Categories
Alert

Feds Launch Website for Reporting of Health Care Anticompetitive Practices

On April 18, 2024, the Federal Trade Commission (FTC), U.S. Department of Justice (DOJ), and U.S. Department of Health and Human Services (HHS) launched a public web portal for reporting anticompetitive practices in the health care sector. The portal, www.healthycompetition.gov, allows anyone to submit complaints about potential anticompetitive conduct in the healthcare industry. The portal provides information about federal laws ensuring healthy competition and examples of conduct that can harm competition in healthcare. The agencies have not limited the sources of reports, implying a wide scope for potential informants, from the general public to industry insiders. The launch of this portal necessitates increased vigilance from healthcare entities, as any information could potentially trigger an investigation by the FTC or DOJ.

HHS Issues New Rule to Support Reproductive Health Care Privacy Under HIPAA

The Biden-Harris Administration has announced a Final Rule through the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) to enhance the HIPAA Privacy Rule and protect reproductive health care privacy. This rule prohibits the disclosure of protected health information (PHI) related to lawful reproductive health care under certain conditions. The rule was issued in response to community feedback for better patient confidentiality and to prevent misuse of medical records related to reproductive health care. The rule requires regulated health care providers and organizations to modify their Notice of Privacy Practices and obtain a signed attestation for certain requests for PHI related to reproductive health care. The current HIPAA Privacy Rule remains in effect until the new rule is implemented.

Proposed FTC Order will Prohibit Telehealth Firm Cerebral from Using or Disclosing Sensitive Data for Advertising Purposes, and Require it to Pay $7 Million

Cerebral, Inc., a telehealth company, has agreed to settle Federal Trade Commission (FTC) charges over its failure to secure and protect sensitive consumer health data. The settlement includes a $7 million fine for disclosing consumers’ personal health information to third parties for advertising purposes and failing to uphold its cancellation policies. The FTC claimed that Cerebral violated privacy rights by revealing sensitive mental health conditions across the internet and in the mail. The proposed order will restrict Cerebral’s use and disclosure of sensitive consumer data and require the company to implement a comprehensive privacy and data security program. The order, which must be approved by a court, also mandates that Cerebral provide an easy way for consumers to cancel services.

Consumer Health Information: Handle With (Extreme) Care

From the Federal Trade Commission, Business Blog, by Lesley Fair:

The Federal Trade Commission (FTC) has taken action against online healthcare providers Cerebral and Monument, Inc. for allegedly violating consumer privacy rights. Both companies were accused of sharing sensitive health data with third-party advertising platforms without consumer consent. Cerebral was also charged with misleading cancellation practices, while Monument was accused of falsely claiming HIPAA compliance.

The FTC’s lawsuit against Cerebral resulted in a settlement that included a $5.1 million judgment for consumer refunds, a $10 million civil penalty (suspended after a $2 million payment due to the company’s inability to pay the full amount), and injunctive provisions to change the company’s business practices, including a ban on using or disclosing consumers’ personal and health information to third parties for most marketing or advertising purposes.

The proposed order against Monument includes a ban on sharing data with third parties for advertising and a $2.5 million civil penalty (suspended due to the company’s inability to pay).

Businesses, especially those in the health sector, must substantiate any privacy or security representations they make and integrate privacy and data security into their operations. The FTC also insists that companies must provide simple mechanisms for consumers to cancel services and stop recurring charges.

Oklahoma Chiropractic Clinic, Owner, and Referring Physicians Pay $465,000 to Settle Federal False Claims Act and Kickback Allegations

From United States Department of Justice:

Chiropractic Associates and Dr. Scott Kirkpatrick paid $365,000 to settle allegations of wrongfully paying physicians to induce referrals of durable medical equipment (DME), leading to the submission of false claims to the Medicare program. Dr. Cash Biddle and Dr. Chad Keeney each paid $50,000 to settle allegations that they received remuneration from Chiropractic Associates and/or Dr. Kirkpatrick to induce referrals of Medicare DME orders.

From October 2017 to July 2021, Chiropractic Associates and Dr. Kirkpatrick allegedly violated the Anti-Kickback Statute (AKS) and/or the Physician Self-Referral Law (Stark Law) by paying referring providers to induce referrals of Medicare DME orders. It is also alleged that Dr. Biddle and Dr. Keeney received such remuneration during certain periods.

The AKS and Stark Law aim to ensure that physicians’ medical judgments are not influenced by improper financial incentives and are based on patients’ best interests. Violations of these laws result in claims under the False Claims Act. To settle these allegations, Chiropractic Associates and Dr. Kirkpatrick paid $365,000, and Dr. Biddle and Dr. Keeney each paid $50,000 to the U.S.

In reaching this settlement, Chiropractic Associates, Dr. Kirkpatrick, Dr. Biddle, and Dr. Keeney did not admit liability, and the government did not make any concessions about the legitimacy of the claims. The agreements allow the parties to avoid the delay, expense, and uncertainty associated with litigation.

HHS’ Office for Civil Rights Settles HIPAA Investigation with Phoenix Healthcare

From U.S. Health and Human Services:

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has reached a settlement with Phoenix Healthcare over a potential violation of the HIPAA Right of Access provision. The case involved a daughter, acting as a representative for her mother, who could not access her mother’s health information for almost a year despite numerous requests. OCR Director Melanie Fontes Rainer emphasized the importance of timely access to medical records for patient decision-making and treatment accuracy. Phoenix Healthcare eventually provided the requested records 323 days after the initial request. This case marks OCR’s 47th enforcement action related to the Right of Access provision under HIPAA.

Texas Medical Board Notice of Proposed Rule Amendments and Statement Regarding Abortion Ban Exceptions

The Texas Medical Board (TMB) is proposing new rules to clarify how the state’s abortion ban exceptions apply to its enforcement process. This marks the beginning of a rulemaking process that will invite public participation and written comment.

The proposed rules, according to the TMB, are designed within the limits of existing laws to clarify the criteria the Board will consider if it receives a related complaint. The Board emphasizes that it does not have the authority to change or create new definitions in existing laws, nor does it have the power to regulate or prohibit abortion.

The Board is cautious about specifying particular conditions or scenarios that would qualify as exceptions. It recognizes the individuality of each patient and the complexity of medical practice, asserting that it is impractical and impossible to create a comprehensive list of situations that may arise in any given patient scenario.

The Board stresses the importance of “reasonable medical judgment,” which depends entirely on the patient’s unique circumstances and the expertise of the treating physician. Even if there were a list of conditions, it would not be enforceable without going through the standard process, given the varying impact of the same condition on different patients.

Justice Department, Federal Trade Commission and Department of Health and Human Services Issue Request for Public Input as Part of Inquiry into Impacts of Corporate Ownership Trend in Health Care

From DOJ Office of Public Affairs:

The Justice Department’s Antitrust Division, Federal Trade Commission (FTC), and Department of Health and Human Services (HHS) have launched a joint public inquiry into the increasing control of private-equity and corporate entities over healthcare. This inquiry aims to understand how certain healthcare market transactions may lead to increased consolidation, generate profits for firms, and potentially threaten patient health, worker safety, and the affordability and quality of care.

The agencies are seeking public comment on deals conducted by health systems, private payers, private equity funds, and other alternative asset managers that involve healthcare providers, facilities, or ancillary products or services. This includes transactions that would not be reported to the Justice Department or FTC for antitrust review under the Hart-Scott-Rodino Antitrust Improvements Act.

Research indicates that competition in healthcare provider and payer markets promotes higher quality, lower-cost healthcare, greater access to care, increased innovation, higher wages, and better benefits for healthcare workers. The responses to the RFI will inform the agencies’ enforcement priorities and future actions, including potential regulations aimed at promoting and protecting competition in healthcare markets and ensuring appropriate access to quality, affordable healthcare items and services.

The public, including patients, consumer advocates, doctors, nurses, healthcare providers and administrators, employers, insurers, and more, are invited to share their comments in response to the RFI within 60 days. The agencies are particularly interested in comments on a variety of transactions, including those involving dialysis clinics, nursing homes, hospice providers, primary care providers, hospitals, home health agencies, home- and community-based services providers, behavioral health providers, as well as billing and collections services.

HHS’ Office for Civil Rights Settles Second Ever Ransomware Cyber-Attack

From HHS Press Release:

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), reached a settlement with Green Ridge Behavioral Health, LLC under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) due to potential violations identified during an investigation following a ransomware attack, which affected over 14,000 individuals’ protected health information.

This incident marks the second settlement that OCR has reached with a HIPAA-regulated entity following a ransomware attack. The OCR’s investigation revealed that Green Ridge Behavioral Health had failed to accurately assess potential risks and vulnerabilities to electronic protected health information, implement adequate security measures, and monitor its health information systems effectively to guard against cyber-attacks.

As part of the settlement, Green Ridge Behavioral Health agreed to pay a fine and implement a corrective action plan (CAP), which will be monitored by OCR for three years, to address potential violations of the HIPAA Privacy and Security Rules. The CAP includes conducting a thorough risk analysis, developing a risk management plan, revising policies and procedures as needed to comply with HIPAA rules, providing workforce training, auditing third-party arrangements for proper business associate agreements, and reporting non-compliance by workforce members to the OCR.

NIST Publishes SP 800-66 Revision 2, Implementing the HIPAA Security Rule

From NIST Computer Security Resource Center:

The National Institute of Standards and Technology (NIST) has released the final version of Special Publication (SP) 800-66r2 (Revision 2), “Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide”.

SP 800-66 provides guidance for entities regulated by HIPAA on evaluating and managing risks associated with electronic Protected Health Information (ePHI). It outlines typical activities for an information security program and offers advice to improve cybersecurity posture and assist with HIPAA Security Rule compliance.

NIST’s Cybersecurity and Privacy Reference Tool (CPRT) includes mappings of the HIPAA Security Rule’s standards and implementation specifications to NIST Cybersecurity Framework Subcategories and SP 800-53r5 security controls. It also lists NIST publications relevant to each HIPAA Security Rule standard, which can be used as additional resources for implementing HIPAA Security Rule standards and implementation specifications.