Categories
Health Law Highlights

Healthcare Still Underprepared for Scope of Cyber Threats, Says Report

Summary of article from Healthcare IT News, by Andrea Fox:

A new report from Kroll reveals a discrepancy between healthcare organizations’ self-assessment of their cybersecurity maturity and the reality of their readiness. Despite healthcare being among the most breached sectors, many organizations in this industry believe their cybersecurity processes are “very mature”. The report also identified remote access as a key vulnerability, with ransomware groups increasingly gaining initial access through external remote services. Kroll warns of increased scrutiny and accountability for C-suite executives in overseeing cybersecurity defenses. The report concludes that healthcare organizations must close the ‘self-diagnosis gap’ and enhance their security measures to protect against cyber threats.

Ernest Health Sued Over 2024 Ransomware Attack and Data Breach

Summary of article from The HIPAA Journal, by Steve Adler:

Ernest Health, a Texas-based health system, is facing a lawsuit following a cyberattack that compromised the protected health information of approximately 94,747 patients. The breach, claimed by the LockBit ransomware group, occurred between January 16, 2024, and February 4, 2024, leading to unauthorized access to sensitive patient data. The lawsuit, filed by Joe Lara and Lauri Cook, alleges that Ernest Health had insufficient cybersecurity measures and training, resulting in the inability to prevent or effectively respond to the breach. The plaintiffs claim that the 73-day delay in individual notifications hindered their ability to mitigate damages and that the response measures, including credit monitoring and identity theft protection, were inadequate. The lawsuit seeks a jury trial, various forms of relief, and damages, alleging negligence, breach of implied contract, invasion of privacy, unjust enrichment, and breach of fiduciary duty.

Bogus Botox Poisoning Outbreak Spreads to 9 States, CDC Says

Summary of article from Ars Technica, by Beth Mole:

The Centers for Disease Control and Prevention (CDC) reported that 19 women across nine US states have been poisoned by counterfeit Botox injections. Almost half of these cases resulted in hospitalization, with four individuals treated with botulinum anti-toxin. The Food and Drug Administration (FDA) reported these fake products were administered by unlicensed or untrained individuals in non-medical or unlicensed settings. The FDA and CDC noted symptoms from the counterfeit injections similar to botulism, including blurred vision, difficulty swallowing, dry mouth, constipation, and muscle weakness. They advised anyone experiencing these symptoms to seek immediate medical attention. The counterfeit Botox was primarily used for cosmetic purposes by women aged between 25 and 59. Exposure to the counterfeit product can lead to botulism or similar illnesses, potentially resulting in muscle paralysis or even death.

PE-Owned Health Care Saw Surge in 2023 Bankruptcies, Report Says

Summary of article from Mergers & Acquisitions, by Bloomberg News:

Private equity (PE)-backed businesses accounted for about 20% of the 80 bankruptcies in the healthcare sector in 2023, according to the Private Equity Stakeholder Project. Additionally, venture-capital backed companies made up another 15% of these filings. The report predicts this trend of healthcare bankruptcies will continue in 2024, especially among companies owned by PE firms. Two of the largest bankruptcies in 2023 were KKR Group’s Envision Healthcare Corp. and GenesisCare. The report also highlighted that increased regulation, high expenses, and the impact of the pandemic have contributed to the distress in the healthcare sector.

Change Healthcare Faces Another Ransomware Threat—and It Looks Credible

From Ars Technica, Andy Greenberg and Matt Burgess:

Change Healthcare, a prominent healthcare company in the U.S., has been embroiled in a significant ransomware debacle, initially victimized by the group AlphV, which encrypted the company’s network and received a $22 million ransom payment. Now, a new ransomware group, RansomHub, claims to possess 4 terabytes of Change Healthcare’s stolen data and is demanding its own ransom. While the origins of RansomHub’s data are unclear, security analysts suggest that the threat may be legitimate. This situation highlights the risk of re-extortion in ransomware attacks and the untrustworthiness of cybercriminals, even after ransoms are paid. The ongoing attack has caused severe disruptions across U.S. medical practices, with 80% of clinicians reporting revenue loss and many facing potential bankruptcy.

CMS Issues Hospice Proposed Payment Rule

From King & Spalding, by Kate Karpenko:

The CMS has issued a proposed rule for fiscal year 2025 to update Medicare hospice payments and aggregate cap amount, which includes a 2.6% increase in payments and an updated aggregate cap of $34,364.85. The proposal also introduces changes to the Hospice Quality Reporting Program (HQRP), including the addition of two new measures and the use of the Hospice Outcomes and Patient Evaluation (HOPE) tool for patient data collection. It also suggests changes to the Hospice Consumer Assessment of Healthcare Providers and Systems (CAHPS) Survey, including a web-mail mode and a simplified survey. Technical changes are proposed to the Conditions of Participation (CoPs) to clarify language around the roles of a medical director and physician designee. Stakeholders are encouraged to submit comments on the proposed rule by May 28, 2024.

Online Tracking Technologies: Updated HIPAA Guidance Creates Uncertainty

From Morgan Lewis, by W. Reece Hirsch, Amy M. Magnano, Michael J. Madderra, Sydney Reed Swanson:

The US Department of Health and Human Services’ (HHS’s) Office for Civil Rights (OCR) updated its guidance on the use of online tracking technologies, causing further uncertainty for HIPAA-covered entities. OCR acknowledges that tracking technologies, such as cookies and web beacons, can unintentionally capture protected health information (PHI), thus implicating HIPAA. The updated guidance states that individually identifiable health information (IIHI) collected on a regulated entity’s website or app is generally considered PHI, even without specific treatment or billing details. The guidance differentiates between authenticated and unauthenticated pages, warning that PHI could be accessible even on unauthenticated pages. The update presents a compliance challenge for HIPAA-regulated entities, as discerning the subjective intent of website visitors is difficult, and entities must also consider other federal and state laws where HIPAA does not apply.

Forecasting the Integration of AI into Health Care Compliance Programs

From Robinson Cole, by Kathleen Healy, Josh Yoo:

Healthcare entities need to incorporate AI standards into their compliance programs to manage and mitigate legal risks. Executive Order No. 14110 outlines key principles for AI including confidentiality, security, transparency, governance, and non-discrimination. The National Institute of Standards and Technology (NIST) provides a Risk Management Framework for AI and a playbook to help organizations manage AI risks. Key federal privacy and security laws like HIPAA and Section 5 will impact the use of AI in healthcare. It’s vital for healthcare entities to monitor evolving AI laws and regulations, inventory existing and upcoming AI use, educate themselves on updates, and adapt their compliance plans accordingly.

Pandemic Fraud Suits Have Yielded Over $100 Million, Report Says

From Bloomberg Law, by Daniel Seiden:

The Covid-19 Fraud Enforcement Task Force has reported that over $100 million has been reclaimed by the US government through False Claims Act (FCA) cases related to pandemic fraud. These funds have been recovered from more than 400 settlements and judgments, including cases of Paycheck Protection Program fraud, Economic Injury Disaster Loan fraud, health-care fraud, and agricultural program fraud. The report indicates a steady rise in new whistleblower actions under the FCA alleging pandemic relief fraud from 2020 to 2023. In 2023 alone, the Department of Justice (DOJ) recovered a record $2.68 billion from 543 FCA settlements and judgments.

“Stark” Differences: DOJ’s Renewed Focus on Stand-Alone Stark Law Violations

From Arnold & Porter, by Murad Hussain, Allison W. Shuren, Loreli (Lori) Wright:

The Department of Justice (DOJ) has recently increased enforcement of the False Claims Act (FCA) based on the Stark Law, also known as the Physician Self-Referral Law. This law focuses on financial relationships between physicians and health care entities, particularly when compensation exceeds fair market value (FMV) or varies with the volume or value of referrals. Violations of Stark Law can lead to FCA claims, requiring less proof than Anti-Kickback Statute (AKS)-based FCA claims. This trend has been evident in a series of new FCA enforcement actions and resolutions involving large health care providers since early 2023.