Litigants Beware: Unjust Enrichment v. Quantum Meruit

The distinction between unjust enrichment claims and quantum meruit claims have long bedeviled courts and practitioners. In Core Finance Team Affiliates v. Maine Medical Center, the Law Court provided important guidance regarding the differences between these claims while leaving open a difficult question relating to the implications of pursuing one claim but not the other.

Core Finance involved a suit by a contractor against hospitals relating to the provision of services for reimbursement submittals. The contractor asserted claims for breach of contract and unjust enrichment. After a jury concluded that the contractor failed to prove the existence of a contract, the court held a bench trial and awarded damages to the contractor for unjust enrichment.

The Law Court reversed the judgment on narrow grounds—namely, that the contractor failed to “prove the damages recoverable under either a quantum meruit theory or an unjust enrichment theory.” The Court concluded that, absent proof of conscious wrongdoing, “the appropriate measure of damages” for an unjust enrichment claim is the same as for a quantum meruit claim: “the market value of [defendant’s] uncompensated contractual performance.” The contractor had not presented evidence of the value of its services; rather, its evidence focused on the increase in reimbursement to the hospitals (i.e., the value to the defendants of the services). Thus, the record did not contain a sufficient basis for correctly determining damages.

Although this holding is of note in its own right, it was preceded by a particularly notable discussion of the differences between a quantum meruit claim and an unjust enrichment claim. The parties had disputed whether the trial court should have considered the unjust enrichment claim at all, absent any quantum meruit claim. The hospitals argued that the contractor had to exhaust its legal remedies by pursuing a quantum meruit claim before pursuing an unjust enrichment claim.

Discussing this issue, the Court emphasized that a quantum meruit claim involves “recovery for services or materials provided under an implied contract.” It thus involves enforcement of a promise, and is a legal remedy. An unjust enrichment claim, by contrast, does not involve an implied contract, but rather involves compelled performance “of a legal and moral duty to pay.” Unjust enrichment does not involve any express or implied promise, and is an equitable remedy.

The Court went on to observe that it had “never stated that an unjust enrichment claim involving the rendition of services cannot be adjudicated until after the court has rejected a quantum meruit claim involving the same services.” Importantly, it then acknowledged that this “premise can readily be inferred” for two reasons: (1) the limitation on the availability of equitable remedies if there is an adequate legal remedy, and (2) the primacy over contract over unjust enrichment in the remedial scheme, which requires determining whether an express contract exists before considering quantum meruit or unjust enrichment claims. The Court noted that equitable remedies should be granted “only when there is not an adequate legal remedy,” and that “the court need not consider unjust enrichment if quantum meruit is an adequate remedy.” Having said all that, however, the Court declined “to explore the dilemma further,” instead resolving the case on the damages issue.

The Court’s lengthy discussion is dicta, but it is important nevertheless. Although the Court did not hold that the failure to bring a quantum meruit claim barred an unjust enrichment claim, the Court walked right up to that line. Its language certainly is suggestive that it would so hold if it had to resolve the issue. As such, Core Finance is an important guidepost for litigants considering which claims to bring in the alternative to a breach of contract claim.

The False Claims Act in 2023: A Year in Review

In 2023, the government and whistleblowers were party to 543 False Claims Act (FCA) settlements and judgments, the highest number of FCA settlements and judgments in a single year. As a result, collections under the FCA exceeded $2.68 billion, confirming that the FCA remains one of the government’s most important tools to root out fraud, safeguard government programs, and ensure that public funds are used appropriately. As in recent years, the healthcare industry was the primary focus of FCA enforcement, with over $1.8 billion recovered from matters involving hospitals, pharmacies, physicians, managed care providers, laboratories, and long-term acute care facilities. Other areas of focus in 2023 were government procurement fraud, pandemic fraud, and enforcement through the government’s new Civil Cyber-Fraud Initiative.

Listen to this post 

EMTALA in the Post-Dobbs World

The Emergency Medical Treatment and Labor Act (EMTALA) requires hospitals with emergency departments and participating in Centers for Medicare and Medicaid Services (CMS) programs to provide medical screening, treatment and transfer for patients with emergency medical conditions (EMCs) or women in labor.1 EMTALA, which was enacted in 1986 to address concerns about patient dumping, went unnoticed for many years, but has garnered heightened attention as a result of the COVID-19 pandemic, and more recently, the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization (Dobbs).2

EMTALA is a federal law and expressly preempts state laws with which it directly conflicts. After the Dobbs decision was officially published in June, a number of states implemented laws that prohibited or restricted access to reproductive care. Many of these laws include potential civil sanctions and criminal liability for healthcare providers offering or performing these services regardless of the circumstances, including emergency situations. The Biden Administration, in contrast, has taken action to preserve access to reproductive care through a number of executive and federal agency actions. These actions are intended by the federal government to apply in all states, including those states where restrictions have been put in place. Following this activity, litigation between the federal government and several states has ensued to address potential conflicts between federal laws requiring the provision of access and state laws that prohibit or restrict access to reproductive health services. A summary of the current EMTALA landscape is set forth below.

EMTALA Requirements

Under EMTALA, hospitals with emergency departments (EDs) must provide a medical screening examination to any individual who comes to the ED, regardless of insurance status. EMTALA prohibits hospitals with EDs from refusing to examine or treat individuals with an EMC. Upon provision of a medical screening examination, hospitals must provide necessary stabilizing treatment for EMCs and labor within the hospital’s capability. If the hospital is unable to properly treat or stabilize the patient, the hospital must provide an appropriate transfer to another medical facility.

Under EMTALA, an EMC includes “a medical condition manifesting itself by acute symptoms of sufficient severity (including severe pain) such that the absence of immediate medical attention could reasonably be expected to result in:

(i) placing the health of the individual (or, with respect to a pregnant woman, the health of the woman or her unborn child) in serious jeopardy,

(ii) serious impairment to bodily functions, or

(iii) serious dysfunction of any bodily organ or part…”3

Many common pregnancy-related complications, such as preeclampsia or ectopic pregnancies, qualify as EMCs. However, certain state anti-abortion laws prohibit or criminalize abortions regardless of the existence of an EMC under federal law, which creates a potential conflict when an abortion is necessary to stabilize an EMC under EMTALA. As a result of this friction between state and federal law, EMTALA has received renewed attention at a federal and state level in recent months.

Executive Order on Protecting Access to Reproductive Healthcare Services

On July 8, 2022, after the Dobbs decision was officially issued, President Biden issued Executive Order 14076 (Executive Order), which directed the Department of Health and Human Services (HHS) to submit a report identifying steps to ensure all patients, including pregnant women and women experiencing pregnancy loss, receive the full protections offered by EMTALA. The Executive Order also directed HHS to consider updates to guidance on obligations under EMTALA.

CMS Memorandum and HHS Letter to Healthcare Providers

On July 11, 2022, in response to the Executive Order, CMS published a memorandum to State Survey Agency Directors to restate existing guidance for hospital staff and physicians in light of new state laws that prohibit or restrict access to abortion (Memorandum). The Memorandum reinforced CMS’ view that:

  • EMTALA mandates that all patients who come to a EDs and request examination or treatment must receive an appropriate medical screening examination, stabilizing treatment, and transfer regardless of any state law restrictions about specific procedures,

  • Only physicians and qualified medical personnel may make the determination of an EMC,

  • Hospitals should ensure that all staff who interact with patients presenting to the ED are aware of the hospital’s obligations under EMTALA,

  • Hospitals may not cite state law or practice as the basis for transfer,

  • Physicians’ professional and legal duties under EMTALA preempt any conflicting state law or mandate,

  • If a physician believes that abortion is the stabilizing treatment necessary to resolve an EMC, the physician must provide that treatment, and

  • State law is preempted by EMTALA when it prohibits abortion and does not include an exception for the life and health of the pregnant person or has a more restrictive definition of EMC.

The Memorandum also clarified that pregnant patients may experience EMCs including, but not limited to, ectopic pregnancy, complications of pregnancy loss, or emergent hypertensive disorders, such as preeclampsia with severe features and that stabilizing treatment encompasses both medical and surgical interventions, such as methrotrexate therapy or dilation and curettage.

The Secretary of HHS also published on July 11, 2022 a letter to healthcare providers reminding them of their obligation to provide stabilizing medical treatment to their pregnant patients in accordance with EMTALA, regardless of the state in which the provider practices (Letter). The Letter also reiterated that:

  • any state laws or mandates which employ a more restrictive definition of EMC are preempted by EMTALA statute, and

  • the course of necessary stabilizing treatment is under the physician’s or other qualified medical personnel’s purview.

The State of Texas Sues the Biden Administration

On July 14, 2022, the Texas Attorney General brought suit against HHS and CMS to challenge the Memorandum and Letter relating to federal law obligations for pregnant patients.4 The complaint alleged that EMTALA does not preempt state law when state law prohibits abortion and does not include an exception for the life of the pregnant person or draws the exception more narrowly than the definition of EMC under EMTALA. Specifically, Texas sought to enforce a state statute, the Human Life Protection Act, which would ban and criminalize abortions unless a woman “has a life-threatening physical condition arising from pregnancy that places her ‘at risk of death or poses a serious risk of substantial impairment of a major bodily function unless the abortion is performed”(emphasis added).5 The complaint also alleged that EMTALA does not require a healthcare provider to perform an abortion if it is the stabilizing treatment necessary to resolve an EMC. On August 23, 2022, the United States District Court for the Northern District of Texas (Lubbock Division) blocked enforcement of the Memorandum and Letter in the State of Texas on the basis that federal guidance did not preempt state law, exceeded the authority of EMTALA, and was issued without a proper notice and comment period. The Court found that, because EMTALA is silent regarding abortion and “how stabilizing treatments must be provided when a doctor’s duties to a pregnant woman and her unborn child possibly conflict,” “there is no direct conflict” between federal and Texas law with the end result that “EMTALA leaves it to the states”.6

The Biden Administration Sues the State of Idaho

On August 2, 2022, the Department of Justice (DOJ) sued the State of Idaho, alleging violation of EMTALA. Under Idaho’s proposed abortion law, which was slated to go into effect on August 25th, the performance of all abortions are criminalized regardless of the reason for which they may be performed including to prevent the death of the pregnant woman.7 Instead, the law permits physicians to raise two affirmative defenses to avoid criminal liability:

(i) The physician determined, in h/her good faith medical judgment and based on the facts known to the physician at the time, that the abortion was necessary to prevent the death of the pregnant woman, and

(ii) Prior to the performance of the abortion, the pregnant woman reported the act of rape or incest to a law enforcement agency and provided a copy of such report to the physician.8

The DOJ’s complaint alleged that  Idaho’s law does not provide a defense when the health of the pregnant patient is at stake, which is considered to fall within the definition of an EMC under EMTALA. In addition, the DOJ asserted that the fear of criminal prosecution may lead providers to avoid performing abortions even when it is a medically necessary treatment to prevent severe risk to the patient’s health. On August 24, 2022, the United States District Court for the District of Idaho found that Idaho’s law conflicted with EMTALA and granted the federal government a preliminary injunction blocking the enforcement of Idaho’s proposed abortion law.9 In contrast to the Northern District of Texas Court’s interpretation of the conflict between state law and EMTALA, the District Court of Idaho noted that found that Idaho’s criminal abortion statute deterred abortions given that it provided for an affirmative defense rather than an exception for the provision of emergency care and, therefore, obstructed EMTALA’s purpose.10

Looking to the Future

While EMTALA has been in place for decades, its applications in the post-Dobbs world continue to evolve and will be at the forefront in states with abortion restrictions, particularly where the scope of federal law obligations to provide stabilizing treatment for conditions that threaten the health of the pregnant patient conflict with state law exceptions or affirmative defenses.

The law, policy and regulatory climate surrounding the Dobbs decision is complex and quickly developing. The information included in this article is current as of writing, but it does not address all potential legal issues or jurisdictional differences, and the information presented may no longer be current. Readers should consult counsel regarding their specific situation.


FOOTNOTES

1 42 U.S.C. §1395dd.

For additional information regarding the Dobbs decision, please refer to the following resources: Supreme Court Decision in Dobbs v. Jackson Women’s Health Organization Overturns 50 Years of Precedent on Abortion Laws and Rights | Healthcare Law Blog (sheppardhealthlaw.com)WHLC Dobbs Series Part 1 Where are we now?: Sheppard Mullin Webinar.

42 U.S.C. §1395dd(e)(1).

4 State of Tex. v. Becerra, et al., No. 5:22-cv-185 (N.D. Tex. Jul. 14, 2022).

Tex. Health & Safety Code § 170A.

State of Tex. v. Becerra, et al., No. 5:22-cv-185 (N.D. Tex. Jul. 14, 2022), Memorandum Opinion and Order at 49.

7 Idaho Code § 18-622.

8  Idaho Code § 18-622(3).

9 U.S. v. Idaho, No. 1:22-cv-00329-BLW.

10 U.S. v. Idaho, No. 1:22-cv-00329-BLW, Memorandum Decision and Order at 26-31.

Copyright © 2022, Sheppard Mullin Richter & Hampton LLP.

Medical Staff Leaders: 10 Things Your Lawyers Want You to Know

Whether you are new to medical staff leadership or have served in the past and have been called to serve again, there are times when you will need to consult a lawyer who specializes in medical staff matters. While there is nothing simple about medical staff affairs, there are some basic guidelines and protections that your lawyers would like you to know that will make your term easier and make you more effective.

Understand that hospitals and medical staffs are highly regulated organizations with a myriad of laws and standards that must be followed. As a medical staff leader, advisor or medical staff professional, you are leading and advising the professionals responsible for practitioner competence and conduct within the organization. Medical staff law has evolved from the lawyer in the office who would return your call in a week, or fax you a letter, to a specialty area where your lawyer is your partner and there to assist in all aspects of medical staff affairs.

We hope you will benefit from and find the following 10 recommendations make your term or role more informed and manageable.

10. Keep Your Governance Documents Up to Date and Reflective of Actual Practice.

We don’t suggest you must read every page of your governance documents, but you should be sure you know where to look and how to use them. Governance documents include the medical staff bylaws, credentialing manual, hearing plan, rules and regulations, policies and other documents approved by the medical staff and designed to set and guide medical staff processes. Too often we have found the documents will conflict or are missing critical passages. Your medical staff bylaws or medical staff governance committee can be one of the strongest committees in the organization. This is the committee that will annually review the documents and make sure they are internally consistent, reflect actual practice and are relevant to your organization’s practice and clinical services. Remember the medical staff bylaws set the overall guiding principles for the medical staff organization. All other governance documents flow from the foundation of the medical staff bylaws and must be consistent with their principles and mission. Undoubtedly, there will be some inconsistencies but look at those inconsistencies as opportunities to reexamine the principles and consider what is best for your organization. All governance documents should be reviewed in the context of the laws and regulations that require these documents. State and federal laws and regulations set out the basic requirements for the contents of the documents, as do many of the accreditation standards. It is far better to review and revise your governance documents regularly, rather than learn they are deficient during an unannounced survey or regulatory proceeding.

9. Use Your Committees Effectively.

There are two types of committees: those with authority to act and those that are advisory. The committees with authority are generally the Medical Executive Committee (“MEC”) and clinical department committees. All other committees are advisory to the MEC. Advisory committees can develop and recommend policies, rules and clinical practices. Authoritative committees approve policies and rules, take disciplinary action and make recommendations to the MEC. The MEC is the final medical staff authority that submits recommendations for final approval to the governing body. Knowing which committees to use and when is key to leadership success.

8. Know the Scope of Your Authority.

As a leader, you are an agent of the medical staff and the spokesperson for the committee/ department you chair. There are times when you will need to act without the benefit of input from your committee/department. Medical staff bylaws will generally identify the circumstances under which you can act alone and when your action(s) will need to be ratified by the committee. As the chair, you are acting on behalf of the committee/ department between meetings. Do what is needed when needed, within the scope of your authority, but report your actions to the committee/department on a regular basis and be sure your actions are properly recorded in the appropriate minutes. If summary or urgent action is needed, do not hesitate to call a special meeting. You are better off to have the protection of a committee action than to be acting alone or without ratification.

7. Know the Peer Review Protections of HCQIA, Your State and Organization.

Many, if not most, of your actions and the actions of your committees will be covered by federal, state and organizational protections. The Healthcare Quality Improvement Act (“HCQIA”) provides protection from liability for members of a professional review body/ medical staff, who take a professional review action (a) in the reasonable belief the action was in furtherance of quality health care, (b) after a reasonable effort to obtain the facts, (c) after adequate notice and hearing and (d) in the reasonable belief that the action was warranted by the facts. In addition to this federal protection, many states have laws that similarly protect peer review participants, and often, your organization will have an indemnification policy or provision that further protects you and your committee members from damages. Remind your committee participants and members on a regular basis of these protections and that they were specifically designed to encourage peer review by allowing free discussions aimed at improving patient care.

6. Know Your Reporting Obligations.

The National Practitioner Data Bank (“NPDB”) defines the circumstances under which a physician or dentist must be reported. Those include (a) when a professional review action adversely affects their clinical privileges for 30 days or longer or (b) when a physician surrenders clinical privileges while under investigation or in exchange for not conducting an investigation. The failure to report when required to do so can result in the loss of immunities under HCQIA for up to three years, along with a monetary fine. There are many nuances to reporting to the NPDB and we recommend you consult a medical staff attorney who can assist with identifying when to report and what to say. Additionally, each state may have reporting requirements for professional review actions to the state licensing board that exceed the NPDB’s requirements. The state licensing board may also have defined penalties for failure to report. In one state, the knowing failure of a physician leader to report a practitioner to the state licensing board can be considered unprofessional conduct, which can subject the physician leader to state board action.

5. Understand Confidentiality and Peer Review Privilege Protections.

A best practice at the beginning of each meeting is to remind committee members of the importance of maintaining confidentiality. State peer review privileges and protections are often dependent on maintaining confidentiality of the records and proceedings. The failure to maintain confidentiality can act as a waiver of the privilege and permit the introduction of confidential peer review documents and testimony in litigation in the future. Peer review privileges and protections are designed to promote candor in the peer review process. This permits free discussion and identification of opportunities to improve patient care. Without confidentiality and the corresponding privileges and protections, committee members would be reluctant to analyze and frankly discuss areas for improvement in a peer’s clinical care. Obtain information about your state’s peer review privilege and protections and fully understand the circumstances that may cause a waiver, which would permit confidential peer review information to be discussed in open court and stifle important, free-flowing discussion of quality of care at peer review meetings.

4. Know Your Options.

Every professional competence or conduct situation you face will be different. A sound guideline to generally follow is selecting the least restrictive action that will protect patients. Keep in mind that the goal of all peer review is education and remediation. For example, if a practitioner is having complications with robotic surgery, evaluate whether the complications are the result of technical skill, which can be remediated with more practice, or if the complications are the result of poor clinical judgment, which reaches into all areas of performance. In the first case, proctoring, monitoring or an additional educational course may correct the problem. But with the second, the cause of poor judgment is more challenging and may require a further workup, including a fitness for duty evaluation, retrospective review of cases, or an external expert review. Work with your committee and medical staff lawyer to identify all the facts and options to address the problem that has been brought to your attention. In some cases, it may be appropriate to have the issue addressed by the individual’s department or interdisciplinary peer review committee, but in others, the nature of the problem may require the immediate attention of the MEC. In some cases, a discrete referral to your organization’s well-being committee may be appropriate. Regardless, each matter must be carefully and thoughtfully analyzed in light of all the available facts. Then, with all appropriate actions on the table, an informed determination may be made.

3. Act When Indicated but Don’t Shortcut the Process.

. The law and your medical staff bylaws provide for the ability to take emergency action against a practitioner’s privileges when there is a concern of imminent threat to patients or others. What constitutes an “imminent” threat or danger is often the source of hours of discussion and analysis by medical staff lawyers throughout the country. Your legal team is invaluable in working through the facts of a given matter and determining whether a decision for summary suspension is legally sound. If there is a circumstance where emergency intervention via summary suspension is necessary to avoid patient harm after an initial evaluation of the matter, do not hesitate! Take the action to summarily suspend and remove an errant practitioner from the bedside. Afterward, there is time to re-examine the basis for the action and analyze whether continued suspension is necessary to protect patients or others. At that time, it is important to call on your MEC and legal team for their analysis and determination of whether the summary suspension should be upheld.

There are also times when summary suspension will be considered prospectively to address a chronic problem that is rising to an acute stage. The practitioner whose disruptive, bullying and retaliatory conduct has been tolerated may have reached a level where the cumulative effect creates the potential for patient harm because staff, for example, are afraid to call the physician at night about a patient’s health condition, seek clarification of an order, or question whether a procedure is being done on the right side or on the correct patient. Following the medical staff bylaws investigation process will allow for a careful analysis of the reported conduct, which will provide a solid framework for later defense, should it be necessary. That process will almost always involve a committee evaluation of the facts, interview of the practitioner, and a determination of the appropriate next steps. Each of these steps, if followed, will support the action when later scrutinized by a court or jury.

2. Do What is Right for the Patients.

Always put the patients first. There may be procedural missteps during a disciplinary process as the healthcare organization balances the need to protect patients with providing a practitioner due process. However, if the peer review being conducted is based in the foundation of improving patient care and patient safety, courts will generally consider the health care organization’s goals before making a determination that would go against the organization and potentially place patients in harm’s way.

1. Utilize Internal or External Counsel to Navigate Medical Staff Law so You Can Focus on Improving Patient Care.

I (Erin) was asked recently what possible motivation there would be for a physician to enter leadership in a medical staff organization if their role consisted solely of consulting with a medical staff lawyer. In response, I reminded this physician that medical staff leadership and medical staff lawyers work together on challenging matters and daily operations with the lawyer recommending limitations and guardrails and advising on how to avoid legal missteps and pitfalls. This advice from the lawyer enables the leader to focus on monitoring the business of the organization and improving patient care.

Final Take-Aways

Our medical staff organizations need people who are willing to serve as leaders during challenging times when caregivers are stretched thin, suffering burnout and subjected to daily difficulties that can be demoralizing. Strong leaders who are reassured of their legal protections can perform their leadership responsibilities without fear of reprisal when following the advice of their legal counsel. We encourage you to reach out and make your lawyer an integral part of your team so that they can understand your organization and business and provide you the best available advice that will reassure you and other leaders in the organization of the legal protections and immunities.

© Polsinelli PC, Polsinelli LLP in California

U.S. Supreme Court Agrees with HHS Payment Methodology for Disproportionate Share Hospitals

The fight about how Medicare compensates disproportionate share hospitals (“DSH”) is one of the longest-running reimbursement disputes of recent years, and it has generated copious work for judges around the country.  In a 5-4 decision, the U.S. Supreme Court settled one piece of the conflict:  the counting of “Medicare-entitled” patients in the Medicare fraction of the “disproportionate-patient percentage.”  Becerra v. Empire Health Found., 597 U.S. ___ (2022) (slip op.).  The Supreme Court concluded that the proper calculation, under the statute, counts “individuals ‘entitled to [Medicare] benefits[,]’ . . . regardless of whether they are receiving Medicare payments” for certain services.  Id. (slip op., at 18) (emphasis added).

DSH payments are made to hospitals with a large low-income patient mix.  “The mark-up reflects that low-income individuals are often more expensive to treat than higher income ones, even for the same medical conditions.”  Id. (slip op., at 3).  The federal government thus gives hospitals a financial boost for treating a “disproportionate share” of the indigent population.

The DHS payment depends on a hospital’s “disproportionate-patient percentage,” which is basically the sum of two fractions: the Medicare fraction, which reflects what portion of the Medicare patients were low-income; and the Medicaid fraction, which reflects what portion of the non-Medicare patients were on Medicaid.  Historically, HHS calculated the Medicare fraction by including only patients actually receiving certain Medicare benefits for their care.  In 2004, however, HHS changed course and issued a new rule.  It counted, in the Medicare fraction, all patients who were eligible for Medicare benefits generally (essentially, over 65 or disabled), even if particular benefits were not actually being paid.  For most providers, that change resulted in a pay cut.

The new rule sparked several lawsuits.  Hospitals challenged HHS’s policy based on the authorizing statutory language.  These hospitals essentially argued in favor of the old methodology.  Appeals led to a circuit split, with the Sixth and D.C. Circuits agreeing with HHS, and the Ninth Circuit ruling that HHS had misread the statute.

The Supreme Court has now resolved the issue.  The majority opinion, authored by Justice Kagan, sided with HHS.  The majority concluded that, based on the statutory language, “individuals ‘entitled to [Medicare] benefits’ are all those qualifying for the program, regardless of whether they are receiving Medicare payments for part or all of a hospital stay.”  Id. (slip op., at 18).  The majority also explained that if “entitlement to benefits” bore the meaning suggested by the hospital, “Medicare beneficiaries would lose important rights and protections . . . [and a] patient could lose his ability to enroll in other Medicare programs whenever he lacked a right to [certain] payments for hospital care.”  Id. (slip op., at 11).

Justice Kavanaugh dissented, joined by Chief Justice Roberts and Justices Gorsuch and Alito.  The dissent argued that those lacking certain Medicare coverage should be excluded from HHS’s formula, based on “the most fundamental principle of statutory interpretation: Read the statute.”  Id. (Kavanaugh, J., dissenting) (slip op., at 2).  According to the dissent, the majority’s ruling will also restrict hospitals’ ability to provide care to underprivileged communities.  “HHS’s misreading of the statute has significant real-world effects: It financially harms hospitals that serve low-income patients, thereby hamstringing those hospitals’ ability to provide needed care to low-income communities.”  Id. (slip op., at 4).

There was one point of agreement among the majority and dissenting justices: the complexity of the statutory language for DSH payments.  Echoing the thoughts often held by healthcare advisors, Justice Kagan found the statutory formula to be “a mouthful” and “a lot to digest.”  Id. (majority opinion) (slip op., at 4).  And in his dissent, Justice Kavanaugh called the statute “mind-numbingly complex,” and resorted to an interpretation that he found “straightforward and commonsensical”: that patients cannot be “simultaneously entitled and disentitled” to Medicare benefits.  Id. (Kavanaugh, J., dissenting) (slip op., at 1, 3).

© Copyright 2022 Squire Patton Boggs (US) LLP

Health Care Providers on Alert: Two Hospitals Penalized for Continuous Noncompliance with the Hospital Price Transparency Rule

We previously discussed the requirements of the Hospital Price Transparency Rule (“Rule”) on health care providers and health plans, as well as CMS’s proposal to increase penalties for a hospital’s failure to comply with the Rule.  About a year and a half after the Rule became effective, CMS has now imposed its first set of civil monetary penalties (“CMPs”) on Northside Hospital Atlanta and Northside Hospital Cherokee, which have been fined $883,180 and $214,320, respectively.

The Rule requires, in part, hospitals to make public a machine-readable file containing a list of all standard charges for all items and services, such as, e.g., supplies, room and board, and use of the facility, among other items.  See 45 C.F.R. § 180.40(a); id. at § 180.20.  The Rule also requires hospitals to display shoppable services in a consumer-friendly manner.  See id. at § 180.60(d)(2); id. at § 180.60(b).  The goal of these specific requirements, in addition to those set forth in the remainder of the Rule, is to provide consumers with sufficient information about the charges for certain items and services by requiring health care providers and health plans to be publicly transparent about such charges.

Based on CMS’s CMP letters, dated June 7, 2022, Northside Hospital Atlanta and Northside Hospital Cherokee were non-compliant with the aforementioned specific requirements of the Rule.  The chronology of events is important to understand how CMS ended up issuing its CMP letters.

Northside Hospital Atlanta

For Northside Hospital Atlanta:

  • CMS documented the hospital’s non-compliance since March 24, 2021.
  • CMS issued a Warning Letter, dated April 19, 2021, to the hospital and provided it the opportunity to respond and to provide supporting documentation to CMS.
  • Northside Hospital Atlanta did not respond.
  • On September 2, 2021, CMS reviewed the hospital’s website and determined that the non-compliance persisted.
  • On September 30, 2021, CMS issued a Request for Corrective Action Plan (CAP) to the hospital, stating that it was non-compliant with the aforementioned specific requirements of the Rule.
  • On November 15, 2021, in response to the Request for CAP, the hospital stated that patients could request specific price estimate quotes by calling or emailing Northside Hospital Atlanta, which CMS determined was insufficient in response to its Request for CAP and to comply with the Rule.
  • On December 20, 2021, CMS requested a revised CAP from the hospital.
  • Northside Hospital Atlanta did not respond.
  • On January 11, 2022, CMS conducted a technical assistance call with the hospital, during which the hospital confirmed that it was non-compliant with the Rule and explained that it had intentionally removed all previously posted pricing files.
  • On January 24, 2022, CMS, again, requested a revised CAP from the hospital.
  • Northside Hospital Atlanta did not respond.

Based on the foregoing, CMS imposed an $883,180 CMP on Northside Hospital Atlanta, calculated as follows, pursuant to 45 C.F.R. § 180.90:

  • $36,300
    • $300 per day of non-compliance times 121 days.
    • 121 days represents the number of calendar days during 2021 that Northside Hospital Atlanta was non-compliant with the Rule (September 2, 2021 through December 31, 2021), pursuant to 45 C.F.R. § 180.90(2)(i).

 plus

  • $846,880
    • $10 per bed per day times 536 beds times 158 days.
    • 158 days represents the number of calendar days during 2022 that Northside Hospital Atlanta was non-compliant with the Rule (January 1, 2022 through the date of CMS’s CMP letter, June 7, 2022), pursuant to 45 C.F.R. § 180.90(2)(ii).

Northside Hospital Atlanta has until 60 calendar days from the date of CMS’s CMP letter to pay.  Until the hospital notifies CMS that all non-compliance has been corrected, CMPs will continue to accrue.

Northside Hospital Cherokee

For similar reasons as Northside Hospital Atlanta, Northside Hospital Cherokee was fined $214,320.  CMS noted that Northside Hospital Cherokee was non-compliant since April 16, 2021, and notified the hospital by Warning Letter, dated May 18, 2021.  CMS reviewed the hospital’s website on September 9, 2021, and issued a Request for CAP on October 27, 2021—to which the hospital did not respond.  Similar to Northside Hospital Atlanta, CMS held a technical assistance call on January 11, 2022, during which Northside Hospital Cherokee notified CMS that it had intentionally removed all previously posted pricing files.  CMS requested a Request for CAP on January 24, 2022—to which the hospital did not respond.

Similar to Northside Hospital Atlanta, Northside Hospital Cherokee was penalized $214,320, calculated as follows:

  • $34,200
    • $300 per day of non-compliance times 114 days.
    • 114 days represents the number of calendar days during 2021 that Northside Hospital Cherokee was non-compliant with the Rule (September 9, 2021 through December 31, 2021), pursuant to 45 C.F.R. § 180.90(2)(i).

plus

  • $180,120
    • $10 per bed per day times 114 beds times 158 days.
    • 158 days represents the number of calendar days during 2022 that Northside Hospital Cherokee was non-compliant with the Rule (January 1, 2022 through the date of CMS’s CMP letter, June 7, 2022), pursuant to 45 C.F.R. § 180.90(2)(ii).

Similar to Northside Hospital Atlanta, CMS noted that Northside Hospital Cherokee continues to be non-compliant and, thus, CMPs will continue to accrue.

Takeaways

These fines reflect CMS’s willingness to take material enforcement action where the Rule’s regulatory requirements are largely ignored and CMS’s subsequent efforts to obtain compliance are rejected.  Non-compliance carries heavy fines that are calculated, in part, by the number of days of non-compliance and by bed count.  Health care providers should take notice and ensure that they are compliant or, at least, making efforts towards compliance with the Rule’s requirements.  Critically, CMS will not accept a refusal to comply, as reflected in CMS’s responses to Northside Hospital Atlanta’s and Northside Hospital Cherokee’s refusals to submit CAPs.  As noted in CMS’s CMP letters to these providers, CMS is scanning websites and subsequently notifying providers that appear to be non-compliant with the Rule—which are ignored at the provider’s peril.

© 2022 Proskauer Rose LLP.

Interpol Issues Alert on Increased Risk of Ransomware Attacks Against COVID-19 Medical Organizations

Interpol has issued an alert to global law enforcement agencies about the increased risk of ransomware attacks on hospitals, health care providers and other organizations on the front line of response to the COVID-19 pandemic.

The Purple Notice, issued to all 194 member countries, notified them that Interpol’s Cybercrime Threat Response team has detected a “significant increase” in ransomware attempts against hospitals and medical organizations.

According to a spokesman from Interpol, “[A]s hospitals and medical organizations around the world are working non-stop to preserve the well-being of individuals stricken with the coronavirus, they have become targets for ruthless cyber-criminals who are looking to make a profit at the expense of sick patients. Locking hospitals out of their critical systems will not only delay the swift medical response required during these unprecedented times, it could directly lead to deaths. INTERPOL continues to stand by its member countries and provide assistance necessary to ensure our vital healthcare systems remain untouched and the criminals targeting them held accountable.”

The primary vector for the ransomware attacks continues to be phishing attempts. Unfortunately, due to the emergency nature of COVID-19, healthcare workers are working long, stressful hours, and may not be as vigilant as usual in spotting phishing emails. The criminals are luring tired workers into clicking on links and attachments with subject lines that appear to be COVID-19- related or are from the Centers for Disease Control or other governmental bodies trying to keep healthcare workers informed about the rapidly spreading virus.

Hospitals and other healthcare entities should be aware of these warnings from INTERPOL and Microsoft [view related post] and notify their employees to be extra vigilant when opening emails, links and attachments.


Copyright © 2020 Robinson & Cole LLP. All rights reserved.

For more industries affected by COVID-19, see the National Law Review Coronavirus News section.

CMS Issues Final Regulations For Hospital Price Transparency

On November 15, 2019, the U.S. Department of Health and Human Services (HHS) Centers for Medicare and Medicaid Services (CMS) announced final regulations implementing greater price transparency requirements for hospitals. Issued on the heels of a Trump Administration Executive Order directing HHS to propose regulations on increased price transparency, the new regulations modify and finalize CMS’ earlier guidance implementing section 2718(e) of the Public Health Service Act, to further expand price transparency requirements for hospitals. (See our previous analysis of the Executive Order here.) Effective January 1, 2021, the new regulations will be located at 45 C.F.R. 180.00 et. seq. and will require hospitals to make accessible specific “standard charge” pricing data for all “items and services” provided. Furthermore, the regulations include special requirements for posting pricing information about “shoppable services.” Key details are summarized below:

Important Definitions (45 CFR 180.20)

  • Hospital. The regulations apply to any institution licensed as a hospital under applicable state law.
  • Items and Services. The regulations require pricing data on all items and services “including individual items and services and service packages, that could be provided by a hospital to a patient in connection with an inpatient admission or an outpatient department visit for which the hospital has established a standard charge.”
  • Shoppable Service. The regulations define a shoppable service as a service that a consumer can schedule in advance.
  • Standard Charge. Hospitals must post the following five standard charges:
    1. Gross charge – The price on the hospital’s chargemaster with no discounts.
    2. Payer-specific negotiated charge – The charge negotiated with a third-party payer.
    3. De-identified minimum negotiated charge – The lowest charge the hospital has negotiated with all third-party payers for an item or service.
    4. De-identified maximum negotiated charge – The highest charge the hospital has negotiated with all third-party payers for an item or service.
    5. Discounted cash price – The charge for an individual who pays cash for an item or service.

Substantive Requirements (45 CFR 180.40-180.60)

All hospitals must now make public two items related to pricing; (a) a machine-readable file containing a list of all standard charges for all items and services, and (b) a consumer-friendly list of standard charges for a limited set of shoppable services. Each of these components are described in more detail below.

  • All Items and Services. Each hospital must establish a list of standard charges for all items and services they provide. This list must include a description of each item or service, the five standard charges (applicable to both inpatient and outpatient services), and any common identifier billing or accounting code used by the hospital. This information must be published on a publicly accessible website in a single searchable digital file without any barriers to access. The posting requirement will apply to each hospital location operating under the same license if the location has different standard charges.
  • Shoppable Services. Each hospital must establish a list of standard charges for 300 shoppable services. This list must include any of the 70 CMS-specified shoppable services the hospital provides and as many additional shoppable services determined by the hospital as needed to reach the 300-service threshold (unless the hospital does not provide 300, then all must be published). The list must include a plain language description of the service, indicators of CMS shoppable services that are not offered, the standard charges – except for the gross charge – for all shoppable services (the gross charge only needs to be posted if the hospital does not offer a discounted cash price), the locations where the shoppable service is provided and any location-specific pricing, and any common identifier billing or accounting code used by the hospital. The hospital may choose the format of publication, but it must be on the internet, accessible without barriers, and prominently located. Compliance with this requirement can occur if a hospital maintains an internet-based price estimator tool for the relevant services.

Enforcement (45 CFR 180.70-180.90)

CMS will monitor compliance by fielding complaints about hospitals, reviewing individuals’ or entities’ analysis of noncompliance, and auditing hospital websites. If noncompliance is detected, CMS will have the authority to issue warning letters, request a corrective action plan, and potentially impose civil monetary penalties up to a maximum of $300 per day.

The regulations go into effect January 1, 2021, giving hospitals a little more than a year to develop a plan for compliance.


Copyright © 2019 Robinson & Cole LLP. All rights reserved.

More on CMS & HHS regulations on the National Law Review Health Law & Managed Care page.

Nurse Staffing Ratios May Be Coming to a Hospital Near You

On November 6, 2018, when Massachusetts voters go to the polls to select a new Governor and other key elected officers, they will also consider Ballot Question 1, which will mandate rigid registered nurse staffing ratios for hospitals across the Commonwealth effective as of January 1, 2019. This proposal would make Massachusetts the second state in the United States to have specific staffing ratios mandated in all units. This initiative follows only California, which passed a less comprehensive law through the legislative process in 1999 and provided over five (5) years for hospitals to implement by 2004.[1] The Massachusetts ballot initiative process, like that of some other states, allows the voters to write entirely new law into books. Question 1 appears to be the most heavily-fought ballot initiative in Massachusetts in recent memory. While Massachusetts seems to be the only state this year with a nurse staffing ratio as a referendum ballot initiative,[2] unions nationally will focus on the results of this year’s effort.

What is Question 1?

Question 1, if passed, would mandate highly-prescriptive and specific nurse-to-patient ratios based on the type of patients/units in hospitals, regardless of market, acuity of the patient, physician orders, or nursing judgement. Hospitals are required to implement a written plan detailing the maximum number of patients to be assigned to a registered nurse by unit at all times, while also “concurrently detailing the facility’s plans to ensure that it will implement such limits without diminishing the staffing levels of its health care workforce.”

Hospitals would also be required to develop a “patient acuity tool” for each unit to be used to determine whether the maximum number of patients that may be assigned should be lower than the assignment limits in the law. Notices regarding the patient assignment limits must be posted in conspicuous places, including each unit, patient room, and waiting area.

What are the Ratios?

The specific ratios mandated are summarized as follows (nurse:patient):

  • Step-down/intermediate care 1:3
  • Post anesthesia care (PACU) 1:1; PACU post-anesthesia 1:2
  • All units with operating room (OR) patients 1:1; OR patients post-anesthesia 1:2
  • Emergency Services Department: 1:1, 1:2,1:3, or 1:5 depending on the emergent or urgent nature of a patient which often changes by the minute
  • Maternal child care patients:
    • Active labor, intermittent auscultation for fetal assessment, and patients with medical or obstetrical complications 1:1
    • During birth and for up to two hours immediately postpartum 1:1 for mother and baby; when the condition of the mother and baby are determined to be stable and the critical elements are met, 1 nurse may care for both the mother and the baby(ies)
    • During postpartum for uncomplicated mothers or babies 1:6 (either 6 mothers or babies, 3 couplets of mothers and babies, or, in the case of multiple babies, not more than a total of 6 patients
    • Intermediate care or continuing care babies is 1:2 for babies
    • Well-babies 1:6
  • Pediatric 1:4
  • Psychiatric 1:5
  • Medical, surgical and telemetry patients 1:4
  • Observation/outpatient treatment 1:4
  • Rehabilitation units 1:5
  • All others 1:4

How Would the New Law be Enforced?

Question 1 also requires the state’s Health Policy Commission (HPC) (as opposed to the Department of Public Health, which is the state authority to license and regulate hospitals and other health care providers) to promulgate regulations and conduct inspections governing the implementation of the initiative.  The HPC is a six year old independent state agency charged with monitoring health care spending growth, it does not have the staff or infrastructure to conduct routine hospital surveys to monitor internal facility management and operations. It is also important to note that the proposed ballot would restrict the HPC by preventing it from issuing any delays, temporary or permanent waivers, or modifications of the ratios. Thus, even if the HPC believed that the January 1st  implementation date was unfeasible, it may be prohibited from offering waivers.

The HPC may report violations to the State Attorney General, who could file suit to obtain injunctions as well as civil penalties of up to $25,000 per violation and up to $25,000/day for continued violations.

The Impact if Question 1 Passes

Coalitions have lined up on both sides of Question 1.  Each side has painted dramatically-different pictures of a future for the industry with mandated nurse staffing ratios. The supportive nursing union has cast the initiative as being relatively small dollars for the industry, costing only $47 Million for all hospitals in the state in total according to their study.[3],[4]  The Massachusetts Health and Hospital Association and a broad-based coalition of health care providers and other nursing organizations opposed to the initiative point to studies estimating that the cost will be in excess of $1 Billion to the industry.[5]  Increased costs are based on the need to recruit new nurses, as well as the across-the-board increases in pay. There will be a need to hire 5,911 registered nurses within 37 business days to comply with January 1st  deadline and this is in a state that already has a shortage of approximately 1,200 registered nurses.[6]  Individual community hospitals are reporting projected additional expenditures that amount to more than the $30 Million per year, with teaching hospitals anticipating increased expenditures higher than that.[7]

On October 4, 2018, the HPC issued its independent report on the estimated costs of Question 1, essentially validating the opposition’s concerns, and projecting annual increased costs of $676 Million to $949 Million, and noted that the projections were “conservative.” The HPC study undercounted costs as it only looked at increased costs in certain units, and excluded costs associated with increased staffing in emergency departments, observation units, outpatient departments, or any costs for implementation or to non-acute hospitals.[8]  Wage increases of 4 – 6% are predicted in the HPC study, based on the California experience with across-the-board staffing requirements in place, and estimated increases of total health expenditures in Massachusetts of 1.1 – 1.6%, with increases of 2.4 – 3.5% for hospital spending alone, again, based on a conservative and partial analysis. Thus, it appears that the industry fears of greater than $1Billion in annual increased expenses are valid.

Ancillary adverse impacts anticipated by the HPC included reduced access to emergency care, increased wait times, decreased patient flow, increased “boarding,” and more ambulance diversions.

The HPC also compared Massachusetts to California hospitals and concluded that there was “no systematic improvement in patient outcomes post-implementation of ratios.”

What Should Hospitals be Doing Now?

Question 1, if passed, would only apply to Massachusetts licensed hospitals.  But hospitals and health systems in other jurisdictions should be prepared for similar efforts in their states. The following are some initial steps hospitals should be considering

Access Management.  Access problems will be common starting in January if Question 1 passes. Elective procedures, non-emergent appointments and other services may need to be curtailed effective January 1, 2019.  Hospitals will need to meet staffing levels on that day with respect to then-current inpatients and outpatients.  Avoiding new admissions in December may be necessary to assure the hospital is not in instant violation on New Year’s Day. Early patient contact to warn about the possibility of rescheduling procedures will prudent.

Payer Contract “Reopeners.”  Payer contracting “reopeners” should be added to managed care contracts now. The hospital community has been watching the interest of the unions in pushing nurse staffing ratios in Massachusetts and other states for a number of years. Health systems and hospitals negotiating long-term contracts with payers have often included “reopeners” to permit the hospital to revisit contract rates even during the term of an agreement if certain extreme events come to pass.  Hospitals in all jurisdictions are encouraged to consider adding such reopeners to their agreements today.

Massachusetts hospitals should review their payer contracts now to confirm if they have the right to a mid-term reopening and, if so, provide notice immediately upon passage to their payers that the hospital will need to renegotiate rates to address the increased costs. Charge masters will also need to be reviewed immediately.

Union status? Based on their efforts to rally public support around Question 1, the Massachusetts Nurses Association is trying to do an end-run around the collective bargaining table where their past efforts on the issue of staffing ratios have failed.  Health systems and hospitals should review their collective bargaining agreements to determine whether they are in a position to trigger a reopener during the term of the contract to address the numerous monetary and non-monetary consequences of rigid staffing ratios contemplated by Question 1.

Unit Closure Plans.  If passed, hospitals in Massachusetts will likely need to immediately assess whether and how they could comply with these new ratios. Units that already operate at a loss, or for which meeting the staffing requirements is impossible, should be closed or reduced to the smallest possible patient compliment.  Closure plans and negotiations will need to commence immediately.

Massive Recruitment Efforts.  While there are believed to be a few hospitals that may already meet these staffing levels (at some times), most hospitals will need to recruit many more registered nurses, as well as have additional nurses standing by for fluctuations in patient loads on various units on a daily basis.  As noted above, the law will require hiring nearly 6,000 RNs in the fourth quarter of this year.[9]

Conclusion

If Question 1 passes, conservative projections estimate extreme new costs will be incurred by Massachusetts hospitals, which will result in both reductions in levels of service, and increased costs to payers and patients.  It is important to note that the dire circumstances of the ballot has led to an increasing large number of nursing organizations and physician groups in Massachusetts to all oppose Question 1. While Massachusetts hospitals are making plans akin to natural disaster preparedness, hospitals in other states should watch carefully these events to be ready should similar initiatives arise locally.

———————————

[1] A few other states have limited ratios in certain special types units (like intensive care units), but Question 1 applies to all hospital units.

[2] See http://www.ncsl.org/research/elections-and-campaigns/ballot-measures-database.aspx(June 6, 2018); downloaded on October 8, 2018.

[3] See https://www.massnurses.org/news-and-events/p/openItem/11083

[4] See https://safepatientlimits.org/wp-content/uploads/Shindul-Rothschild-Esti…

[5] See https://www.protectpatientsafety.com/get-the-facts/

[6]  See Mass Insight Global Partnership, Protecting the Best Patient Care in the Country, Local Choices v Statewide Mandates in Massachusetts (April, 2018)  http://www.bwresearch.com/reports/bwresearch_mha-nlr-report_2018Apr.pdf (“Mass Insight Study”)

[7] See Financial impact of nurses ballot question? Depends who’s counting, Priyanka Dayal McCluskey, Boston Globe (Sept. 17, 2018).  https://www.bostonglobe.com/metro/2018/09/17/financial-impact-nurses-ballot-question-depends-who-counting/mlS4yZa5IB8hcDaFZ7ojXM/story.html

[8] See Analysis of Potential Cost Impact of Mandated Nurse-to-Patient Staffing Ratios, October 3, 2018, https://www.mass.gov/doc/presentation-analysis-of-potential-cost-impact-…

[9] Mass Insight Study.

 

© 2018 Foley & Lardner LLP
This post was written by Lawrence W. Vernaglia and Donald W. Schroeder of  Foley & Lardner LLP.

Ransomware Strikes California Hospital – Could You Be Next?

digitallife03-111715In a chain of events that should be a wake-up call to any entity using and storing critical health information (and indeed, ANY kind of critical information), Hollywood Presbyterian Medical Center (“HPMC”) has announced that it paid hackers $17,000 to end a ransomware attack on the hospital’s computer systems. On February 5, HPMC fell victim to an attack that locked access to the medical center’s electronic medical record (“EMR”) system and blocked the electronic exchange of patient information. Earlier reports indicated that the hackers had originally demanded $3,400,000.Such “ransomware” attacks are caused by computer viruses that wall off or encrypt data to prevent user access. Hackers hold the data ransom, demanding payment for the decryption key necessary to unlock the data. The attacks are often caused by email phishing scams. The scams may be random or target particular businesses or entities. In the case of HPMC, the medical center’s president and CEO indicated to media outlets that the attack was random, though Brian Barrett, writing for Wiredquestioned that assertion. The medical center’s announcement of the resolution of the incident indicates that there is no evidence that patient or employee information was accessed by the hackers as part of the attack. Even if the data was not compromised, the attack led to enormous hassles at the hospital, returning it to a pre-electronic record-keeping system.

We have seen many variations of the ransomware attacks on the increase lately.   Cryptolocker and Cryptowall are the two most prevalent threats, but a Forbes article about the HPMC attack revealed that HPMC was victimized by a variant called “Locky,” which, according to the Forbes article, is infecting about 90,000 machines a day.

Details of the HPMC Incident

On February 2, 2016, three days before the HPMC attack, the Department of Health & Human Services Office for Civil Rights (“OCR”) announced the launch of its new Cyber-Awareness Initiative. That announcement included information on ransomware attacks and prevention strategies. Suggested prevention strategies from OCR included:

  1. Backing up data onto segmented networks or external devices and making sure backups are current.  That protects you from data loss of any kind, whether caused by ransomware, flood, fire, loss, etc.  If your system is adequately backed up, you may not need to pay ransom to get your data unlocked.

  2. Don’t be the low-hanging fruit:  Ensuring software patches and anti-virus are current and updated will certainly help.   Many attacks rely on exploiting security bugs that already have available fixes.

  3. Installing pop-up blockers and ad-blocking software.

  4. Implementing browser filters and smart email practices.

Most of these prevention strategies are HIPAA security and overall general business security measures that ought to be in place for companies across the board. As OCR and the FBI (see below) both indicate, smart email practices and training the workforce on them are key elements to preventing phishing scams.

FBI on Ransomware

One of the big questions arising out of the HPMC and other ransomware cases is:  do we pay?   If your business is about to grind to a halt, you likely have no choice.    However, the incident should first be reported to the FBI and discussed with forensics and legal experts who have experience with ransomware in particular. The FBI’s Ransomware information page provides some tips.  Ransomware attacks should be part of your incident response plan and the “what do we do” should be discussed at the highest levels of the company.

When in Doubt, Don’t Be a Click Monkey!

Before clicking on a link in an email or opening an attachment, consider contextual clues in the email. The following types of messages should be considered suspicious:

  • A shipping confirmation that does not appear to be related to a package you have actually sent or expect to receive.

  • A message about a sensitive topic (e.g., taxes, bank accounts, other websites with log-in information) that has multiple parties in the To: or cc: line.

  • A bank with whom you do not do business asking you to reset your password.CodeMonkey-68762_960x3601

  • A message with an attachment but no text in the body.

All businesses in any sector need to take notice of the HPMC attack and take steps to ensure that they are not the next hostages in a ransomware scheme.

©1994-2016 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.