Olympus to Pay $623.2 Million to Resolve Allegations of Kickbacks

Olympus Corporation of the Americas, the United States’ largest distributor of endoscopes and related medical equipment, recently agreed to pay $623.2 million to resolve criminal charges and civil claims, according to a United States Department of Justice (DOJ) press release on March 1, 2016. The settlement is a result of a qui tam action alleging violations of the Federal False Claims Act (FCA), Federal Anti-Kickback Statute (AKS), and analogous state statutes for paying kickbacks to physicians and hospitals to induce the purchase of Olympus medical and surgical equipment. Olympus was required to enter into a Corporate Integrity Agreement and a Deferred Prosecution Agreement that, among other things, includes an executive financial recoupment program that will cause company executives to forfeit certain compensation if they are associated with future misconduct.

The relator and government alleged that, because the Olympus equipment used for treatment was purchased as a result of a kickback, Olympus caused the physicians and hospitals to file false claims for treatment under Medicare, TRICARE, and Medicaid in violation of the FCA and state law. The kickbacks themselves were prohibited under the AKS. Both federal laws have separate penalties that were combined in this settlement, which is a reminder to the health care industry that liability under the FCA and AKS can reach staggering amounts.

What Providers Should Know

  • If an employee raises a compliance concern, investigate and appropriately address the concern. Do not retaliate. While the Olympus relator was a former Chief Compliance Officer with a long employment history at Olympus, individuals at all levels and with all degrees of experience may have enough insight into company practices to identify areas of compliance vulnerability. If the company ignores their concerns or otherwise fails to correct non-compliance, those same individuals will be armed with the information needed to file a qui tam action.

  • Prohibited remuneration under the AKS may take many forms. For instance, the remuneration that Olympus allegedly provided to physicians and hospitals included free use of medical equipment, unprotected discounts, payments disguised as grants for educational or research programs, payments to physicians in excess of fair market value for speaking engagements, vacations, meals, and entertainment.

  • If referring health care providers receive remuneration, the compensation arrangements should be carefully structured to meet applicable AKS safe harbors. Remuneration in the form of medical equipment discounts, leases, or payments for speaking engagements increases a company's exposure under the AKS unless the arrangement is structured to qualify for the relevant safe harbor.

  • An effective and robust compliance program is essential. In addition to allegations of kickbacks, the federal government also focused on Olympus’ alleged lack of appropriate training, knowledgeable compliance staff, and compliance programs to prevent and identify violations of the AKS and other federal health care laws.

Background and Alleged Misconduct – Kickbacks and More Kickbacks

The relator in the qui tam action was an 18-year employee of Olympus and was appointed Chief Compliance Officer of Olympus in 2009. Prior to 2009, Olympus had no compliance department. The relator alleged that, as Chief Compliance Officer, he began to try to “eliminate the illegal and systemic practices” described below, but was met with inaction, retaliation, harassment, and severe resistance. In March 2010, Olympus relieved the relator of all his compliance duties and months later terminated his employment. The relator thereafter filed a qui tam action against Olympus.

The relator and government alleged that, from 2006 to 2011, Olympus induced physicians and hospitals to purchase Olympus endoscopes and other medical and surgical equipment by way of the following:

  • Providing free medical equipment and discounts to hospitals and physicians to induce them to purchase surgical consumables produced by Olympus.

  • Paying sales reps stipends of $2,300 that were meant to be used to entertain physicians.

  • Paying physicians tens of thousands and as much as $100,000 per year for consulting services, often without written agreements.

  • Providing physicians and hospitals with millions of dollars worth of free medical equipment, categorized as “permanent loans,” “leases,” “promotions,” “demo units,” “samples,” and “trade-ins.”  In one case, the relator and the government alleged that Olympus provided a physician with approximately $400,000 in endoscopes and other equipment to use without charge in the physician’s private practice, allegedly resulting in one hospital’s decision to purchase millions of dollars of Olympus products.

  • Leasing products to physicians on a debt forgiveness program under which Olympus wrote off debt if the physician entered into a new lease for new products.

  • Paying physicians honorariums for speaking engagements, often without speaker agreements.

  • Paying out grants of hundreds of thousands of dollars from a grant committee made up entirely of sales reps, marketing people, and customer relation personnel.

  • Paying for physicians’ golf trips and vacations, including week-long trips to Japan with sightseeing excursions and lavish entertainment included.

The relator alleged that, because of the aforementioned conduct, Olympus facilitated more than $600 million in sales, earning more than $230 million in gross profits.

Agreements to the Olympus Settlement

The Olympus settlement contains three written agreements: a Civil Settlement Agreement, a Deferred Prosecution Agreement (DPA), and a Corporate Integrity Agreement (CIA). Collectively, these agreements reiterate the monetary and non-monetary consequences to settling allegations of kickbacks and also provide invaluable insight into the government’s view of an effective compliance program.

  • Civil Settlement Agreement. To settle civil claims, Olympus agreed to pay the federal government and affected state governments $306 million total plus interest, with $263.16 million going to the federal government and the remaining $42.84 million to be divided among the states. The relator was awarded $43.4 million from the federal government’s share. Olympus also agreed to enter into a CIA with the government for five years as part of the civil settlement agreement.

  • Deferred Prosecution Agreement. The DPA indicates that the federal government will file on, or shortly after, the effective date of the DPA a criminal complaint charging Olympus with conspiracy to commit violations of the AKS. Under the DPA, Olympus agreed to pay the federal government $306 million plus interest in exchange for a three-year deferral of criminal prosecution, provided Olympus takes specific remedial actions. Such remedial actions include: (i) the development and implementation of an effective corporate compliance program; (ii) retention of an independent monitor to evaluate and monitor compliance with the DPA and review Olympus’ procedures and practices related to tracking loaned equipment, selecting and paying consultants, considering and awarding grants, and training and education programs; (iii) performance of specific duties by Olympus’ Chief Compliance Officer; and, (iv) enhancement and maintenance of existing training and education programs for all sales, marketing, legal, and compliance employees and senior executives. The DPA also includes an executive financial recoupment program that will cause company executives to forfeit certain compensation if they are associated with future misconduct. If Olympus fulfills its obligations, the government will not thereafter pursue a criminal conviction and will seek dismissal of the criminal complaint the federal government filed in connection with the alleged conduct.

  • Corporate Integrity Agreement. Olympus entered into a five-year CIA with the government to review and approve its compliance program, in exchange for the government’s promise not to seek exclusion of Olympus from Medicare, Medicaid, or TRICARE. The CIA sets forth many general obligations for Olympus to meet, including: (i) compliance responsibilities of specific Olympus employees and the board of directors; (ii) development and implementation of a health care compliance code of conduct and policies and procedures regarding the operation of Olympus’ compliance program; (iii) training and education programs; (iv) risk assessment and mitigation; and, (v) establishment of a mechanism, e.g., a compliance hotline, to enable individuals to disclose any identified compliance issues or questions.

The CIA further directs Olympus to meet the following specific requirements related to the alleged misconduct:

  1. Consulting arrangements. Olympus must require all consultants who are health care professionals to enter written agreements describing the scope of work to be performed, the fees to be paid, and compliance obligations for the consultant. Olympus will pay consultants according to a centrally managed, pre-set rate structure that is determined based on a fair-market value analysis.

  2. Grants and Charitable Contributions. Olympus must establish a grants management system that will be the exclusive mechanism through which requestors may request or be awarded grants.

  3. Management of Field Assets. Olympus must establish a system to manage medical and surgical equipment and products provided to health care professionals on a temporary basis.

  4. Review of Travel Expenses. Olympus must establish processes for the review and approval of travel and related expenses for health care professionals.

OCR Kicks Off HIPAA Audits After Issuing Two Major Settlements

On Monday, the HHS Office for Civil Rights (OCR) launched phase two of its much-anticipated audit program for covered entities and business associates. The announcement comes in the wake of OCR’s issuance of two major settlements—totaling more than $5 million—which highlighted the critical importance of managing the security basics, such as the business associate agreement (BAA) and the organization-wide risk analysis. These developments are summarized below, with practical tips that can help organizations mitigate related risks.

Summary

2016 Audit Program Begins

In announcing the 2016 audit program launch, OCR confirmed it will contact organizations by email to verify contact information and complete a pre-audit questionnaire. Organizations selected for audit will be subject to either a desk audit, an onsite audit or potentially both. Organizations will have a short period to produce requested documents, typically 10 business days, so it is important to have HIPAA privacy and security policies, security risk assessments, breach notification documentation, BAAs, and other HIPAA documentation up-to-date and readily available. While there is a detailed audit protocol from the phase one OCR audits, that protocol has not been updated for the final rules implementing the HITECH Act. OCR has committed to issuing an updated audit protocol closer to the date the audits will be conducted, which will set forth the criteria that auditors will review. Importantly, the phase two audits will extend to business associates. Although the risk of being selected for an audit is low, organizations would be well advised to review the existing and, when available, new audit protocols, conduct a compliance gap assessment and take corrective actions as needed, as part of overall HIPAA compliance efforts. While OCR states that the audits are primarily a compliance improvement activity, enforcement may follow where a serious issue is identified.

The North Memorial Settlement – The Importance of Business Associate Agreements

In the first of two recent settlements, North Memorial Health System, a nonprofit organization, will pay $1.55 million and enter into a two-year corrective action plan to settle charges that it violated HIPAA by failing to have a written BAA with a key contractor. OCR’s investigation followed the 2011 theft of an unencrypted laptop from a contractor’s workforce member’s vehicle. The settlement notes that the laptop contained protected health information (PHI) of approximately 9,497 North Memorial patients. For its part, the contractor separately settled HIPAA violations for $2.5 million, and entered into a related 20-year FTC consent order relating to its security procedures.[1] OCR also alleged that North Memorial failed to conduct an organization-wide risk analysis that covered all of its IT infrastructure.

OCR’s investigation indicated that North Memorial failed to execute a BAA with the contractor as required by the HIPAA Privacy and Security Rules. OCR asserted that North Memorial gave the contractor access to its hospital database, which stored the electronic PHI of 289,904 patients, as well as access to non-electronic PHI as it performed services on-site at North Memorial.[2] In total, OCR’s investigation found that, from March 21, 2011, to October 14, 2011, North Memorial impermissibly disclosed the PHI of at least 289,904 individuals to the contractor without obtaining a proper BAA.[3] The investigation further indicated that North Memorial failed to complete a comprehensive risk analysis to identify all potential risks and vulnerabilities to the electronic PHI (ePHI) that it maintained, accessed or transmitted across its entire IT infrastructure, as required by the HIPAA Security Rule.[4] In settling the matter, North Memorial did not concede liability.

In addition to the $1.55 million payment, North Memorial agreed to a two-year corrective action plan (CAP) that requires it to develop policies and procedures related to business associate relationships and to conduct an organization-wide risk analysis and risk management plan, as required under the HIPAA Security Rule.[5] The CAP also requires North Memorial to train appropriate workforce members on all policies and procedures newly developed or revised pursuant to the CAP.[6]

OCR has previously (and repeatedly) emphasized the importance of having an organization-wide, thorough analysis, which it reinforces here with North Memorial. In addition, this settlement highlights the importance that OCR attaches to having BAAs where required, which OCR describes as another “cornerstone” of effective security.[7] Further, the settlement illustrates that, when a breach occurs with a business associate, the impacted covered entity should expect OCR to request a copy of the underlying BAA. Where that BAA cannot be found, the covered entity and business associates should expect potential enforcement.

FIMR Settlement: Basic Compliance Required of All Covered Entities (and Business Associates)

In the second settlement, Feinstein Institute for Medical Research (FIMR), a nonprofit research institute, will pay $3.9 million and enter into a three-year corrective action plan to settle charges it violated HIPAA, following its breach when an employee’s unencrypted laptop containing patient information of 13,000 individuals was stolen. OCR’s investigation determined that FIMR’s security management process was limited, it had failed to conduct a thorough risk analysis, and lacked sufficient policies and procedures. In its press release, OCR emphasized that it expects research institutions that are covered entities to comply with the same standards as other covered entities.

OCR’s investigation of FIMR stemmed from a self-reported breach after an employee’s unencrypted laptop was stolen. Based on the resolution agreement, OCR’s investigation appears to have identified widespread non-compliance. For example, OCR alleged that FIMR: (1) failed to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to all of the ePHI held by FIMR, including the ePHI on the employee’s laptop; (2) failed to implement policies and procedures for granting access to ePHI by its workforce members and restricting access by unauthorized users; (3) failed to implement physical safeguards for the laptop; (4) failed to implement policies and procedures that govern receipt and removal of hardware and electronic media that contain ePHI into and out of a facility, and the movement of these items within the facility; and (5) failed to encrypt ePHI on the laptop or, alternatively, document why encryption was not reasonable and appropriate and implement an equivalent safeguard.

As part of an extensive three-year CAP, FIMR must conduct an organization-wide risk analysis and develop a corresponding risk management plan, develop a process for evaluating environmental or operational changes to the security of ePHI, revise its policies and procedures for privacy and security, and provide extensive training and reporting.

Tips to Mitigate Risks

Covered entities and business associates can enhance HIPAA compliance, and reduce audit risk, by taking a number of practical steps outlined below.

Business Associate Risks:

  1. train workforce (at onboarding and at least annually thereafter) to recognize situations where a BAA (or subcontractor BAA) is required and understand how to activate the organization’s process for securing one;

  2. conduct periodic audits of existing outside service relationships to ensure that all necessary BAAs (or subcontractor BAAs) are, in fact, in place;

  3. periodically audit BAAs (and subcontractor BAAs) on file to ensure they are fully compliant (including as to the final HITECH rule content requirements), in full force and effect, and readily retrievable; and

  4. retain records of training and audits conducted for at least six years.

This also is an excellent time for covered entities and business associates to re-examine the effectiveness of their processes for conducting initial diligence and periodic audits of the security compliance of their key business associates and subcontractors.

Risk Analysis:

While not a new point, it remains critical for covered entities and business associates to conduct and document the requisite security risk analysis on a regular basis, and to take prompt corrective action to manage identified risks. It is particularly important to ensure that the risk analysis covers all ePHI maintained, accessed or transmitted across the organization’s entire IT infrastructure, including but not limited to all applications, software, databases, servers, workstations, mobile devices and electronic media, network administration and security devices, and associated business processes. This can be a challenge—particularly in light of the pace of developments and acquisitions/consolidations in the health care industry—but it is essential. Organizations should develop a complete inventory of all electronic equipment, data systems, and applications controlled, administered or owned by the organization and its workforce that contain or store ePHI, including personally owned devices. The inventory process should also capture equipment purchased outside of standard procurement processes, since such equipment is easily missed by an inventory built from procurement records alone.

Audit Preparation Tips:

  1. Confirm that all required HIPAA privacy and security policies and procedures are implemented and up-to-date;

  2. Make sure a thorough, organization-wide security risk analysis as described above has recently been conducted, and that resulting corrective actions have been taken;

  3. Confirm that BAAs are fully up-to-date and accessible, and follow the steps above to further reduce business associate risks;

  4. Use the audit protocols to conduct a gap assessment;

  5. Be prepared to provide documentation showing that breach notices have been provided as required by HIPAA; and

  6. Covered entities should ensure their notices of privacy practices are up-to-date and provided as required.

Other Basics:

  1. Encryption: Encryption of laptops, thumb drives and other mobile devices remains a critical risk mitigation strategy. HIPAA does not require encryption of ePHI in every case; however, it does require organizations to specifically address, as part of their required risk analysis, whether encryption is a reasonable and appropriate safeguard. If it is, the organization must encrypt; if it is not, the organization must document why encryption is not reasonable and appropriate and adopt an equivalent alternative safeguard. In addition, encryption consistent with the HHS guidance provides a “safe harbor” from breach notification under HIPAA in the event of loss of encrypted data, and generally obviates the need to make state law data breach notifications as well. Further, because encryption will, in fact, be “reasonable and appropriate” in many cases, it is often effectively required.

  2. Training: The scope and frequency of training also should be regularly reviewed to ensure training covers key aspects of privacy and security policies. In addition, training should address current and emerging threats and risk areas. For example, in light of the significant role of phishing attacks and malware in cyber-breaches, training should include employee awareness of how to identify and respond to these types of attacks.
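The risk-analysis inventory and the encryption decision above reduce to a few questions that must be answered for every asset holding ePHI: is it in the inventory at all (including personally owned and off-procurement devices), is it encrypted, and if not, is there a documented rationale and alternative safeguard? The following is an added illustration, not code from the original article or from OCR, of how a security team might run those checks over an asset register. The record layout, the field names, and the sample inventory are all constructed for the example; real registers will carry more fields, and "encrypted" here is assumed to mean encryption consistent with the HHS guidance referenced above.

```python
"""Asset-register checks for ePHI-bearing devices (added example; constructed data).

For every asset that stores ePHI, a Security Rule risk analysis has to answer:
  1. Is the asset actually in the inventory? Personally owned (BYOD) devices and
     equipment bought outside standard procurement are the usual blind spots.
  2. Is it encrypted? If not, is there a documented "not reasonable and
     appropriate" decision plus an alternative safeguard?
  3. If it were lost or stolen, would breach notification be triggered?
     (Encryption consistent with HHS guidance is the safe harbor.)
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    asset_id: str
    kind: str                    # laptop, usb, phone, workstation, ...
    owner: str                   # "organization" or "personal" (BYOD)
    standard_procurement: bool   # acquired through the normal procurement process
    stores_ephi: bool
    encrypted: bool              # device/full-disk encryption per HHS guidance (assumed)
    exception_documented: bool   # written rationale and alternative safeguard on file


# Constructed sample inventory; not real assets or real data.
INVENTORY = [
    Asset("LT-001", "laptop", "organization", True, True, True, False),
    Asset("LT-002", "laptop", "organization", True, True, False, False),
    Asset("USB-07", "usb", "organization", False, True, False, True),
    Asset("PH-019", "phone", "personal", False, True, False, False),
    Asset("WS-100", "workstation", "organization", True, False, False, False),
]


def notification_likely_required(asset: Asset) -> bool:
    """Loss or theft of unencrypted ePHI is presumptively a reportable breach;
    encryption per HHS guidance is the safe harbor, so an encrypted device is not."""
    return asset.stores_ephi and not asset.encrypted


def encryption_findings(inventory):
    """Assets holding ePHI that are neither encrypted nor covered by a documented
    exception with an alternative safeguard. These are the risk-analysis gaps."""
    return sorted(
        a.asset_id for a in inventory
        if a.stores_ephi and not a.encrypted and not a.exception_documented
    )


def coverage_gaps(inventory):
    """ePHI-bearing assets an inventory built only from procurement records or
    only from organization-owned devices would miss."""
    return sorted(
        a.asset_id for a in inventory
        if a.stores_ephi and (a.owner == "personal" or not a.standard_procurement)
    )


def risk_report(inventory):
    """Combine the three checks into one summary keyed by finding type."""
    return {
        "needs_encryption_or_documented_exception": encryption_findings(inventory),
        "loss_would_trigger_notification": sorted(
            a.asset_id for a in inventory if notification_likely_required(a)
        ),
        "outside_standard_inventory_sources": coverage_gaps(inventory),
    }


if __name__ == "__main__":
    for finding, assets in risk_report(INVENTORY).items():
        print(f"{finding}: {assets}")
```

Note that USB-07 does not appear as an encryption finding because an exception is documented, but it still appears under loss_would_trigger_notification: a documented exception satisfies the Security Rule's addressable-specification requirement, but it does not provide the breach-notification safe harbor that encryption does. That distinction is the practical reason encryption ends up "effectively required" for portable devices.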


[1] The related 2012 settlement by business associate Accretive Health with the Minnesota attorney general for violations of the HIPAA rules and state law was widely touted within the industry as the first HIPAA enforcement action against a business associate. See Settlement Agreement, Release, and Order, 12-cv-00145, ECF No. 90 (July 30, 2012). Because the breach occurred prior to the issuance of final rules implementing the HITECH Act’s extension of direct liability for HIPAA violations to business associates, OCR—the primary federal HIPAA enforcement agency—had indicated it would not enforce the HITECH Act changes against business associates until issuance of the final rules. However, this did not prevent the Minnesota attorney general from proceeding to enforce HIPAA, using newly expanded enforcement authority granted to state attorneys general under the HITECH Act. Accretive Health also entered into a related, 20-year consent order with the FTC, pursuant to which no fine or penalty was paid but in which Accretive Health agreed to establish and maintain a comprehensive information security program, and to periodic evaluations of that program. See Press Release, FTC approves final consent order settling charges that Accretive Health failed to adequately protect consumers’ personal information (Feb. 24, 2014).

[2] See North Memorial Resolution Agreement and Corrective Action Plan, I.2.A, (Mar. 16, 2016).

[3] See id. at I.2.B.

[4] See id. at I.2.C.

[5] See id. at I.V.A-C.

[6] See id. at I.V.D.

[7] See Press Release, $1.55 million settlement underscores the importance of executing HIPAA business associate agreements (Mar. 16, 2016).

More Than Family Affair: Six-Figure HIPAA Penalty Upheld for Unrepentant Home Care Agency due to PHI Access by Spurned Spouse of Employee

Introduction

The Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 and the regulations promulgated thereunder (“HIPAA”) should be now well-known to health care providers and health plans.  Under HIPAA’s “Privacy Rule,” covered entities must take steps to “reasonably safeguard” protected health information (“PHI”) from any “intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications or other requirements” of the Privacy Rule.  What is also becoming painfully clear is the growing financial and reputational risks to covered entities (and business associates) from a breach of HIPAA’s Privacy or Security Rules stemming from unauthorized access or disclosure of PHI.

A recent ruling by a U.S. Department of Health and Human Services Administrative Law Judge (“ALJ”) in the case of Director of the Office for Civil Rights v. Lincare, Inc., (Decision No. CR4505, Jan. 13, 2016), underscores the substantial penalties that a health care provider can face, even for relatively small-scale HIPAA violations, particularly if the provider determines to not settle with the Office of Civil Rights (“OCR”) and instead contests the claimed violations.  In Lincare, a home care agency was found to have violated the Privacy Rule when an unauthorized person (the husband of a home health employee) was able to access patient records after the employee had removed records from the agency and taken them into the field as part of her job.  Specifically, the ALJ upheld a civil monetary penalty (“CMP”) of $239,800 imposed by OCR – only the second time the OCR has sought CMPs for violations of HIPAA’s Privacy Rule.  In a unique twist, OCR was alerted to the improper disclosures when the “estranged husband” of an employee of the home care agency complained to OCR that his wife allowed him to access documents containing PHI when she moved out of the marital home and left patient records behind.

Background

Lincare Home Care Agency.  The respondent Lincare, Inc., d/b/a United Medical (“Lincare”) supplies respiratory care, infusion therapy, and medical equipment to patients in their homes.  Lincare operates more than 850 branch locations in 48 states.  As Lincare explained, because its employees provide services in the homes of patients, they often remove patient records containing PHI from its branch locations.  Additionally, according to Lincare, managers of the various Lincare branch offices are required to maintain in their vehicles copies of Lincare’s “Emergency Procedures Manual,” which contains PHI of Lincare patients, so that employees could access patient contact information if an office was destroyed or otherwise inaccessible.

PHI at Issue.  Faith Shaw was a Lincare branch manager in Wynne, Arkansas from October 2005 until July 2009 and maintained the “Emergency Procedures Manual,” with PHI of 270 Lincare patients, as well as patient-specific documents of eight Lincare patients.  The patient records and Manual were apparently hard copies, and not electronically secured through encryption or authentication.

Disclosure of the PHI.  Ms. Shaw kept the records containing PHI in her car and in her marital home, where her husband lived.  After a falling out with her husband Richard in August 2008, Ms. Shaw moved out of the marital home and left the documents containing the PHI behind in her home and car.  In November of 2008, Mr. Shaw, who was concededly not authorized to access the Lincare PHI, reported to Lincare and OCR that he had in his possession the Emergency Procedures Manual and the eight patient files left behind by his wife.

OCR’s Investigation and Action.  Following its investigation, OCR determined that Ms. Shaw:  (a) kept the PHI either in her vehicle or home, to which Mr. Shaw had access; (b) maintained the PHI without proper safeguards, (c) knew or reasonably should have known that the manner in which she kept the PHI did not reasonably safeguard such PHI, and (d) knew or reasonably should have known that Mr. Shaw had ready access to the PHI.  While acknowledging that the provision of home care services may require providers to remove PHI from their offices, OCR found that Lincare’s policies and procedures did not adequately instruct its employees how to maintain PHI taken off the premises in a safe and secure manner and that Lincare did not properly record or track removed PHI.  Unlike the majority of HIPAA violations cited by OCR against providers, Lincare did not settle with OCR and instead determined to contest OCR’s charges.

In the absence of a settlement, OCR cited the following “aggravating” factors for imposing a substantial CMP against Lincare:

  • The length of time Lincare allowed employees to transport PHI away from the office without appropriate and reasonable safeguards; and

  • Lincare’s failure to promptly review and enhance its HIPAA policies for safeguarding PHI taken off premises even after it was notified of the improper disclosure.

Accordingly, OCR sought to impose a CMP totaling $239,800 for Lincare’s alleged violations of HIPAA’s Privacy Rule, broken down as follows:

  • Impermissibly disclosing PHI:  OCR determined that Lincare had improperly disclosed PHI of 278 patients in November of 2008, which then carried a penalty of $100 per patient.  OCR imposed a penalty of $25,000 – the maximum penalty that could be applied in the 2008 calendar year.

  • Failure to safeguard PHI:  OCR determined that the failure to safeguard the PHI lasted from February 1, 2008 through November 17, 2008, which carried a penalty of $100 per day.  OCR imposed an additional penalty of $25,000 – the maximum penalty that could be applied in the 2008 calendar year.

  • Failure to implement policies and procedures to ensure compliance with the Privacy Rule:  OCR determined that Lincare’s failure continued from (a) February 1, 2008 through December 31, 2008, at a penalty of $100 per day, with a maximum of $25,000 per calendar year, (b) January 1, 2009 through February 17, 2009, at a penalty of $100 per day, which totaled $4,800, and (c) from February 18, 2009 through July 28, 2009, during which time, penalty amounts were increased pursuant to the adoption of the HITECH Act, and which OCR determined to be $1,000 per day, totaling $160,000.

Significantly, in effectively stacking CMPs for separate HIPAA violations, one on top of another—although arising from the same breach or continued breach—OCR was able to multiply the aggregate size of penalties to $239,800.  At the same time, OCR determined that there was no basis to waive the imposition of the CMP because there was no evidence that the payment of a CMP would be excessive relative to the violations that it found.

Lincare appealed OCR’s determination before an ALJ.  OCR moved for summary judgment, arguing that there was no genuine issue of material fact concerning the HIPAA violations and that it was entitled to impose the aggregate CMP as a matter of law.

The ALJ’s Analysis

The ALJ granted OCR’s motion for summary judgment, finding that the evidence established that Lincare had violated HIPAA, and upheld the CMP of $239,800.

Theft is No Defense to Improper Disclosures:  In its defense, Lincare claimed that it was not responsible for the improper disclosure because it was the victim of a theft.  Specifically, Lincare claimed that Mr. Shaw “stole” the PHI from his wife and “attempted to use it as leverage to induce his estranged wife to return to him.”  The ALJ rejected this argument, concluding that Lincare was obligated to take “reasonable steps to protect its PHI from theft.”  The ALJ explained that Lincare violated this obligation when Ms. Shaw took documents out of the office and left them in her car or home, allowing her husband to access them, and then completely abandoned them.

Lincare’s Policies Did Not Properly Address the Removal of PHI:  The ALJ also found that Lincare’s privacy policy failed to properly address the security of records removed from the office for use in the field, and monitor removed records to ensure their return.  When asked about specific guidelines for safeguarding PHI taken out of its offices, Lincare’s Corporate Compliance Officer replied that Lincare personnel “considered putting a policy together that said thou shalt not let anybody steal your protected health information.”  The ALJ did not “consider this a serious response.”

Key Takeaways

Consider Settling with OCR to Avoid a CMP:  The OCR’s imposition of a CMP, and the ALJ’s decision to affirm this penalty, represents only the second time a CMP has been imposed for a violation of the HIPAA Privacy Rule, and the first one in which an ALJ ruled on the merits.  Typically, OCR attempts to resolve HIPAA violations informally, but could not reach such a resolution with Lincare in this case.  Had a resolution been reached, the OCR would likely not have sought and secured such a substantial CMP based on “aggravating factors,” with the resultant fine likely to have been significantly lower.

Consider Encryption or other Means for Accessing PHI Remotely:  Employees of home care agencies often need to access PHI in the field when providing services.  However, the provider should consider restricting access only through electronic devices, with appropriate encryption and user authentication, to prevent unauthorized users from accessing these records.

Update Policies and Procedures:  Policies and procedures should detail for employees when patient records can be removed from the office and taken into the field, and under what circumstances; and identify how such records containing PHI should be safeguarded from disclosure.

Implement a System to Track Removed PHI:  Similarly, a system should be implemented to record and track the removal of records containing PHI so as to allow the health care provider to account for and maintain oversight over removed documents.

Regularly Train Employees:  Having detailed policies and procedures is not enough; all employees should be regularly trained on the HIPAA Privacy and Security Rules, and the agency’s corresponding HIPAA policies and practices.  To reinforce training, to the extent any PHI is removed from the premises, employees should be continually reminded not to allow unauthorized persons—including a spouse or other family or friends—to access the records.

A Twisting Path: Illinois Licensure Actions Against Physicians, Nursing Home Administrators, Nurses, and Other Professionals

The Illinois Department of Financial & Professional Regulation (the Department), Division of Professional Regulation (the Division), regulates the licenses of numerous professionals in the health care fields, including physicians, nurses, nursing home administrators, and many others. For health care professionals facing an investigation, hearing, or potential disciplinary action related to alleged misconduct, the Division’s process can seem quite daunting and confusing. The information provided below, along with the advice of experienced legal counsel, can help you navigate this twisting path.

Notifications and Investigations

Most disciplinary actions are for the overly broad and subjective reason of “unethical or unprofessional conduct.” Individuals can come to the Division’s attention through complaints by dissatisfied patients, co-workers, or supervisors, or by referrals from other regulatory bodies such as the Illinois Department of Public Health (IDPH) or the Illinois Department of Healthcare and Family Services (IDHFS).

Although logic and efficiency dictate that the Division investigate any complaints it receives before alleging the licensed professional might have violated applicable regulations, that is not always the case. More often than not, the “investigation” begins with the filing of a notice to the licensee that the Division received a complaint, and the notice includes a request that the licensee appear at an informal conference. The Division sends such notices to the licensee’s home, as that is the address the Division has on file. Occasionally, licensees will be visited by an investigator at the place of business; this is usually done only when the state budget allows for such expenditures.

If this happens, then do not panic. For reasons detailed below, with the help of experienced counsel, many informal conferences result in the Division concluding that the licensee did nothing wrong.

There are numerous occasions when reporting to the Division is mandatory. For example, IDPH must report the names and license numbers of nursing home administrators when it cites certain deficiencies in a nursing home. Nurses who are administrators or officers of a health facility must report a nurse impaired by drugs or alcohol or who possesses, uses, or distributes drugs. IDHFS reports when physicians enter into integrity agreements or opt out of the Medical Assistance Program. If a health care licensee is accused of a sex crime, the prosecutor notifies the Division and the practitioner can only practice with a chaperone.

Disciplinary Conferences and Hearings

If the Division schedules an informal disciplinary conference, the licensee should consider hiring a lawyer. If the Division does not schedule an informal conference, then the licensee should ask the Division to do so. These conferences are typically handled by a Division attorney and a member of the relevant licensing board (the latter of whom usually takes the lead in asking questions and making the final decisions).

Informal disciplinary conferences generally take the place of an investigation and offer an excellent opportunity for the licensee to tell his or her side of the story. The board members who attend these conferences are typically in the same profession as the licensee (although not necessarily from the same kind of work environment), so they understand the practices, processes, and pressures facing the individuals who appear before them. The vast majority of such conferences end with a recommendation that no further action be taken.

A hearing is a far more formal process, conducted by an administrative law judge (ALJ) with a court reporter present and, generally, conducted according to the rules of evidence. Again, the licensee can and should be represented by counsel. One or more members of the relevant board may be present and may participate by questioning witnesses. The ALJ prepares a report that is then reviewed by a committee of board members before it goes to the director of the Department for a final order.

Disciplinary Actions

Activities that generate disciplinary actions include sister-state discipline, drug/alcohol issues, failures related to treatment, and bureaucratic issues. In looking at recent disciplinary actions reported over a seven-month period on the Division’s website, physicians were disciplined for sister-state discipline 58 times, for drug/alcohol transgressions 20 times, treatment problems 50 times and bureaucratic issues 40 times. Nurses were disciplined for sister-state discipline 92 times, drug/alcohol transgressions 88 times, treatment problems 21 times and bureaucratic issues 46 times. Only one nursing home administrator — one on a temporary license, at that — was disciplined for failure to report abuse in a timely manner.

Disciplinary actions can include reprimand, additional continuing education hours, inservices, probation (for a defined or indefinite period), restrictions, quality assurance audits, fines, suspension, refusal to renew, placement in permanent inactive status, or termination. The Division may also place a letter in a licensee’s file, but the letter is not considered discipline — as such, these letters do not appear on the Division’s website. These letters essentially tell the licensee to avoid doing whatever brought them to the attention of the Division in the first place. The Division can use such letters as a basis for progressive discipline if the licensee comes to the Division’s attention for a similar reason in the future.

Disciplinary actions in one state affect licensure status in other states. They also may affect a licensee’s ability to participate in the Medicaid and Medicare programs and to prescribe controlled substances. Even an investigation that does not result in a penalty must on some occasions be reported, and failure to do so may result in further disciplinary action.

Protect Your Privileges!

Remember, holding a professional license is a privilege, not a right. Such a privilege is always subject to strict scrutiny and can be restricted as necessary to assure that the public are not harmed in any way. Needless to say, seeking out knowledgeable counsel is always recommended.

Article By Frances D. Meehan of Much Shelist, P.C.

Take Note: Social Security and Medicare Benefits Changing in 2016

Claiming Social Security Twice is Eliminated

Prior to 2016, some married individuals who were 62 or older had claimed Social Security retirement benefits twice. Previously, a person whose spouse was at full retirement age and was herself or himself at an early retirement age, age 62 to 65, could claim spousal payments and then switch to payments based on their own work, which would then be higher because they were claiming it at an older age.

As of this year, however, workers who turn 62 in 2016 or later will not be able to claim both types of payments, but instead one or the other. However, the younger spouse can still claim spousal benefits when he or she turns 66, and those individuals will continue to contribute to their own Social Security Retirement benefit until age 70, thereby receiving a higher benefit when they begin to receive their full retirement benefits 4 years later.

Stricter Rules for Suspended Payment of Benefits

As of May 2016, the rules change for suspending your Social Security Retirement benefits until a later date when they would be higher, and this process will no longer be permitted. Previously, spouses and dependent children could claim payments based on your work record while your benefits were suspended and continued to grow.

This option is no longer available, however, as of May 2016. You will no longer be allowed to “file and suspend.” If the retired worker’s benefits are suspended, spousal and dependent benefits will not be paid.

Higher Medicare Part B Premiums for some Social Security Recipients

Most Social Security recipients will pay the same Medicare Part B premium in 2016, as they did in 2015. That amount is $104.90 per month. Increases in Medicare Part B premiums are tied to increases in Social Security benefits due to cost-of-living adjustments which did not occur this year. However, those individuals who are enrolling for the first time in Medicare Part B this year will pay a higher premium of $121.80 per month.

COPYRIGHT © 2016, STARK & STARK


Ransomware Strikes California Hospital – Could You Be Next?

In a chain of events that should be a wake-up call to any entity using and storing critical health information (and indeed, ANY kind of critical information), Hollywood Presbyterian Medical Center (“HPMC”) has announced that it paid hackers $17,000 to end a ransomware attack on the hospital’s computer systems. On February 5, HPMC fell victim to an attack that locked access to the medical center’s electronic medical record (“EMR”) system and blocked the electronic exchange of patient information. Earlier reports indicated that the hackers had originally demanded $3,400,000.

Such “ransomware” attacks are caused by computer viruses that wall off or encrypt data to prevent user access. Hackers hold the data ransom, demanding payment for the decryption key necessary to unlock the data. The attacks are often caused by email phishing scams. The scams may be random or target particular businesses or entities. In the case of HPMC, the medical center’s president and CEO indicated to media outlets that the attack was random, though Brian Barrett, writing for Wired, questioned that assertion.

The medical center’s announcement of the resolution of the incident indicates that there is no evidence that patient or employee information was accessed by the hackers as part of the attack. Even if the data was not compromised, the attack led to enormous hassles at the hospital, returning it to a pre-electronic record-keeping system.

We have seen many variations of ransomware attacks on the increase lately. Cryptolocker and Cryptowall are the two most prevalent threats, but a Forbes article about the HPMC attack revealed that HPMC was victimized by a variant called “Locky,” which, according to the Forbes article, is infecting about 90,000 machines a day.

Details of the HPMC Incident

On February 2, 2016, three days before the HPMC attack, the Department of Health & Human Services Office for Civil Rights (“OCR”) announced the launch of its new Cyber-Awareness Initiative. That announcement included information on ransomware attacks and prevention strategies. Suggested prevention strategies from OCR included:

  1. Backing up data onto segmented networks or external devices and making sure backups are current.  That protects you from data loss of any kind, whether caused by ransomware, flood, fire, loss, etc.  If your system is adequately backed up, you may not need to pay ransom to get your data unlocked.

  2. Don’t be the low-hanging fruit:  Ensuring software patches and anti-virus are current and updated will certainly help.   Many attacks rely on exploiting security bugs that already have available fixes.

  3. Installing pop-up blockers and ad-blocking software.

  4. Implementing browser filters and smart email practices.

Most of these prevention strategies are HIPAA security and overall general business security measures that ought to be in place for companies across the board. As OCR and the FBI (see below) both indicate, smart email practices and training the workforce on them are key elements to preventing phishing scams.

FBI on Ransomware

One of the big questions arising out of the HPMC and other ransomware cases is:  do we pay?   If your business is about to grind to a halt, you likely have no choice.    However, the incident should first be reported to the FBI and discussed with forensics and legal experts who have experience with ransomware in particular. The FBI’s Ransomware information page provides some tips.  Ransomware attacks should be part of your incident response plan and the “what do we do” should be discussed at the highest levels of the company.

When in Doubt, Don’t Be a Click Monkey!

Before clicking on a link in an email or opening an attachment, consider contextual clues in the email. The following types of messages should be considered suspicious:

  • A shipping confirmation that does not appear to be related to a package you have actually sent or expect to receive.

  • A message about a sensitive topic (e.g., taxes, bank accounts, other websites with log-in information) that has multiple parties in the To: or cc: line.

  • A bank with whom you do not do business asking you to reset your password.

  • A message with an attachment but no text in the body.

All businesses in any sector need to take notice of the HPMC attack and take steps to ensure that they are not the next hostages in a ransomware scheme.

©1994-2016 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

The UK Psychoactive Substances Act 2016: An Example of Poor Drafting and Unintended Consequences for Food?

The UK has enacted new legislation to address the issue of so-called ‘legal highs’ following a number of cases of paranoia, seizures, hospitalisation and even death after consumption of certain psychoactive substances.  The Psychoactive Substances Act 2016 (the “Act”) was granted Royal Assent on 28 January 2016.  It is expected to come into force on 6 April 2016.  The Act makes it an offence to produce, supply, offer to supply, possess with intent to supply, possess in a custodial institution, import or export psychoactive substances.

A psychoactive substance is defined very broadly to cover “any substance which is capable of producing a psychoactive effect in a person who consumes it”.  A substance produces a psychoactive effect in a person if it affects the person’s mental functioning or emotional state  by stimulating or depressing the person’s central nervous system.  There are a number of specific exemptions, including controlled drugs, medicinal products, alcohol, nicotine and tobacco products, caffeine and food.  However, the definition of food has left a number of questions since it does not align with the legal definition of food set out in EU Regulation 178/2002.  Rather, the Act defines food as:

Any substance which—

  (a) is ordinarily consumed as food, and

  (b) does not contain a prohibited ingredient (emphasis added).

In this paragraph—

  • “food” includes drink;

  • “prohibited ingredient”, in relation to a substance, means any psychoactive substance—

    (a) which is not naturally occurring in the substance, and

    (b) the use of which in or on food is not authorised by an EU instrument.

The authorities have stated that the Act is not intended to capture foods with a “negligible” psychoactive effect, such as chocolate and nutmeg, but concerns were raised during the legislative debates that the Act could capture inadvertently a much broader range of food substances, including energy drinks and certain botanical ingredients used in foods and dietary supplements.  It is hoped that guidance from the enforcement authorities will make clear exactly which foods and drinks are exempted.

Lucie Klabackova, paralegal, also contributed to this article.

© 2016 Covington & Burling LLP

3 Takeaways from the Recent Ruling on Statistical Extrapolations in CMS Audits

On Jan. 20, 2016, a federal district court in the Western District of Texas affirmed a decision of the Medical Appeals Council (Appeals Council) affirming a CMS contractor’s extrapolation methodology used to assess an overpayment of more than $773,000 from a home health provider, Maxmed. Three key takeaways from the Court’s decision that may help health care providers avoid a similar situation include:

  1. Providers should be keenly aware of the rules limiting CMS’s participation as a party to an appeal when devising their appeal strategies, and its subsequent ability to appeal the ALJ decision on its own. Similarly, they should be aware of the Medicare Appeals Council’s ability to review any ALJ decision or dismissal on its own motion, or with referral from CMS.

  2. When disputing a statistical sample and/or extrapolation, submit an expert’s opinion as soon in the appeals process as practicable, preferably at the redetermination stage. When a statistical extrapolation is disputed, the Qualified Independent Contractor relies on its own statistical expert (oftentimes an outside accounting firm). If you can overturn the extrapolation in the first two levels of appeal, and you don’t seek ALJ review, CMS cannot overturn the determination.

  3. CMS’s rules for statistical extrapolation balance its competing interests in reaching an accurate estimate of the overpayment: limited resources vs. accuracy. CMS admits in its manuals that it does not require the most accurate estimate, and will compromise on reaching the most accurate estimate by accepting a lower bound estimation. Therefore, CMS will trade a more imprecise statistical extrapolation for a lower overpayment estimate. Knowing this can help you and your statistical expert craft a more effective argument to try and get the statistical sampling thrown out.

Background

The case arose out of a post-pay investigation by the Zone Program Integrity Contractor (ZPIC) Health Integrity, which denied 39 of 40 sampled Maxmed claims in a post-payment audit. Health Integrity then used a statistical extrapolation to calculate an estimated overpayment of $773,967.00.

Appeals

After the Medicare Administrative Contractor Palmetto GBA and Qualified Independent Contractor confirmed Health Integrity’s findings, Maxmed appealed to an Administrative Law Judge (ALJ). The ALJ found one denied claim in favor of Maxmed, and also concluded that Health Integrity’s extrapolation methodology was not valid because it did not conform to the Medicare Program Integrity Manual (MPIM).

Parties’ Arguments

In the appeal, Maxmed argued that Health Integrity’s sampling and extrapolation methodology was invalid because Health Integrity failed to record the random numbers it relied upon in forming the sample, its choice of sampling units based upon clusters of claim-lines resulted in a skewed distribution, and its precision level of 8 percent resulted in an unacceptably imprecise extrapolation.

Court’s Decision

The court agreed with the Appeals Council, and granted summary judgment to HHS, finding that, “substantial evidence supported the Appeals Council’s overall determination that the ALJ erred by invalidating the statistical sampling and overpayment extrapolation.”

© Polsinelli PC, Polsinelli LLP in California

Hollywood Presbyterian Concedes to Hacker’s Demands in Ransomware Attack

In a chain of events that should be a wake-up call to any entity using and storing critical health information, Hollywood Presbyterian Medical Center (“HPMC”) has announced that it paid hackers $17,000 to end a malware attack on the hospital’s computer systems. On February 5, HPMC fell victim to an attack that locked access to the medical center’s electronic medical record (“EMR”) system and blocked the electronic exchange of patient information. Earlier reports indicated that the hackers had originally demanded $3,400,000.

Such “ransomware” attacks are caused by computer viruses that wall off or encrypt data to prevent user access. Hackers hold the data ransom, demanding payment for the decryption key necessary to unlock the data. The attacks are often caused by email phishing scams. The scams may be random or target particular businesses or entities. In the case of HPMC, the medical center’s president and CEO indicated to media outlets that the attack was random, though Brian Barrett, writing for Wired, questioned that assertion.

The medical center’s announcement of the resolution of the incident indicates that there is no evidence that patient or employee information was accessed by the hackers as part of the attack. Even if the data was not compromised, the attack led to enormous hassles at the hospital, returning it to a pre-electronic record-keeping system.

On February 2, 2016, three days before the HPMC attack, the Department of Health & Human Services Office for Civil Rights (“OCR”) announced the launch of its new Cyber-Awareness Initiative. That announcement included information on ransomware attacks and prevention strategies. Suggested prevention strategies from OCR included:

  1. Backing up data onto segmented networks or external devices and making sure backups are current.

  2. Ensuring software patches and anti-virus are current and updated.

  3. Installing pop-up blockers and ad-blocking software.

  4. Implementing browser filters and smart email practices.

Most of these prevention strategies are HIPAA security measures that ought to be in place generally. As OCR indicates, smart email practices and training the workforce on them are key elements to preventing phishing scams. Before clicking on a link in an email or opening an attachment, consider contextual clues in the email. The following types of messages should be considered suspicious:

  • A shipping confirmation that does not appear to be related to a package you have actually sent or expect to receive.

  • A message about a sensitive topic (e.g., taxes, bank accounts, other websites with log-in information) that has multiple parties in the To: or cc: line.

  • A bank with whom you do not do business asking you to reset your password.

  • A message with an attachment but no text in the body.
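The four red flags above (and the identical list in the earlier “When in Doubt, Don’t Be a Click Monkey!” section) can be turned into a mechanical first-pass triage that a mail gateway or help desk could run before a user is ever asked to judge a message. The following Python script is an added example written for this page; it is not code from the firm, OCR or the FBI. It assumes a simplified message record (sender, To/Cc lists, subject, body, attachment names) and a small per-user context (tracking numbers the user actually expects and the domains of banks the user actually uses); the inbox, addresses and tracking numbers are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Phrase lists distilled from the four red flags in the text (constructed, not exhaustive)
SHIPPING_PHRASES = ("shipping confirmation", "your package", "shipment", "tracking number")
SENSITIVE_PHRASES = ("tax", "taxes", "bank account", "password", "log-in", "login")
RESET_PHRASES = ("reset your password", "password reset", "verify your account")


@dataclass
class Message:
    msg_id: str
    sender: str
    to: list
    cc: list
    subject: str
    body: str
    attachments: list = field(default_factory=list)


@dataclass
class UserContext:
    expected_tracking: set  # tracking numbers for packages the user actually expects (assumed)
    bank_domains: set       # sender domains of banks the user actually does business with (assumed)


def contains_any(text, phrases):
    """Whole-word match so that 'tax' does not fire on 'syntax'."""
    return any(re.search(r"\b" + re.escape(p) + r"\b", text) for p in phrases)


def sender_domain(address):
    return address.rsplit("@", 1)[-1].lower()


def flag_message(msg, ctx):
    """Return the list of red flags raised by one message (empty list = nothing suspicious)."""
    flags = []
    text = f"{msg.subject}\n{msg.body}".lower()

    # 1. Shipping confirmation that matches no package the user is expecting
    if contains_any(text, SHIPPING_PHRASES):
        tokens = set(re.findall(r"\b[A-Z0-9]{10,}\b", f"{msg.subject} {msg.body}"))
        if not tokens & ctx.expected_tracking:
            flags.append("unexpected-shipping-confirmation")

    # 2. Sensitive topic sent to several recipients at once
    if contains_any(text, SENSITIVE_PHRASES) and len(msg.to) + len(msg.cc) > 1:
        flags.append("sensitive-topic-multiple-recipients")

    # 3. Password reset from a domain that is not one of the user's banks
    if contains_any(text, RESET_PHRASES) and sender_domain(msg.sender) not in ctx.bank_domains:
        flags.append("password-reset-from-unknown-sender")

    # 4. Attachment with no message body
    if msg.attachments and not msg.body.strip():
        flags.append("attachment-with-empty-body")

    return flags


def triage(messages, ctx):
    """Map each message id to its flags; anything with a non-empty list goes to quarantine/review."""
    return {m.msg_id: flag_message(m, ctx) for m in messages}


# Constructed sample context and inbox (not real addresses or tracking numbers)
CTX = UserContext(expected_tracking={"1Z999AA10123456784"}, bank_domains={"mybank.example"})
INBOX = [
    Message("m1", "noreply@courier.example", ["alice@clinic.example"], [],
            "Shipping confirmation", "Your package 1Z999AA10123456784 has shipped."),
    Message("m2", "noreply@courier-update.example", ["alice@clinic.example"], [],
            "Shipping confirmation",
            "Your package 9400110200881234567890 is waiting. Open the label.", ["label.zip"]),
    Message("m3", "hr@clinic.example", ["alice@clinic.example", "bob@clinic.example"],
            ["carol@clinic.example"], "Update your bank account details",
            "Please complete the attached form.", ["form.doc"]),
    Message("m4", "security@first-national.example", ["alice@clinic.example"], [],
            "Action required: reset your password", "Click below within 24 hours."),
    Message("m5", "alerts@mybank.example", ["alice@clinic.example"], [],
            "Reset your password", "Your reset was requested from the app."),
    Message("m6", "bob@clinic.example", ["alice@clinic.example"], [], "Invoice", "", ["invoice.zip"]),
]

if __name__ == "__main__":
    for msg_id, flags in triage(INBOX, CTX).items():
        print(msg_id, flags or "ok")
```

Only m1 (a shipment the user is expecting) and m5 (a reset notice from a bank the user actually uses) come back clean; the other four each trip exactly one of the listed flags. The point of the per-user context is that none of the four heuristics can be judged from the message alone, which is why the text frames them as “contextual clues”: the gateway can raise the flag, but the expected-package and known-bank lists have to come from the user or the organisation.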

All health care providers, payors, and their business associates need to take notice of the HPMC attack and take steps to ensure that they are not the next hostages in a ransomware scheme.

©1994-2016 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

Congress Awaits Health Provisions in President’s Budget

Health Bills Slated for House Floor Consideration; SAMHSA Releases Proposed Rule Focused on Confidentiality of Substance Use Disorder Patient Records

Legislative Activity

Congress Awaits Health Provisions in President’s Budget

On Tuesday, February 9, President Barack Obama will submit his FY 2017 Budget Request to Congress, which is expected to include several large-scale investments for the nation’s health. Last week, the White House released a “sneak preview” of the Budget, which includes: $755 million for cancer research as part of the “moonshot” to cure cancer; a legislative proposal to provide any state that takes up the Medicaid expansion option the same three years of full federal support that states that expanded in 2014 received; a commitment to changes in the excise tax on high-cost employer-sponsored health coverage, otherwise known as the “Cadillac Tax”; and $1 billion in mandatory funding over two years to address prescription drug abuse and heroin use.

On Wednesday, February 10, U.S. Department of Health and Human Services (HHS) Secretary Sylvia Mathews Burwell will provide testimony on the Budget to the House Committee on Ways and Means. The next day, she will also address the Budget in her testimony to the Senate Committee on Finance.

Health Bills Slated for House Floor Consideration

House Majority Leader Kevin McCarthy (R-CA) has announced that several health care bills will be considered on the floor this week.

On Tuesday, the following pieces of health legislation are expected to be considered under suspension of the rules: H.R. 3016, the Veterans Employment, Education, and Healthcare Improvement Act, as amended, which clarifies the role of podiatrists in the Department of Veterans Affairs (VA); H.R. 3106, the Construction Reform Act of 2016, which makes certain changes in the administration of Department medical facility construction projects; H.R. 3262, To provide for the conveyance of land of the Illiana Health Care System of the Department of Veterans Affairs in Danville, Illinois; H.R. 4056, To authorize the Secretary of Veterans Affairs all right, title, and interest of the United States to the property known as “The Community Living Center” at Lake Baldwin Veterans Affairs Outpatient Clinic, Orlando, Florida, as amended; H.R. 4437, To extend the deadline for the submittal of the final report required by the Commission on Care; H.R. 3234, the VA Medical Center Recovery Act, which establishes within the VA an Office of Failing Medical Center Recovery; and H.R. 2915, the Female Veteran Suicide Prevention Act, which directs the Secretary of the VA to identify mental health care and suicide prevention programs that are effective in treating women veterans.

Later in the week, the House is expected to consider H.R. 2017, the Common Sense Nutrition Disclosure Act of 2015, which seeks to improve and clarify disclosure requirements for restaurants and other retail food establishments.

Senate HELP Committee to Mark Up Health Legislation

On Tuesday, February 9, the Senate Committee on Health, Education, Labor, and Pensions (HELP) will hold a markup to consider several health care bills. In January, Committee Chairman Lamar Alexander (R-TN) announced the Committee’s schedule for the “step by step” consideration of biomedical innovation bills. This process, aimed at legislation that is somewhat similar to language in the House-passed 21st Century Cures Act (H.R. 6), begins with this markup.

Legislation to be considered on Tuesday includes: S. 2030, the Advancing Targeted Therapies for Rare Diseases Act of 2015, which allows the sponsor of an application for the approval of a targeted drug to utilize data and information from the sponsor’s previously approved targeted drugs; S. 1622, the FDA Device Accountability Act of 2015, which requires the Food and Drug Administration (FDA) to ensure training on least burdensome requirements for employees who review premarket submissions of medical devices; S. 2014, the Next Generation Researchers Act, which seeks to demonstrate a commitment to our nation’s scientists by increasing opportunities for the development of future researchers; S. 800, the Enhancing the Stature and Visibility of Medical Rehabilitation Research at NIH Act, which seeks to improve, coordinate, and enhance National Institutes of Health (NIH) rehabilitation research; S. 849, the Advancing Research for Neurological Diseases Act of 2015, which provides for systematic data collection and analysis and epidemiological research regarding neurological diseases; S. ___, the Preventing Superbugs and Protecting Patients Act; and S. ___, the Improving Health Information Technology Act.

This Week’s Hearings:

  • Tuesday, February 9: The Senate Committee on Health, Education, Labor, and Pensions (HELP) will hold a markup of health care bills, as described above.

  • Wednesday, February 10: The House Committee on Energy and Commerce Subcommittee on Health will hold a hearing titled “Examining Medicaid and CHIP’s Federal Medical Assistance Percentage.”

  • Wednesday, February 10: The House Committee on Veterans’ Affairs will hold a hearing titled “U.S. Department of Veterans Affairs Budget Request for Fiscal Year 2017.”

  • Wednesday, February 10: The House Committee on Foreign Affairs Subcommittee on Africa, Global Health, Global Human Rights, and International Organizations and Subcommittee on the Western Hemisphere will hold a joint hearing titled “The Global Zika Epidemic: Emerging in the Americas.”

  • Wednesday, February 10: The House Committee on Ways and Means will hold a hearing titled “Department of Health and Human Services’ (HHS) Fiscal Year 2017 Budget Request.”

  • Wednesday, February 10: The House Committee on Rules will meet on H.R. 2017, the Common Sense Nutrition Disclosure Act of 2015.

  • Wednesday, February 10: The Senate Committee on the Judiciary will hold a hearing titled “Breaking the Cycle: Mental Health and the Justice System.”

  • Wednesday, February 10: The Senate Special Committee on Aging will hold a hearing which “will unveil and examine a new, troubling scam by global drug traffickers perpetrated against our nation’s seniors.”

  • Thursday, February 11: The House Committee on Veterans’ Affairs Subcommittee on Health will hold a hearing titled “Choice Consolidation: Improving VA Community Care Billing and Reimbursement.”

  • Thursday, February 11: The House Committee on Homeland Security Subcommittee on Emergency Preparedness, Response, and Communications will hold a hearing titled “Improving the Department of Homeland Security’s Biological Detection and Surveillance Programs.”

  • Thursday, February 11: The Senate Committee on Finance will hold a hearing titled “The President’s Fiscal Year 2017 Budget.”

  • Thursday, February 11: The Senate Committee on the Judiciary will hold a markup, which will include consideration of: S. 483, the Ensuring Patient Access and Effective Drug Enforcement Act of 2015, which seeks to improve enforcement efforts for prescription drug diversion and abuse; and S. 524, the Comprehensive Addiction and Recovery Act of 2015, which authorizes the Attorney General to award grants to address prescription opioid abuse and heroin use.

  • Friday, February 12: The House Committee on Energy and Commerce Subcommittee on Oversight and Investigations will hold a hearing titled “Outbreaks, Attacks, and Accidents: Combatting Biological Threats.”

Regulatory Activity

SAMHSA Releases Proposed Rule Focused on Confidentiality of Substance Use Disorder Patient Records

On Friday, February 5, the Substance Abuse and Mental Health Services Administration (SAMHSA) released a proposed rule titled “Confidentiality of Substance Use Disorder Patient Records.” The proposed rule seeks to amend the Confidentiality of Alcohol and Drug Abuse Patient Records regulations, which were last substantively updated in 1987. According to HHS, the proposed rule will “facilitate health information exchange to support delivery system reform efforts” and ensure privacy for patients seeking substance use disorder treatment.

The proposed rule will be published in the Federal Register on February 9, and comments are due April 11.