Tom Price is out as Secretary of the U.S. Department of Health and Human Services (“HHS”).  Mr. Price announced his resignation on September 29th as he faced more questions and increasing scrutiny over his use of taxpayer-funded private planes.  While Mr. Price’s departure from HHS will affect some aspects of the Trump Administration’s health care agenda, health care enforcement and compliance issues enjoy bipartisan support and are therefore less volatile.

Under Inspector General Daniel Levinson, who has led HHS’ Office of Inspector General (“OIG”) for twelve years, HHS remains committed to detecting, preventing, and prosecuting individuals and companies for health care fraud.  Accordingly, all signs point to OIG continuing to focus on detecting fraudulent billing practices and illegal physician referral programs, and using corporate integrity agreements to ensure that health care providers obey Medicare and Medicaid rules and policies.

In addition to fighting fraud in HHS programs, Health Insurance Portability and Accountability Act (“HIPAA”) security and cyber security are top priorities for HHS’ Office for Civil Rights (“OCR”).  To combat cyber security threats and to mitigate damage caused by cyber security breaches, OCR will likely increase its enforcement of HIPAA privacy rules and regulations and scrutinize providers’ cyber security policies, best practices, and response procedures.  Driving home this point, new OCR Director Roger Severino said, “I’ve gotten up to speed on HIPAA, and as the threats evolve, we have to evolve in how we approach it – and we have to be smart about who we target.  At most I will say the big, juicy case is going to be my priority and the methods for us finding it – stay tuned.”[1]

Under Attorney General Jeff Sessions, the U.S. Department of Justice has maintained a high tempo in its efforts to combat health care fraud.  For example, in July 2017 DOJ announced a partnership between its Health Care Fraud Unit’s Corporate Fraud Strike Force and Foreign Corrupt Practices Act (“FCPA”) prosecutors to ensure that health care companies are held accountable to the standards of the False Claims Act and the FCPA.  And DOJ’s new Opioid Fraud and Abuse Detection Unit will help combat the ongoing opioid crisis, in keeping with Attorney General Sessions’ enforcement priorities.

Tom Price’s departure as HHS Secretary is significant for other important aspects of health care, including the future of the Affordable Care Act and the Medicare and Medicaid bundled payment models.  However, current HHS and DOJ enforcement programs remain a priority under President Trump and Attorney General Sessions.

[1] Marianne K. McGee, Top HIPAA Enforcer Names His Top Enforcement Priority, Data Breach Today (Sept. 5, 2017), https://www.databreachtoday.com/top-hipaa-enforcer-names-his-top-enforcement-priority-a-10258.

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) recently issued a checklist that details suggested best practices for entities covered by the Health Insurance Portability and Accountability Act (HIPAA) in responding to potentially damaging cyber attacks.  The checklist, and an accompanying infographic, provide welcome guidance for health care companies, which have found themselves increasingly targeted by cybercriminals who seek to steal valuable data or launch potentially devastating ransomware attacks.  Indeed, last month’s WannaCry ransomware attack crippled portions of the U.K.’s National Health Service, resulting in the cancellation of medical procedures and the closure of emergency rooms across the U.K.

OCR’s guide should serve as a quick response tool for all HIPAA-covered entities – including health care organizations and their vendors – to efficiently and effectively react to a cyber attack.  Importantly, the checklist identifies the minimum criteria, or foundational elements, a company must meet in the wake of a cyber emergency to safeguard data. Specifically, OCR’s checklist recommends that HIPAA covered entities (and affiliates) pursue the following actions:

  1. Execute mitigation procedures to immediately fix the technical problem that caused or permitted the cyber attack;
  2. Report the breach to local and federal law enforcement;
  3. Share all cyber threat indicators with information-sharing and analysis organizations (ISAOs), which include the Department of Homeland Security, Health and Human Services Assistant Secretary for Preparedness and Response, and private sector ISAOs; and
  4. Disclose the breach to OCR immediately – but no later than 60 days following the discovery of a breach that affects at least 500 people – and to those whose information has been compromised.  If a cyber attack affects fewer than 500 people, the HIPAA covered entity must notify the affected individuals “without unreasonable delay” and report the breach to OCR within 60 days of the end of the calendar year.

Compliance with these protocols by health care entities will be considered by OCR as a mitigating factor in any OCR investigation into a data breach.

It is important to note, however, that the checklist only addresses post-breach compliance under HIPAA.  Health care providers may have other reporting obligations under federal and state laws, particularly state data breach notification laws.  Health care providers that are the victims of a data breach should consult with counsel to determine the extent of their reporting obligations.

On May 31, 2017, the Department of Justice announced a $155 million settlement with eClinicalWorks (ECW), an electronic health records (EHR) software vendor, to resolve a whistleblower complaint that alleged violations of the False Claims Act and the Anti-Kickback Statute.  This settlement, the “largest financial recovery in the history of the State of Vermont,” should put EHR vendors on notice, as well as other vendors that offer services or products to health care providers: providing misinformation to a government contractor or health care provider about their products or services, or furnishing nonconforming goods or services, may expose them to significant financial liability under the False Claims Act, even if they do not themselves submit claims to the government.

Background:  Pursuant to the Health Information Technology for Economic and Clinical Health Act (HITECH Act) of 2009, the United States Department of Health and Human Services (HHS) established a program to provide incentive payments to health care providers who demonstrated “meaningful use” of “certified” EHR technology.  The incentive payments are to encourage health care providers to transition to using EHR.  To obtain the proper certification, EHR vendors are required to affirm that their products meet certain requirements adopted by HHS and then pass certain tests by a certifying agency approved by HHS.

Allegations:  The lawsuit, in which the federal government intervened, alleged that ECW falsely attested that its products met the applicable certification criteria and prepared its software to pass the certification testing without actually meeting the certification criteria.  Significantly, ECW was alleged to have violated the False Claims Act because it had “caused” the end user health care providers to submit inaccurate attestations concerning their use of “certified” EHR in support of their claims to the government for “meaningful use” incentive payments.

Settlement:  ECW agreed to pay $155 million to settle the complaint and entered into an onerous, five-year Corporate Integrity Agreement (CIA).  In what the DOJ described as “innovative,” the CIA requires, among other things, that ECW (a) retain an Independent Software Quality Oversight Organization to assess ECW’s software quality control systems, (b) provide prompt notice to its customers of any safety related issues, (c) maintain on its customer portal a comprehensive list of issues and steps users should take to mitigate potential patient safety risks, (d) provide its customers with updated versions of their software free of charge, (e) offer customers the option to have ECW transfer their data to another EHR vendor without penalties or charges, and (f) retain an Independent Review Organization to review ECW’s arrangements with health care providers to ensure compliance with the Anti-Kickback Statute.

Implications:  EHR and other health care vendors cannot assume that their liability is limited to breach of contract or indemnification of their customers.  Rather, the ECW case points to the risk of direct exposure under the False Claims Act without ever submitting a single claim to the government.  In a similar vein, in the context of the Health Insurance Portability and Accountability Act (HIPAA), software and other vendors may also be directly subject to penalties under HIPAA for breaches of protected health information – as a business associate to their health care provider customers.

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced on April 24, 2017, a $2.5 million settlement with mobile health services company CardioNet to resolve its “potential noncompliance” with the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules arising from the exposure of unsecured electronic protected health information (ePHI) of more than a thousand individuals. OCR touted the settlement as its first with a wireless health services provider.

The settlement requires CardioNet to adopt a Corrective Action Plan, as part of which CardioNet must:

  • conduct a risk analysis to identify the security risks and vulnerabilities to its systems that house ePHI;
  • develop and implement a risk management plan to mitigate those risks and vulnerabilities;
  • review—and potentially revise—its security policies for electronic devices and media; and
  • review—and potentially revise—its training program related to the security of ePHI.



As we reported last week, on January 17, 2017, staff from the Department of Health and Human Services Office of Inspector General (HHS-OIG) met with Health Care Compliance Association (HCCA) professionals for a roundtable meeting to develop a resource guide aimed at helping health care organizations develop ways to benchmark and measure the effectiveness of compliance programs.

The results of the roundtable meeting were released by HHS-OIG on March 27, 2017, with the release of the Resource Guide on Compliance Program Effectiveness (“Resource Guide”).  The Resource Guide provides a large number of measurement options designed to work across “a wide range of organizations with diverse size, operational complexity, industry sectors, resources, and compliance programs.” It covers the well-established seven elements of an effective compliance program, articulated in the U.S. Sentencing Guidelines:

  1. Standards, policies and procedures
  2. Compliance program administration
  3. Screening and evaluation of employees, physicians, vendors and other agents
  4. Communication, education and training on compliance issues
  5. Monitoring, auditing and internal reporting systems
  6. Discipline for noncompliance and
  7. Investigations and remedial measures



The federal Health and Human Services’ Office of Inspector General (OIG) has recently circulated a new resource guide for compliance, titled “Measuring Compliance Program Effectiveness.”  Beyond reciting the seven elements of an effective compliance program, this guidebook provides concrete metrics for “what to measure” and “how to measure” compliance under each element, including, for instance, performing a fraud risk assessment.

The OIG is careful to remind the health care community that there is no “one size fits all” compliance plan, and that this latest guidance is not meant to serve as a checklist or substitute for a program particularized to the organization’s particular needs and industry risks. Nevertheless, the guidance can serve as a useful platform for building out an effective compliance program and for evaluating and enhancing a program already in place.  Performing a compliance review with the Guide as a tool can also help demonstrate a provider’s or health plan’s commitment to compliance “best practices.”

New regulations have been released in the form of a Final Rule (announced at 82 Fed. Reg. 4100) (the “Final Rule”), revising and expanding the authority of the U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG) to exclude entities and individuals from participation in federal health care programs. The Final Rule adds to the OIG’s longstanding statutory authority to issue exclusions, which was most recently expanded by Congress in the 2010 Affordable Care Act.

The Final Rule was announced on January 12, 2017, and was intended to go into effect on February 13, 2017. The new administration’s temporary freeze on pending regulations delays that effective date until March 21, 2017.