Categories
Health Law Highlights

Wellness Apps and Privacy

From Seyfarth Shaw LLP, by Diane Dygert:

  • Employers are increasingly interested in providing wellness tools, such as apps and wearables, to enhance employee benefits. These tools, which cover various areas like mental health, physical fitness, and financial fitness, are relatively inexpensive and easily accessible.
  • The Health Insurance Portability and Accountability Act (HIPAA) protects the privacy and security of individually identifiable health information. However, this only applies to data created or maintained by a “covered entity”, usually healthcare providers or health plans. Many wellness apps are not developed by such entities, and therefore, their data may not be protected by HIPAA.
  • If a wellness app is provided as part of an employer’s health plan, the underlying data collected may be considered HIPAA Protected Health Information (PHI). In such cases, the wellness vendor and the health plan must enter into a HIPAA compliant business associate agreement outlining the uses and security measures for the PHI.
  • State laws may also impact the privacy of health data collected through wellness apps. Several states are passing their own privacy laws to cover health data privacy gaps in HIPAA’s scope. However, most of these laws exclude information collected in the scope of an employment relationship, and the extent of these exclusions is not yet clear.
  • Employers deploying wellness apps should consider privacy implications at both federal and state levels before implementation. Failure to do so could potentially lead to privacy law liability.
Categories
Health Law Highlights

The Corporate Transparency Act: A Reporting Guide for Medical Groups and MSOs

From Sheppard Mullin Richter & Hampton LLP, by John Golembesky, Jordan Grushkin, Leonard Lipsky, Kathleen O’Neill, Richard Rifenbark, and Carolyn Young:

  • The Corporate Transparency Act (CTA) of 2021 mandates that any “reporting company” must submit a Beneficial Ownership Information Report (BOIR) to the Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN). This report includes identification details of the entity’s key owners and leaders, or “beneficial owners”. The CTA primarily targets non-publicly traded entities, including medical groups and management services organizations (MSOs).
  • Entities formed or registered on or after January 1, 2024, must also report information about the individual who oversaw the preparation of the certificate of formation and the person who filed the document with the Secretary of State. However, there are several exceptions to the reporting requirement, including larger, active companies, public companies, and entities that already report to the federal government.
  • Reporting companies registered prior to January 1, 2024, must submit their BOIR by January 1, 2025. Companies registered between January 1, 2024 and January 1, 2025, have 90 days post-registration to file, and those registered after January 1, 2025, have 30 days to file.
  • The CTA’s application to common corporate structures in the healthcare industry raises questions about whether individual leaders of an MSO should be reported as “beneficial owners” of an affiliated medical group. Each reporting company should consider the facts and circumstances of its existing relationships and assess its legal duties and degree of risk tolerance.
  • The BOIR must include information about the reporting company and any beneficial owners, and for companies formed after January 1, 2024, information on company applicants. Beneficial owner information includes each individual’s full legal name, date of birth, residential address, ID number and issuing jurisdiction of a non-expired US passport, driver’s license, or other government-issued ID, and an image/photocopy of such ID.
Categories
Alert

Houston Dental Clinic Operator Convicted in $6M Pediatric Fraud Scheme

From Press Release, United States Attorney’s Office, Southern District of Texas:

  • Rene Gaviola, operator of Floss Family Dental Care clinic in Houston, admitted to submitting fraudulent claims to Medicaid for pediatric dental services that were not provided.
  • Gaviola confessed to employing unlicensed individuals to practice dentistry on Medicaid-insured children and operating the clinic without any licensed dentists, billing Medicaid as if licensed professionals provided the services.
  • He further admitted to paying kickbacks to marketers and caregivers of Medicaid-insured children for bringing them to Floss, and to laundering Medicaid funds from the clinic’s business account to his personal account in transactions exceeding $100,000.
  • From 2019 to 2021, Floss billed Medicaid nearly $6.9 million for pediatric dental services, of which Medicaid paid approximately $4.9 million.
  • Gaviola pleaded guilty and awaits sentencing on April 16, facing potential penalties including up to 10 years for conspiracy to commit health care fraud, payment of kickbacks, and money laundering, as well as potential fines in the hundreds of thousands.
Categories
Health Law Highlights

Researchers Observe Increase in Emerging Ransomware Groups Targeting Healthcare

From HealthIT Security, by Jill McKeon:

  • The healthcare sector experienced significant data breaches in 2023, with over 540 organizations reporting such incidents, largely due to ransomware attacks. Healthcare was the third-most targeted industry, following manufacturing and technology.
  • The GuidePoint Research and Intelligence Team (GRIT) identified 63 distinct ransomware groups responsible for these attacks, with established groups like LockBit, Alphv, and Clop causing the majority of breaches. These groups have operated for at least nine months and have well-defined tactics.
  • Both established and emerging ransomware groups have increasingly targeted healthcare organizations. Despite traditionally being considered ‘off-limits’ due to potential negative press and law enforcement attention, the number of attacks on healthcare organizations rose in 2023.
  • Emerging groups, defined as those in operation for less than three months, have been particularly problematic for the healthcare sector. One such group, Rhysida, has been aggressive in its attacks despite its relative newness, using tactics like phishing to compromise victims.
  • GRIT predicts that ransomware attacks will continue to escalate in 2024, with the most prolific groups leading advancements in techniques and strategies. The report emphasizes the importance of industry best practices in threat intelligence, information sharing, and public-private partnerships to combat this growing threat.
Categories
Health Law Highlights

CMS Finalizes its Proposal to Advance Interoperability and Improve Prior Authorization Processes

From Sheppard Mullin Richter & Hampton LLP, by Gianfranco Spinelli and Krysten Thomas:

  • Final Rule Issued by CMS: The Centers for Medicare and Medicaid Services (CMS) issued a final rule titled “CMS Interoperability and Prior Authorization” on January 17, 2024, which aims to advance interoperability and improve prior authorization processes. This rule impacts Medicare Advantage organizations, state Medicaid and CHIP agencies, Medicaid and CHIP managed care plans, and plans on the Affordable Care Act exchanges, as well as MIPS eligible clinicians, and eligible hospitals and critical access hospitals.
  • Patient Access API: The final rule requires Impacted Payers to provide patients access to certain information, including claims, cost sharing data, encounter data, and a set of clinical data accessible via health applications. The implementation of this requirement is set for January 1, 2027, which is a change from the original proposed date of January 1, 2026.
  • Provider Access API and Payer-to-Payer API: The rule mandates Impacted Payers to build and maintain a Provider Access API for data sharing with in-network providers. It also requires a Payer-to-Payer API to ensure patients can maintain continuity of care and have uninterrupted access to their health data. Both these requirements are to be implemented by January 1, 2027.
  • Prior Authorization API and Process Improvements: CMS finalized the proposal to require Impacted Payers to build and maintain a Prior Authorization API, which is to be implemented by January 1, 2027. The rule also shortens the time frames for prior authorization decisions and requires Impacted Payers to provide a specific reason for denied decisions. These requirements are to be complied with by January 1, 2026.
  • Public Reporting and Electronic Prior Authorization Measure: The final rule requires Impacted Payers to publicly report certain prior authorization metrics, with the initial set of metrics to be reported by March 31, 2026. It also mandates MIPS eligible clinicians, eligible hospitals, and CAHs to report the number of prior authorizations for medical items and services requested electronically from a Prior Authorization API.
Categories
Alert

Physician’s Assistant Convicted at Trial of Amniotic Fluid Scam

From Press Release, United States Attorney’s Office, Northern District of Texas:

  • A 36-year-old physician’s assistant at a Fort Worth pain management clinic has been convicted of conspiracy to commit health care fraud and 12 counts of healthcare fraud.
  • The PA submitted claims to Medicare for injections of unapproved amniotic fluid for pain management.
  • Although some amniotic products are FDA-approved for wound care, they are not approved for pain management, making the injections medically unnecessary and non-reimbursable by Medicare.
  • He used an amniotic product called “Cell Genuity,” which was not covered by Medicare for either wound care or pain management. He initially asked patients to pay out of pocket for the injections, but many refused due to the high cost and questionable efficacy.
  • The PA identified another product, “Fluid Flow,” that he believed could be reimbursed by Medicare. Instead of purchasing this more expensive product, he continued to use Cell Genuity but billed Medicare under Fluid Flow’s unique code. This resulted in significant profits for the clinic and himself.
  • The PA now faces up to 240 years in federal prison – 20 years per count.
Categories
Health Law Highlights

HHS Releases Voluntary Cybersecurity Performance Goals to Beef Up Healthcare’s Digital Defenses

From Fierce Healthcare, by Dave Muoio:

  • The Department of Health and Human Services (HHS) has published voluntary cybersecurity performance goals for healthcare organizations, aiming to enhance industry-wide cybersecurity. The goals are hosted on a new website launched by the department to centralize cybersecurity resources from various government groups.
  • The goals are divided into two categories: “Essential Goals” and “Enhanced Goals”, reflecting cybersecurity frameworks, best practices, and strategies developed by the healthcare industry. They address common attack vectors against U.S. hospitals, as identified in the 2023 Hospital Cyber Resiliency Landscape Analysis.
  • The voluntary goals cover initial protection, response, and mitigation of residual risk. They provide a prioritization roadmap for layers of protection across various points of weakness, aiming to prevent potential breaches.
Categories
Health Law Highlights

New California Law Imposes Significant Data Management Requirements for Sensitive Health Data

From Troutman Pepper, by Brent Hoard, Emma Trivax, and Erin Whaley:

  • Effective January 1, AB 352 introduces significant changes to the management and sharing of sensitive health information in California, particularly related to reproductive health services. The bill amends the existing Reproductive Privacy Act and the Confidentiality of Medical Information Act (CMIA) and several other statutes.
  • Enhanced Security Measures: By July 1, businesses that electronically store or maintain certain medical information must implement enhanced security measures, including limiting user access, preventing sharing of medical information outside of California, segregating certain medical information, and disabling access to segregated information from outside California.
  • Prohibition on Cooperation With Out-of-State Inquiries: Health care providers and related entities are prohibited from cooperating with out-of-state or federal inquiries that would identify an individual seeking or obtaining an abortion or abortion-related services, unless authorized under existing law provisions.
  • Prohibition on Disclosure of Medical Information: Entities are prohibited from knowingly disclosing information that would identify an individual related to an abortion to any individual or entity from another state, unless authorized under specific conditions. A grace period until January 31, 2026, is provided for entities working diligently and in good faith to comply with the prohibition.
  • Exclusion From Automatic Data Sharing: The bill excludes the exchange of health information related to abortion and abortion-related services from automatic sharing on the California Health and Human Services Data Exchange Framework. Entities should assess their compliance, undertake a data inventory, develop technical controls, revise procedures for individual rights requests, and incorporate these changes into training sessions.
Categories
Health Law Highlights

Recent $345 Million Settlement Underscores Critical Importance of Appropriate Physician Compensation

From Baker Donelson, by Alissa Fleming and Joseph Keillor:

  • An Indianapolis-based health system recently settled with the Department of Justice for $345 million due to allegations of Stark Law and False Claims Act violations related to its physician compensation arrangements, highlighting the importance of appropriately structuring physician compensation to avoid fraud and abuse enforcement.
  • The health system was accused of providing false information to appraisers, inflating physician salaries, and ignoring warnings about the large discrepancies between high physician compensation and moderate productivity. Additionally, it was alleged that physician compensation was dependent on the volume or value of referrals, which violates Stark Law’s restrictions.
  • The actual compensation for many specialties was either fixed guaranteed compensation or wRVU-based compensation for personally performed services, which, under the December 2020 rulemaking, should not violate the Volume/Value element.
  • The government argued that exceeding fair market value does not necessarily implicate the “indirect compensation arrangement” definition in place at the time, and that fair market value is only relevant where the parties have implicated a threshold volume/value standard.
  • The settlement emphasizes the importance of structuring physician compensation appropriately, with the health system now under a five-year corporate integrity agreement with an independent review organization and a compliance expert. Unsettled claims from the relator are still pending, and attorney’s fees relating to the settled claims may be added to the $345 million settlement.
Categories
Health Law Highlights

7 HIPAA Predictions For 2024

From Becker’s Hospital Review, by Madeline Ashley:

  • The Office for Civil Rights (OCR) is expected to increase enforcement actions for violations of HIPAA security and breach notification rules, with a predicted record number of civil monetary penalties and settlements in 2024.
  • The HIPAA right of access will continue to be a focus for OCR enforcement due to its straightforward nature and minimal resource requirement for investigations.
  • An update to the HIPAA security rule is anticipated in spring 2024, likely introducing new mandatory cybersecurity measures, including stricter access control requirements such as mandatory multi-factor authentication.
  • Following the overturning of Roe v. Wade, a new rule on reproductive health information disclosure is expected, limiting its use to specific purposes like payment, healthcare operations, treatment, and legal investigations related to reproductive healthcare services.
  • The American Hospital Association’s lawsuit against OCR’s tracking technologies guidance could lead to the first enforcement action regarding the use of tracking technologies on hospital websites in 2024. If the lawsuit is successful, further rulemaking on tracking technology is expected to enhance patient privacy.
  • The Centers for Medicare & Medicaid Services (CMS) is projected to introduce cybersecurity requirements as a condition for participation in its programs.
  • State attorneys general are expected to increase HIPAA compliance enforcements, imposing additional financial penalties on healthcare organizations failing to meet minimum cybersecurity standards.