Categories
Alert

Proposed FTC Order will Prohibit Telehealth Firm Cerebral from Using or Disclosing Sensitive Data for Advertising Purposes, and Require it to Pay $7 Million

Cerebral, Inc., a telehealth company, has agreed to settle Federal Trade Commission (FTC) charges over its failure to secure and protect sensitive consumer health data. The settlement includes a $7 million fine for disclosing consumers’ personal health information to third parties for advertising purposes and failing to uphold its cancellation policies. The FTC claimed that Cerebral violated privacy rights by revealing sensitive mental health conditions across the internet and in the mail. The proposed order will restrict Cerebral’s use and disclosure of sensitive consumer data and require the company to implement a comprehensive privacy and data security program. The order, which must be approved by a court, also mandates that Cerebral provide an easy way for consumers to cancel services.

Consumer Health Information: Handle With (Extreme) Care

From the Federal Trade Commission, Business Blog, by Lesley Fair:

The Federal Trade Commission (FTC) has taken action against online healthcare providers Cerebral and Monument, Inc. for allegedly violating consumer privacy rights. Both companies were accused of sharing sensitive health data with third-party advertising platforms without consumer consent. Cerebral was also charged with misleading cancellation practices, while Monument was accused of falsely claiming HIPAA compliance.

The FTC’s lawsuit against Cerebral resulted in a settlement that included a $5.1 million judgment for consumer refunds, a $10 million civil penalty (suspended after a $2 million payment due to the company’s inability to pay the full amount), and injunctive provisions to change the company’s business practices, including a ban on using or disclosing consumers’ personal and health information to third parties for most marketing or advertising purposes.

The proposed order against Monument includes a ban on sharing data with third parties for advertising and a $2.5 million civil penalty (suspended due to the company’s inability to pay).

Businesses, especially those in the health sector, must substantiate any privacy or security representations they make and integrate privacy and data security into their operations. The FTC also insists that companies must provide simple mechanisms for consumers to cancel services and stop recurring charges.

Oklahoma Chiropractic Clinic, Owner, and Referring Physicians Pay $465,000 to Settle Federal False Claims Act and Kickback Allegations

From United States Department of Justice:

Chiropractic Associates and Dr. Scott Kirkpatrick paid $365,000 to settle allegations of wrongfully paying physicians to induce referrals of durable medical equipment (DME), leading to the submission of false claims to the Medicare program. Dr. Cash Biddle and Dr. Chad Keeney each paid $50,000 to settle allegations that they received remuneration from Chiropractic Associates and/or Dr. Kirkpatrick to induce referrals of Medicare DME orders.

From October 2017 to July 2021, Chiropractic Associates and Dr. Kirkpatrick allegedly violated the Anti-Kickback Statute (AKS) and/or the Physician Self-Referral Law (Stark Law) by paying referring providers to induce referrals of Medicare DME orders. It is also alleged that Dr. Biddle and Dr. Keeney received such remuneration during certain periods.

The AKS and Stark Law aim to ensure that physicians’ medical judgments are not influenced by improper financial incentives and are based on patients’ best interests. Violations of these laws result in claims under the False Claims Act. To settle these allegations, Chiropractic Associates and Dr. Kirkpatrick paid $365,000, and Dr. Biddle and Dr. Keeney each paid $50,000 to the U.S.

In reaching this settlement, Chiropractic Associates, Dr. Kirkpatrick, Dr. Biddle, and Dr. Keeney did not admit liability, and the government did not make any concessions about the legitimacy of the claims. The agreements allow the parties to avoid the delay, expense, and uncertainty associated with litigation.

HHS’ Office for Civil Rights Settles HIPAA Investigation with Phoenix Healthcare

From U.S. Health and Human Services:

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has reached a settlement with Phoenix Healthcare over a potential violation of the HIPAA Right of Access provision. The case involved a daughter, acting as a representative for her mother, who could not access her mother’s health information for almost a year despite numerous requests. OCR Director Melanie Fontes Rainer emphasized the importance of timely access to medical records for patient decision-making and treatment accuracy. Phoenix Healthcare eventually provided the requested records 323 days after the initial request. This case marks OCR’s 47th enforcement action related to the Right of Access provision under HIPAA.

Texas Medical Board Notice of Proposed Rule Amendments and Statement Regarding Abortion Ban Exceptions

The Texas Medical Board (TMB) is proposing new rules to clarify how the state’s abortion ban exceptions apply to its enforcement process. This marks the beginning of a rulemaking process that will invite public participation and written comment.

The proposed rules, according to the TMB, are designed within the limits of existing laws to clarify the criteria the Board will consider if it receives a related complaint. The Board emphasizes that it does not have the authority to change or create new definitions in existing laws, nor does it have the power to regulate or prohibit abortion.

The Board is cautious about specifying particular conditions or scenarios that would qualify as exceptions. It recognizes the individuality of each patient and the complexity of medical practice, asserting that it is impractical and impossible to create a comprehensive list of situations that may arise in any given patient scenario.

The Board stresses the importance of “reasonable medical judgment,” which depends entirely on the patient’s unique circumstances and the expertise of the treating physician. Even if there were a list of conditions, it would not be enforceable without going through the standard process, given the varying impact of the same condition on different patients.

Justice Department, Federal Trade Commission and Department of Health and Human Services Issue Request for Public Input as Part of Inquiry into Impacts of Corporate Ownership Trend in Health Care

From DOJ Office of Public Affairs:

The Justice Department’s Antitrust Division, Federal Trade Commission (FTC), and Department of Health and Human Services (HHS) have launched a joint public inquiry into the increasing control of private-equity and corporate entities over healthcare. This inquiry aims to understand how certain healthcare market transactions may lead to increased consolidation, generate profits for firms, and potentially threaten patient health, worker safety, and the affordability and quality of care.

The agencies are seeking public comment on deals conducted by health systems, private payers, private equity funds, and other alternative asset managers that involve healthcare providers, facilities, or ancillary products or services. This includes transactions that would not be reported to the Justice Department or FTC for antitrust review under the Hart-Scott-Rodino Antitrust Improvements Act.

Research indicates that competition in healthcare provider and payer markets promotes higher quality, lower-cost healthcare, greater access to care, increased innovation, higher wages, and better benefits for healthcare workers. The responses to the RFI will inform the agencies’ enforcement priorities and future actions, including potential regulations aimed at promoting and protecting competition in healthcare markets and ensuring appropriate access to quality, affordable healthcare items and services.

The public, including patients, consumer advocates, doctors, nurses, healthcare providers and administrators, employers, insurers, and more, are invited to share their comments in response to the RFI within 60 days. The agencies are particularly interested in comments on a variety of transactions, including those involving dialysis clinics, nursing homes, hospice providers, primary care providers, hospitals, home health agencies, home- and community-based services providers, behavioral health providers, as well as billing and collections services.

HHS’ Office for Civil Rights Settles Second Ever Ransomware Cyber-Attack

From HHS Press Release:

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), reached a settlement with Green Ridge Behavioral Health, LLC under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) due to potential violations identified during an investigation following a ransomware attack, which affected over 14,000 individuals’ protected health information.

This incident marks the second settlement that OCR has reached with a HIPAA-regulated entity following a ransomware attack. The OCR’s investigation revealed that Green Ridge Behavioral Health had failed to accurately assess potential risks and vulnerabilities to electronic protected health information, implement adequate security measures, and monitor its health information systems effectively to guard against cyber-attacks.

As part of the settlement, Green Ridge Behavioral Health agreed to pay a fine and implement a corrective action plan (CAP), which will be monitored by OCR for three years, to address potential violations of the HIPAA Privacy and Security Rules. The CAP includes conducting a thorough risk analysis, developing a risk management plan, revising policies and procedures as needed to comply with HIPAA rules, providing workforce training, auditing third-party arrangements for proper business associate agreements, and reporting non-compliance by workforce members to OCR.

NIST Publishes SP 800-66 Revision 2, Implementing the HIPAA Security Rule

From NIST Computer Security Resource Center:

The National Institute of Standards and Technology (NIST) has released the final version of Special Publication (SP) 800-66r2 (Revision 2), “Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide”.

SP 800-66 provides guidance for entities regulated by HIPAA on evaluating and managing risks associated with electronic Protected Health Information (ePHI). It outlines typical activities for an information security program and offers advice to improve cybersecurity posture and assist with HIPAA Security Rule compliance.

NIST’s Cybersecurity and Privacy Reference Tool (CPRT) includes mappings of the HIPAA Security Rule’s standards and implementation specifications to NIST Cybersecurity Framework Subcategories and SP 800-53r5 security controls. It also lists NIST publications relevant to each HIPAA Security Rule standard, which can be used as additional resources for implementing HIPAA Security Rule standards and implementation specifications.

Houston Dental Clinic Operator Convicted in $6M Pediatric Fraud Scheme

From Press Release, United States Attorney’s Office, Southern District of Texas:

  • Rene Gaviola, operator of Floss Family Dental Care clinic in Houston, admitted to submitting fraudulent claims to Medicaid for pediatric dental services that were not provided.
  • Gaviola confessed to employing unlicensed individuals to practice dentistry on Medicaid-insured children and operating the clinic without any licensed dentists, billing Medicaid as if licensed professionals provided the services.
  • He further admitted to paying kickbacks to marketers and caregivers of Medicaid-insured children for bringing them to Floss, and to laundering Medicaid funds from the clinic’s business account to his personal account in transactions exceeding $100,000.
  • From 2019 to 2021, Floss billed Medicaid nearly $6.9 million for pediatric dental services, of which Medicaid paid approximately $4.9 million.
  • Gaviola pleaded guilty and awaits sentencing on April 16, facing potential penalties including up to 10 years for conspiracy to commit health care fraud, payment of kickbacks, and money laundering, as well as potential fines in the hundreds of thousands.

Physician’s Assistant Convicted at Trial of Amniotic Fluid Scam

From Press Release, United States Attorney’s Office, Northern District of Texas:

  • A 36-year-old physician’s assistant at a Fort Worth pain management clinic has been convicted of conspiracy to commit health care fraud and 12 counts of healthcare fraud.
  • The PA submitted claims to Medicare for injections of unapproved amniotic fluid for pain management.
  • Although some amniotic products are FDA-approved for wound care, they are not approved for pain management, making the injections medically unnecessary and non-reimbursable by Medicare.
  • He used an amniotic product called “Cell Genuity,” which was not covered by Medicare for either wound care or pain management. He initially asked patients to pay out of pocket for the injections, but many refused due to the high cost and questionable efficacy.
  • The PA identified another product, “Fluid Flow,” that he believed could be reimbursed by Medicare. Instead of purchasing this more expensive product, he continued to use Cell Genuity but billed Medicare under Fluid Flow’s unique code. This resulted in significant profits for the clinic and himself.
  • The PA now faces up to 240 years in federal prison – 20 years per count.