On October 30, 2015, the Centers for Medicare and Medicaid (“CMS”) issued a final regulation that includes modifications to the Stark Law (the “Final Rule”). Among other things, the Final Rule adds two new exceptions to the Stark Law’s prohibited referrals and clarifies regulatory definitions and requirements. These new regulations were published in the Federal Register on November 16, 2015. The majority of these changes will go into effect on January 1, 2016.
In the past few years, medical devices have become a major target for online criminals. Not only are medical devices considered to be one of the easiest and most vulnerable points of entry into a health care enterprise, they are one of the most difficult areas to remediate even when an attack has been identified. Once infiltrated, hackers can use medical devices to steal patient medical records and personal data from a hospital system. In addition, hackers can manipulate medical devices to harm and even kill patients. In a 2015 report, the cybersecurity firm TrapX reported that it expects targeted attacks on hospitals to continue to increase throughout the remainder of 2015 and into 2016.
Beginning in 2016, the United States Department of Health and Human Services’ Office for Civil Rights (OCR) will conduct another round of audits to gauge compliance with privacy provisions in the Health Insurance Portability and Accountability Act (HIPAA). This announcement comes in the wake of criticism leveled against OCR for inconsistencies enforcing the HIPAA Rules.
In an executive summary entitled “OCR Should Strengthen its Oversight of Covered Entities’ Compliance with the HIPAA Privacy Standards,” the United States Department of Health and Human Services’ Office of the Inspector General (OIG) criticized OCR for its failure to implement the required audit program in order to proactively assess possible noncompliance from covered entities. In a second executive summary, “OCR Should Strengthen its Followup of Breaches of Patient Health Information Reported by Covered Entities,” OIG determined that OCR was failing to ensure covered entities who experienced large data breaches documented corrective action. The report found that OCR did not record small-breach information in its case tracking system. OIG recommended that OCR develop a policy to check whether covered entities had been previously investigated. OIG recommended that OCR continue to expand outreach and education efforts to covered entities.
This week, the Senate passed a cybersecurity bill, called the Cybersecurity Information Sharing Act of 2015 (the “CISA”), by a vote of 74 to 21. With the Senate’s vote, the bill is one step closer to becoming law.
The CISA authorizes the Director of National Intelligence, the Department of Homeland Security, the Department of Defense, and the Department of Justice to develop procedures to promote the following:
- the timely sharing of classified and declassified cyber threat indicators in possession of the federal government with private entities, non-federal government agencies, or state, tribal, or local governments;
- the sharing of unclassified indicators with the public; and
- the sharing of cybersecurity threats with entities to prevent or mitigate adverse effects.
In essence, the bill is designed to help companies and the government share information about the latest cybersecurity threats.
In July, New Jersey Governor Chris Christie signed legislation that expands the access, registration, and utilization of the New Jersey Prescription Monitoring Program (NJPMP). The legislation, Senate Bill 1998 (S-1998), is slated to take effect on November 1, 2015. S-1998 is part of a larger effort in New Jersey to fight prescription drug abuse. Governor Christie said that he hopes the new legislation will inspire healthcare professionals, treatment providers, law enforcement, and members of the public to work together and be part of “a solution that fights the stigma of addiction, saves lives, and helps rebuild families.”
Concierge medicine is a relatively new, but rapidly growing and evolving supplement to traditional medical care. A concierge physician charges an annual retainer fee that provides the patient with additional services that are not covered by insurance, but which enhance accessibility, the amount of time spent with the physician, and hopefully a much more personalized and satisfying relationship. Enhanced accessibility usually includes 24/7 direct cellphone access to the physician, same day appointments with efforts made to minimize waiting, and meetings to develop a plan for preventive care. Individuals and families that have concierge physicians report significantly more satisfaction with their medical care and the state of their health.
Cancer Care Group, P.C. (“CCG”), a radiation oncology physician group practice in Indiana, agreed to pay $750,000 for a breach of unsecured electronic protected health information (“ePHI”). CCG will also implement a corrective action plan.
The breach occurred in 2012 when a CCG employee’s unattended laptop bag was stolen from a car. The laptop bag contained computer server backup media with the ePHI of approximately 55,000 individuals. The computer server backup media was unencrypted, and the ePHI included names, addresses, dates of birth, Social Security numbers, insurance information, and clinical information. The employee’s computer was also in the stolen laptop bag, but it did not contain ePHI.
The Department of Health and Human Services Office of Inspector General (“OIG”) recently issued a new advisory opinion finding that free introductory visits (the “Introductory Visits”) for patients offered by a home health care provider (the “Requestor”) would not violate the Anti-Kickback Statute (“AKS”) or the Civil Monetary Penalties Law (“CMP”). The main issue addressed by the OIG is whether the free Introductory Visits offered by the Requestor constitute prohibited remuneration (broadly defined as anything of value) to patients under the AKS and/or the CMP.
On Tuesday, August 4, Senators Chris Murphy (D-Conn) and Bill Cassidy (R-La) introduced The Mental Health Reform Act of 2015. The bill proposes reforms to Medicare and Medicaid, introduces new grant programs, and enhances the federal government’s commitments to integrating physical and mental health and improving mental health services.
According to Murphy, the bill will “overhaul and strengthen America’s mental healthcare system.”
Key provisions of the bill include:
- Reforms to Medicare/Medicaid. The bill removes rules prohibiting patients from using mental health services and primary care services at the same location, on the same day. It also repeals the current Medicaid exclusion on inpatient care for individuals between the ages of 22 and 64.
- Grant Programs. Grants of up to $2 million for five years will be allocated to states demonstrating a commitment to integrating physical and mental health services. Other grant programs focus on early intervention for children at risk for developing mental illness and on collaboration between pediatricians and mental health teams.
- New Roles, Committees, Entities. The bill establishes an Assistant Secretary for Mental Health and Substance Use Disorder within the U.S. Department of Health and Human Services. The Assistant Secretary will oversee a new committee, the Serious Mental Illness Coordinating Committee. The bill creates the National Mental Health Policy Laboratory, which will oversee and fund the implementation and scaling of models of care for adults and children.
- Mental Health Parity Enforcement. The bill requires the federal government to audit compliance with the Affordable Care Act’s insurance benefit parity requirement for physical health and mental health services.
St. Elizabeth’s Medical Center (“SEMC”), a tertiary care hospital in Brighton, Massachusetts, has agreed to pay $218,400 to the Office for Civil Rights (“OCR”) to settle alleged violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). SEMC will also implement a corrective action plan.
The settlement stems from a 2012 complaint to OCR when SEMC workforce members reported that they used an internet-based document sharing application to store documents containing protected health information (“PHI”). Then in 2014, SEMC reported a separate incident to OCR regarding a breach of unsecured electronic PHI (“ePHI”) stored on a former SEMC workforce member’s personal laptop and USB flash drive.