Don’t Just Phone It In – Avoiding Fraud in Telehealth Contracts

To facilitate the provision of care during the pandemic, the federal government and many state governments enacted changes that encouraged physicians and other nonphysician practitioners (collectively, Practitioners) to use telehealth services. While this new flexibility increased access to care, it also increased opportunities for fraud. On July 20, 2022, the U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG) issued a Special Fraud Alert cautioning Practitioners about potential fraudulent telemedicine contracts (Fraud Alert).

The Fraud Alert is derived from the lessons learned during the OIG’s coordinated enforcement action with the Department of Justice (DOJ) and other agencies that resulted in criminal charges against 36 defendants involving more than $1.2 billion in fraudulent telemarketing services identified as telehealth. The Fraud Alert highlights these common themes in telehealth arrangements that raised red flags to the OIG and DOJ investigators:

Florida Legislation Authorizing Pharmacy Technicians to Administer Vaccines Contains Some Surprises

By Martin R. Dix on July 28, 2022 Posted in Government Affairs, Licensure & Regulatory, Healthcare Law, Pharmacy, Drugs, Medical Devices & Equipment

Chapter 2022-60, Laws of Florida (http://laws.flrules.org/2022/60), that went into effect July 1, 2022, allows registered pharmacy technicians to seek certification to provide immunizations and become “Certified Registered Pharmacy Technicians.” These pharmacy technicians will be allowed to administer all of the vaccines listed by the CDC in the Adult Immunization Schedule or recommended by the CDC for international travel, as well as any vaccines authorized by the FDA under an emergency use authorization or by the Florida Board of Pharmacy in response to a state of emergency declared by the Governor. This is a big jump compared to the 2007 legislative session when the legislation first allowing pharmacists themselves to administer only the flu vaccine was enacted, and only after a hard-fought legislative battle when most other states already allowed pharmacists to administer vaccines. Fast forward to 2022 and pharmacy technicians are allowed to administer not just the flu vaccine, but nearly all the vaccines that a pharmacist can. The law still reserves to pharmacists the authority to vaccinate children 7 years of age and older.

Healthcare Providers: Add OCR’s Latest Right of Access Settlements to Your Summer Reading List

By Elizabeth F. Hodge and Lauren Gandle on July 26, 2022 Posted in Electronic Health Records & Medical Records, HIPAA, Privacy, and Data Security, Hospitals & Health Systems, Physicians

The Office for Civil Rights (“OCR”) at the U.S. Department of Health and Human Services (“HHS”) announced on July 15, 2022, that it has resolved 11 investigations conducted under the Health Insurance Portability and Accountability Act (“HIPAA”) Right of Access Initiative. These settlements remind providers that, as OCR Director Lisa J. Pino stated, “OCR is serious about upholding the law and peoples’ fundamental right to timely access to their medical records.” With these latest settlements, OCR has resolved 38 enforcement actions in its Right of Access Initiative, which continues to have momentum.

ALERT! Your COVID-19 Policies and Procedures Need a BOOSTER!

By Lauren Gandle, Kirk S. Davis and Karen M. Buesing on July 25, 2022 Posted in Healthcare Law, HIPAA, Privacy, and Data Security, Labor Relations & Employment Law

Employers who are conducting automatic COVID-19 testing of employees or gathering test results of employees’ families should beware: the Equal Employment Opportunity Commission (“EEOC”) has issued new guidance limiting the former and has penalized a healthcare practice recently for doing the latter.

Healthcare Cyber Insurance? Fortify Your Defenses

By Kirk S. Davis and Danielle C. Gordet on July 6, 2022 Posted in Healthcare Law, Healthcare Litigation, Hospitals & Health Systems, Physicians

Healthcare breaches, including ransomware attacks, continue to increase. As a result, many healthcare organizations seeking cyber coverage to help defray the costs associated with a ransomware attack or other data incident may find that carriers have increased premiums, reduced coverage, and tightened underwriting requirements. Healthcare organization leaders should understand that implementing reasonable administrative, technical, and physical safeguards to protect the organization’s information and operational systems is not only required by laws such as HIPAA, but is increasingly required to obtain cyber coverage.

A recent report by Sophos, a technology security company, confirms this new reality. Sophos reported that one of the reasons for the growing demand for cyber insurance by healthcare organizations is the rampant growth in ransomware (Sophos Report). According to the Sophos Report, ransomware has led to more payouts and less profit for insurers, making cyber insurance coverage difficult and expensive to obtain, even driving some insurers out of the market. Continue Reading

OCR Releases Guidance on HIPAA Compliance When Providing Audio-Only Telehealth

By Elizabeth F. Hodge and Lauren Gandle on June 28, 2022 Posted in Health Insurers & Managed Care Organizations, Healthcare Law, HIPAA, Privacy, and Data Security, Hospitals & Health Systems

The U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) recently released new guidance (the “Guidance”) to help ensure that individuals may continue to benefit from audio-only telehealth services and clarify for health care providers and health plans how they can provide such services while complying with the HIPAA Privacy, Security, and Breach Notification Rules (the “HIPAA Rules”). The Guidance is the strongest signal yet from OCR that it intends to resume imposing penalties against covered entities that do not comply with the HIPAA Rules when providing telehealth. Healthcare providers and health plans should ensure that they can continue to provide telehealth while safeguarding the privacy and security of individuals’ protected health information (PHI).

OCR recognizes that, despite the explosive growth of telehealth during the COVID-19 pandemic, there are still individuals in the U.S. that, for a variety of factors such as lack of sufficient broadband or cell coverage, financial resources, internet access, disability, or limited English proficiency, have difficulty accessing audio-visual telehealth and must rely on audio-only telehealth. Continue Reading

SCOTUS May Resolve Circuit Split on the Specificity Required of False Claims Act Claims: Relief or More FCA Grief for Providers?

By William J. Spratt, Jr., Jeremy Burnette and Lauren Gandle on June 17, 2022 Posted in Fraud & Abuse & False Claims Act

Currently, providers have different risks of potential False Claims Act (“FCA”) liability depending on where they are geographically located due to the difference in the standards required by the U.S. Courts of Appeals regarding the level of specificity when relators (whistleblowers) plead FCA violations. The FCA imposes civil liability on any person requesting government funds or property who “knowingly presents . . . a false or fraudulent claim for payment or approval.” 31 U.S.C. § 3729(a)(1)(A). A pleading, “alleging fraud or mistake . . . must state with particularity the circumstances constituting fraud or mistake.” Fed. R. Civ. P. 9(b) (emphasis added). And the Circuits of the U.S. Courts of Appeals are split on what information is required in a relator’s FCA complaint under Rule 9(b) to avoid a dismissal of the complaint. The U.S. Supreme Court may resolve the difference in the standards if it grants certiorari in Johnson, et al. v. Bethany Hospice & Palliative Care of Ga., LLC. Continue Reading

Biden Administration Signals MHPAEA Enforcement a Priority with Fiscal 2023 Budget

By Beth Alcalde, Montaye Sigmon and Jeremy Burnette on June 15, 2022 Posted in Government Affairs, Licensure & Regulatory, Health Care Providers, Health Insurers & Managed Care Organizations, Healthcare Law, Hospitals & Health Systems, Physicians

The Biden Administration’s proposed budget for fiscal year 2023 serves as a warning to all plan issuers and administrators that enforcement of the Mental Health Parity and Addiction Equity Act (MHPAEA) is a top priority for the federal government. The proposed budget reflects a substantial and sustained commitment to ramp up enforcement efforts, with specific funding for MHPAEA audit activity, including $275 million for the Department of Labor over a 10-year period and $125 million for state grants to support their MHPAEA enforcement efforts. The Biden Administration has also proposed that Congress: (1) grant the Department of Labor (DOL) the ability to pursue civil monetary penalties against entities that provide administrative services to group health plans and do not comply with the MHPAEA; and (2) amend ERISA to allow participants and beneficiaries to recover losses due to parity violations through private rights of action. Plan issuers and administrators should take heed of these developments to get ahead of enforcement efforts and review their procedures, documents, and activities to ensure they meet the government’s stringent requirements. Continue Reading

Must Watch Summer Viewing Coming Soon: OCR’s Upcoming Video Presentation on the HITECH Act’s Recognized Security Practices

By Elizabeth F. Hodge on June 14, 2022 Posted in Health Care Providers, Healthcare Law, Hospitals & Health Systems

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced June 10, 2022 that it is producing a video presentation on “recognized security practices” as set forth in the recent amendment of the Health Information Technology for Economic Health Act (HITECH Act) and is seeking questions from the public that OCR could address during the presentation. The video is expected to be available for viewing this summer and will be welcomed by those covered entities and business associates as the statutory amendment is short on details about how OCR will implement the new provisions.

The HITECH Act now requires OCR to consider in certain Security Rule enforcement and audit activities whether a covered entity or business associate (a regulated entity) has adequately demonstrated that it had recognized security practices in place for the prior twelve months. Regulated entities that can demonstrate to OCR that they have had recognized security practices in place for the prior twelve months may qualify for mitigation of fines and other remedial measures. Continue Reading

U.S. Supreme Court Holds Healthcare Entities Not Liable for Emotional Injury Damages Under Certain Anti-Discrimination Statutes

By Danya Blair on May 3, 2022 Posted in Health Care Providers, Healthcare Law, Healthcare Litigation, Hospitals & Health Systems

Healthcare facilities and other entities receiving federal financial assistance can breathe a little easier after a U.S. Supreme Court decision issued last week barring the recovery of emotional damages for certain discrimination claims.

Many federal anti-discrimination statutes allow recovery for “emotional injuries” that include humiliation, trauma, mental anguish, anxiety, depression, and other non-physical symptoms a plaintiff claims to have suffered as a result of discrimination. Federal appeals courts have been split on whether such damages are available to plaintiffs bringing discrimination claims under the Rehabilitation Act of 1973 (Rehab Act) and the Patient Protection and Affordable Care Act (ACA). The U.S. Supreme Court has now decided the issue, holding that emotional injuries are not recoverable under either the Rehab Act or the ACA. Continue Reading