Fraud and Abuse and Other Regulatory Guidance

Despite the announcement made last week by the Department of Health and Human Services Office for Civil Rights (OCR) about certain reduced penalty caps under the Health Insurance Portability and Accountability Act (HIPAA), OCR has shown in this week’s settlement that it still plans to vigorously enforce HIPAA.

New Maximum Annual Penalty Caps

On April 30, 2019, OCR announced in a Notification of Enforcement Discretion new annual penalty caps for identical violations of a requirement or prohibition under HIPAA. Under HIPAA, the penalty tiers are based on four levels of culpability. Until the announcement, the annual cap for identical violations was $1.5 million for every level of culpability. Now, after the announcement, only the last tier (willful neglect-not corrected) is subject to that higher cap of $1.5 million. The lower three tiers of culpability have lesser annual caps for identical violations: willful neglect-corrected ($250,000), reasonable cause ($100,000), and no knowledge ($25,000). The settlement announced this week signals that OCR is still willing to pursue enforcement of HIPAA violations and to seek big settlements for those violations.

Continue Reading New Settlement with OCR Reminds Healthcare Companies of the Importance of a Timely and Thorough Investigation of Security Incidents

  • Draft guidance documents propose a framework for clinical and patient decision software and explain policy changes driven by 21st Century Cures Act
  • Final guidance document adopts International Medical Device Regulators Forum principles for addressing “clinical evaluation” of Software as Medical Device
  • Public Workshop (January 2018) will discuss progress of pilot precertification program

The FDA’s December 8 announcement of the availability of three new guidance documents, and of a public workshop to be held in January 2018, demonstrates the agency’s commitment to prioritizing the development of digital health software policy. As we previously reported here, Commissioner Gottlieb made it the subject of his first public statement and shortly afterward led the FDA’s rollout of a framework – the Digital Health Innovation Action Plan – for ensuring that its policies enable innovators to efficiently deliver safe and effective digital health technologies to patients and consumers. The publication of these documents and announcement of the workshop fulfill a few of the ambitious promises contained in the agency’s Action Plan.

Continue Reading Regulating at the Speed of Digital: FDA Implementation of Key Aspects of Digital Health Innovation Action Plan Progressing Quickly

Last week, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) released new guidance related to the sharing of mental health, behavioral health, and substance abuse disorder treatment information. The guidance focuses on how such information may be shared with the patient’s family and other caregivers under the Health Insurance

*Originally published August 23, 2016 by AHLA

On May 18, finalized regulations were published implementing nondiscrimination requirements set forth in Section 1557 of the Affordable Care Act (ACA).

What Is Section 1557?

Section 1557 is the nondiscrimination law set forth in the ACA. It prohibits covered entities from discriminating on the basis of race, color, national origin, sex (which includes gender identity), age, or disability in health programs and activities.


Covered entities are entities that provide or administer health-related services or insurance coverage and receive “federal financial assistance.” Federal financial assistance includes Medicare, Children’s Health Insurance Program and Medicaid, meaningful use payments, U.S. Department of Health and Human Services (HHS) grants, Centers for Medicare & Medicaid Services gain-sharing demonstration projects, federal premium and cost-sharing subsidies, etc.

Continue Reading What Hospitals and Other Providers Need to Know About New Federal Non-Discrimination Rules

The Office for Civil Rights within the U.S. Department of Health and Human Services (OCR) has taken its first enforcement action against a business associate. On June 30, 2016, OCR announced that it entered into a resolution agreement and corrective action plan with Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) to settle potential HIPAA violations stemming from the theft of an employee’s company-issued cell phone that contained the particularly sensitive protected health information (PHI) of 412 nursing home residents. CHCS is a nonprofit organization that, at the time of the theft, provided management and information technology services to six nursing homes in the Philadelphia region, in addition to its other services for the benefit of the elderly, developmentally disabled individuals, young adults aging out of foster care, and individuals living with HIV/AIDS. As part of the settlement, CHCS is required to pay a resolution amount of $650,000. This announcement comes nearly three years after OCR was vested with direct enforcement authority over business associates.

Continue Reading Three Years in the Making: OCR Takes Its First HIPAA Enforcement Action Against a Business Associate