Key Tax Changes in the American Health Care Act

The American Health Care Act (“AHCA”), passed by the House of Representatives on May 4, 2017, repeals many of the taxes added by the Affordable Care Act (“ACA”) and makes changes to other tax rules. Some of the notable changes proposed for the Internal Revenue Code are:

1. The individual mandate to maintain health insurance and the employer mandate to offer health insurance remain in the Code, but the taxes are “zeroed out” effective retroactively to 2016.

2. The following taxes, fees, credits and limitations are repealed as of the year shown below:

  • The net investment income tax (NIIT) (2017)

  • The 0.9% additional Medicare tax (2023)

  • The small employer health insurance credit (2020)

  • The $2,500 limitation on contributions to a health flexible spending account (FSA) (2017)

  • The annual fee on branded prescription drug sales (2017)

  • The medical device excise tax (2017)

  • The annual fee on health insurance providers (2017)

  • The elimination of a deduction for expenses allocable to the Medicare Part D subsidy (2017)

  • The 10% tanning salon tax (June 30, 2017)

3. The “Cadillac” tax on high cost health plans is delayed until 2026.

4. Individuals may be reimbursed for over-the-counter medications under a health savings account (HSA), health FSA or a health reimbursement arrangement (HRA) (2017).

5. The penalty tax on withdrawals from an HSA not used for a qualified medical expense is reduced from 20% to 10% (2017).

6. The bill would replace the current ACA premium tax credit with a new refundable, advanceable tax credit effective January 1, 2020. The credit could be applied toward the cost of any eligible health insurance coverage, whether purchased on or off the Exchange. The credit is age-based as follows:

Age             Annual Credit
Under 30        $2,000
30 – 40         $2,500
40 – 50         $3,000
50 – 60         $3,500
60 and over     $4,000

The maximum credit for a family is $14,000. The credit is adjusted each year by CPI + 1%.

The credit is phased out depending on the individual’s modified adjusted gross income (MAGI) for the year. It begins phasing out for an individual with income of $75,000 ($150,000 for joint filers) by $100 for every $1,000 in income above those thresholds. The MAGI dollar limitations are also indexed for inflation beginning in 2021.

To be eligible to claim the credit, the individual must be covered by “eligible health insurance,” not be eligible for “other specified coverage” (including employer coverage or a government sponsored health program) and be a U.S. citizen or a qualified alien.

7. The bill would make the following changes to health savings accounts, effective in 2018:

  • The maximum contribution to an HSA would be increased to the out-of-pocket maximum (in 2017, $6,550 for self-only and $13,100 for family coverage). Under current law, HSA contributions are limited to $3,400 for self-only and $6,750 for family coverage.

  • Both spouses could make a “catch-up” contribution to the same HSA. Under current law, each spouse must have his or her own HSA.

  • If an HSA is established within 60 days after coverage under a high deductible plan begins, the individual could be reimbursed for medical expenses incurred within that 60-day period. Under current law, an individual cannot be reimbursed for any expense incurred before the HSA is established.

The bill now moves to the Senate where significant changes are expected.

This post was written by Cynthia A. Moore of Dickinson Wright PLLC.

Health Care Task Force Pre-Releases Report on Cybersecurity Days Before Ransomware Attack

Last week, the Health Care Industry Cybersecurity (HCIC) Task Force (the “Task Force”) published a pre-release copy of its report on improving cybersecurity in the health care industry.  The Task Force was established by Congress under the Cybersecurity Act of 2015.  The Task Force is charged with addressing challenges in the health care industry “when securing and protecting itself against cybersecurity incidents, whether intentional or unintentional.”

The Task Force released its report mere days before the first worldwide ransomware attack, commonly referred to as “WannaCry,” which occurred on May 12.  The malware is thought to have infected more than 300,000 computers in 150 jurisdictions to date.  In the aftermath of the attack, the U.S. Department of Health and Human Services (HHS) sent a series of emails to the health care sector, including a statement that government officials had “received anecdotal notices of medical device ransomware infection.”  HHS warned that the health care sector should particularly focus on devices that connect to the Internet, run on Windows XP, or have not been recently patched.  As in-house counsels understand, the ransomware attack raises a host of legal issues.

The HCIC report is timely: it calls cybersecurity a “key public health concern that needs immediate and aggressive attention.” The Task Force identifies six high-level imperatives and, for each imperative, offers several recommendations.

The imperatives are as follows:

  1. Define and streamline leadership, governance, and expectations for health care industry cybersecurity.

  2. Increase the security and resilience of medical devices and health IT.

  3. Develop the health care workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities.

  4. Increase health care industry readiness through improved cybersecurity awareness and education.

  5. Identify mechanisms to protect research and development efforts and intellectual property from attacks or exposure.

  6. Improve information sharing of industry threats, weaknesses, and mitigations.

With respect to medical devices (imperative #2), the Task Force specifically advocates for greater transparency regarding third party software components. The report encourages manufacturers and developers to create a “bill of materials” that describes a product’s components, as well as known risks to those components, so that health care delivery organizations can quickly determine whether their medical devices are vulnerable. Furthermore, the Task Force writes that product vendors should be transparent about their ability to provide IT support during the lifecycle of a medical device product. The Task Force also recommends that health care organizations ensure that their systems, policies, and processes account for the implementation of available updates and IT support for medical devices, such as providing patches for discovered vulnerabilities. The report suggests that government and industry “develop incentive recommendations to phase-out legacy and insecure health care technologies.”

The Task Force also encourages medical device manufacturers to implement “security by design,” including by making security risk management a priority throughout the product lifecycle, such as through additional testing or certification. In addition, the report encourages both developers and users to take actions that improve the security of access to information stored on devices, such as multi-factor authentication. The Task Force recommends that government agencies, such as the U.S. Food and Drug Administration (FDA) and the Office of the National Coordinator for Health Information Technology (ONC) at HHS, consider using existing authorities to “catalyze and reinforce activities and action items” associated with this recommendation. This includes leveraging existing government guidance and industry standards, like FDA’s premarket and postmarket cybersecurity guidance documents. Published in 2014 and 2016, these documents recommend that “manufacturers should monitor, identify, and address cybersecurity vulnerabilities and exploits as part of the [secure development lifecycle].” We have previously discussed these guidance documents here and here.

Finally, the Task Force recommends that the health care industry take a “long-range approach” to considering “viability, effectiveness, security, and maintainability of” medical devices. The Task Force states that each product should have a defined strategy and design that supports cybersecurity during each stage of the product’s lifecycle.  In particular, the Task Force encourages HHS to evaluate existing authorities to conduct cybersecurity surveillance of medical devices.

This post was written by Dena Feldman and Christopher Hanson of Covington & Burling LLP.

The Unknown Future Of The Affordable Care Act


Donald Trump’s victory to become the next president of the United States, and the Republican Party’s continued control of the United States Senate and House, will likely have a significant impact on the future of the Affordable Care Act (ACA). President-elect Trump (Trump) has vowed to immediately dismantle the ACA. To date, Trump has provided only a broad outline of what exactly he plans to replace the law with, such as the following:

  • Eliminating ACA requirements which generally require (1) individuals to maintain health insurance, and (2) employers with more than 50 full time employees to offer affordable major medical plan coverage or run the risk of paying penalties;

  • Eliminating tax subsidies that eligible individuals can use to purchase coverage and/or offset costs under health insurance exchanges;

  • Expanding the use of health savings accounts to pay deductibles, copayments, etc.;

  • Establishing tax breaks to allow taxpayers to deduct premiums they pay for individual health insurance policies;

  • Allowing health insurance across state lines;

  • Allowing states to manage Medicaid funds;

  • Modifying or eliminating the ACA’s “essential health benefits” requirements;

  • Expanding age rating bands (increasing the range of premiums that will be allowed); and

  • “Modernizing” Medicare.

Despite his general opposition to the ACA, Trump has expressed support for ACA rules which prohibit insurers and employer plans from excluding coverage for expenses related to pre-existing conditions. However, those prohibitions force insurance companies and employer plans to bear significant costs. The ACA’s employer and individual coverage mandates were intended to make the prohibition on pre-existing condition exclusions more palatable to payers by forcing healthy individuals into the applicable insurance pools. Consequently, it is unclear how Trump would preserve the prohibition on pre-existing condition exclusions yet eliminate the employer and individual mandates.

In addition, the ACA contains hundreds of provisions affecting hospitals, corporations, Medicare, health care quality and integrity, the health care workforce, biosimilars, health care prevention and other issues unrelated to what most people think of as “Obamacare.” To date, Trump appears not to have taken any public position on these provisions.

Copyright © 2016 Godfrey & Kahn S.C.

New Presidency Will Compel Action in Key Areas of Health Care in 2017

As we enter the final stretch of the U.S. presidential election, health care remains one of the most contested issues with great potential for change, particularly to existing insurance and patient care systems. Compounding matters is the opening of enrollment season for exchange plans, which places the already hotly debated Affordable Care Act (ACA) at the forefront of the national health care discussion.

Former U.S. Congressman Dennis Cardoza, co-chair of Foley’s Federal Public Affairs Practice, and Public Affairs Director Jennifer Walsh opined recently about how our next president could symbolically break the congressional logjam on several health care-related fronts and why the industry is poised for more market-driven disruption.

What follows are a few highlights of their conversation.

1. What health policy issues will be most impacted by the next administration?

Cardoza: Since the passage of the ACA, there has been very little legislative activity when it comes to health care, as everything has been done at the administrative level and spread across various departments. During the honeymoon period that follows every newly elected president, we’ll likely see an immediate and significant push around the ACA marketplaces, especially in light of some high-profile defections, decreasing competition and increasing premiums. It doesn’t matter who is in the White House; there are things happening in the market that can’t be ignored.

Walsh: I agree that legislation concerning the exchanges will be the first out of the gate. There is a strong impetus to fix the system, but it may happen initially as part of the reauthorization of the Children’s Health Insurance Program (CHIP) that is set to expire in 2017. CHIP is a bipartisan issue and no one wants to see it lapse. This must be passed in the first or second quarter and could grease the skids for other ACA measures that are either attached as amendments or follow in subsequent bills.

On a separate, simultaneous track, drug pricing will continue to be scrutinized. Lawmakers will pick up where they left off leading up to the August recess. It’s now part of the national dialogue and lawmakers will continue to discuss how to address the issue.

2. Will merger activity continue on its current, accelerated pace?

Cardoza: The ACA has forced market consolidation due to everyone’s ability, or rather inability, to compete over costs. We may see other large insurance plans leave the exchanges if the Department of Justice doesn’t approve their respective mergers.

Walsh: Mergers have been an interesting consequence of the ACA, and we’ll see more alignment in this regard. They don’t always generate big news headlines, but smaller acquisitions of technology assets and payments systems are happening all over, so health care organizations can build their portfolios.

3. What are some other noteworthy developments you’re watching closely?

Cardoza: Concluding a long, iterative process, the Centers for Medicare & Medicaid Services will soon be rolling out its new health care payment and service delivery models as part of the transition from fee-for-service. Next year will be a key period as we work toward full-blown implementation of new reimbursement practices that reflect better value and promote quality care for patients.

Walsh: The 21st Century Cures Act, which is Representative Fred Upton’s legacy issue, has received broad bipartisan support and already passed the House. It will allocate more funding to the National Institutes of Health to explore new cures and treatments, and incentivize innovative approaches to disease management. It should get a fair shake in 2017, if not during the upcoming lame duck session.

4. What should health care executives be thinking about heading into 2017?

Cardoza: Complacency has set in with the Washington gridlock, and many executives with bearish outlooks have accepted the broken system and are merely just controlling costs. However, they need to change their mindset and be more cognizant of what could soon affect their business, as we’re about to enter a transformative year where there will be a lot of moving parts. If they’re not informed and engaged, they’re going to get left behind.

Walsh: The uncertainty surrounding the ACA has certainly caused a lot of angst, and makes planning for businesses extremely difficult. Companies need to channel that energy into advocacy for their organization. Although every system is different, the industry-wide movement toward modernization, value, and quality will affect all parties. While it will be incremental, the change that will be prompted by the election is inevitable.

© 2016 Foley & Lardner LLP

EEOC Alleges Hospital’s Mandatory Flu Vaccine Policy Violates Title VII

As summer temperatures soar, one might think the last thing to worry about is the upcoming flu season. And while that may be true in most respects, the flu is on the minds of the Equal Employment Opportunity Commission (EEOC). A lawsuit filed by the EEOC sheds light on the issue for healthcare employers who impose mandatory flu vaccine requirements on employees as a condition of continued employment.

The EEOC alleges in EEOC v. Mission Hospital, Inc. – a lawsuit that includes class allegations – that Mission Hospital violated Title VII by failing to accommodate employees’ religious beliefs and by terminating employees in connection with the hospital’s mandatory flu vaccination program. In particular, the EEOC took issue with the hospital’s alleged strict enforcement of its deadlines, which required employees to request an exemption by Sept. 1 and, if the exemption request was denied, to obtain the vaccination by Dec. 1.

According to Lynette Barnes, regional attorney for the EEOC’s Charlotte District Office, “An arbitrary deadline does not protect an employer from its obligation to provide a religious accommodation. An employer must consider, at the time it receives a request for a religious accommodation, whether the request can be granted without undue burden.”

The key takeaway here is that, similar to what is required under the Americans with Disabilities Act (when, for example, an employer is analyzing the application of a policy to a particular employee with a disability), employers should consider analyzing their duty to accommodate under Title VII based on the facts and circumstances of the particular case, rather than applying an (allegedly) inflexible rule without regard to those circumstances. The other takeaway is that employers should consider basing this kind of employment decision on more than one reason – for example, a missed deadline plus a determination that granting the exemption would (or would not) be an undue burden (and why).

A copy of the EEOC’s lawsuit is found here and a copy of Mission Hospital’s answer is found here.

ARTICLE BY Norma W. Zeitler of Barnes & Thornburg LLP
© 2016 BARNES & THORNBURG LLP

FDA Releases Draft Guidance for Manufacturers on Dissemination of Patient Data from Medical Devices

On June 9, 2016, the US Food and Drug Administration (FDA) published draft guidance outlining considerations for the “appropriate and responsible” dissemination of individualized data from medical devices from device manufacturers to patients.

In the draft guidance, FDA clarifies that medical device manufacturers may share “patient-specific information” from legally marketed medical devices with patients at the patients’ request without additional premarket review by the agency, provided such dissemination falls within the lawful scope for which the manufacturer may market the device. For purposes of the draft guidance, “patient-specific information” is any information that is unique to an individual patient or unique to that patient’s treatment or diagnosis that, consistent with the intended use of the device, may be recorded, stored, processed, retrieved and/or derived from that device. Examples of patient-specific information include recorded patient data, device usage/output statistics, provider inputs, alarms and/or records of device malfunctions. Patient-specific information does not, however, include any interpretation of such data aside from interpretations normally reported by the device to the patient or the patient’s healthcare provider.

When sharing patient-specific information with patients, FDA recommends that manufacturers consider the following factors to ensure that such information is usable by patients and to avoid the disclosure of confusing or unclear information:

  • Content of information provided.  The information provided to patients should be comprehensive and up-to-date, and manufacturers should take measures to ensure that such information is easily understood and useful to the patient. Depending on the type and scope of information being shared, the manufacturer should provide supplementary instructions, materials or references to help patients understand the data. In deciding what measures may be necessary, the manufacturer should be sure to consider whether any characteristics of the intended recipient audience (e.g., mental capacity) may affect the interpretability of the information.

  • Context in which information should be understood.  Manufacturers should provide the information in context to avoid situations where the information may be misinterpreted, leading to invalid or inappropriate conclusions.

  • Necessity of access to follow-up information.  Manufacturers should consider what, if any, information they should include about whom to contact for follow-up information.  At minimum, manufacturers should advise patients to contact their health care providers with any questions about their data. Manufacturers should also consider providing their own contact information to facilitate response to patient questions about the device.

The draft guidance is the latest in a line of documents in which FDA has attempted to clarify its expectations for—and in many cases, allay the concerns of—developers of mobile health products. Though the guidance is short on specifics, developers should find it helpful insofar as they have questions regarding the extent to which they can disseminate medical device data to patients. Notably, however, the FDA does not address how manufacturers should proceed with respect to the dissemination of many patient-specific analyses, likely because the agency intends to address such issues in its long-awaited guidance on clinical decision support software.

© 2016 McDermott Will & Emery

Health Care Companies Agree to “Core Commitments” to Improve Access to EHR

Last month, the Department of Health and Human Services (HHS) announced that a number of large health care companies and providers had “agreed to implement three core commitments” to improve access to electronic health records (EHR).  HHS touted the commitments as a significant step toward increased EHR interoperability.

The three core commitments to which the health care entities agreed are as follows:

  1. Consumer Access: To help consumers easily and securely access their electronic health information, direct it to any desired location, learn how their information can be shared and used, and be assured that this information will be effectively and safely used to benefit their health and that of their community.

  2. No Blocking/Transparency: To help providers share individuals’ health information for care with other providers and their patients whenever permitted by law, and not block electronic health information (defined as knowingly and unreasonably interfering with information sharing).

  3. Standards: Implement federally recognized, national interoperability standards, policies, guidance, and practices for electronic health information, and adopt best practices including those related to privacy and security.

HHS highlighted the number and importance of the entities that have agreed to this “Interoperability Pledge.”  According to HHS, the nation’s five largest private health care systems signed the Interoperability Pledge, as well as “[v]endors who provide 90 percent of hospital electronic health records used nationwide.”

Notably, the three commitments in the Pledge are not enforceable.  At most, the Interoperability Pledge represents an agreement by its signatories that access and interoperability are key goals of EHR use.

 

© 2016 Covington & Burling LLP

Department of Justice Launches Targeted Elder Justice Task Forces

On March 30, the Department of Justice (“DOJ”) announced the formal launch of 10 regional Elder Justice Task Forces designed to identify nursing homes and other long-term care (“LTC”) facilities that provide “grossly substandard care” to residents.

Similar to DOJ’s previously launched Medicare Fraud Strike Force and Health Care Fraud Prevention & Enforcement Action Team (“HEAT”) initiative, the newly created Elder Justice Task Forces will focus on coordination and information sharing among federal, state and local enforcement agencies to combat suspected cases of physical abuse and financial fraud. Each task force will consist of representatives from the U.S. Attorneys’ Offices, state Medicaid Fraud Control Units, state and local prosecutors’ offices, the Department of Health and Human Services, state Adult Protective Services agencies, Long-Term Care Ombudsman programs and other law enforcement officials.

Part of the larger DOJ Elder Justice Initiative, the task forces will have a national footprint with locations in the following districts: Northern District of California, Northern District of Georgia, District of Kansas, Western District of Kentucky, Northern District of Iowa, District of Maryland, Southern District of Ohio, Eastern District of Pennsylvania, Middle District of Tennessee and the Western District of Washington.

The new Elder Justice Task Forces signal heightened interest and attention on the LTC industry, a move that comes on the heels of last summer’s Centers for Medicare and Medicaid Services’ proposed rule to overhaul requirements for participation by LTC facilities in federal health care programs.

© 2016 BARNES & THORNBURG LLP

OCR Kicks Off HIPAA Audits After Issuing Two Major Settlements

On Monday, the HHS Office for Civil Rights (OCR) launched phase two of its much-anticipated audit program for covered entities and business associates. The announcement comes in the wake of OCR’s issuance of two major settlements—totaling more than $5 million—which highlighted the critical importance of managing the security basics, such as the business associate agreement (BAA) and the organization-wide risk analysis. These developments are summarized below, with practical tips that can help organizations mitigate related risks.

Summary

2016 Audit Program Begins

In announcing the 2016 audit program launch, OCR confirmed it will contact organizations by email to verify contact information and complete a pre-audit questionnaire. Organizations selected for audit will be subject to either a desk audit, an onsite audit or potentially both. Organizations will have a short period to produce requested documents, typically 10 business days, so it is important to have HIPAA privacy and security policies, security risk assessments, breach notification documentation, BAAs, and other HIPAA documentation up-to-date and readily available. While there is a detailed audit protocol from the phase one OCR audits, that protocol has not been updated for the final rules implementing the HITECH Act. OCR has committed to issuing an updated audit protocol closer to the date the audits will be conducted, which will set forth the criteria that auditors will review. Importantly, the phase two audits will extend to business associates. Although the risk of being selected for an audit is low, organizations would be well advised to review the existing and, when available, new audit protocols, conduct a compliance gap assessment and take corrective actions as needed, as part of overall HIPAA compliance efforts. While OCR states that the audits are primarily a compliance improvement activity, enforcement may follow where a serious issue is identified.

The North Memorial Settlement – The Importance of Business Associate Agreements

In the first of two recent settlements, North Memorial Health System, a nonprofit organization, will pay $1.55 million and enter into a two-year corrective action plan to settle charges that it violated HIPAA by failing to have a written BAA with a key contractor. OCR’s investigation followed the 2011 theft of an unencrypted laptop from a contractor’s workforce member’s vehicle. The settlement notes that the laptop contained protected health information (PHI) of approximately 9,497 North Memorial patients. For its part, the contractor separately settled HIPAA violations for $2.5 million, and entered into a related 20-year FTC consent order relating to its security procedures.[1] OCR also alleged that North Memorial failed to conduct an organization-wide risk analysis that covered all of its IT infrastructure.

OCR’s investigation indicated that North Memorial failed to execute a BAA with the contractor as required by HIPAA Privacy and Security Rules. OCR asserted that North Memorial gave the contractor access to its hospital database, which stored the electronic PHI of 289,904 patients, as well as access to non-electronic PHI as it performed services on-site at North Memorial.[2] In total, OCR’s investigation found that, from March 21, 2011, to October 14, 2011, North Memorial impermissibly disclosed the PHI of at least 289,904 individuals to the contractor without obtaining a proper BAA.[3] The investigation further indicated that North Memorial failed to complete a comprehensive risk analysis to identify all potential risks and vulnerabilities to the electronic PHI (ePHI) that it maintained, accessed or transmitted across its entire IT infrastructure, as required by the HIPAA Security Rule.[4] In settling the matter, North Memorial did not concede liability.

In addition to the $1.55 million payment, North Memorial agreed to a two-year corrective action plan (CAP) that requires it to develop policies and procedures related to business associate relationships and to conduct an organization-wide risk analysis and risk management plan, as required under the HIPAA Security Rule.[5] The CAP also requires North Memorial to train appropriate workforce members on all policies and procedures newly developed or revised pursuant to the CAP.[6]

OCR has previously (and repeatedly) emphasized the importance of having an organization-wide, thorough risk analysis, which it reinforces here with North Memorial. In addition, this settlement highlights the importance that OCR attaches to having BAAs where required, which OCR describes as another “cornerstone” of effective security.[7] Further, the settlement illustrates that, when a breach occurs with a business associate, the impacted covered entity should expect OCR to request a copy of the underlying BAA. Where that BAA cannot be found, the covered entity and business associate should expect potential enforcement.

FIMR Settlement: Basic Compliance Required of All Covered Entities (and Business Associates)

In the second settlement, Feinstein Institute for Medical Research (FIMR), a nonprofit research institute, will pay $3.9 million and enter into a three-year corrective action plan to settle charges that it violated HIPAA, following a breach in which an employee’s unencrypted laptop containing patient information of 13,000 individuals was stolen. OCR’s investigation determined that FIMR’s security management process was limited, that it had failed to conduct a thorough risk analysis, and that it lacked sufficient policies and procedures. In its press release, OCR emphasized that it expects research institutions that are covered entities to comply with the same standards as other covered entities.

OCR’s investigation of FIMR stemmed from a self-reported breach after an employee’s unencrypted laptop was stolen. Based on the resolution agreement, OCR’s investigation appears to have identified widespread non-compliance. For example, OCR alleged that FIMR: (1) failed to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to all of the ePHI held by FIMR, including the ePHI on the employee’s laptop; (2) failed to implement policies and procedures for granting access to ePHI by its workforce members and restricting access by unauthorized users; (3) failed to implement physical safeguards for the laptop; (4) failed to implement policies and procedures that govern receipt and removal of hardware and electronic media that contain ePHI into and out of a facility, and the movement of these items within the facility; and (5) failed to encrypt ePHI on the laptop or, alternatively, document why encryption was not reasonable and appropriate and implement an equivalent safeguard.

As part of an extensive three-year CAP, FIMR must conduct an organization-wide risk analysis and develop a corresponding risk management plan, develop a process for evaluating environmental or operational changes to the security of ePHI, revise its policies and procedures for privacy and security, and provide extensive training and reporting.

Tips to Mitigate Risks

Covered entities and business associates can enhance HIPAA compliance, and reduce audit risk, by taking a number of practical steps outlined below.

Business Associate Risks:

  1. train workforce (at onboarding and at least annually thereafter) to recognize situations where a BAA (or subcontractor BAA) is required and understand how to activate the organization’s process for securing one;

  2. conduct periodic audits of existing outside service relationships to ensure that all necessary BAAs (or subcontractor BAAs) are, in fact, in place;

  3. periodically audit BAAs (and subcontractor BAAs) on file to ensure they are fully compliant (including as to the final HITECH rule content requirements), in full force and effect, and readily retrievable; and

  4. retain records of training and audits conducted for at least six years.

This also is an excellent time for covered entities and business associates to re-examine the effectiveness of their processes for conducting initial diligence and periodic audits of the security compliance of their key business associates and subcontractors.

Risk Analysis:

While not a new point, it remains critical for covered entities and business associates to conduct and document the requisite security risk analysis on a regular basis, and take prompt corrective action to manage identified risks. It is particularly important to ensure that the risk analysis covers all ePHI maintained, accessed or transmitted across the organization’s entire IT infrastructure, including but not limited to all applications, software, databases, servers, workstations, mobile devices and electronic media, network administration and security devices, and associated business processes. This can be a challenge—particularly in light of the pace of developments and acquisitions/consolidations in the health care industry—but is essential. Organizations should develop a complete inventory of all electronic equipment, data systems, and applications controlled, administered or owned by the organization and its workforce that contain or store ePHI, including personally owned devices. Organizations should make sure their process includes equipment purchased outside of standard procurement processes.

Audit Preparation Tips:

  1. Confirm that all required HIPAA privacy and security policies and procedures are implemented and up-to-date;

  2. Make sure a thorough, organization-wide security risk analysis as described above has recently been conducted, and that resulting corrective actions have been taken;

  3. Confirm that BAAs are fully up-to-date and accessible, and follow the steps above to further reduce business associate risks;

  4. Use the audit protocols to conduct a gap assessment;

  5. Be prepared to provide documentation showing that breach notices have been provided as required by HIPAA; and

  6. Covered entities should ensure their notices of privacy practices are up-to-date and provided as required.

Other Basics:

  1. Encryption: Encryption of laptops, thumb drives and other mobile devices remains a critical risk mitigation strategy. HIPAA does not require encryption of ePHI in all cases “per se”; however, it does require organizations to specifically address, as part of their required risk analysis, whether encryption is a reasonable and appropriate safeguard (and if so, it requires organizations to encrypt; if not, it requires organizations to document why encryption is not reasonable and appropriate, and adopt an alternative safeguard). In addition, encryption that meets the HHS guidance provides a “safe harbor” from breach notification under HIPAA and generally obviates the need to make state law data breach notifications as well, in the event of loss of encrypted data. Further, because encryption will, in fact, be “reasonable and appropriate” in many cases, often it is effectively required.

  2. Training: The scope and frequency of training also should be regularly reviewed to ensure training covers key aspects of privacy and security policies. In addition, training should address current and emerging threats and risk areas. For example, in light of the significant role of phishing attacks and malware in cyber-breaches, training should include employee awareness of how to identify and respond to these types of attacks.


[1] The related 2012 settlement by business associate Accretive Health with the Minnesota attorney general for violations of the HIPAA rules and state law was widely touted within the industry as the first HIPAA enforcement action against a business associate. See Settlement Agreement, Release, and Order, 12-cv-00145, ECF No. 90 (July 30, 2012). Because the breach occurred prior to the issuance of final rules implementing the HITECH Act’s extension of direct liability for HIPAA violations to business associates, OCR—the primary federal HIPAA enforcement agency—had indicated it would not enforce the HITECH Act changes against business associates until issuance of the final rules. However, this did not prevent the Minnesota attorney general from proceeding to enforce HIPAA, using newly expanded enforcement authority granted to state attorneys general under the HITECH Act. Accretive Health also entered into a related, 20-year consent order with the FTC, pursuant to which no fine or penalty was paid but in which Accretive Health agreed to establish and maintain a comprehensive information security program, and to periodic evaluations of that program. See Press Release, FTC approves final consent order settling charges that Accretive Health failed to adequately protect consumers’ personal information (Feb. 24, 2014).

[2] See North Memorial Resolution Agreement and Corrective Action Plan, I.2.A (Mar. 16, 2016).

[3] See id. at I.2.B.

[4] See id. at I.2.C.

[5] See id. at I.V.A-C.

[6] See id. at I.V.D.

[7] See Press Release, $1.55 million settlement underscores the importance of executing HIPAA business associate agreements (Mar. 16, 2016).

A Twisting Path: Illinois Licensure Actions Against Physicians, Nursing Home Administrators, Nurses, and Other Professionals

The Illinois Department of Financial & Professional Regulation (the Department), Division of Professional Regulation (the Division), regulates the licenses of numerous professionals in the health care fields, including physicians, nurses, nursing home administrators, and many others. For health care professionals facing an investigation, hearing, or potential disciplinary action related to alleged misconduct, the Division’s process can seem quite daunting and confusing. The information provided below, along with the advice of experienced legal counsel, can help you navigate this twisting path.

Notifications and Investigations

Most disciplinary actions are for the overly broad and subjective reason of “unethical or unprofessional conduct.” Individuals can come to the Division’s attention through complaints by dissatisfied patients, co-workers, or supervisors, or by referrals from other regulatory bodies such as the Illinois Department of Public Health (IDPH) or the Illinois Department of Healthcare and Family Services (IDHFS).

Although logic and efficiency dictate that the Division investigate any complaints it receives before alleging the licensed professional might have violated applicable regulations, that is not always the case. More often than not, the “investigation” begins with the filing of a notice to the licensee that the Division received a complaint, and the notice includes a request that the licensee appear at an informal conference. The Division sends such notices to the licensee’s home, as that is the address the Division has on file. Occasionally, licensees will be visited by an investigator at the place of business; this is usually done only when the state budget allows for such expenditures.

If this happens, then do not panic. For reasons detailed below, with the help of experienced counsel, many informal conferences result in the Division concluding that the licensee did nothing wrong.

There are numerous occasions when reporting to the Division is mandatory. For example, IDPH must report the names and license numbers of nursing home administrators when it cites certain deficiencies in a nursing home. Nurses who are administrators or officers of a health facility must report a nurse impaired by drugs or alcohol or who possesses, uses, or distributes drugs. IDHFS reports when physicians enter into integrity agreements or opt out of the Medical Assistance Program. If a health care licensee is accused of a sex crime, the prosecutor notifies the Division and the practitioner can only practice with a chaperone.

Disciplinary Conferences and Hearings

If the Division schedules an informal disciplinary conference, the licensee should consider hiring a lawyer. If the Division does not schedule an informal conference, then the licensee should ask the Division to do so. These conferences are typically handled by a Division attorney and a member of the relevant licensing board (the latter of whom usually takes the lead in asking questions and making the final decisions).

Informal disciplinary conferences generally take the place of an investigation and offer an excellent opportunity for the licensee to tell his or her side of the story. The board members who attend these conferences are typically in the same profession as the licensee (although not necessarily from the same kind of work environment), so they understand the practices, processes, and pressures facing the individuals who appear before them. The vast majority of such conferences end with a recommendation that no further action be taken.

A hearing is a far more formal process, conducted by an administrative law judge (ALJ) with a court reporter present and, generally, conducted according to the rules of evidence. Again, the licensee can and should be represented by counsel. One or more members of the relevant board may be present and may participate by questioning witnesses. The ALJ prepares a report that is then reviewed by a committee of board members before it goes to the director of the Department for a final order.

Disciplinary Actions

Activities that generate disciplinary actions include sister-state discipline, drug/alcohol issues, failures related to treatment, and bureaucratic issues. In looking at recent disciplinary actions reported over a seven-month period on the Division’s website, physicians were disciplined for sister-state discipline 58 times, for drug/alcohol transgressions 20 times, treatment problems 50 times and bureaucratic issues 40 times. Nurses were disciplined for sister-state discipline 92 times, drug/alcohol transgressions 88 times, treatment problems 21 times and bureaucratic issues 46 times. Only one nursing home administrator — one on a temporary license, at that — was disciplined for failure to report abuse in a timely manner.

Disciplinary actions can include reprimand, additional continuing education hours, in-services, probation (for a defined or indefinite period), restrictions, quality assurance audits, fines, suspension, refusal to renew, placement in permanent inactive status, or termination. The Division may also place a letter in a licensee’s file, but the letter is not considered discipline — as such, these letters do not appear on the Division’s website. These letters essentially tell the licensee to avoid doing whatever brought them to the attention of the Division in the first place. The Division can use such letters as a basis for progressive discipline if the licensee comes to the Division’s attention for a similar reason in the future.

Disciplinary actions in one state affect licensure status in other states. They also may affect a licensee’s ability to participate in the Medicaid and Medicare programs and to prescribe controlled substances. Even an investigation that does not result in a penalty must on some occasions be reported, and failure to do so may result in further disciplinary action.

Protect Your Privileges!

Remember, holding a professional license is a privilege, not a right. Such a privilege is always subject to strict scrutiny and can be restricted as necessary to assure that the public is not harmed in any way. Needless to say, seeking out knowledgeable counsel is always recommended.

Article By Frances D. Meehan of Much Shelist, P.C.