Healthcare Cyber Insurance? Fortify Your Defenses

By Kirk S. Davis and Danielle C. Gordet on Posted in Healthcare Law, Healthcare Litigation, Hospitals & Health Systems, Physicians

Healthcare breaches, including ransomware attacks, continue to increase. As a result, many healthcare organizations seeking cyber coverage to help defray the costs associated with a ransomware attack or other data incident may find that carriers have increased premiums, reduced coverage, and tightened underwriting requirements. Healthcare organization leaders should understand that implementing reasonable administrative, technical, and physical safeguards to protect the organization’s information and operational systems is not only required by laws such as HIPAA, but is increasingly required to obtain cyber coverage.

A recent report by Sophos, a technology security company, confirms this new reality. Sophos reported that one of the reasons for the growing demand for cyber insurance by healthcare organizations is the rampant growth in ransomware (Sophos Report). According to the Sophos Report, ransomware has led to more payouts and less profit for insurers, making cyber insurance coverage difficult and expensive to obtain, even driving some insurers out of the market. Continue Reading

OCR Releases Guidance on HIPAA Compliance When Providing Audio-Only Telehealth

By Elizabeth F. Hodge and Lauren Gandle on Posted in Health Insurers & Managed Care Organizations, Healthcare Law, HIPAA, Privacy, and Data Security, Hospitals & Health Systems

The U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) recently released new guidance (the “Guidance”) to help ensure that individuals may continue to benefit from audio-only telehealth services and clarify for health care providers and health plans how they can provide such services while complying with the HIPAA Privacy, Security, and Breach Notification Rules (the “HIPAA Rules”).  The Guidance is the strongest signal yet from OCR that it intends to resume imposing penalties against covered entities that do not comply with the HIPAA Rules when providing telehealth.  Healthcare providers and health plans should ensure that they can continue to provide telehealth while safeguarding the privacy and security of individuals’ protected health information (PHI).

OCR recognizes that, despite the explosive growth of telehealth during the COVID-19 pandemic, there are still individuals in the U.S. that, for a variety of factors such as lack of sufficient broadband or cell coverage, financial resources, internet access, disability, or limited English proficiency, have difficulty accessing audio-visual telehealth and must rely on audio-only telehealth.  Continue Reading

SCOTUS May Resolve Circuit Split on the Specificity Required of False Claims Act Claims: Relief or More FCA Grief for Providers?

By William J. Spratt, Jr., Jeremy Burnette and Lauren Gandle on Posted in Fraud & Abuse & False Claims Act

Currently, providers have different risks of potential False Claims Act (“FCA”) liability depending on where they are geographically located due to the difference in the standards required by the U.S. Courts of Appeals regarding the level of specificity when relators (whistleblowers) plead FCA violations.  The FCA imposes civil liability on any person requesting government funds or property who “knowingly presents . . . a false or fraudulent claim for payment or approval.” 31 U.S.C. § 3729(a)(1)(A).  A pleading, “alleging fraud or mistake . . . must state with particularity the circumstances constituting fraud or mistake.” Fed. R. Civ. P. 9(b) (emphasis added).  And the Circuits of the U.S. Courts of Appeals are split on what information is required in a relator’s FCA complaint under Rule 9(b) to avoid a dismissal of the complaint. The U.S. Supreme Court may resolve the difference in the standards if it grants certiorari in Johnson, et al. v. Bethany Hospice & Palliative Care of Ga., LLC. Continue Reading

Biden Administration Signals MHPAEA Enforcement a Priority with Fiscal 2023 Budget

By Beth Alcalde, Montaye Sigmon and Jeremy Burnette on Posted in Government Affairs, Licensure & Regulatory, Health Care Providers, Health Insurers & Managed Care Organizations, Healthcare Law, Hospitals & Health Systems, Physicians

The Biden Administration’s proposed budget for fiscal year 2023 serves as a warning to all plan issuers and administrators that enforcement of the Mental Health Parity and Addiction Equity Act (MHPAEA) is a top priority for the federal government. The proposed budget reflects a substantial and sustained commitment to ramp up enforcement efforts, with specific funding for MHPAEA audit activity, including $275 million for the Department of Labor over a 10-year period and $125 million for state grants to support their MHPAEA enforcement efforts. The Biden Administration has also proposed that Congress: (1) grant the Department of Labor (DOL) the ability to pursue civil monetary penalties against entities that provide administrative services to group health plans and do not comply with the MHPAEA; and (2) amend ERISA to allow participants and beneficiaries to recover losses due to parity violations through private rights of action. Plan issuers and administrators should take heed of these developments to get ahead of enforcement efforts and review their procedures, documents, and activities to ensure they meet the government’s stringent requirements. Continue Reading

Must Watch Summer Viewing Coming Soon: OCR’s Upcoming Video Presentation on the HITECH Act’s Recognized Security Practices

By Elizabeth F. Hodge on Posted in Health Care Providers, Healthcare Law, Hospitals & Health Systems

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced June 10, 2022 that it is producing a video presentation on “recognized security practices” as set forth in the recent amendment of the Health Information Technology for Economic Health Act (HITECH Act) and is seeking questions from the public that OCR could address during the presentation. The video is expected to be available for viewing this summer and will be welcomed by those covered entities and business associates as the statutory amendment is short on details about how OCR will implement the new provisions.

The HITECH Act now requires OCR to consider in certain Security Rule enforcement and audit activities whether a covered entity or business associate (a regulated entity) has adequately demonstrated that it had recognized security practices in place for the prior twelve months.  Regulated entities that can demonstrate to OCR that they have had recognized security practices in place for the prior twelve months may qualify for mitigation of fines and other remedial measures. Continue Reading

U.S. Supreme Court Holds Healthcare Entities Not Liable for Emotional Injury Damages Under Certain Anti-Discrimination Statutes

By Danya Blair on Posted in Health Care Providers, Healthcare Law, Healthcare Litigation, Hospitals & Health Systems

Healthcare facilities and other entities receiving federal financial assistance can breathe a little easier after a U.S. Supreme Court decision issued last week barring the recovery of emotional damages for certain discrimination claims.

Many federal anti-discrimination statutes allow recovery for “emotional injuries” that include humiliation, trauma, mental anguish, anxiety, depression, and other non-physical symptoms a plaintiff claims to have suffered as a result of discrimination. Federal appeals courts have been split on whether such damages are available to plaintiffs bringing discrimination claims under the Rehabilitation Act of 1973 (Rehab Act) and the Patient Protection and Affordable Care Act (ACA). The U.S. Supreme Court has now decided the issue, holding that emotional injuries are not recoverable under either the Rehab Act or the ACA. Continue Reading

“The No Surprises Act” a/k/a “The Act that Continues Surprising Providers”

By Kirk S. Davis and Danielle C. Gordet on Posted in Health Insurers & Managed Care Organizations, Healthcare Law, Healthcare Litigation, Hospitals & Health Systems, Physicians

The No Surprises Act (the “Act”) continues muddling through its implementation period. We have discussed the Act in prior posts, and most recently on March 8, 2022. The surprises have continued, with new updates coming out almost daily! There has been legal movement as health care providers and facilities (collectively, “Providers”) have brought lawsuits against the Departments of Health and Human Services (“HHS”), Labor, and Treasury, and the Office of Personnel Management (collectively, “Departments”).  In addition, the Centers for Medicare & Medicaid Services (“CMS”) issued answers to new frequently asked questions (“FAQs”). Continue Reading

Common Errors in State Licensing Applications

By Bruce D. Platt and Thomas A. Range on Posted in Government Affairs, Licensure & Regulatory, Healthcare Law

As a condition of doing business in the healthcare field, persons and companies must generally obtain the appropriate licenses or approvals. In addition to requirements that apply to all businesses, such as registering corporate entities with the Secretary of State or obtaining local business licenses known as business tax receipts, there are also substantive requirements that vary based on the type of services to be provided. To properly assess whether a person or a company meets the minimum substantive qualifications for licensure, state agencies require the submission of license applications. These applications request information on topics such as education, training, experience, and financial requirements. Continue Reading

Help Wanted: OCR Seeks Public Input on “Recognized Security Practices” and Sharing Settlements with Harmed Individuals Under the HITECH Act

By Elizabeth F. Hodge on Posted in Healthcare Law, HIPAA, Privacy, and Data Security

Covered entities and business associates subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) have the chance to provide input on two amendments to the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH Act”). The U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) recently issued a Request for Information (“RFI”) seeking public input regarding:

  1. How covered entities and business associates (collectively, “regulated entities”) are voluntarily implementing “recognized security practices” as identified in the HITECH Act and demonstrating how such practices are in use throughout the organization.
  2. The types of harms that should be considered in distributing civil monetary penalties (“CMPs”) and monetary settlements to harmed individuals and potential methodologies for sharing and distributing CMPs and settlement funds to harmed individuals.

We discuss the two topics covered in the RFI in more detail below.

Recognized Security Practices

The HITECH Act was amended effective January 5, 2021 (“Amendment”) to require that HHS consider whether a regulated entity has adequately demonstrated that it had in place for at least the previous twelve months “recognized security practices.” The existence of those recognized security practices may mitigate potential fines, result in early termination of audit activities, and mitigate other remedies that might be agreed to in resolving potential violations of the HIPAA Security Rule following an investigation, compliance review, or audit. The goal of the Amendment is to encourage regulated entities to do “everything in their power to safeguard patient data.”

The Amendment defines “recognized security practices” as:

  • the standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology (NIST) Act;
  • the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015; and
  • other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities.

Notably, the HITECH Act does not require regulated entities to implement recognized security practices, nor does it specify how regulated entities should select which category of recognized security practices to implement. However, to be considered for mitigation of fines and other remedial requirements, organizations must be able to demonstrate that they have fully implemented the recognized security practices for the preceding twelve months. Simply providing initial documentation of the adoption of the security practices is insufficient. Rather, the regulated entity must demonstrate that such practices and procedures have been in continuous operation for at least twelve months. The statute does not specify what triggers the beginning of the twelve-month look-back period.

The RFI requests that regulated entities provide input to OCR regarding their voluntary implementation of recognized security practices, including addressing the following questions:

  • What recognized security practices have regulated entities implemented and what recognized security practices do regulated entities plan to implement?
  • What standards, guidelines, and procedures developed under section 2(c)(15) of the NIST Act do regulated entities rely on when establishing and implementing recognized security practices?
  • What approaches promulgated under section 405(d) of the Cybersecurity Act of 2015 do regulated entities rely on when establishing and implementing recognized security practices?
  • What other programs and processes that address cybersecurity (besides those developed under section 2(c)(15) of the NIST Act or section 405(d) of the Cybersecurity Act of 2015) and that are developed, recognized, or promulgated through regulations under other statutory authorities do regulated entities rely on when establishing and implementing recognized security practices?
  • What steps do covered entities take to ensure that recognized security practices are in place?
  • What steps do covered entities take to ensure that recognized security practices are in use throughout their enterprise and what constitutes implementation throughout the enterprise?
  • What steps do covered entities take to ensure that recognized security practices are actively and consistently in use continuously over a 12-month period?

Notably, in the RFI OCR refers to “regulated entities” in the first four questions and “covered entities” in the last three questions above.  Based on the full text of the RFI, it is unclear why OCR appears to limit the last three requests to covered entities and exclude business associates.

Sharing Civil Monetary Penalties and Settlements with Individuals

The HITECH Act also requires HHS to establish by regulation a methodology under which an individual harmed by a potential violation of the HIPAA Privacy, Security, and/or Breach Notification Rules may receive a percentage of any civil monetary penalty or monetary settlement collected with respect to such offense. The methodology must be based on recommendations submitted by the General Accounting Office (“GAO”). OCR must base its determinations of appropriate penalty amounts on the nature and extent of the violation and the nature and extent of the harm resulting from the violation. Under the HIPAA Enforcement Rule, OCR may consider physical harm, financial harm, reputational harm, and harms that hinder one’s ability to obtain health care as aggravating factors in assessing a CMP or proposed settlement amount. However, the HITECH Act does not define “harm” generally nor the specific types of harm that OCR may consider in assessing CMPs or settlement amounts. How OCR ultimately defines what constitutes compensable harm could have far-reaching consequences beyond enforcement of HIPAA.

The GAO has recommended that OCR consider three models for the methodology to distribute a portion of CMPs and settlement amounts to individuals:

  • The Individualized Determination Model, where the plaintiff bears the burden of proof with respect to the harm suffered by the plaintiff and the liability incurred by the defendant;
  • The Fixed Recovery Model, where awards are either fixed or calculated by a formula established by law; and
  • The Hybrid Model, which combines elements of the Individualized Determination Model and the Fixed Recovery Model.

To assist it in evaluating the methodologies recommended by the GAO, OCR seeks input from all stakeholders regarding:

  • How to define “harm,” including what constitutes compensable harm for violations of HIPAA and whether harm should include non-economic harms such as emotional harm;
  • What bases should be used for deciding which injuries are compensable;
  • What factors should be considered in establishing a methodology for calculating the amount to be set aside for distribution to individuals;
  • Whether there are circumstances in which funds should not be set aside for distribution to individuals; and
  • How to provide notice to affected individuals that monetary distribution may be available.

HIPAA covered entities, business associates, and other stakeholders that want to respond to one or both topics in the RFI must submit comments to OCR by June 6, 2022.  While OCR assesses how it will respond to comments, covered entities and business associates should consider: (i) implementing recognized security practices; and (ii) how they will document that such practices are in continuous use throughout the organization to avail themselves of the mitigation afforded by the Amendment.  Covered entities and business associates should consult healthcare attorneys for assistance in this analysis.

UPDATE: No Surprises Here – Portions of the No Surprises Act Regulations Invalidated

By Kirk S. Davis and Danielle C. Gordet on Posted in Health Insurers & Managed Care Organizations, Healthcare Law, Healthcare Litigation, Hospitals & Health Systems, Physicians

The No Surprises Act (the Act) continues to bump through its initial implementation phase. As we discussed in our prior blog, out-of-network physicians and facilities (OON Providers), and their allies, are pushing back against portions of the recently issued interim final rule with comment period (the Interim Rule). Most recently, they succeeded in doing so when the Texas Medical Association, a trade association representing more than 55,000 physicians, and Dr. Adam Corley filed and won a lawsuit against the Departments of Health and Human Services (HHS), Labor, and Treasury, and the Office of Personnel Management (collectively, the Departments). The plaintiffs successfully argued that the Interim Rule unfairly protects group health plans and health insurance issuers (collectively, Plans) to the detriment of patients and OON Providers. Continue Reading

LexBlog