Currently, providers have different risks of potential False Claims Act (“FCA”) liability depending on where they are geographically located due to the difference in the standards required by the U.S. Courts of Appeals regarding the level of specificity when relators (whistleblowers) plead FCA violations. The FCA imposes civil liability on any person requesting government funds or property who “knowingly presents . . . a false or fraudulent claim for payment or approval.” 31 U.S.C. § 3729(a)(1)(A). A pleading, “alleging fraud or mistake . . . must state with particularity the circumstances constituting fraud or mistake.” Fed. R. Civ. P. 9(b) (emphasis added). And the Circuits of the U.S. Courts of Appeals are split on what information is required in a relator’s FCA complaint under Rule 9(b) to avoid a dismissal of the complaint. The U.S. Supreme Court may resolve the difference in the standards if it grants certiorari in Johnson, et al. v. Bethany Hospice & Palliative Care of Ga., LLC.
The Biden Administration’s proposed budget for fiscal year 2023 serves as a warning to all plan issuers and administrators that enforcement of the Mental Health Parity and Addiction Equity Act (MHPAEA) is a top priority for the federal government. The proposed budget reflects a substantial and sustained commitment to ramp up enforcement efforts, with specific funding for MHPAEA audit activity, including $275 million for the Department of Labor over a 10-year period and $125 million for state grants to support their MHPAEA enforcement efforts. The Biden Administration has also proposed that Congress: (1) grant the Department of Labor (DOL) the ability to pursue civil monetary penalties against entities that provide administrative services to group health plans and do not comply with the MHPAEA; and (2) amend ERISA to allow participants and beneficiaries to recover losses due to parity violations through private rights of action. Plan issuers and administrators should take heed of these developments to get ahead of enforcement efforts and review their procedures, documents, and activities to ensure they meet the government’s stringent requirements.
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced on June 10, 2022 that it is producing a video presentation on “recognized security practices” as set forth in the recent amendment of the Health Information Technology for Economic and Clinical Health Act (HITECH Act) and is seeking questions from the public that OCR could address during the presentation. The video is expected to be available for viewing this summer and will be welcomed by covered entities and business associates, as the statutory amendment is short on details about how OCR will implement the new provisions.
The HITECH Act now requires OCR to consider in certain Security Rule enforcement and audit activities whether a covered entity or business associate (a regulated entity) has adequately demonstrated that it had recognized security practices in place for the prior twelve months. Regulated entities that can demonstrate to OCR that they have had recognized security practices in place for the prior twelve months may qualify for mitigation of fines and other remedial measures.
Healthcare facilities and other entities receiving federal financial assistance can breathe a little easier after a U.S. Supreme Court decision issued last week barring the recovery of emotional damages for certain discrimination claims.
Many federal anti-discrimination statutes allow recovery for “emotional injuries” that include humiliation, trauma, mental anguish, anxiety, depression, and other non-physical symptoms a plaintiff claims to have suffered as a result of discrimination. Federal appeals courts have been split on whether such damages are available to plaintiffs bringing discrimination claims under the Rehabilitation Act of 1973 (Rehab Act) and the Patient Protection and Affordable Care Act (ACA). The U.S. Supreme Court has now decided the issue, holding that emotional injuries are not recoverable under either the Rehab Act or the ACA.
The No Surprises Act (the “Act”) continues muddling through its implementation period. We have discussed the Act in prior posts, and most recently on March 8, 2022. The surprises have continued, with new updates coming out almost daily! There has been legal movement as health care providers and facilities (collectively, “Providers”) have brought lawsuits against the Departments of Health and Human Services (“HHS”), Labor, and Treasury, and the Office of Personnel Management (collectively, “Departments”). In addition, the Centers for Medicare & Medicaid Services (“CMS”) issued answers to new frequently asked questions (“FAQs”).
As a condition of doing business in the healthcare field, persons and companies must generally obtain the appropriate licenses or approvals. In addition to requirements that apply to all businesses, such as registering corporate entities with the Secretary of State or obtaining local business licenses known as business tax receipts, there are also substantive requirements that vary based on the type of services to be provided. To properly assess whether a person or a company meets the minimum substantive qualifications for licensure, state agencies require the submission of license applications. These applications request information on topics such as education, training, experience, and financial requirements.
Covered entities and business associates subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) have the chance to provide input on two amendments to the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH Act”). The U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) recently issued a Request for Information (“RFI”) seeking public input regarding:
- How covered entities and business associates (collectively, “regulated entities”) are voluntarily implementing “recognized security practices” as identified in the HITECH Act and demonstrating how such practices are in use throughout the organization.
- The types of harms that should be considered in distributing civil monetary penalties (“CMPs”) and monetary settlements to harmed individuals and potential methodologies for sharing and distributing CMPs and settlement funds to harmed individuals.
We discuss the two topics covered in the RFI in more detail below.
Recognized Security Practices
The HITECH Act was amended effective January 5, 2021 (“Amendment”) to require that HHS consider whether a regulated entity has adequately demonstrated that it had in place for at least the previous twelve months “recognized security practices.” The existence of those recognized security practices may mitigate potential fines, result in early termination of audit activities, and mitigate other remedies that might be agreed to in resolving potential violations of the HIPAA Security Rule following an investigation, compliance review, or audit. The goal of the Amendment is to encourage regulated entities to do “everything in their power to safeguard patient data.”
The Amendment defines “recognized security practices” as:
- the standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology (NIST) Act;
- the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015; and
- other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities.
Notably, the HITECH Act does not require regulated entities to implement recognized security practices, nor does it specify how regulated entities should select which category of recognized security practices to implement. However, to be considered for mitigation of fines and other remedial requirements, organizations must be able to demonstrate that they have fully implemented the recognized security practices for the preceding twelve months. Simply providing initial documentation of the adoption of the security practices is insufficient. Rather, the regulated entity must demonstrate that such practices and procedures have been in continuous operation for at least twelve months. The statute does not specify what triggers the beginning of the twelve-month look-back period.
The RFI requests that regulated entities provide input to OCR regarding their voluntary implementation of recognized security practices, including addressing the following questions:
- What recognized security practices have regulated entities implemented and what recognized security practices do regulated entities plan to implement?
- What standards, guidelines, and procedures developed under section 2(c)(15) of the NIST Act do regulated entities rely on when establishing and implementing recognized security practices?
- What approaches promulgated under section 405(d) of the Cybersecurity Act of 2015 do regulated entities rely on when establishing and implementing recognized security practices?
- What other programs and processes that address cybersecurity (besides those developed under section 2(c)(15) of the NIST Act or section 405(d) of the Cybersecurity Act of 2015) and that are developed, recognized, or promulgated through regulations under other statutory authorities do regulated entities rely on when establishing and implementing recognized security practices?
- What steps do covered entities take to ensure that recognized security practices are in place?
- What steps do covered entities take to ensure that recognized security practices are in use throughout their enterprise and what constitutes implementation throughout the enterprise?
- What steps do covered entities take to ensure that recognized security practices are actively and consistently in use continuously over a 12-month period?
Notably, in the RFI OCR refers to “regulated entities” in the first four questions and “covered entities” in the last three questions above. Based on the full text of the RFI, it is unclear why OCR appears to limit the last three requests to covered entities and exclude business associates.
Sharing Civil Monetary Penalties and Settlements with Individuals
The HITECH Act also requires HHS to establish by regulation a methodology under which an individual harmed by a potential violation of the HIPAA Privacy, Security, and/or Breach Notification Rules may receive a percentage of any civil monetary penalty or monetary settlement collected with respect to such offense. The methodology must be based on recommendations submitted by the General Accounting Office (“GAO”). OCR must base its determinations of appropriate penalty amounts on the nature and extent of the violation and the nature and extent of the harm resulting from the violation. Under the HIPAA Enforcement Rule, OCR may consider physical harm, financial harm, reputational harm, and harms that hinder one’s ability to obtain health care as aggravating factors in assessing a CMP or proposed settlement amount. However, the HITECH Act does not define “harm” generally nor the specific types of harm that OCR may consider in assessing CMPs or settlement amounts. How OCR ultimately defines what constitutes compensable harm could have far-reaching consequences beyond enforcement of HIPAA.
The GAO has recommended that OCR consider three models for the methodology to distribute a portion of CMPs and settlement amounts to individuals:
- The Individualized Determination Model, where the plaintiff bears the burden of proof with respect to the harm suffered by the plaintiff and the liability incurred by the defendant;
- The Fixed Recovery Model, where awards are either fixed or calculated by a formula established by law; and
- The Hybrid Model, which combines elements of the Individualized Determination Model and the Fixed Recovery Model.
To assist it in evaluating the methodologies recommended by the GAO, OCR seeks input from all stakeholders regarding:
- How to define “harm,” including what constitutes compensable harm for violations of HIPAA and whether harm should include non-economic harms such as emotional harm;
- What bases should be used for deciding which injuries are compensable;
- What factors should be considered in establishing a methodology for calculating the amount to be set aside for distribution to individuals;
- Whether there are circumstances in which funds should not be set aside for distribution to individuals; and
- How to provide notice to affected individuals that monetary distribution may be available.
HIPAA covered entities, business associates, and other stakeholders that want to respond to one or both topics in the RFI must submit comments to OCR by June 6, 2022. While OCR assesses how it will respond to comments, covered entities and business associates should consider: (i) implementing recognized security practices; and (ii) how they will document that such practices are in continuous use throughout the organization to avail themselves of the mitigation afforded by the Amendment. Covered entities and business associates should consult healthcare attorneys for assistance in this analysis.
The No Surprises Act (the Act) continues to bump through its initial implementation phase. As we discussed in our prior blog, out-of-network physicians and facilities (OON Providers), and their allies, are pushing back against portions of the recently issued interim final rule with comment period (the Interim Rule). Most recently, they succeeded in doing so when the Texas Medical Association, a trade association representing more than 55,000 physicians, and Dr. Adam Corley filed and won a lawsuit against the Departments of Health and Human Services (HHS), Labor, and Treasury, and the Office of Personnel Management (collectively, the Departments). The plaintiffs successfully argued that the Interim Rule unfairly protects group health plans and health insurance issuers (collectively, Plans) to the detriment of patients and OON Providers.
It may seem as though the pandemic is coming to an end, but while COVID cases are declining, they have not ceased. As the pandemic continues, the Department of Health and Human Services (HHS) Office for Civil Rights issued new guidance on February 4, 2022 to remind healthcare providers that federal disability laws remain in place.
The new guidance recognizes that during a public health emergency, such as the one caused by the pandemic, when resources can be scarce, individuals with disabilities may be victims of healthcare rationing. So HHS reminds providers that Section 504 of the Rehabilitation Act (Section 504) and Section 1557 of the Affordable Care Act (Section 1557) (collectively, the Anti-Discrimination Laws) both prohibit discrimination on the basis of disability. These Anti-Discrimination Laws require healthcare providers who receive HHS funds to ensure individuals with disabilities are not excluded from services, programs, or activities on the basis of disability.
Florida is continuing its efforts to improve patient safety in hospitals and ambulatory surgical centers (ASCs). The Florida Legislature previously approved a requirement that hospitals and ASCs conduct patient safety surveys and tasked the Agency for Health Care Administration (AHCA) with implementing a rule specifying the submission process for these surveys. AHCA’s proposed rule (Proposed Rule) was announced on November 4, 2021.