Categories
Health Law Highlights

Online Tracking Technologies: Updated HIPAA Guidance Creates Uncertainty

From Morgan Lewis, by W. Reece Hirsch, Amy M. Magnano, Michael J. Madderra, Sydney Reed Swanson:

The US Department of Health and Human Services’ (HHS’s) Office for Civil Rights (OCR) updated its guidance on the use of online tracking technologies, causing further uncertainty for HIPAA-covered entities. OCR acknowledges that tracking technologies, such as cookies and web beacons, can unintentionally capture protected health information (PHI), thus implicating HIPAA. The updated guidance states that individually identifiable health information (IIHI) collected on a regulated entity’s website or app is generally considered PHI, even without specific treatment or billing details. The guidance differentiates between authenticated and unauthenticated pages, warning that PHI could be accessible even on unauthenticated pages. The update presents a compliance challenge for HIPAA-regulated entities, as discerning the subjective intent of website visitors is difficult, and entities must also consider other federal and state laws where HIPAA does not apply.

Categories
Health Law Highlights

Forecasting the Integration of AI into Health Care Compliance Programs

From Robinson Cole, by Kathleen Healy, Josh Yoo:

Healthcare entities need to incorporate AI standards into their compliance programs to manage and mitigate legal risks. Executive Order No. 14110 outlines key principles for AI including confidentiality, security, transparency, governance, and non-discrimination. The National Institute of Standards and Technology (NIST) provides a Risk Management Framework for AI and a playbook to help organizations manage AI risks. Key federal privacy and security laws like HIPAA and Section 5 will impact the use of AI in healthcare. It’s vital for healthcare entities to monitor evolving AI laws and regulations, inventory existing and upcoming AI use, educate themselves on updates, and adapt their compliance plans accordingly.

Categories
Health Law Highlights

Pandemic Fraud Suits Have Yielded Over $100 Million, Report Says

From Bloomberg Law, by Daniel Seiden:

The Covid-19 Fraud Enforcement Task Force has reported that over $100 million has been reclaimed by the US government through False Claims Act (FCA) cases related to pandemic fraud. These funds have been recovered from more than 400 settlements and judgments, including cases of Paycheck Protection Program fraud, Economic Injury Disaster Loan fraud, health-care fraud, and agricultural program fraud. The report indicates a steady rise in new whistleblower actions under the FCA alleging pandemic relief fraud from 2020 to 2023. In 2023 alone, the Department of Justice (DOJ) recovered a record $2.68 billion from 543 FCA settlements and judgments.

Categories
Health Law Highlights

“Stark” Differences: DOJ’s Renewed Focus on Stand-Alone Stark Law Violations

From Arnold & Porter, by Murad Hussain, Allison W. Shuren, Loreli (Lori) Wright:

The Department of Justice (DOJ) has recently increased enforcement of the False Claims Act (FCA) based on the Stark Law, also known as the Physician Self-Referral Law. This law focuses on financial relationships between physicians and health care entities, particularly when compensation exceeds fair market value (FMV) or varies with the volume or value of referrals. Violations of the Stark Law can lead to FCA claims, which require less proof than Anti-Kickback Statute (AKS)-based FCA claims. This trend has been evident in a series of new FCA enforcement actions and resolutions involving large health care providers since early 2023.

Categories
Health Law Highlights

Healthcare Highlights from FTC’s 2024 PrivacyCon

From SheppardMullin, by Carolyn Metnick, Carolyn Young:

The Federal Trade Commission’s annual PrivacyCon highlighted three healthcare privacy research projects: tracking technology use by healthcare providers, women’s privacy concerns in the post-Roe era, and bias propagation through large language models (LLMs). One key finding was the extensive use of tracking technologies on hospital websites, which can reveal personal health information and potentially be exploited. Despite the serious implications, healthcare data privacy concerns are largely overlooked by users. The event also underscored how biases in LLM training data can lead to biased healthcare outcomes. The key takeaway was the need for transparency in handling healthcare data, including clear policies around data collection and usage, compliance with HIPAA and FTC rules, and accurate privacy notices for users.

Categories
Article

Why You Need a Privacy Program

In a previous video, we talked about what a Privacy Program is. In this video, we look at six reasons why your organization needs a privacy program.

Reason No. 1 – To Comply With the Law

A privacy program may be essential for your organization to comply with federal and state law, which protects data such as:

  • Medical records
  • Education records
  • Disability information
  • Employer background checks
  • Financial records

No matter what business you are in, you likely collect, use, store, disclose and share a lot of personally identifiable information that is protected by law.

To comply with the law, you may need a designated privacy officer and policies in place to protect the privacy and security of that data.

Reason No. 2 – To Meet Industry Standards

Your organization may have agreed to abide by industry standards.

Take credit cards, for example. The credit card industry requires everyone who accepts credit cards to comply with the Payment Card Industry Data Security Standard (PCI DSS).

You’re required to protect your network, protect stored credit card information, apply strong access control measures, regularly monitor and test your network, and create security policies for employees and contractors.

Are your policies compliant? Don’t assume so.

A privacy program will ensure that all standards applicable to your organization are properly addressed.

Reason No. 3 – It’s a Business Differentiator.

The news is replete with examples of companies that squandered consumer trust.

In the first three months of 2024 alone, over 700 million records were breached in 658 publicly disclosed incidents.

And that’s just the breaches we know about.

A well-run privacy program keeps you out of the news for data breaches and reinforces positive customer relationships.

Reason No. 4 – It Protects Your Business Data Too.

Good security practices not only protect consumer data, they protect your business data too.

Lax privacy and security controls can lead to loss of proprietary business data.

The same techniques employed by threat actors to steal consumer data can compromise your business plans.

Improving security controls not only protects customers’ privacy, but also your organization’s secrets.

Reason No. 5 – It Enables You to Scale and Grow.

A good privacy program creates a foundation for your organization to grow.

Every state has its own privacy laws, and every country has its own regulatory scheme.

With a privacy program in place, you may already satisfy the laws in those other jurisdictions. But if not, you are not starting from scratch.

With concepts like privacy by design integrated throughout your organization, you can more easily adapt to the laws in new markets, even if those markets are on the other side of the globe.

Reason No. 6 – It’s the Right Thing to Do.

Respecting privacy is a fundamental aspect of maintaining trust with your customers and employees.

Data breaches can harm customers financially, reputationally, and emotionally. They can lead to identity theft and a feeling of having been violated.

A robust privacy program helps ensure that personal data is handled responsibly and ethically, further strengthening the bond between your organization and its stakeholders.

Categories
Health Law Highlights

CMS Again Settles Record Stark Self-Disclosures in 2023

From McGuireWoods, by Gretchen Heinze Townshend, Timothy Fry, Kristen H. Chang, Varsha Gadani, Micaela Enger:

The Centers for Medicare & Medicaid Services (CMS) reported a record 176 settlements of voluntary self-disclosures related to past or potential violations of the physician self-referral law (Stark Law) in 2023, with settlements totaling over $12 million. This represents an increase from 103 self-disclosures and over $9 million in settlements in 2022. Despite the increase in total settlements, the average settlement amount in 2023 was $71,363.73, one of the lowest on record. CMS’s self-referral disclosure protocol (SRDP) allows healthcare providers to self-disclose violations to resolve overpayment liability. The data suggests that CMS is focusing on processing SRDP submissions more quickly, with average settlement amounts remaining consistent with previous years.

Categories
Health Law Highlights

Fair Market Value and Commercial Reasonableness Considerations Amid CMS Radiopharmaceutical Reimbursement Challenges

From VMG Health, by Carla Zarazua, Preston Edison, and James Tekippe, CFA:

Radiopharmaceutical drugs (RPs) are crucial for diagnosing and treating diseases. However, the current pricing structure set by the Centers for Medicare and Medicaid Services (CMS) places a financial strain on hospitals and health systems and potentially restricts patient access to these vital resources. The existing CMS payment structure categorizes diagnostic RPs as supplies, bundling their cost into the overall procedure rate and causing a disconnect between the cost of acquiring RPs and the reimbursement received, particularly for high-cost drugs.

The CMS encourages hospitals to use cost-effective resources while ensuring patient care. A temporary exception allows for separate pricing for new and high-cost drugs for two to three years, but this is a finite period. The current pricing model may force hospitals to limit the use of high-cost or newer RPs, potentially leading to suboptimal patient care and stifling innovation in drug development.

In response to these challenges, CMS proposed five alternative payment models in 2024, including paying separately for diagnostic RPs with per-day costs above a certain threshold, restructuring the ambulatory payment classification (APC), and adopting codes that incorporate the disease state being diagnosed. Stakeholders, including the Medical Imaging & Technology Alliance (MITA) and the American College of Radiology (ACR), advocate for separate payment for diagnostic RPs based on the average sales price (ASP) + 6% methodology.

However, the CMS has not yet decided on a new reimbursement structure for RPs, leaving hospitals to navigate the financial implications of using these drugs. To remain compliant with fair market value (FMV) and commercial reasonableness (CR), hospitals need to review and negotiate vendor agreements, document the necessity of higher-priced drugs, and establish a process for deciding which RPs to use.

In conclusion, while awaiting a resolution from the CMS, hospitals and health systems must proactively develop compliance protocols and negotiate agreements to minimize the financial impact and ensure optimal patient care. The proposed changes to the reimbursement structure for RPs represent a significant step towards addressing the economic challenges faced by healthcare providers and improving patient access to essential diagnostic and therapeutic resources.

Categories
Alert

Oklahoma Chiropractic Clinic, Owner, and Referring Physicians Pay $465,000 to Settle Federal False Claims Act and Kickback Allegations

From United States Department of Justice:

Chiropractic Associates and Dr. Scott Kirkpatrick paid $365,000 to settle allegations of wrongfully paying physicians to induce referrals of durable medical equipment (DME), leading to the submission of false claims to the Medicare program. Dr. Cash Biddle and Dr. Chad Keeney each paid $50,000 to settle allegations that they received remuneration from Chiropractic Associates and/or Dr. Kirkpatrick to induce referrals of Medicare DME orders.

From October 2017 to July 2021, Chiropractic Associates and Dr. Kirkpatrick allegedly violated the Anti-Kickback Statute (AKS) and/or the Physician Self-Referral Law (Stark Law) by paying referring providers to induce referrals of Medicare DME orders. It is also alleged that Dr. Biddle and Dr. Keeney received such remuneration during certain periods.

The AKS and Stark Law aim to ensure that physicians’ medical judgments are not influenced by improper financial incentives and are based on patients’ best interests. Violations of these laws result in claims under the False Claims Act. To settle these allegations, Chiropractic Associates and Dr. Kirkpatrick paid $365,000, and Dr. Biddle and Dr. Keeney each paid $50,000 to the U.S.

In reaching this settlement, Chiropractic Associates, Dr. Kirkpatrick, Dr. Biddle, and Dr. Keeney did not admit liability, and the government did not make any concessions about the legitimacy of the claims. The agreements allow the parties to avoid the delay, expense, and uncertainty associated with litigation.

Categories
Alert

HHS’ Office for Civil Rights Settles HIPAA Investigation with Phoenix Healthcare

From U.S. Health and Human Services:

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has reached a settlement with Phoenix Healthcare over a potential violation of the HIPAA Right of Access provision. The case involved a daughter, acting as a representative for her mother, who could not access her mother’s health information for almost a year despite numerous requests. OCR Director Melanie Fontes Rainer emphasized the importance of timely access to medical records for patient decision-making and treatment accuracy. Phoenix Healthcare eventually provided the requested records 323 days after the initial request. This case marks OCR’s 47th enforcement action related to the Right of Access provision under HIPAA.