FCC Puts Another Carrier On Notice with Cease and Desist Letter

If you haven’t already figured it out, the FCC is serious about carriers and providers not carrying robocalls.

The FCC sent a cease and desist letter to DigitalIPvoice informing them of the need to investigate suspected traffic. The FCC reminded them that failure to comply with the letter “may result in downstream voice service providers permanently blocking all of DigitalIPvoice’s traffic”.

For background, DigitalIPvoice is a gateway provider meaning they accept calls directly from foreign originating or intermediate providers. The Industry Traceback Group (ITG) investigated some questionable traffic back in December and identified DigitalIPvoice as the gateway provider for some of the calls. ITG informed DigitalIPvoice and “DigitialIPVoice did not dispute that the calls were illegal.”

This is problematic because as the FCC states “gateway providers that transmit illegal robocall traffic face serious consequences, including blocking by downstream providers of all of the provider’s traffic.”

Emphasis in original. Yes. The FCC sent that in BOLD to DigitalIPvoice. I love aggressive formatting choices.

The FCC then gave DigitalIPvoice steps to take to mitigate the calls in response to this notice. They have to investigate the traffic and then block identified traffic and report back to the FCC and the ITG on the outcome of the investigation.

The whole letter is worth reading but a few points for voice service providers and gateway providers:

  1. You have to know who your customers are and what they are doing on your network. The FCC is requiring voice service providers and gateway providers to include KYC in their robocall mitigation plans.
  2. You have to work with the ITG. You have to have a traceback policy and procedures. All traceback requests have to be treated as a P0 priority.
  3. You have to be able to trace the traffic you are handling. From beginning to end.

The FCC is going after robocalls hard. Protect yourself by understanding what is going to be required of your network.

Keeping you in the loop.

For more news on FCC Regulations, visit the NLR Communications, Media & Internet section.

FCC Adopts Updated Data Breach Notification Rules

On December 13, 2023, the Federal Communications Commission (FCC) voted to update its 16-year old data breach notification rules (the “Rules”). Pursuant to the FCC update, providers of telecommunications, Voice over Internet Protocol (VoIP) and telecommunications relay services (TRS) are now required to notify the FCC of a data breach, in addition to existing obligations to notify affected customers, the FBI and the U.S. Secret Service.

The updated Rules introduce a new customer notification timing requirement, requiring notice of a data breach to affected customers without unreasonable delay after notification to the FCC and law enforcement agencies, and in no case more than 30 days after the reasonable determination of a breach. The new Rules also expand the definition of “breach” to include “inadvertent access, use, or disclosure of customer information, except in those cases where such information is acquired in good faith by an employee or agent of a carrier or TRS provider, and such information is not used improperly or further disclosed.” The updated Rules further introduce a harm threshold, whereby customer notification is not required if a carrier or TRS provider can “reasonably determine that no harm to customers is reasonably likely to occur as a result of the breach,” or where the breach solely involves encrypted data and the encryption key was not affected.

Health Care Providers on Alert: Two Hospitals Penalized for Continuous Noncompliance with the Hospital Price Transparency Rule

We previously discussed the requirements of the Hospital Price Transparency Rule (“Rule”) on health care providers and health plans, as well as CMS’s proposal to increase penalties for a hospital’s failure to comply with the Rule.  About a year and a half after the Rule became effective, CMS has now imposed its first set of civil monetary penalties (“CMPs”) on Northside Hospital Atlanta and Northside Hospital Cherokee, which have been fined $883,180 and $214,320, respectively.

The Rule requires, in part, hospitals to make public a machine-readable file containing a list of all standard charges for all items and services, such as, e.g., supplies, room and board, and use of the facility, among other items.  See 45 C.F.R. § 180.40(a); id. at § 180.20.  The Rule also requires hospitals to display shoppable services in a consumer-friendly manner.  See id. at § 180.60(d)(2); id. at § 180.60(b).  The goal of these specific requirements, in addition to those set forth in the remainder of the Rule, is to provide consumers with sufficient information about the charges for certain items and services by requiring health care providers and health plans to be publicly transparent about such charges.

Based on CMS’s CMP letters, dated June 7, 2022, Northside Hospital Atlanta and Northside Hospital Cherokee were non-compliant with the aforementioned specific requirements of the Rule.  The chronology of events is important to understand how CMS ended up issuing its CMP letters.

Northside Hospital Atlanta

For Northside Hospital Atlanta:

  • CMS documented the hospital’s non-compliance since March 24, 2021.
  • CMS issued a Warning Letter, dated April 19, 2021, to the hospital and provided it the opportunity to respond and to provide supporting documentation to CMS.
  • Northside Hospital Atlanta did not respond.
  • On September 2, 2021, CMS reviewed the hospital’s website and determined that the non-compliance persisted.
  • On September 30, 2021, CMS issued a Request for Corrective Action Plan (CAP) to the hospital, stating that it was non-compliant with the aforementioned specific requirements of the Rule.
  • On November 15, 2021, in response to the Request for CAP, the hospital stated that patients could request specific price estimate quotes by calling or emailing Northside Hospital Atlanta, which CMS determined was insufficient in response to its Request for CAP and to comply with the Rule.
  • On December 20, 2021, CMS requested a revised CAP from the hospital.
  • Northside Hospital Atlanta did not respond.
  • On January 11, 2022, CMS conducted a technical assistance call with the hospital, during which the hospital confirmed that it was non-compliant with the Rule and explained that it had intentionally removed all previously posted pricing files.
  • On January 24, 2022, CMS, again, requested a revised CAP from the hospital.
  • Northside Hospital Atlanta did not respond.

Based on the foregoing, CMS imposed an $883,180 CMP on Northside Hospital Atlanta, calculated as follows, pursuant to 45 C.F.R. § 180.90:

  • $36,300
    • $300 per day of non-compliance times 121 days.
    • 121 days represents the number of calendar days during 2021 that Northside Hospital Atlanta was non-compliant with the Rule (September 2, 2021 through December 31, 2021), pursuant to 45 C.F.R. § 180.90(2)(i).

 plus

  • $846,880
    • $10 per bed per day times 536 beds times 158 days.
    • 158 days represents the number of calendar days during 2022 that Northside Hospital Atlanta was non-compliant with the Rule (January 1, 2022 through the date of CMS’s CMP letter, June 7, 2022), pursuant to 45 C.F.R. § 180.90(2)(ii).

Northside Hospital Atlanta has until 60 calendar days from the date of CMS’s CMP letter to pay.  Until the hospital notifies CMS that all non-compliance has been corrected, CMPs will continue to accrue.

Northside Hospital Cherokee

For similar reasons as Northside Hospital Atlanta, Northside Hospital Cherokee was fined $214,320.  CMS noted that Northside Hospital Cherokee was non-compliant since April 16, 2021, and notified the hospital by Warning Letter, dated May 18, 2021.  CMS reviewed the hospital’s website on September 9, 2021, and issued a Request for CAP on October 27, 2021—to which the hospital did not respond.  Similar to Northside Hospital Atlanta, CMS held a technical assistance call on January 11, 2022, during which Northside Hospital Cherokee notified CMS that it had intentionally removed all previously posted pricing files.  CMS requested a Request for CAP on January 24, 2022—to which the hospital did not respond.

Similar to Northside Hospital Atlanta, Northside Hospital Cherokee was penalized $214,320, calculated as follows:

  • $34,200
    • $300 per day of non-compliance times 114 days.
    • 114 days represents the number of calendar days during 2021 that Northside Hospital Cherokee was non-compliant with the Rule (September 9, 2021 through December 31, 2021), pursuant to 45 C.F.R. § 180.90(2)(i).

plus

  • $180,120
    • $10 per bed per day times 114 beds times 158 days.
    • 158 days represents the number of calendar days during 2022 that Northside Hospital Cherokee was non-compliant with the Rule (January 1, 2022 through the date of CMS’s CMP letter, June 7, 2022), pursuant to 45 C.F.R. § 180.90(2)(ii).

Similar to Northside Hospital Atlanta, CMS noted that Northside Hospital Cherokee continues to be non-compliant and, thus, CMPs will continue to accrue.

Takeaways

These fines reflect CMS’s willingness to take material enforcement action where the Rule’s regulatory requirements are largely ignored and CMS’s subsequent efforts to obtain compliance are rejected.  Non-compliance carries heavy fines that are calculated, in part, by the number of days of non-compliance and by bed count.  Health care providers should take notice and ensure that they are compliant or, at least, making efforts towards compliance with the Rule’s requirements.  Critically, CMS will not accept a refusal to comply, as reflected in CMS’s responses to Northside Hospital Atlanta’s and Northside Hospital Cherokee’s refusals to submit CAPs.  As noted in CMS’s CMP letters to these providers, CMS is scanning websites and subsequently notifying providers that appear to be non-compliant with the Rule—which are ignored at the provider’s peril.

© 2022 Proskauer Rose LLP.