Carolyn V. Metnick

Carolyn V. Metnick

Carolyn Metnick concentrates her practice on transactions and business issues affecting healthcare providers. She guides clients through joint ventures, mergers and acquisitions, and reorganizations, and counsels on governance matters, regulatory issues and the federal fraud and abuse laws, including the Anti-Kickback Statute, and the Stark Law.

Subscribe to all posts by Carolyn V. Metnick

Get your Single IRB lined up for Multi-Site Research

Changes to the federal regulations governing the protection of human subjects participating in research (known as the Common Rule) were amended earlier this year. The changes to the Common Rule impact research conducted, supported, or regulated by the federal government. While many of the Common Rule changes go into effect in 2018, the single IRB requirement has a compliance date … Continue Reading

April Showers Bring More HIPAA Settlements

April proved to be a busy month for the U.S. Department of Health and Human Services Office for Civil Rights (OCR) under its newly appointed director, Roger Severino. OCR announced three settlements of potential HIPAA violations totaling nearly $3,000,000.00 in fines. The settling parties include a wireless health services provider, a federally-qualified health center (FQHC), and a pediatric specialty provider. … Continue Reading

Lack of Timely Action and Knowledge of Risk Results in $3.2 Million Civil Monetary Penalty for HIPAA Violations

Children’s Medical Center of Dallas (Children’s) was hit with a $3.2 million civil penalty from the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) for failing to take steps to properly protect patient medical information. The civil penalty is the result of two data breaches caused by a lack of encryption and what was described as … Continue Reading

Best Practices for Safeguarding Protected Health Information in Inclement Weather

As the East Coast prepares for the arrival of Hurricane Matthew, covered entities and business associates should take the opportunity to remind their workforce members to safeguard protected health information (PHI) that is in paper form. Certainly, HIPAA requires covered entities and business associates to protect and secure PHI at all times. However, healthcare providers that deal with volumes of … Continue Reading

Illinois’ Largest Health System Agrees to Stringent HIPAA Breach Settlement

The Department of Health and Human Services Office for Civil Rights (OCR) announced on August 4, 2016, a settlement agreement with Advocate Health Care Network, an integrated healthcare system with ten hospitals and a non-profit medical group of more than 1,500 physicians in Illinois (the System or Advocate). The System agreed to adopt a corrective action plan and to pay … Continue Reading

Breach or No Breach – OCR Weighs in on Ransomware

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released its much-anticipated guidance on ransomware (OCR Ransomware Guidance) this week in response to a number of highly publicized attacks targeting the healthcare sector. Ransomware is a type of malicious software that encrypts data, making it inaccessible until the data owner pays a ransom. … Continue Reading

Business Associates Beware! OCR Is Coming For You

Last week, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced the first HIPAA settlement involving a business associate. Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS), a nonprofit organization that provides management and information technology services to six wholly-owned skilled nursing facilities, agreed to pay $650,000 and enter into a corrective action … Continue Reading

Lights, Camera, Settlement: OCR says a picture is worth $2.2 million

A New York hospital has settled with the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) for $2.2 million after allowing a TV crew for the ABC documentary series “NY Med” to film patients receiving medical treatment without obtaining prior authorization from the patients or their representatives. The estate of one those patients is also suing … Continue Reading

Not a Check-the-Box Exercise: Failure to Have Signed BAA Results in Substantial Fine

A group practice that was the victim of a silver-harvesting scam has agreed to pay the U.S. Department of Health and Human Services (“HHS”) $750,000 to settle charges that it released protected health information (“PHI”) of its patients to a third party vendor without first obtaining a written business associate agreement. Raleigh Orthopaedic Clinic, P.A. (the “Clinic”) provided x-ray films … Continue Reading

Shhh….OCR Releases New HIPAA Audit Protocol

Just in time for the Phase 2 audits, the Department of Health and Human Services Office for Civil Rights (OCR) quietly posted the updated HIPAA Audit Protocol on its website. The new audit protocol has been updated to include business associates who became subject to HIPAA following the 2013 HIPAA Omnibus Final Rule. The protocol covers Privacy Rule, Security Rule … Continue Reading

Phase 2 of HIPAA Audits Is Underway – Covered Entities and Business Associates Beware

The U.S. Department of Health and Human Services Office of Civil Rights (OCR) recently announced that it has started obtaining and verifying entity contact information to identify covered entities and business associates for potential audit subject pools for the 2016 Phase 2 HIPAA Audit Program. In Phase 2, OCR will review the policies and procedures adopted and employed by covered … Continue Reading

OCR Issues New Guidance on “Reasonable and Cost-Based” Fees Associated with Medical Record Copying and Access

On February 25, 2016, the Office of Civil Rights (OCR) released a set of FAQs directed at healthcare providers and plans that are required to comply with the HIPAA Privacy Rule (the Privacy Rule). The guidance emphasizes that any fees charged for access to or copies of patient information must be “reasonable and cost-based” and specifically addresses what this means … Continue Reading

Evolving Litigation of Data Breach Claims

An Illinois circuit court judge has dismissed five of six claims in a consolidated class action against Advocate Health and Hospital Corporation arising from a data breach in July 2013. The judge’s dismissal with prejudice leaves only a negligence claim, based on a duty to reasonably safeguard information, pending against Advocate. … Continue Reading

Illinois Appellate Court Holds No Standing to Sue for Medical Information Data Breach Where Injury is Speculative

On June 2, 2015, the Second District Illinois Appellate Court affirmed the decisions of two lower courts, which had dismissed breach of privacy cases for lack of standing. The cases were consolidated for the purposes of the appeal. Both cases were brought against Advocate Health and Hospitals Corporation d/b/a Advocate Medical Group (Advocate), an Illinois network of affiliated physicians and … Continue Reading

HHS Announces First Timeline For Medicare Pay Reforms

On Monday, January 26, 2015, the Department of Health and Human Services (“HHS”) announced a timeline for moving physicians and hospitals into new payment systems and tying Medicare reimbursements to quality of care. This will affect hundreds of billions of dollars in Medicare payments (the goals apply to Medicare Parts A and B, which paid out more than $350 billion … Continue Reading

CMS Announces Enforcement of EHR Payment Adjustments in 2015

On December 17, 2014, the Centers for Medicare and Medicaid Services (“CMS”) announced that there would be reductions in Medicare reimbursement for health care providers who do not meet the CMS electronic health record (“EHR”) incentive program’s meaningful use requirements. This announcement comes in the wake of CMS’ decision in October to extend the hardship exception deadline – an exception … Continue Reading

Social Media Use for Clinical Trial Recruitment

Social media can be an effective and easy way to connect with friends and professional contacts. However, it can also serve as a tool for institutions and principal investigators involved in enrolling subjects in clinical research to connect with prospective patients and subjects for clinical trial recruitment.

The research shows that, to-date, there has not been a significant amount of … Continue Reading

CMS launches database of manufacturer and GPO payments to physicians

The Affordable Care Act contains a provision known as the Physician Payments Sunshine Act, which requires the Centers for Medicare and Medicaid Services (CMS) to establish a national databank containing information on the financial relationships between physicians (which includes dentists, chiropractors, and other physician specialties) and teaching hospitals, applicable manufacturers, and group purchasing organizations (GPOs). CMS launched its Open Continue Reading

Illinois Court Dismisses Plaintiffs Privacy Claims Arising out of HIPAA Breach

On July 10, 2014, a Kane County, Illinois Circuit Court granted a motion to dismiss with prejudice in favor of Advocate Health & Hospitals Corporation (Advocate) in a class action case arising out of a breach of patients’ protected health information (PHI). In August 2013, Advocate reported one of the largest data breaches to date under the Health Insurance Portability … Continue Reading

LexBlog