Categories
Health Law Highlights

Hey Doc, Be Careful on TikTok – Legal Pitfalls of Healthcare Providers in the Social Media Age

From Buckingham, Doolittle & Burroughs, LLC, by Monica Davis:

Impact of Social Media on Healthcare: Social media platforms have enabled physicians to expand their practices, increase marketing, discover new clients, and build their reputations. However, they also pose risks.

HIPAA Violations: The Health Insurance Portability and Accountability Act (HIPAA) ensures strict confidentiality in physician-patient relationships. Violations, such as disclosing Protected Health Information (PHI) without patient authorization, can lead to severe penalties, including lawsuits, fines, and loss of license.

Cyber-Security Risks: Social media can expose healthcare providers to cyber-security threats, including viruses and hackers. The potential consequences are devastating if a hacker gains access to a patient’s private information. Strong authentication mechanisms and password-protected social media can help mitigate these risks.

Reputation Management: Social media can improve a physician’s reputation and client base, but it can also damage their image. Negative reviews and harassment can quickly tarnish a healthcare provider’s reputation, leading to potential legal action for defamation.

Malpractice and Thoughtful Use: The risk of malpractice increases when healthcare professionals give advice on social media, potentially exposing themselves to negligence allegations. To minimize risk and maximize benefits, healthcare facilities should implement social media risk management strategies, such as obtaining patient consent before posting identifying information, educating staff on HIPAA and privacy laws, and designating a social media manager.

Highlights from OIG’s New Compliance Program Guidance

From Gardner Law:

The U.S. Department of Health and Human Services Office of Inspector General (HHS OIG) released the General Compliance Program Guidance (GCPG) in November 2023, a reference guide for health care compliance. It includes information about Federal laws, compliance program infrastructure, OIG resources, and other useful compliance-related information. 

The GCPG highlights primary sources of governing authority in the health care industry, including the Federal Anti-Kickback Statute and Physician Self-Referral Law. It also discusses the HHS OIG’s exclusion authority and potential civil and criminal implications of non-compliance.

The GCPG outlines seven key elements for an effective compliance program:

  1. Written Policies and Procedures
  2. Compliance Leadership and Oversight
  3. Training and Education
  4. Effective Lines of Communication
  5. Enforcing Standards
  6. Risk Assessment, Auditing, and Monitoring
  7. Responding to Detected Offenses and Developing Corrective Action Initiatives

The HHS OIG emphasizes that these elements are nonbinding recommendations, but they cover mandatory compliance obligations. Therefore, health care stakeholders should use the GCPG to identify and address their compliance duties.

Starting in 2024, the HHS OIG will issue industry segment-specific compliance program guidance and will publish new compliance guidance documents online instead of in the Federal Register. The release of the GCPG is an opportunity for health care stakeholders to audit their compliance programs and ensure they meet HHS OIG standards.

Rise in Healthcare Data Breaches & the Impact for Healthcare Providers in 2024

From Bradley Arant Boult Cummings LLP, by Alexis Buese, Eric Setterlund:

The healthcare sector has seen a significant increase in cyber-threats, especially hacking and ransomware, with a 256% rise in hacking-related breaches and a 264% surge in ransomware incidents in the last five years. In 2023, these breaches affected over 134 million individuals, a 141% increase from the previous year.

The OCR recommends proactive measures to mitigate these threats, including securing partnerships with vendors, conducting regular risk assessments, establishing robust audit controls, and adopting multi-factor authentication.

The OCR’s two Congressional Reports on HIPAA compliance and enforcement highlight the need for healthcare systems to address potential HIPAA compliance issues before breaches occur. The reports reveal common vulnerabilities and suggest areas for improvement tied to specific HIPAA Security Rule standards, including the security management process standard, audit controls standard, and response and reporting requirements.

Despite the sophistication of some cyber-attacks, the majority of incidents could be prevented or significantly lessened if healthcare entities adhered to the HIPAA Security Rule. This includes safeguarding against prevalent attack methods such as phishing emails, exploitation of existing vulnerabilities, and abuse of weak authentication measures. After a successful breach, attackers often encrypt or steal electronic Protected Health Information (ePHI) for ransom or future malicious activities.

Insights into Healthcare Provider Compensation Trends for 2024

From VMG Health, by Ben Minnis, Tyler Navarro, Anthony Domanico:

Innovative Recruitment Strategies: Healthcare organizations are adopting creative methods to attract and retain physicians due to significant changes in the Medicare Physician Fee Schedule and an aging physician population. These methods include enhanced benefits, leadership development programs, broader loan forgiveness, adjustments to hard-to-recruit models, and investment in technology and infrastructure.

Tailored Compensation Models: The one-size-fits-all approach to compensation is becoming obsolete as healthcare delivery settings evolve. Organizations are now tailoring compensation models to suit specific circumstances, with a focus on balancing innovation and standardization.

Emphasis on Work-Life Balance: Physicians are increasingly prioritizing a healthier work-life balance. This is prompting healthcare organizations to adapt their compensation packages to include flexible scheduling options, telemedicine opportunities, and expanded paid time off allowances.

Alignment with At-Risk Incentives and Regulatory Constraints: Modern compensation structures often include a substantial portion of compensation tied to high-quality metrics. However, while innovating compensation models and incentives, it’s essential for organizations to operate within regulatory boundaries to avoid violations of laws governing healthcare practices.

Migration to Advanced Practice Providers (APPs): To address the challenges of physician shortages, health systems are increasingly turning to APPs. The rise of nurse practitioners and physician assistants is seen as a pragmatic response to the growing demand for healthcare services, offering a cost-effective solution and a multifaceted approach to patient care.

How Hospitals Are Fighting to Keep Their Former Doctors From Seeing Patients

From NBC News, by Shannon Pettypiece:

Noncompete agreements, which prevent doctors from seeing patients for one to two years within a geographic region if they leave their job, have become increasingly common in the healthcare industry.

Critics, including the American Medical Association and the American College of Physicians, argue that noncompete agreements contribute to physician shortages, sever doctor-patient relationships, and deter doctors from speaking out for fear of being fired and unable to work elsewhere in the community.

The American Hospital Association opposes the proposed ban on noncompete agreements by the Biden administration, arguing that they are necessary to protect the financial investment hospitals make in recruiting, relocating, marketing, and training their doctors.

Some doctors have successfully challenged noncompete agreements in court, but it remains a relatively rare occurrence due to the potential financial and reputational consequences. Instead, many doctors choose to move to a new city if they want to leave their job or are fired, avoiding the risk of a lawsuit but uprooting their families and leaving their patients behind.

The FDA and the Future of AI Oversight

From Manatt, Phelps & Phillips, LLP, by Nicholas Bath Jr., Rachel Sher, Daniel Weinstein:

The U.S. Government Accountability Office (GAO) issued a report in January 2024 highlighting challenges faced by the U.S. Food and Drug Administration (FDA) in effectively regulating artificial intelligence (AI) and machine learning (ML) in medical devices and other emerging health care technologies. The report emphasized the need for clear regulations that balance safety, transparency, consumer protection, and innovation, especially considering the rapid evolution of AI/ML technology and its potential applications and risks.

Over the past five years, federal regulation of AI/ML has increased, particularly in the health care sector. In 2023, the FDA issued its first-ever AI/ML device draft guidance, aiming to provide a forward-thinking approach to the development of machine learning-enabled device software functions.

Despite the FDA’s efforts, the approach to AI/ML regulation has been criticized as uncoordinated and overly broad, potentially hindering technology development and rollout, and causing confusion among stakeholders. State legislators, regulators, and medical boards are beginning to introduce state-level policy, adding to the regulatory complexity.

Given the legislative gridlock, some stakeholders have proposed a novel approach to ensure the safety and effectiveness of AI/ML-enabled medical devices through public-private assurance laboratory partnerships. These labs would be testing grounds to validate and monitor AI/ML in medical devices. The proposal, while controversial, is expected to garner more attention in the coming months as the Congressional Bipartisan AI Task Force develops its comprehensive report and policy proposals to bolster the federal government’s ability to regulate AI/ML.

Cyberattack Shuts Down Pharmacies Across the US

From Brew Healthcare, by Quinn Sental:

Change Healthcare, a prominent health tech firm owned by UnitedHealth Group, suffered a cyberattack, disrupting patient payments and prescription processing across the US. The company, part of Optum, handles 15 billion healthcare transactions annually.

The cyberattack was first noticed as disruptions in the company’s applications, later identified as “enterprise-wide connectivity issues”, and eventually confirmed as a cybersecurity issue. In response, Change Healthcare disconnected its systems to prevent further spread.

The incident has affected pharmacies nationwide, preventing them from processing prescription orders. Some pharmacies could accept prescriptions but were unable to process them through patients’ insurance.

Change Healthcare said the disruption is expected to last at least a day and is specific to their systems, with all other UnitedHealth Group systems remaining operational.

Ten Physicians and Local Execs Indicted in Pharmacy Kickback Scheme

From D Magazine, by Will Maddox:

A pharmaceutical kickback scheme in the Northern District of Texas has led to the indictment of 14 people, including several podiatrists, local businessmen, and executives at Next Health, a healthcare holding company. The scheme involved physicians receiving bribes and kickbacks from pharmacies for referring prescriptions to be filled at those pharmacies, with payments being proportional to the number of prescriptions received.

The scheme, which began in 2014, was concealed through complex business arrangements and involved multiple entities. Payments were funneled through management service organizations (MSOs) and a company called Med Left, which was used to conceal and funnel bribes from the pharmacies to the physicians.

The kickbacks were often disguised as legitimate returns on investments in the pharmacies. Physicians would purchase a percentage of the pharmacy for a nominal fee and were required to refer prescriptions to the pharmacy for ownership. The profits from these prescriptions were then shared with the prescribing doctors.

The owners of Next Health, Andrew Hillman and Semyon Narosov, previously pleaded guilty to charges connected with the scheme in 2018 and were sentenced to several years in prison. Ten physicians, including podiatrists, orthopedic surgeons, and a gastroenterologist, have been indicted for referring prescriptions to Next Health’s pharmacies and receiving kickbacks.

The Risk of Criminal Charges in Hospice Fraud Cases

From Hospice News, by Holly Vossel:

Hospice providers face significant regulatory risks related to False Claims Act (FCA) violations, with potential criminal charges in instances of suspected fraud, waste and abuse. While most FCA cases don’t result in criminal charges, the resolution process can be complex and challenging for providers.

The burden of proof in most civil hospice fraud cases is relatively low, making it easier for the government to establish evidence of wrongdoing. However, the burden of proof in federal criminal fraud investigations is higher, requiring evidence of intent to defraud and willfulness.

Fraud cases can result in severe penalties for hospice owners, including prison sentences, heavy fines, revocation of Medicare certification, and being barred from the industry. An example is the case of Dr. Shiva Akula, former owner of Canon Healthcare, who was convicted for FCA violations totaling nearly $47 million.

Regulatory oversight of the hospice industry has increased due to concerns about fraud, waste, and abuse. This has been driven by the proliferation of new hospices and fraudulent billing practices. The Centers for Medicare & Medicaid Services (CMS) has implemented a “36-month” rule forbidding any change in majority ownership during the 36 months after initial Medicare enrollment.

The hospice industry is experiencing a surge in audit activity, with providers focusing more on documentation to prove patient eligibility and medical necessity of services. While increased audits do not necessarily indicate fraud, a high prevalence of billing errors can signal potential wrongdoing to regulators.

New PCI DSS 4.0 Will Impact the Digital Health, Healthcare Industries

From McDermott Will & Emery, by Mark E. Schreiber, Brian Long, Jonathan Ende:

The healthcare industry, particularly digital health, is increasingly adopting an e-commerce model, accepting direct payments from consumers. This necessitates compliance with the Payment Card Industry Data Security Standard (PCI DSS), even if payment card processing is outsourced. 

The new version of PCI DSS (4.0) will be mandatory from March 31, 2024, introducing more rigorous requirements. Entities that offer these services and accept payment cards must complete either a report on compliance (ROC) or a self-assessment questionnaire (SAQ) annually.

PCI DSS 4.0 brings new requirements, focusing on targeted risk analysis, organizational maturity, and governance. It makes PCI DSS compliance a continuous effort, rather than an annual task, and allows businesses to implement alternative controls that meet the customized approach objective.

Some significant changes in PCI DSS 4.0 include increased requirements for yearly diligence for merchants and service providers, introduction of a customized approach for controls, expanded risk analysis guidance, and clarifications to the “significant change” standard.

Failure to comply with PCI DSS 4.0 may lead to investigations, fines, penalties, and assessments by card brands and acquirers. It may also lead to legal risks, as the new version requires more security documentation and risk analysis, exposing the company’s security posture to greater scrutiny. Therefore, businesses should promptly begin addressing and validating compliance.