HIPAA Update: Recent Enforcement Actions Highlight Need to Implement Policies and Procedures and Oversee Your Organization’s HIPAA Compliance Program
May 2017

CardioNet $2.5M Settlement

On April 24, 2017, CardioNet agreed to pay $2.5 million to the Department of Health & Human Services (HHS) to settle potential violations of HIPAA Privacy and Security Rules. The company also agreed to implement a corrective action plan. This settlement is the first involving a wireless health services provider, as CardioNet provides remote mobile monitoring of and rapid response to patients at risk for cardiac arrhythmias. The enforcement action resulted from a January 2012 report by CardioNet to the Office for Civil Rights (OCR) regarding a laptop that was stolen from an employee’s vehicle. The laptop contained the electronic protected health information (ePHI) of 1,391 individuals. During the subsequent investigation, OCR discovered that the risk analysis and risk management processes CardioNet had in place at the time of the theft were insufficient. Additionally, the organization’s policies and procedures regarding the implementation of the standards of the HIPAA Security Rule were in draft form and had not been implemented. In fact, CardioNet could not produce any final policies or procedures regarding the implementation of safeguards for ePHI, including those for mobile devices.

Takeaway for Covered Entities and Business Associates: It is critical that covered entities and business associates have sufficient risk analysis (performed on a periodic and ongoing basis) and management processes (updated on a periodic and ongoing basis) in place and all policies and procedures implementing standards of HIPAA are final, approved, and implemented – including those for mobile devices.

Center for Children’s Digestive Health $31,000 Settlement

On April 17, 2017, the Center for Children’s Digestive Health (CCDH) agreed to pay HHS $31,000 to settle potential violations of the HIPAA Privacy Rule and implement a corrective action plan.  The corrective action plan requires CCDH to develop, maintain and revise written policies and procedures to comply with federal standards that govern the privacy and security of protected health information (PHI).  CCDH is also required to distribute these policies and procedures to all members of its workforce and assess and update them as appropriate, but at least annually.      

The enforcement action is a result of an August 2015 compliance review of CCDH initiated by the OCR following an investigation of CCDH’s business associate, FileFax, Inc.  During the investigation, OCR learned FileFax stored records for CCDH containing PHI.  However, neither CCDH nor FileFax could produce a signed Business Associate Agreement (BAA) prior to Oct. 12, 2015, despite the fact that CCDH began disclosing PHI to FileFax in 2003.

Takeaway for Covered Entities and Business Associates:  If a Covered Entity discloses PHI to a Business Associate, both parties must have a current, updated and executed BAA in place at all times.

Metro Community Provider Network $400,000 Settlement

On April 12, 2017, Metro Community Provider Network (MCPN), a federally-qualified health center of Denver, Colorado, agreed to settle potential noncompliance with the HIPAA rules by paying $400,000 to HHS and implementing a corrective action plan. The settlement is based on the lack of a security management process to safeguard ePHI. On January 27, 2012, MCPN filed a breach report informing OCR that a hacker gained access to employees’ email accounts and obtained 3,200 individuals’ ePHI through a phishing incident. OCR subsequently investigated and learned that although MCPN took necessary corrective action related to the incident, the organization failed to conduct a risk analysis until mid-February 2012. OCR also learned that prior to the phishing incident, MCPN failed to conduct a risk analysis to assess the risks and vulnerabilities in its ePHI environment and had not implemented any corresponding risk management plan to address those identified risks and vulnerabilities, as required by HIPAA.

Related Practice: Health Law


Legislative Update
May 2017

Performance-Based Incentive Payments to Physicians – On May 1, 2017, Governor Christie signed Senate Bill 913 into law, which permits hospitals to institute a system for making performance-based incentive payments to physicians. The legislation allows hospitals to establish compensation plans, subject to certain requirements, which allow for direct payments of incentives from the hospital to physicians or physicians groups, based on the physician’s performance in meeting the hospital’s institutional and specialty-specific goals as determined using an incentive payment methodology.

Criminal Background Checks Readopted – On April 17, 2017, the New Jersey Department of Health readopted N.J.A.C. 8:43I regarding fingerprint-supported criminal background checks for certain providers. The rule mandates that nurse’s aides, personal care assistants and assisted living administrators submit to a fingerprint process and criminal background checks when applying for certification and re-certification. Individuals found to be convicted of certain crimes and offenses are disqualified from certification or renewals, unless the person demonstrates rehabilitation through a process described in the rule.

Rules Governing Alcohol and Drug Counselors Readopted and Amended – On April 3, 2017, the Alcohol and Drug Counselor Committee published a notice in the New Jersey Register readopting and amending certain rules governing the practice of alcohol and drug counselors.  The amendments to the rules include, but are not limited to, changes to the application and renewal process as well as scope of practice.   

DCA Authority Clarified – Senate Bill 2563, introduced on May 1, 2017, clarifies the Department of Community Affairs (DCA) rulemaking authority over free-standing residential health care facilities and prohibits eviction of residents from such facilities except for good cause. The bill amends existing law pertaining to residential health care facilities to clarify that the DCA is responsible for regulating free-standing residential health care facilities that are not located with, or operated by, a Department of Health licensed health care facility.

Prescription Monitoring Information and Emergency Departments – On May 1, 2017, Senate Bill 3118 was introduced to require practitioners to check prescription monitoring information before issuing certain prescriptions to emergency department patients.  The bill would require each practitioner to not only access prescription monitoring information the first time the practitioner prescribes a Schedule II controlled substance to a new patient for acute or chronic pain, but also any time the practitioner prescribes a Schedule II controlled substance to a patient receiving care or treatment in the emergency department of a general hospital.

Related Practice: Health Law

Attorneys: Mark Manigan, John Fanburg and Cheryll Calderon


Amendments to NJCLIA
May 2017

On January 9, 2017, Governor Christie signed into law certain amendments to the New Jersey Clinical Laboratory Improvement Act (CLIA) which went into effect immediately. As a result of extensive pressure from certain advocacy groups in search of a better understanding of these amendments, and their effect on the provision of clinical laboratory services in New Jersey, the New Jersey Department of Health Clinical Laboratory Improvement Service (CLIS) issued a guidance memorandum on April 10, 2017. The memorandum details the CLIA amendments and how CLIS intends to implement the changes, pending official revision to its implementing regulations. In short, the guidance memorandum details the following:

  • CLIS licensure is not required for facilities that perform only point of care laboratory testing so long as certain criteria are met, such as where instruments or kits are used, place of testing, type of tests, management and quality controls

  • Quality control program standards will not exceed the standards set forth in federal regulations, or alternative quality control testing procedures approved by Centers for Medicare & Medicaid Services

  • CLIS must recognize all waived tests under the federal “Clinical Laboratory Improvement Amendments of 1988” (FCLIA), as well as require that standards for use of such waived tests not exceed the FCLIA standards, so long as CLIS by way of CLIA, or with additional amendments to CLIA, determine it necessary to protect the public health

  • Collection station licensure is required for NJ schools that collect patient specimens and refer such specimens to reference laboratories

  • Collection stations require CLIS licensure even if a certificate of waiver is obtained

  • CLIS maintains authority to investigate all clinical laboratories and collection stations

  • Anatomic pathology is within the scope of practice of a clinical laboratory, thereby requiring licensure by CLIS.

Related Practice: Health Law

Attorneys: Debra Lienhardt and Keith Roberts


Court Holds that New York Home Care Agencies Must Pay Non-Residential Employees for Entire 24 Hours of On-Call Shifts
May 2017

On April 11, 2017, a New York State appeals court ruled that 24-hour home care workers must be paid for all 24 hours they work or are on call, if they are not “residential” employees. According to New York’s Department of Labor regulations, minimum wage must be paid for each hour an employee is required to be available for work, except for “residential employees”, who live on the employer’s premises.  Residential employees are not entitled to pay for normal sleeping hours or any hours when they may leave the residence. In the case, Tokhtama v. Human Care, LLC, 2017 NY Slip Op 02759, the Court held that the plaintiff sufficiently alleged she is not a residential employee as a matter of law and therefore entitled to pay beyond a residential employee’s 13 hour shift. 

If the court ruling is upheld, home care agencies in New York may face liability for back pay owed to many non-residential employees who were not paid for portions of their 24 hour on-call shifts.  If the decision is followed elsewhere, home care agencies nationwide may be exposed to similar claims for denial of pay.

Related Practice: Health Law

Attorneys: Joseph Gorrell, Debra Lienhardt and Nicole Medrozo


OCR Issues Security Bulletin on HTTPS Transmissions
May 2017

The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) published a bulletin on April 3, 2017, warning of potential dangers from using the security measure Hypertext Transfer Protocol Secure (HTTPS) to transmit protected health information (PHI) and other confidential information over the internet. Malicious attacks, called “man-in-the-middle” attacks, are specifically designed to intercept and alter these HTTPS communications. Such attacks could result in the exposure or corruption of PHI and breaches of the Health Insurance Portability and Accountability Act (HIPAA).

The bulletin may be found at: https://www.hhs.gov/sites/default/files/april-2017-ocr-cyber-awareness-newsletter.pdf?language=es

Related Practice: Health Law

Attorneys: Carol Grelecki, Debra Lienhardt and Brian Wong


Proposed Legislation Would Limit Non-Economic Damages in Certain Medical Malpractice Suits
May 2017

Republicans in the House of Representatives have drafted a bill as part of their Affordable Care Act (ACA) replacement that would impose new limits on lawsuits involving care covered by Medicare, Medicaid or private health insurance subsidized by the ACA. The limits would apply to medical malpractice lawsuits and certain product liability claims. The bill, H.R. 1215, would set a $250,000 limit on non-economic damages, such as pain and suffering. There would be no limit to the recovery of economic damages. The nonpartisan Congressional Budget Office estimates that the bill would reduce federal budget deficits by almost $50 billion over 10 years.

The bill also states that a health care provider who prescribes a drug or medical device that was approved, licensed or cleared by the FDA cannot be named as a party to a product liability lawsuit involving the product. In addition, a provider cannot be liable to a claimant in a class action lawsuit against the manufacturer, distributor or seller of the product.  The bill would also restrict the contingency fees that attorneys receive in such health care lawsuits.

Related Practice: Health Law

Attorneys: Keith Roberts, Joseph Gorrell and Brett Fischer



CMS Updates Self-Referral Disclosure Protocol Form
May 2017

The Centers for Medicare & Medicaid Services (CMS) recently issued a new form to report actual or potential violations of the Medicare physician self-referral law, under the Self-Referral Disclosure Protocol (SRDP). The SRDP establishes a protocol that enables Medicare providers to self-disclose actual or potential violations of the physician self-referral statute, as required by federal law.

According to CMS, the purpose of the new SRDP disclosure form is to create a streamlined and standardized format for disclosing actual or potential violations of the physician self-referral law.  This will reduce the burden on providers and suppliers submitting disclosures and facilitate CMS’s review of the disclosures.  Use of the new SRDP disclosure form is mandatory beginning June 1, 2017.  Before then, parties submitting self-disclosures are encouraged, but not required, to use the new form.

Related Practice: Health Law

Attorneys: Carol Grelecki, Riza Dagli and Jonathan Walzman


OIG Releases Resource Guide to Measure Compliance Program Effectiveness
May 2017

On March 27, 2017, the Department of Health & Human Services, Office of Inspector General (OIG) published a resource guide for health care professionals to measure compliance program effectiveness. The resource guide provides compliance measurement tools for a wide range of health care organizations. The guide focuses on the following compliance program elements:

  • Standards, Policies and Procedures
  • Compliance Program Administration
  • Screening and Evaluation of Employees, Physicians, Vendors and other Agents
  • Communication, Education and Training on Compliance Issues
  • Monitoring, Auditing and Internal Reporting Systems
  • Discipline for Non-Compliance
  • Investigations and Remedial Measures

Each element discussed contains a list of compliance program metrics.  The purpose of each metrics list is to give health care organizations as many ideas as possible regarding compliance program effectiveness, to be broad enough to help any type of organization and to let each organization choose which metrics are best suited to its needs.  The lists are not intended to be used as a standard for compliance with law, or for certification purposes.  The resource guide can be found on OIG’s website located at: https://oig.hhs.gov/compliance/101/files/HCCA-OIG-Resource-Guide.pdf

Related Practice: Health Law

Attorneys: Riza Dagli, Lani Dornfeld and Edward Hilzenrath


House Passes Legislation to Repeal and Replace Affordable Care Act
May 2017

On May 4, 2017, House Republicans passed legislation to repeal and replace parts of the Affordable Care Act (ACA), also known as “Obamacare.” The bill would effectively repeal the ACA’s “individual mandate” by eliminating tax penalties for individuals who choose not to purchase health insurance.  The measure also removes the requirement that employers with at least 50 employees provide health insurance to their workers.  Government subsidies for those purchasing insurance in the marketplace would be replaced by tax credits of $2,000 to $4,000 per year, depending on age and income.  In addition, states would have the option to seek waivers to the federal requirement that insurers cover ten essential health benefits, including emergency services, hospitalization, maternity and mental health and substance abuse.  The bill also rolls back Medicaid expansion, allows states to establish a work requirement for Medicaid and revamps Medicaid funding by instituting a “per capita cap” wherein states would receive a fixed amount of money per enrollee. 

The legislation narrowly passed by a vote of 217-213 and is expected to face steep opposition from both Democrats and Republicans in the Senate, who are said to be already working to revise several of its key provisions.  Many speculate that the bill could be significantly amended if it returns to the House for another vote. 

Related Practice: Health Law

Attorneys: John Fanburg, Mark Manigan and Cheryll Calderon
