Emerging Cyber-Security Threats for 2020: The Rise of Disruptionware and High-Impact Ransomware Attacks

Disruptionware is defined by the Institute for Critical Infrastructure Technology (ICIT) as a new and “emerging category of malware designed to suspend operations within a victim organization through the compromise of the availability, integrity and confidentiality of the systems, networks and data belonging to the target.”  New forms of disruptionware can be a more crippling form of cyber-attack than other more “garden-variety” malware and ransomware attacks. This is the case since, as the ICIT notes, disruptionware not only attempts to encrypt and deny users access to their data, but works as a “layered attack” designed to “disrupt operations and production in manufacturing or industrial environments (as well as infrastructure) in order to achieve some other strategic goal.”

Disruptionware has “consumed” many traditional cyber-attacks, making them part of the disruptionware “toolkit.” These techniques include cyber-attacks such as ransomware, “wipers,” “bricking capabilities,” automated components, data exfiltration tools and network reconnaissance tools. (See ICIT report for further definitions.) Today, the rise of disruptionware is a new and even more chaotic form of cyber warfare attack – it not only attempts to encrypt and deny users access to their data, but disruptionware works to “disrupt operations and production in manufacturing or industrial environments (as well as infrastructure) in order to achieve some other strategic goal.”

Additionally, generalized forms of ransomware attacks – designed to block access to the victim’s computer systems until money is paid – are continuing to represent a more prevalent threat to government agencies, healthcare providers and educational institutions. Ransomware was so destructive on its own that the FBI recently issued a Public Service Announcement (PSA) warning about such “high-impact” attacks on critical private and public sector institutions. Underscoring the FBI’s announcement, another publication has noted the rise of ransomware attacks since the beginning of 2019, finding that there have been at least 621 reported successful ransomware attacks against U.S.-based corporations. Of these attacks, at least 491 were targeted against healthcare providers, while another 68 of the attacks were directed at county and municipal institutions, and 62 of the attacks were focused on school districts.

According to the FBI, hospitals and health care institutions are the primary targets of these high-impact ransomware attacks because of the critical role they play in providing lifesaving services, and the fact that these institutions usually do not have the luxury of taking time to restore backups in order to get their networks working again and running safely and securely after an attack. Above and beyond the costs associated with paying the ransom and restoring computer networks and systems, ransomware attacks on hospitals and health care providers have proven especially damaging because they affect the ability of the targeted healthcare providers to deliver critical health care services to patients. Perhaps even more disturbingly, many of the victim companies reported losing data even when they paid the ransom demanded by the hackers. Nevertheless, according to the blog “knowbe4,” it was predicted that ransomware payments alone by victim companies will have exceeded $11.5 billion in 2019 – representing an increase of almost 30% over the approximately $8 billion paid in 2018.

Along with the rise of disruptionware and high-impact ransomware, hackers are also now using new and diverse techniques to launch multiple forms of cyber-attacks including, among other things, an increased use of new Remote Desktop Protocol (RDP) attacks, as well as leveraging various software vulnerabilities to infect organizations through backdoor channels. Unfortunately, few businesses are hardening their IT infrastructure against these new types of extremely damaging cyber-attacks. RDP attacks are becoming far more common because of the simplicity of many users’ login credentials, while companies are not doing enough to “whitelist” exclusively acceptable computer software and applications to prevent security holes caused by numerous software vulnerabilities in unsecured and sometimes untested software applications.

The FBI’s PSA serves as a warning to businesses that they should have a plan in place to respond efficiently and appropriately in the event of high impact ransomware and disruptionware attacks. Such plans should include, among other things, clear designations of responsible individuals (both inside and outside the company), procedures for contacting law enforcement, and the business having a firm understanding of what their data is as well as a good understanding of its importance in the overall business plan. Finally, businesses need a current and workable Disaster Recovery Plan for getting the organization up and running again as quickly as possible if there is a cyber-attack. Businesses would be wise to review how their systems are backed up, as reliable and readily accessible backups are often critical in allowing ransomware or disruptionware victims to try and resume normal business operations as quickly as possible.


©2020 Drinker Biddle & Reath LLP. All Rights Reserved

For more on ransomware and other cyberthreats, see the Communications, Media & Internet section of the National Law Review.

The Shell Game Played with Your DNA, or 23 and Screwing Me

So you want to know how much Neanderthal is in your genes.

You are curious about the percentage of Serbo-Croatian, Hmong, Sephardim or Ashanti blood that runs through your veins. Or maybe you hope to find a rich great-aunt near death, seeking an heir.

How much is this worth to you?  Two hundred bucks? That makes sense.

But what about other costs:

– like sending your cousin to prison for life (and discovering that you grew up with a serial killer)?

– like all major companies refusing to insure you due to your genetic make-up?

– like ruining your family holidays when you find that your grandfather is not really genetically linked to you and grandma had been playing the field?

– like pharma companies making millions using your genetic code to create new drugs and not crediting you at all (not even with discounts on the drugs created by testing your cells)?

– like finding that your “de-identified” genetic code has been re-identified on the internet, exposing genetic propensity for alcoholism or birth defects that turn your fiancé’s parents against you?

How much are these costs worth to you?

According to former FDA commissioner Peter Pitts, writing in Forbes, “The [private DNA testing] industry’s rapid growth rests on a dangerous delusion that genetic data is kept private. Most people assume this sensitive information simply sits in a secure database, protected from hacks and misuse. Far from it. Genetic-testing companies cannot guarantee privacy. And many are actively selling user data to outside parties.” Including law enforcement.

Nothing in US Federal health law protects the privacy of DNA test subjects at “non-therapeutic” labs like Ancestry or 23andMe. Information gleaned from the DNA can be used for almost anything.  As Pitts said, “Imagine a political campaign exposing a rival’s elevated risk of Alzheimer’s. Or an employer refusing to hire someone because autism runs in her family. Imagine a world where people can have their genomic building blocks held against them. Such abuses represent a profound violation of privacy. That’s an inherent risk in current genetic-testing practices.”

Genetic testing companies quietly, and some would argue without adequate explanation of facts and harms which are lost in a thousand words of fine print that most data subjects won’t read, push their customers to allow genetic testing on the customer samples provided. Up to 80% of 23andMe customers consent to this activity, likely not knowing that the company plans to make money off the drugs developed from customer DNA. Federal laws require labs like those used by 23andMe for drug development to keep information for more than 10 years, so once they have it, despite rights to erasure provided by California and the EU, 23andMe can refuse to drop your data from its tests.

Go see the HBO movie starring Oprah Winfrey about medical exploitation of the cell lines of Henrietta Lacks, or better yet, read the bestselling book it was based on. Observe that an engaging, vivacious woman who couldn’t afford health insurance was farmed for a line of her cancer cells that assisted medical science for decades and made millions of dollars for pharma companies without any permission from or benefit to the woman whose cells were taken.  Or any benefit to her family once cancer killed her. Companies secured over 11,000 patents using her cell lines. This is the business model now adopted by 23andMe. Take your valuable data under the guise of providing information to you, but quietly turn that data into profitable products for their shareholders’ and executives’ benefit. Not to mention that 23andMe can change its policies at any time.

As part of selling your genetic secrets to the highest bidder, 23andMe is constantly pushing surveys out to its customers. According to an article in Wired, 23andMe Founder Anne Wojcicki said, “We specialize in capturing phenotypic data on people longitudinally—on average 300 data points on each customer. That’s the most valuable by far.” Which means they are selling not only your DNA information, but all the other data you give them about your family and lifestyle.

This deep ethical compromise by 23andMe is personal for me, and not because I have sent them any DNA samples – I haven’t and I never would. But because, when questioned publicly about their trustworthiness by me and others close to me, 23andMe has not tried to explain its policies, but has simply attacked the questioners in public. Methinks the amoral vultures doth protest too much.

For example, a couple of years ago, my friend, co-author and privacy expert Theresa Payton noted on a Fox News segment that people who provide DNA information to 23andMe do not know how such data will be used because the industry is not regulated and the company could change its policies any time. 23andMe was prompt and nasty in its response, attacking Ms. Payton on Twitter and probably elsewhere, claiming that the 23andMe privacy policy, as it existed at the time, was proof that no surprises could ever be in store for naïve consumers who gave their most intimate secrets to this company.

[BTW, for the inevitable attacks coming from 23andMe and their army of online protectors, the FTC endorsement guidelines require that if there is a material connection between you and 23andMe, paid or otherwise, you need to clearly and conspicuously disclose it.]

Clearly Ms. Payton was correct and 23andMe’s attacks on her were simply wrong.

Guess what? According to the Wall Street Journal, 23andMe sold a $300 MM stake in itself to GlaxoSmithKline recently and, “For 23andMe, using genetic data for drug research ‘was always part of the vision,’ according to Emily Drabant Conley, vice president and head of business development.” So this sneaky path is not even a new tactic. According to the same WSJ story, “23andMe has long wanted to use genetic data for drug development. Initially, it shared its data with drug makers including Pfizer Inc. and Roche Holding AG ’s Genentech but wasn’t involved in subsequent drug discovery. It later set up its own research unit but found it lacked the scale required to build a pipeline of medicines. Its partnership with Glaxo is now accelerating those efforts.”

And now 23andMe has licensed an antibody it developed to treat inflammatory diseases to Spanish drug maker Almirall SA. “This is a seminal moment for 23andMe,” said Conley. “We’ve now gone from database to discovery to developing a drug.” In the WSJ, Arthur Caplan, a professor of bioethics at NYU School of Medicine said “You get this gigantic valuable treasure chest, and people are going to wind up paying for it twice. All the people who sent in DNA will be paying the same price for any drugs that are developed as anybody else.”

So this adds another ironic dimension to the old television adage, “You aren’t the customer, you are the product.” You pay to provide your DNA – the code to your entire physical existence – to a private company. Why? Possibly because you want information that may affect your healthcare, but in all likelihood you simply intend to use the information for general entertainment and information purposes.

You likely send a swab to the DNA company because you want to learn your ethnic heritage and/or see what interesting things they can tell you about why you have a photic sneeze reflex, if you are genetically inclined to react strongly to caffeine, or if you are carrier of a loathsome disease (which you could learn for an additional fee). But the company uses the physical cells from your body not only to build databases of commercially valuable information, but to develop drugs and sell them to the pharmaceutical industry. So who is the DNA company’s customer? 23andMe and its competitors take physical specimens from you and sell products made from those specimens to their real customers, the drug companies and the data aggregators.

These DNA processing firms may be the tip of the spear, because huge data companies are coming for your health information. According to the Wall Street Journal,

“Google has struck partnerships with some of the country’s largest hospital systems and most-renowned health-care providers, many of them vast in scope and few of their details previously reported. In just a few years, the company has achieved the ability to view or analyze tens of millions of patient health records in at least three-quarters of U.S. states, according to a Wall Street Journal analysis of contractual agreements. In certain instances, the deals allow Google to access personally identifiable health information without the knowledge of patients or doctors. The company can review complete health records, including names, dates of birth, medications and other ailments, according to people familiar with the deals.”

And medical companies are now tracking patient information with wearables like smartwatches, so that personally captured daily health data is now making its way into these databases.

And, of course, other risk issues affect the people who provide data to such services.  We know through reporting following the capture of the Golden State Killer that certain genetic testing labs (like GEDMatch) have been more free than others with sharing customer DNA with law enforcement without asking for warrants, subpoenas or court orders, and that such data can not only implicate the DNA contributors but their entire families as well. In addition, while DNA testing companies claim to only sell anonymized data, the information may not remain that way.

Linda Avey, co-founder of 23andMe, concedes that nothing is foolproof. She told an online magazine, “It’s a fallacy to think that genomic data can be fully anonymized.” This article showed that researchers have already re-identified people from their publicly available genomic data. For example, one 2013 study matched Y-chromosome data with names posted in places such as genealogy sites. In another study that same year, Harvard Professor Latanya Sweeney re-identified 84 to 97 percent of a sample of Personal Genome Project volunteers by comparing gender, postal code and date of birth with public records.

A 2015 study re-identified nearly a quarter of a sample of users sequenced by 23andMe who had posted their information to the sharing site openSNP. “The matching risk will continuously increase with the progress of genomic knowledge, which raises serious questions about the genomic privacy of participants in genomic datasets,” concludes the paper in Proceedings on Privacy Enhancing Technologies. “We should also recall that, once an individual’s genomic data is identified, the genomic privacy of all his close family members is also potentially threatened.” DNA data is the ultimate genie, that once released from the bottle, can’t be changed, shielded or stuffed back inside, and that threatens both the data subject and her entire family for generations.

And let us not forget the most basic risk involved in gathering important data. This article has focused on how 23andMe and other private DNA companies have chosen to use the data – probably in ways that their DNA contributing customers did not truly understand – to turn a profit for investors.  But collecting such data could have unintended consequences.  It can be lost to hackers, spies or others who might steal it for their own purposes.  It can be exposed in government investigations through subpoenas or court orders that a company is incapable of resisting.

So people planning to plaster their deepest internal and family secrets into private company databases should consider the risks that the private DNA mills don’t want you to think about.


Copyright © 2020 Womble Bond Dickinson (US) LLP All Rights Reserved.

For more in health data privacy, see the National Law Review Health Law & Managed Care section.

Offered Free Cyber Services? You May Not Need to Look That Gift Horse in the Mouth Any Longer.

Cyberattacks continue to plague health care entities. In an effort to promote improved cybersecurity and prevent those attacks, HHS has proposed new rules under Stark and the Anti-Kickback Statute (“AKS”) to protect in-kind donations of cybersecurity technology and related services from hospitals to physician groups. There is already an EHR exception1 which protects certain donations of software, information technology and training associated with (and closely related to) an EHR, and HHS is now clarifying that this existing exception has always been available to protect certain cybersecurity software and services. However, the new proposed rule explicitly addresses cybersecurity and is designed to be more permissive than the existing EHR protection.

The proposed exception under Stark and safe harbor under AKS are substantially similar and unless noted, the following analysis applies to both. The proposed rules allow for the donation of cybersecurity technology such as malware prevention and encryption software. The donation of hardware is not currently contemplated, but HHS is soliciting comment on this matter as discussed below. Specifically, the proposed rules also allow for the donation of cybersecurity services that are necessary to implement and maintain cybersecurity of the recipient’s systems. Such services could include:

  • Services associated with developing, installing, and updating cybersecurity software;

  • Cybersecurity training, including breach response, troubleshooting and general “help desk” services;

  • Business continuity and data recovery services;

  • “Cybersecurity as a service” models that rely on a third-party service provider to manage, monitor, or operate cybersecurity of a recipient;

  • Services associated with performing a cybersecurity risk assessment or analysis, vulnerability analysis, or penetration test; or

  • Services associated with sharing information about known cyber threats, and assisting recipients responding to threats or attacks on their systems.

The intent of these rules is to allow the donation of this cybersecurity technology and these services in order to encourage their proliferation throughout the health care community, and especially with providers who may not be able to afford to undertake such efforts on their own. Therefore, these rules are expressly intended to be less restrictive than the previous EHR exception and safe harbor. The proposed restrictions are as follows2:

  • The donation must be necessary to implement, maintain, or reestablish cybersecurity;

  • The donor cannot condition the donations on the making of referrals by the recipient, and the making of referrals by the recipient cannot be conditioned on receiving a donation; and

  • The donation arrangement must be documented in writing.

AKS has an additional requirement that the donor must not shift the costs of any technology or services to a Federal health care program. Currently, there are no “deeming provisions” within these proposed rules for the purpose of meeting the necessity requirement, but HHS is considering, and is seeking comment on, whether to add deeming provisions which essentially designate certain arrangements as acceptable. Some in the industry appreciate the safety of knowing what is expressly considered acceptable and others find this approach more restrictive out of fears that the list comes to be considered exhaustive.

HHS is also considering adding a restriction regarding what types of entities are eligible for the donation. Previously for other rules, HHS has distinguished between entities with direct and primary patient care relationships, such as hospitals and physician practices, and suppliers of ancillary services, such as laboratories and device manufacturers.

Additionally, HHS is soliciting comment on whether to allow the donation of cybersecurity hardware to entities for which a risk assessment identifies a risk to the donor’s cybersecurity. Under this potential rule, the recipient must also have a risk assessment stating that the hardware would reasonably address a threat.


1 AKS Safe Harbor 42 CFR §1001.952(y); Stark Exception §411.357(bb)
2 AKS Safe Harbor 42 CFR §1001.952(jj); Stark Exception §411.357(w)(4)


©2020 von Briesen & Roper, s.c

More on cybersecurity software donation regulation on the National Law Review Communications, Media & Internet law page.

Pharmaceutical Company Agrees To $54 Million To Settle False Claims Kickback Allegations

Teva Pharmaceuticals has agreed to pay $54 Million to settle false claims kickback allegations brought by two whistleblowers, Charles Arnstein and Hossam Senousy. In their 2013 complaint, the whistleblowers asserted that Teva Pharmaceuticals (“Teva”) violated the False Claims Act when the company knowingly induced physicians to prescribe two of the company’s drugs in exchange for “speaker fees.”

Physicians hosted Teva’s speaker events, which were attended by the speakers, their families, Teva employees, and various repeat attendees. In her memorandum decision and order denying Teva’s motion for summary judgment, Chief Judge Colleen McMahon pointed to the suspect audience in attendance as well as the event locations, and the amount of alcohol served as further evidence of the questionable nature of the events.

Physician speakers earned speaker fees for their event appearances. These same physicians subsequently prescribed the drugs Copaxone and Azilect, both manufactured by Teva. The physicians in question also encouraged other doctors to prescribe the medications that treated multiple sclerosis and Parkinson’s disease, respectively. Pharmacies across the United States filled the prescriptions and submitted reimbursement claims to government-funded healthcare programs. Reimbursement funds to the pharmacies are taxpayers’ dollars.

The whistleblowers allege that the reimbursement payments from the various Federal health care programs were a result of fraud, namely the questionable “speaker fees” paid to the physicians in exchange for their prescribing Copaxone and Azilect. Furthermore, the Anti-Kickback Statute of the False Claims Act makes it illegal to knowingly pay or offer to pay kickbacks, bribes, or rebates to encourage someone to recommend the purchase of a pharmaceutical covered by a Federal health care program.

The False Claims Act has been a vital tool in the fight against government programs fraud since its inception; however, the success of the act depends on private citizens like Charles Arnstein and Hossam Senousy who are willing and able to speak out against the wrong that they encounter and work closely with the help of an experienced False Claims Act attorney to get results for everyone. The settlement of this case is not only beneficial to the government from a monetary perspective, but it is also a win for the taxpayers – those who ultimately pay when companies like Teva Pharmaceuticals choose to defraud the government.


© 2020 by Tycko & Zavareei LLP

For more false claims act settlements, see the National Law Review Litigation & Trial Practice section.

Health Law Section Report – September-December 2019

  • On September 16, 2019, at 51 N.J.R. 1462(a), the Department of Human Services, Division of Medical Assistance and Health Services, published an adoption of a correction to an error in the text of the definition of “nurse delegation” in the definitions set forth in N.J.A.C. 10:60-1.2. During the comment period, Disability Rights New Jersey (DRNJ) submitted a comment pertaining to the definition of nurse delegation. As part of the comment, DRNJ requested DMAHS to add “pursuant to N.J.A.C. 13:37-6.2” after “selected nursing tasks” to clarify what selected nursing tasks referred to (see Comment 16). DMAHS agreed to the change; however, in making the addition upon adoption, DMAHS inadvertently added the cross-reference as “N.J.A.C. 10:37-6.2.” The adoption corrects the error and inputs pursuant to N.J.A.C. 13:37-6.2.
  • On October 7, 2019, at 51 N.J.R. 1493(a), the Department of Human Services, Division of Medical Assistance and Health Services, published a rule proposal for a new chapter, N.J.A.C. 10:52B, to implement The County Option Hospital Fee Pilot Program. The purpose of the pilot program is to increase financial resources through the Medicaid/NJ FamilyCare program to support local hospitals in providing necessary services to low-income residents. The pilot program shall be in effect for a period of five years from April 30, 2019 and will end on April 30, 2024.
  • On October 7, 2019, at 51 N.J.R 1514(a), the Department of Law and Public Safety, Division of Consumer Affairs, Board of Medical Examiners, adopted an amendment to the athletic trainer continuing legal education requirement at N.J.A.C. 13:35-10.21, to require one credit in topics concerning prescription opioid drugs, including the risks and signs of opioid abuse, addiction, and diversion, commencing with the biennial renewal period beginning on February 1, 2019.
  • On October 7, 2019, at 51 N.J.R 1546(a), the Commissioner of the Department of Health published a notice of petition for rulemaking submitted by the New Jersey Hospital Association to make certain amendments to N.J.A.C. 8:43G Hospital Licensing Standards, Subchapter 14 Infection Control, N.J.A.C. 8:43G-14.9, Sepsis protocols, as recommended by CMS and the Surviving Sepsis Campaign, known as Sepsis-1.
  • On October 21, 2019 at 51 N.J.R. 1568(a), the Department of Law and Public Safety, Division of Consumer Affairs, Board of Physical Therapy Examiners, published a proposal to amend rules for supervision of licensed physical therapy assistants to clarify the record keeping regulations (N.J.A.C. 13:39A-7.2 and 7.3) in a manner that in the event patient records are maintained on computer recordkeeping systems that do not permit a supervising licensed physical therapist to sign a licensed physical therapist assistant’s notes, the supervising licensed physical therapist will be able to enter a separate note in the record indicating that he or she reviewed the licensed physical therapist assistant’s notes or the plan of care with the physical therapist assistant. This is meant to avoid a de facto dual signature requirement.
  • On November 4, 2019 at 51 N.J.R. 1597(a), the Department of Law and Public Safety, Division of Consumer Affairs, Board of Medical Examiners proposed amendments to its existing rules concerning graduate medical education programs in order to update the eligibility requirements for graduates of international medical schools who seek licensure or authorization to engage in the practice of medicine as residents. The proposed amendments would replace outdated restrictions on graduates of international medical schools pursuing licensure or authorization in New Jersey and allow the Board to rely on recognized accrediting bodies for international medical schools that adhere to standards substantially similar to the bodies that accredit domestic medical schools. By expanding eligibility, the proposed amendments may positively affect the supply of physicians practicing in the State. The proposal seeks to amend N.J.A.C. 13:35-1.5, 3.11, and 3.11A.
  • On November 4, 2019 at 51 N.J.R. 1600(a) the Department of Law and Public Safety, Division of Consumer Affairs, Audiology and Speech-Language Pathology Advisory Committee (Committee) proposes new rules to effectuate the provisions of the telemedicine and telehealth statute for licensed audiologists and/or speech-language pathologists. The proposed new rules would be codified at N.J.A.C. 13:44C-11.
  • On November 18, 2019, at 51 N.J.R. 1638(a), the Department of Law and Public Safety, Division of Consumer Affairs, State Board of Dentistry, proposed amendments, repeals, and new rules to: 1) implement new laws; 2) update rules, terminology, citations, website addresses, and the names of the licensure examinations; and 3) clarify and codify current standards of practice and licensure and registration requirements. The rulemaking reflects updates related to statutory changes, additions to enhance the safety of patients receiving dental services and those working in the profession, and identifies continuing education courses that must be completed in each renewal period. In response to adverse incident reports and news articles from across the country, the Board is proposing amendments to the sedation rules to enhance the safety of patients receiving dental services. Because the Board is seeing incidents of trained individuals achieving a deeper level of sedation than intended, the Board wants to provide more guidance to the regulated community as to what is expected so as to enhance patient safety. See N.J.A.C. 13:30. Comments due January 17, 2020.
  • On November 18, 2019, at 51 N.J.R. 1664(a), the Department of Law and Public Safety, Division of Consumer Affairs, State Acupuncture Examining Board (Board) proposed to amend N.J.A.C. 13:35-9.20 to require licensed acupuncturists to hold current certification in cardiopulmonary resuscitation (CPR), first aid, and the use of an automated external defibrillator (AED) as part of continuing education required to renew licensure. The certification must be from the American Heart Association, or a substantially similar course approved by the American Red Cross, National Safety Council, Coyne First Aid, Inc., American Safety and Health Institute, EMP International Inc., or EMS Safety Services Inc. In recognition of the hours required to obtain the certification, the Board proposes to reduce the number of required continuing education hours from 30 to 26. The Board is changing the total credits that could be obtained by certain methods to reflect that half of the total required hours will be 13 rather than 15. The Board also proposes to allow licensees who complete more than the continuing education hours required to renew licensure to apply those additional hours to the immediately succeeding biennial license renewal period. See N.J.A.C. 13:35-9.20.
  • On November 18, 2019, at 51 N.J.R. 1666(a), the Department of Law and Public Safety, Division of Consumer Affairs, Board of Massage and Bodywork Therapy proposed amendments that would require applicants for licensure and licensed massage and bodywork therapists to physically attend CPR, first aid, and use of an automated external defibrillator (AED) courses, would require licensed massage and bodywork therapists to complete continuing education in laws and rules pertinent to the practice of massage and bodywork therapy, and would end recognition of continuing education courses provided by schools, colleges, or universities. See N.J.A.C. 13:37A-2.1, 2.2, 2.3, 4.1, and 4.2.
  • On November 18, 2019, at 51 N.J.R. 1674(a), the Department of Law and Public Safety, Division of Consumer Affairs, State Board of Marriage and Family Therapy Examiners, Art Therapists Advisory Committee adopted new rules at N.J.A.C. 13:34D requiring licensure of art therapists and providing rules governing licensed art therapists. The new rules require licensed art therapists to preserve the confidentiality of information obtained from a client in the course of professional treatment unless disclosure is required by Federal law and require an art therapist whose client has explicitly waived the art therapist-client confidentiality privilege to release client information to a third-party payor whose benefit plan is qualified under the Federal Employee Retirement Income Security Act (ERISA). In addition, the new regulations provide that failure to comply with Federal laws related to the practice of art therapy will be deemed professional misconduct. See N.J.A.C. 13:34D.
  • On November 18, 2019, at 51 N.J.R. 1688(a), the Department of Law and Public Safety, Division of Consumer Affairs, Board of Massage and Bodywork Therapy readopted rules with amendments, adopted repeals and new rules regarding licensure, reinstatement and reporting of misconduct, record keeping and business registration. See N.J.A.C. 3:37A.
  • On November 18, 2019, at 51 N.J.R. 1691(a), the Department of Law and Public Safety, Division of Consumer Affairs, Orthotics and Prosthetics Board adopted a new rule regarding the abandonment of license applications due to incomplete information on the application or a one-year lapse in submission of information requested by the Board. See N.J.A.C. 13:44H-3.5A.
  • On November 18, 2019, at 51 N.J.R. 1691(b), the Department of Law and Public Safety, Division of Consumer Affairs, Orthotics and Prosthetics Board adopted a new rule to implement the telemedicine statute and to permit the use of telemedicine and telehealth by a licensed orthotist, orthotist assistant, pedorthist, prosthetist, prosthetist assistant, prosthetist-orthotist, or prosthetist-orthotist assistant. See N.J.A.C. 13:44H-11.
  • On December 2, 2019, at 51 N.J.R. 1761(a), the Department of Law and Public Safety, Division of Consumer Affairs, State Board of Marriage and Family Therapy Examiners, Alcohol & Drug Counselor Committee adopted amendments to the rules regarding who may provide clinical supervision to interns and counselors. See N.J.A.C. 13:34C-6.2, 6.2A, and 6.3.
  • On December 2, 2019, at 51 N.J.R. 1806(a), the Commissioner of the Department of Health published a notice of action on rulemaking by announcing that more time is required for deliberating on the adoption of new sepsis protocols for hospitals, as proposed on October 7, 2019 at 51 N.J.R. 1546(a).
  • On December 16, 2019, at 51 N.J.R. 1841(a), the Department of Law and Public Safety, Division of Consumer Affairs, State Board of Physical Therapy Examiners proposed an amendment and new rule recognizing the provisions of the Compact privileges that would require physical therapists and physical therapist assistants working in New Jersey, under Compact privileges, to comply with Board rules, except for those governing credentialing of applicants, license renewal, and continuing education. The proposed amendment and new rule require those seeking to work in New Jersey, pursuant to Compact privileges, to pass the State jurisprudence examination and to pay the Compact privilege fee ($40).
  • On December 16, 2019, at 51 N.J.R. 1849(ab), the Department of Law and Public Safety, Division of Consumer Affairs, State Board of Medical Examiners adopted amendments to the rules regarding continuing medical education that would permit up to 10 hours of volunteer medical service to uninsured low-income patients to count toward the CME requirement. See N.J.A.C. 13:35-6.15.

© 2020 Giordano, Halleran & Ciesla, P.C. All Rights Reserved


HHS HIV Drug Lawsuit: Setting Precedent for Other High Priced Medications or Government Collaborations?

On November 6, 2019, the bonds between the U.S. government and pharmaceutical companies were stretched when the U.S. Department of Health and Human Services (“HHS”) filed a patent infringement lawsuit against Gilead Sciences in Delaware federal court regarding Gilead’s popular HIV drugs, Truvada® and Descovy®.  HHS rarely sues for patent infringement.  In fact, the U.S. government and pharmaceutical companies typically have collaborative relationships.  For example, Gilead provided the Centers for Disease Control and Prevention (“CDC”) with free drugs for government experiments to expand treatment for certain diseases.  So, what happened?

In 2004, Gilead—after receiving patent protection—began selling Truvada® to treat people already infected with HIV.  The CDC later investigated whether Truvada® could be used as a prophylactic to prevent HIV in monkeys and received patent protection for four key patents that “generally cover processes for protecting a primate or human host from a self-replicating infection by an immunodeficiency retrovirus, including HIV.”  (Complaint, ¶ 196).  Specifically, the claimed inventions provide protection “by a combination of nucleoside reverse transcriptase inhibitor, such as FTC, and a nucleotide reverse transcriptase inhibitor, such as tenofovir, or esters/prodrugs of tenofovir, such as TDF or TAF.” Id. Gilead donated the FTC, TDF, and tenofovir used in the CDC’s research, but its personnel do not appear to have otherwise assisted in the research.

The government alleges that first, it helped develop the drug with Gilead, and second, that Gilead “repeatedly refused to obtain a license from CDC to use the patented regimens” and “profited from research funded by hundreds of millions of taxpayer dollars[,]” without paying any royalties to the CDC.  HHS seeks damages and royalties for Gilead’s alleged infringement.  Many speculate that HHS’s motivation goes beyond royalties to something deeper: to increase access and decrease the price of Truvada® and Descovy® for pre-exposure prophylaxis (“PrEP”).

One goal identified by the Trump administration is to eradicate new cases of HIV and AIDS by 2030.  In fact, the administration requested $291 million for this initiative in May 2019. Truvada® and Descovy® play a critical role in PrEP.  PrEP is stated to be a highly-effective HIV prevention strategy that may play a vital role in ending the global HIV and AIDS epidemic.  However, PrEP is not as widely used as it could be.  Some allege that the limited use is related to limited access to the drugs—which in turn could be due in part to the high cost.  In the United States, Truvada® costs roughly $1,782 a month.[1]  Some have speculated that this suit is part of the Trump administration’s initiative to lower PrEP prices and end the HIV epidemic in the United States.  But is there more?

Political anger and public outcry over drug costs have increased over the years.  Three years ago, a national controversy erupted over the price of EpiPen injectors manufactured by Mylan pharmaceuticals.  In 2008, EpiPens cost about $100.  In 2016, that price rose to $600.  This price increase outraged customers and put the company at the forefront of the debate over drug costs.  Public outrage, coupled with a whistleblower lawsuit, led Mylan to finalize a $465 million settlement with the U.S. Justice Department over claims that it overcharged the government for EpiPens.

The EpiPen controversy, coupled with the HHS lawsuit against Gilead, may signal to pharmaceutical companies across the country that the U.S. government is ready and willing to step in and demand lower drug prices.  Accordingly, this case may be an important bellwether and should be followed by those with interests in these areas.


[1] Descovy® is new to the market, so the average monthly cost is unknown.


©1994-2019 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

ARTICLE BY Aarti Shah and  Kara E. Grogan of Mintz.

2020 Vision: Protecting Your Hospital’s Tax-Exempt Status

The manner in which medical services are being provided to patients is rapidly changing. Procedures that used to be performed in hospitals and required overnight stays are now being performed at outpatient clinics. Similarly, technological advances have decentralized hospital administration and the way in which treatment is provided. This should not come as a surprise to anyone who has any level of familiarity with the health care system, which includes just about anyone who goes to a doctor on a regular basis.

It should also come as no surprise that the law often lags behind technological advances and is often in a state of playing “catch up.” This trend is readily apparent when it comes to the property tax exemption for Wisconsin hospitals. The good news is that the courts are now taking the advances in hospital care into account when affirming eligibility for property tax exemption, particularly as to clinics and outpatient facilities. That said, hospitals must be vigilant in obtaining and maintaining their exemption.

This Legal Update offers guidance for Wisconsin nonprofit hospitals that may be filing tax exemption applications for calendar year 2020. Later in this Legal Update, we briefly discuss recent developments at the federal level involving hospital exemptions under § 501(c)(3) of the Internal Revenue Code.

Property Tax Exemption for Nonprofit Hospitals

In Wisconsin, all property is subject to taxation unless it is explicitly deemed exempt by statute. The Wisconsin Statutes provide that the following type of property is exempt:

(4m) NONPROFIT HOSPITALS. (a) Real property owned and used and personal property used exclusively for the purposes of any hospital of 10 beds or more devoted primarily to the diagnosis, treatment or care of the sick, injured, or disabled…. This exemption does not apply to property used … as a doctor’s office.

(Wis. Stat. § 70.11(4m)). The legislative intent behind this exemption is to encourage not-for-profit hospitals to provide care for the sick.

Applications for property tax exemption must be filed by March 1. This includes exemption applications for newly constructed property as well as for existing and previously non-exempt property whose use has changed in a way that now makes it eligible for exemption. The property owner bears the burden of proving that the property is exempt and the Wisconsin courts interpret the statutory exemptions narrowly. Hospitals should start analyzing and preparing their exemption applications well in advance of the filing deadline.

All real property is assessed based on its “fair market value” as of January 1 of each year. The Wisconsin Property Assessment Manual (“WPAM”) makes it clear that in the case of partially completed improvements, the assessor must value the improvements as they exist on the assessment date. Accordingly, hospitals with facilities currently under construction need to document the state of building as of January 1, 2020. Key documentation may include photographs and time-lapse construction progress videos. Assessors typically conduct an on-site inspection when there have been significant construction changes, and may also request additional documentation such as construction contracts and blueprints.

Assessors frequently utilize the cost approach when valuing new construction. One way to assess value for an under-construction project is to look at construction draws. This method has the appeal of simplicity but does not always produce accurate results. For example, if there have been construction draws of $12 million as of January 1 on a $30 million project, an assessor might be inclined to give the property a fair market value of $12 million as of that date. It is entirely possible, however, that $1 million of that work was done on grading, soil stabilization, or other site development work that adds no value to the building from a “fair market value” perspective. Accordingly, the owner should be armed with knowledge of the actual condition of the building, including statements from the project manager, showing the value of what is “in the ground” as of the assessment date.

While it is important that new exemption applications document value as of January 1, the most important piece of the application involves documentation of exempt use. Recent litigation has focused on whether outpatient clinics or satellite hospital facilities are being used as a “doctor’s office,” which may disqualify the facility from exemption. The Wisconsin courts have identified the following list of factors that must be considered and evaluated when determining whether real property is used as an exempt hospital or as a doctor’s office:

  1. Do physicians own or lease the facility or equipment or are they hospital owned?
  2. Do physicians at the facility receive “variable compensation,” that is, compensation based on their productivity?
  3. Do physicians at the facility employ or supervise non-physician staff, or receive extra compensation for such duties?
  4. Do the facility and hospital generate separate billing statements or use separate billing software?
  5. Do the physicians in the facility have office space in the facility?
  6. Does the facility provide care on an outpatient, as opposed to inpatient, basis?
  7. Is the facility only open during regular business hours during which time the physicians generally see patients by appointment or is there 24/7 urgent care?

It should also be noted that the exemption for a nonprofit hospital is not an all-or-nothing proposition—partial exemptions are permitted. For example, in a seminal case interpreting the breadth of the nonprofit hospital exemption, Covenant Healthcare System, Inc. v. City of Wauwatosa, the Wisconsin Supreme Court upheld Covenant Healthcare System’s application for an exemption for 3 out of 5 floors in an outpatient clinic. The other floors did not fall within the criteria for the hospital exemption because they were doctors’ offices, among other reasons.

Another use-related issue involves the exempt status of vacant space in newly constructed hospital facilities. The WPAM acknowledges that “hospitals often construct oversize additions to anticipate technological and industrial changes and to reduce the unit cost of construction.” Assessors will generally treat this space as exempt so long as it meets the following conditions:

  • The hospital is exempt.
  • The space is attached to an existing hospital.
  • The projected use of the space is declared in the board minutes, in the general building plans, and in the blueprints and is consistent with exempt hospital use.
  • The building specifications and actual construction-to-date include features appropriate for hospital space.
  • The owner annually declares by affidavit that the space will be used as hospital space that would normally be exempt.

Hospitals intending to seek exemption for vacant space in new construction should ensure that they have appropriate documentation for these elements as of January 1.

Wisconsin law states that property tax exemption claims are strictly construed in favor of taxability. Given today’s climate of tight budgets, assessors are understandably conservative in their exemption determinations as they try to protect their tax base. Vigilance and thorough preparation are the keys to obtaining exemption under § 70.11(4m). Hospitals that are planning to file an exemption application by March 1 of this coming year, particularly for property that might have been taxable in the past as a physician clinic, should begin preparing their exemption applications no later than January 1 with an eye on these requirements.

Finally, note that owners of property exempt under sec. 70.11, Wis. Stats., are required to file a Tax Exemption Report form with the municipal clerk in each even-numbered year. Reports are due March 31, 2020.

Federal Tax Exemption under IRC § 501(c)(3)

Hospitals claiming exemption under IRC § 501(c)(3) have been under the microscope for the past several years; judging from events in 2019, that pattern will continue in 2020.

Senator Charles Grassley (R-Iowa) is back at the helm of the Senate Finance Committee and is once again pushing for increased transparency and oversight, including hospital adherence to community benefit requirements. In February 2019, Senator Grassley asked that IRS Commissioner Charles Rettig provide a briefing on the scope of IRS audits of tax-exempt hospitals on matters including charity care, financial assistance, and billing and collection policies. Senator Grassley called into question hospital compliance with the standards set by Congress and made it clear that he expects IRS enforcement to include all of the tools in its toolbox, including denial of exempt status. He specifically asked for details on how many hospitals have been found to be out of compliance with § 501(c)(3) requirements and how the IRS is dealing with noncompliant hospitals. In October of this year, Senator Grassley wrote to the University of Virginia Health System regarding a news report that the System’s financial assistance and debt-collection practices did not comply with its obligations as a tax-exempt entity, as well as regarding possible issues on overcharging.

Nonprofit hospitals and health systems can expect increasing scrutiny on Schedule H of Form 990. Past analyses of Schedule H reporting have found inaccuracies and inconsistencies in reporting of community benefits and financial assistance policies, including how financial assistance policies are publicized – these areas should receive particular attention when preparing 990 forms in the coming year. Form 990 is due on the 15th day of the 5th month following the end of the organization’s taxable year. Hospitals and health systems with September 30 fiscal years will need to file their 990 forms by February 15, while organizations on a calendar year have a due date of May 15.

Conclusion

Nonprofit hospitals remain under attack regarding their tax-exempt status. It is extremely important—now more than ever—for administrators to have a familiarity with the law and the criteria necessary to maintain their exemptions into the future. Proper planning heading into 2020 is an important key to that success.


©2019 von Briesen & Roper, s.c.


CMS Issues Final Regulations For Hospital Price Transparency

On November 15, 2019, the U.S. Department of Health and Human Services (HHS) Centers for Medicare and Medicaid Services (CMS) announced final regulations implementing greater price transparency requirements for hospitals. Issued on the heels of a Trump Administration Executive Order directing HHS to propose regulations on increased price transparency, the new regulations modify and finalize CMS’ earlier guidance implementing section 2718(e) of the Public Health Service Act, to further expand price transparency requirements for hospitals. (See our previous analysis of the Executive Order here.) Effective January 1, 2021, the new regulations will be located at 45 C.F.R. 180.00 et seq. and will require hospitals to make accessible specific “standard charge” pricing data for all “items and services” provided. Furthermore, the regulations include special requirements for posting pricing information about “shoppable services.” Key details are summarized below:

Important Definitions (45 CFR 180.20)

  • Hospital. The regulations apply to any institution licensed as a hospital under applicable state law.
  • Items and Services. The regulations require pricing data on all items and services “including individual items and services and service packages, that could be provided by a hospital to a patient in connection with an inpatient admission or an outpatient department visit for which the hospital has established a standard charge.”
  • Shoppable Service. The regulations define a shoppable service as a service that a consumer can schedule in advance.
  • Standard Charge. Hospitals must post the following five standard charges:
    1. Gross charge – The price on the hospital’s chargemaster with no discounts.
    2. Payer-specific negotiated charge – The charge negotiated with a third-party payer.
    3. De-identified minimum negotiated charge – The lowest charge the hospital has negotiated with all third-party payers for an item or service.
    4. De-identified maximum negotiated charge – The highest charge the hospital has negotiated with all third-party payers for an item or service.
    5. Discounted cash price – The charge for an individual who pays cash for an item or service.

Substantive Requirements (45 CFR 180.40-180.60)

All hospitals must now make public two items related to pricing: (a) a machine-readable file containing a list of all standard charges for all items and services, and (b) a consumer-friendly list of standard charges for a limited set of shoppable services. Each of these components is described in more detail below.

  • All Items and Services. Each hospital must establish a list of standard charges for all items and services they provide. This list must include a description of each item or service, the five standard charges (applicable to both inpatient and outpatient services), and any common identifier billing or accounting code used by the hospital. This information must be published on a publicly accessible website in a single searchable digital file without any barriers to access. The posting requirement will apply to each hospital location operating under the same license if the location has different standard charges.
  • Shoppable Services. Each hospital must establish a list of standard charges for 300 shoppable services. This list must include any of the 70 CMS-specified shoppable services the hospital provides and as many additional shoppable services determined by the hospital as needed to reach the 300-service threshold (a hospital that provides fewer than 300 shoppable services must publish all of them). The list must include a plain language description of the service, indicators of CMS shoppable services that are not offered, the standard charges – except for the gross charge – for all shoppable services (the gross charge only needs to be posted if the hospital does not offer a discounted cash price), the locations where the shoppable service is provided and any location-specific pricing, and any common identifier billing or accounting code used by the hospital. The hospital may choose the format of publication, but it must be on the internet, accessible without barriers, and prominently located. Compliance with this requirement can occur if a hospital maintains an internet-based price estimator tool for the relevant services.

Enforcement (45 CFR 180.70-180.90)

CMS will monitor compliance by fielding complaints about hospitals, reviewing individuals’ or entities’ analysis of noncompliance, and auditing hospital websites. If noncompliance is detected, CMS will have the authority to issue warning letters, request a corrective action plan, and potentially impose civil monetary penalties up to a maximum of $300 per day.

The regulations go into effect January 1, 2021, giving hospitals a little more than a year to develop a plan for compliance.


Copyright © 2019 Robinson & Cole LLP. All rights reserved.


Federal Court Temporarily Blocks Health Insurance Requirement for Immigrant Visa Applicants

On November 2, 2019, the U.S. District Court for the District of Oregon issued a temporary restraining order, blocking the Trump administration from enforcing a recent presidential proclamation requiring health insurance for immigrant visa applicants. The proclamation, which had been scheduled to take effect on November 3, 2019, would have required certain immigrant visa applicants to prove that within 30 days of their entering the United States they would have approved health insurance or that they otherwise possessed the “financial resources” to cover “reasonably foreseeable medical costs.”

The restraining order will remain in effect for 28 days. In the meantime, the court will hear arguments on November 22, 2019, to determine if the proclamation warrants a preliminary injunction.


© 2019, Ogletree, Deakins, Nash, Smoak & Stewart, P.C., All Rights Reserved.


CMS’s Request for Information Provides Additional Signal That AI Will Revolutionize Healthcare

On October 22, 2019, the Centers for Medicare and Medicaid Services (“CMS”) issued a Request for Information (“RFI”) to obtain input on how CMS can utilize Artificial Intelligence (“AI”) and other new technologies to improve its operations.  CMS’ objectives to leverage AI chiefly include identifying and preventing fraud, waste, and abuse.  The RFI specifically states CMS’ aim “to ensure proper claims payment, reduce provider burden, and overall, conduct program integrity activities in a more efficient manner.”  The RFI follows last month’s White House Summit on Artificial Intelligence in Government, where over 175 government leaders and industry experts gathered to discuss how the Federal government can adopt AI “to achieve its mission and improve services to the American people.”

Advances in AI technologies have made the possibility of automated fraud detection at exponentially greater speed and scale a reality. A 2018 study by consulting firm McKinsey & Company estimated that machine learning could help US health insurance companies reduce fraud, waste, and abuse by $20-30 billion.  Indeed, in 2018 alone, improper payments accounted for roughly $31 billion of Medicare’s net costs. CMS is now looking to AI to prevent improper payments, rather than the current “pay and chase” approach to detection.

CMS currently relies on its records system to detect fraud. Currently, humans remain the predominant detectors of fraud in the CMS system. This has resulted in inefficient detection capabilities, and these traditional fraud detection approaches have been decreasingly successful in light of the changing health care landscape.  This problem is particularly prevalent as CMS transitions to value-based payment arrangements.  In a recent blog post, CMS Administrator Seema Verma revealed that reliance on humans to detect fraud resulted in reviews of less than one percent of medical records associated with items and services billed to Medicare.  This lack of scale and speed arguably allows many improper payments to go undetected.

Fortunately, AI manufacturers and developers have been leveraging AI to detect fraud for some time in various industries. For example, the financial and insurance industries already leverage AI to detect fraudulent patterns. However, leveraging AI technology involves more than simply obtaining the technology. Before AI can be used for fraud detection, the time-consuming process of amassing large quantities of high-quality, interoperable data must occur. Further, AI algorithms need to be optimized through iterative human quality reviews. Finally, testing the accuracy of the trained AI is crucial before it can be relied upon in a production system.

In the RFI, CMS poses many questions to AI vendors, healthcare providers and suppliers that likely would be addressed by regulation.  Before the Federal government relies on AI to detect fraud, CMS must gain assurances that AI technologies will not return inaccurate or incorrect outputs that could negatively impact providers and patients. One key question raised involves how to assess the effectiveness of AI technology and how to measure and maintain its accuracy. The answer to this question should factor heavily into the risk calculation of CMS using AI in its fraud detection activities. Interestingly, companies seeking to automate revenue cycle management processes using AI have to grapple with the same concerns.  Without adequate compliance mechanisms in place around the development, implementation and use of AI tools for these purposes, companies could be subject to a high risk of legal liability under the Federal False Claims Act or similar fraud and abuse laws and regulations.

In addition to fraud detection, the RFI seeks advice as to whether new technology could help CMS identify “potentially problematic affiliations” in terms of business ownership and registration.  Similarly, CMS is interested in feedback on whether AI and machine learning could speed up the current expensive and time-consuming Medicare claim review processes and Medicare Advantage audits.

It is likely that this RFI is one of many signals that AI will revolutionize how healthcare is covered and paid for moving forward.  We encourage you to weigh in on this ongoing debate to help shape this new world.

Comments are due to CMS by November 20, 2019.


©2019 Epstein Becker & Green, P.C. All rights reserved.
