Categories
Around the Web

U.S. Supreme Court: False Claims Act Liability Depends on Defendant’s Subjective Beliefs

Michael R. Bertoncini & William Kang for Jackson Lewis:

Liability in False Claims Act (FCA) suits depends on whether a defendant subjectively believed its claims were false, not on whether it can offer an objectively reasonable basis for its claims, the U.S. Supreme Court has held in a unanimous decision authored by Justice Clarence Thomas. U.S. ex rel. Schutte v. SuperValu Inc., No. 21-1326, together with U.S. ex rel. Proctor v. Safeway, Inc., No. 22-111 (June 1, 2023).

Following the Court’s decision, Medicare and Medicaid providers and other federal contractors should practice caution when submitting claims to the U.S. government. An FCA defendant’s subjective beliefs at the time claims were submitted may become subjected to intense scrutiny.

Categories
Around the Web

A Provider’s Guide to OIG’s Self-Disclosure Protocol

Recommending to clients that they self-disclose violations of the False Claims Act often creates a lot of anxiety. It is a certainty that self-disclosure will be perceived as a good faith effort by the provider to correct the conduct. It is also true that, without the disclosure, OIG might not identify the wrongful conduct.

Trey Hendershot, for Hendershot Cowart, PC discusses why self-disclosure is almost always the best course of action.

[T]he OIG Self-Disclosure Protocol generally benefits the provider in several ways:

The OIG views a good-faith disclosure as an indication of a robust and effective compliance program. As a result, many self-disclosed violations are resolved through settlements that do not involve exclusion from participation in federal healthcare programs.

The OIG believes that entities that self-disclose and cooperate deserve to pay a lower multiplier on damages than normally would be required in resolving a DOJ-led investigation.

The Self-Disclosure Protocol may mitigate potential exposure under the Civil Monetary Penalties Law and the False Claims Act.

Providers can expect a streamlined and less costly review and resolution process upon acceptance into the Self-Disclosure Protocol.

Categories
Around the Web

New Texas Data and Privacy Security Act Aims to Increase Protections for Online User Data

Matt Stringer, for The Texan:

[T]he Texas Data and Privacy Security Act (TDPSA), was signed into law by Gov. Greg Abbott on Sunday and will take effect in two stages over the next two years.

The act creates a list of rights for internet users over their personal data, including knowing when it is collected, the ability to correct and delete personal data, the right to prohibit the sale of personal data, and protections against being discriminated against or retaliation by companies for using these rights.

Companies will also be required to obtain consent before collecting data relating to racial or ethnic origins, health conditions, sexuality, or citizenship status, as well as genetic and biometric data.

Categories
Around the Web

Safeguarding Healthcare Data in the Age of AI: A Critical Imperative for Healthcare Executives

Artificial Intelligence, particularly generative AI, is upending many industries. It will be years before we have an appreciation for the many ways AI can be used to improve quality and equity in healthcare. It will be even longer before laws catch up to protect patients from its inevitable misuse.

Sarah M. Worthy, for The Fast Mode:

Healthcare executives must navigate the delicate balance between harnessing the power of AI and safeguarding the privacy and security of sensitive data. This article explores the imperative for healthcare executives to fortify data protection efforts, delves into the unique challenges posed by AI, and emphasizes the need for a comprehensive approach to safeguard patient and employee data.

Categories
Around the Web

Key Findings from Private Equity’s Healthcare Play: Management Service Agreements

Holden Godat, Taylor Anderson, CVA, and Trent Fritzsche, writing for VMG Health:

With the emergence of private equity (PE) firms attempting to align with physician practices, VMG Health has seen an increase in the number of management services agreements (MSAs). Due to the highly fragmented and regulated nature of healthcare, PE investment in healthcare is not as straightforward as in other industries. In states with some level of corporate practice of medicine (CPOM) adoption, PE’s interaction with physician practices usually involves a “Friendly PC” model with an affiliated management services organization (MSO) [1]. In return for providing most of the non-clinical assets and services to a physician practice, the MSO charges a management fee via an MSA. To better understand how these arrangements are structured in the market, VMG Health experts have outlined their findings from valuing over 120 MSAs and offer insight into how to generate more value from these agreements.

Categories
Ask the Health Lawyer

How Often Should Med Spas Perform Good Faith Exams?

At a minimum, a Good Faith Exam (GFE) should be performed annually, but may be required more often depending on the circumstances.

The good faith exam should be performed on any patient receiving treatment for the first time. From this GFE, the provider develops a treatment plan which will often include multiple treatments over several sessions. A GFE does not need to be performed for each session included in that treatment plan.

With that said, a new GFE should be performed:

  • If a patient seeks additional services not anticipated during the initial GFE, or not included in the initial treatment plan;
  • The patient discontinues the treatment plan, but then desires to resume treatment after a substantial delay; or
  • A patient’s health changes materially, either during the course of a treatment plan or thereafter.

There is no hard and fast rule. It is a question of the applicable medical standard of care. When in doubt, a physician or midlevel should decide if a GFE is required.

Categories
Around the Web

Healthcare Organizations and Practitioners Receive New Protection Against Frivolous Whistleblower Lawsuits

Jose Vela, Jr., for Clark Hill:

Last Friday, the U.S. Supreme Court (SCOTUS) handed down an important ruling that will give healthcare organizations and practitioners relief against meritless whistleblower lawsuits. The ruling could result in saving organizations and practitioners their time, money, and reputation.

In a near-unanimous 8-1 decision, the SCOTUS affirmed the Third Circuit Court of Appeals on whether the federal government may obtain dismissal of a whistleblower lawsuit it declined to intervene under the federal False Claims Act (FCA). Upon a defendant’s request or its own volition, the federal government may move to voluntarily dismiss a FCA case over the objection of the whistleblower.

Categories
Around the Web

Texas Jury Renders $10 Million Verdict in Novel Corporate Practice of Medicine Case

From HuschBlackwell, Healthcare Law Insights:

Following two weeks of trial testimony, a Travis County jury recently rendered a $10 million verdict in a novel corporate practice of medicine (CPOM) case. The jury found in favor of a physician hospitalist group that claimed a management company repeatedly broke its promise to comply with the state’s CPOM prohibition, putting profits over patients, among other wrongdoings.

An appeal is underway, but the case stands out among CPOM cases that typically focus on terms of a contract or on practice models and are limited to seeking declaratory judgments and not money damages. The case also serves as a reminder that breaching a contractual promise to follow applicable state laws (even those to be enforced by regulators and that do not provide for a private right of action) can carry real risk.

Categories
Around the Web

10 HIPAA Violations to Watch Out for While Working Remotely

Most improper disclosures are caused by complacency, poor training, or lack of attention. These kinds of lists are good reminders of some of the biggest types of violations. Of course, Covered Entities should provide this, and more, to employees and business associates.

From Security Boulevard:

1. Unsecure internet access. Transmitting e-PHI over unsecured networks, such as Wi-Fi networks at a coffee shop, internet cafe, or even at home, can increase the risk of patient data becoming accessible to hackers.

2. Improper handling of paper-based PHI. Paper-based procedures are still commonly used for some elements of a healthcare organization’s operations. This may result in unauthorized access to PHI. For example, if a remote employee prints out patient information from their family printer, the household may access these files.

3. Improper disposal of files. Improper disposal includes disposing of files, physical or electronic, in a way that information can still be read or accessed by unauthorized individuals. …

4. Unauthorized devices. HIPAA rules require all devices that use, gather, store, or transfer e-PHI to be safeguarded by specific security controls. Employees often use multiple devices to complete their daily tasks, so it is possible to use a device their organization did not authorize unintentionally. …

5. Insufficient compliance training program. Business associates and covered entities are required to renew their HIPAA certifications annually through compliance training programs. All staff, including remote employees, must complete compliance training.

6. Lost or stolen records. The HIPAA Security Rule outlines security and safeguards to ensure minimal risk of unauthorized access to PHI. …

7. Incorrect filing of PHI. Incorrect filing can result in unauthorized access to PHI. For example, if a health care provider sends digital X-ray results to the wrong physician or patient information to the wrong patient …

8. Phishing scams. Phishing scams are a common way cybercriminals trick individuals into accidentally revealing passwords and other sensitive information by sending them communications that appear to come from a reputable source. Refresher courses for all employees on cybersecurity awareness can help reduce these risks. …

9. Unencrypted data. With most communication occurring through text, email, and other messaging platforms, it’s easy to forget how vulnerable that information is. If PHI is not encrypted appropriately, there is an increased risk of cyberattacks, threats, and data breaches. …

10. Lack of physical security. For example, leaving paper PHI unattended in communal rooms of the house or on the table at a coffee shop increases the risk of theft or unauthorized access to these files.

Source: 10 HIPAA Violations to Watch Out for While Working Remotely – Security Boulevard

Categories
Alert

Toolkit: Analyzing Telehealth Claims to Assess Program Integrity Risks

This toolkit provides detailed information on methods to analyze telehealth claims to identify program integrity risks associated with telehealth services. It is based on the methodology that OIG developed for the report Medicare Telehealth Services During the First Year of the Pandemic: Program Integrity Risks, which identified Medicare providers whose billing for telehealth services poses a high risk to Medicare. This toolkit is intended to assist public and private sector partners—such as Medicare Advantage plan sponsors, private health plans, State Medicaid Fraud Control Units, and other Federal health care agencies—in analyzing their own telehealth claims data to assess program integrity risks in their programs.

Source: Toolkit: Analyzing Telehealth Claims to Assess Program Integrity Risks