services.
  • Violating Stripe’s Terms and Conditions: If a business violates Stripe’s Terms and Conditions, which include a list of restricted business activities, Stripe can immediately terminate access to its payment processing platform. Therefore, businesses considering Stripe should thoroughly review its Terms and Conditions and related documentation to understand their obligations.

The Most Critical Elements of the FTC’s Health Breach Rulemaking

From Lawfare, by Justin Sherman and Devan Desai:

  • The Federal Trade Commission (FTC) is considering modifications to its Health Breach Notification Rule (HBNR), which governs how non-HIPAA-covered entities handle health data breaches. The proposed changes aim to keep up with technological advancements and trends in the health tech and data landscapes.
  • The FTC’s proposal comes amid a greater focus on health data privacy, following enforcement actions against prescription drug provider GoodRx and fertility tracking app Premom, both of which allegedly violated the HBNR by sharing sensitive health data without proper disclosures.
  • The proposed changes aim to expand federal health data breach regulations to reflect the evolving role of health tech apps, telehealth services, data brokers, and digital advertisers in collecting, aggregating, identifying, sharing, and selling Americans’ health information.
  • The FTC is looking to expand and clarify the definition of personal health record identifiable information, formally expand the definition of a breach to include unauthorized data disclosures, and clarify how the HBNR applies to mobile apps and health tech companies.
  • While the proposed changes largely serve to clarify existing policies and practices, they are viewed as crucial in improving privacy regulation, aligning with state-level health data regulations, and addressing harmful practices such as selling sensitive health data without consumers’ consent.

HHS Issues First Settlement for HIPAA Violations Related to a Ransomware Attack

From Hall Benefits Law, by Anne Tyler Hall:

  • The U.S. Department of Health and Human Services (HHS) reached a settlement with a Massachusetts-based medical management company for alleged violations of HIPAA’s Privacy and Security Rules. The company, a HIPAA business associate, will pay $100,000 and comply with a three-year corrective action plan (CAP).
  • The investigation began in 2019, following the company’s notification to HHS about a Gandcrab ransomware attack that had occurred two years prior. The attack, discovered 18 months after it happened, affected the electronic Protected Health Information (ePHI) of over 206,000 individuals.
  • HHS found that the company violated HIPAA rules by disclosing individuals’ ePHI without authorization and failing to perform a thorough risk analysis, regularly review information system activity, and establish compliant security policies and procedures.
  • The CAP requires the company to revise its HIPAA policies and procedures, addressing issues like security awareness, training, and regular review of information system activities. The company must distribute these revised policies to all workers who use or disclose ePHI, and promptly report any noncompliance to HHS.
  • The CAP also mandates that the company conduct a thorough risk analysis of potential risks and vulnerabilities concerning its existing system for storing ePHI. The company must document its security measures, adopt a risk management plan, and submit annual reports to HHS throughout the three-year duration of the CAP.

Ownership Transparency: The New Normal in Healthcare?

From Davis Wright Tremaine LLP, by Megan Leonard and Robert G. Homchick:

  • On November 17, 2023, the U.S. Department of Health and Human Services published a final rule requiring Medicare and Medicaid nursing facilities to provide more detailed ownership and managerial information on the Medicare Enrollment Application Form CMS-855A.
  • Private equity’s role in the healthcare sector has been under scrutiny, with increased transparency and oversight measures being implemented at both the federal and state levels.
  • The Final Rule was issued in response to studies linking private equity ownership to a decline in quality of care in nursing homes and SNFs.
  • The Final Rule will be effective January 16, 2024 and will require disclosure of ownership and managerial information upon initial enrollment, revalidation, and change of ownership.
  • The Final Rule requires nursing homes to disclose information on their governing body, officers, directors, and additional disclosable parties, as well as the organizational structure and relationships of these parties. This information must be reported upon initial enrollment, revalidation, and every five years.

US Enforcement of Emergency Abortion Rule Halted in Texas

From Bloomberg Law, by Mary Anne Pazanowski and Ian Lopez:

  • The Fifth Circuit has ruled that the Biden administration’s guidance document, intended to protect abortion access nationwide, cannot be enforced due to a failure to follow proper rulemaking procedures.
  • The guidance document added new obligations under the Emergency Medical Treatment and Labor Act, rather than simply restating existing requirements.
  • The court’s decision limits the government’s ability to ensure that clinicians can provide necessary care, including abortion, in emergency situations.
  • The case highlights a conflict between the Biden administration’s pro-abortion stance and Texas law, which largely bans the procedure.
  • The decision has been met with concern from advocates for reproductive justice, who fear that access to abortion services will be further restricted.

OCR Doubles Down: Two Settlements in Two Months for Two Common Cybersecurity Issues

From Taft Stettinius & Hollister LLP, by Ike Willett & Cory Brennan:

  • On December 7, 2023, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), announced a settlement with a Louisiana medical group following a phishing attack that affected the PHI of approximately 34,862 individuals.
  • This marks the first settlement OCR has resolved involving a phishing attack under HIPAA Rules, and comes just weeks after another settlement with a Massachusetts medical management company for a ransomware attack affecting 206,695 individuals.
  • These settlements serve as a reminder for all health care entities to regularly review and update their risk analysis, implement audit controls, utilize multi-factor authentication, and provide ongoing workforce training to mitigate the impact of cyber-attacks.
  • In addition to a $100,000 settlement, the agreement with the medical management company requires them to operate in accordance with a Corrective Action Plan (CAP) for three years, which includes updating their risk analysis and implementing security measures.
  • The health care industry continues to be a prime target for cyber threats, with a significant increase in reported breaches involving hacking and ransomware. Organizations should seek qualified legal counsel and regularly review their compliance practices to prepare for potential breaches or regulatory investigations.

FDA Warns Against Unauthorized Fat-Melting Injection Treatments

From NBC News, by Berkeley Lovelace Jr.:

  • The FDA has issued a warning about the dangers of using unauthorized versions of fat-dissolving injections, citing reports of severe side effects such as scarring, infections, and skin deformities.
  • These injections, also known as lipolysis injections, are typically used in problem areas such as the chin, legs, upper arms, and abdomen.
  • While the FDA has approved one injection, Kybella, from Kythera Biopharmaceuticals, there are many unapproved versions being sold at clinics and med spas, as well as online.
  • Common ingredients in these unapproved injections, such as phosphatidylcholine and sodium deoxycholate, have not been approved by the FDA.
  • The FDA advises against purchasing fat-dissolving products from websites, as they may be ineffective and carry a risk of severe side effects. If experiencing side effects from these injections, it is recommended to see a healthcare provider.

FTC Seeks to Put Private Equity Roll-Up Strategies to Sleep With its Case Against U.S. Anesthesia Partners

From Winston & Strawn, by Neely Agin and Hannah Gallagher, writing for AHLA (Subscription):

  • FTC and DOJ have increased regulatory scrutiny on the health care industry, particularly private equity investors.
  • FTC Chairwoman Lina Khan has expressed concern over “roll-up” or consolidation strategies in the health care industry, citing potential negative effects on quality of care and costs for patients.
  • In its recent complaint against Welsh Carson and USAP, the FTC alleges a “multi-year anticompetitive scheme” to consolidate anesthesiology practices in Texas and drive up prices.
  • The complaint also includes claims against Welsh Carson, the private equity firm, and not just the portfolio company.
  • This lawsuit serves as a reminder to private equity firms to carefully consider potential antitrust risks in their investments and post-consummation behavior.