Under the HIPAA Breach Notification Rule, Covered Entities must report to the Secretary of the U.S. Department of Health and Human Services (HHS) breaches of unsecured protected health information  affecting fewer than 500 individuals (“small breaches”) no later than 60 days after the end of the calendar year in which the breaches were discovered. This year’s small breach reporting deadline is Thursday, March 1, 2018. Covered Entities must submit their reports of small breaches discovered in 2017 electronically on the HHS Office for Civil Rights website (located here) if they have not done so already.

Recent enforcement actions highlight the importance of the timely reporting of small breaches to HHS and impacted individuals. For example, in a resolution agreement announced in 2017, a large healthcare system agreed to settle potential violations of the HIPAA Breach Notification Rule by paying $475,000 and implementing a two-year corrective action plan following one large breach and several small breaches. Moreover, earlier this month, a large kidney dialysis provider entered into a $3.5 million resolution agreement and a two-year corrective action plan with HHS to settle potential HIPAA violations stemming from five separate small breaches. (For more information regarding the settlement with the large dialysis provider, click here.)

Covered Entities should take note of the significance HHS places on timely breach reporting—even for breaches that are “small.”

A new administrative rule issued by the New Jersey Attorney General took effect last month that places significant limitations on the payments and gifts that pharmaceutical manufacturers can provide to prescribers licensed in the Garden State.  The rule, “Limitations on and Obligations Associated with Prescriber Acceptance of Compensation from Pharmaceutical Manufacturers,” is set forth at N.J. Admin. Code 13:45J.

Unlike other so-called sunshine laws and the PhRMA Code of Ethics, this new rule applies directly to prescribers in the state, including physicians, podiatrists, physician assistants, advanced practice nurses, dentists, and optometrists.  Prescribers who violate the law may be subject to disciplinary action by their licensing board (including revocation or suspension of their license) and civil monetary penalties.  However, pharmaceutical manufacturers should also familiarize themselves with the particulars of the new rule and adjust their own internal policies, procedures, and prescriber arrangements accordingly, to assist their prescriber partners with these new compliance obligations.

Notable aspects of the new administrative rule include the following:

$10,000 Annual Cap on Payments for Services.  Effective for contracts entered into on or after January 16, 2018, a prescriber licensed in New Jersey may not accept more than $10,000 in the aggregate from all pharmaceutical manufacturers in any calendar year for providing services such as speaking at promotional activities, participating on advisory boards, or consulting.  The cap does not apply to payments for presentations at educational events, research activities, or royalties and licensing fees.

Written Agreement.  For new arrangements entered into on or after January 16, 2018, a prescriber providing services to a pharmaceutical manufacturer must have a written agreement with the manufacturer formalizing the services to be provided.  The written agreement must:

  • Describe the services that the prescriber will provide;
  • Include the dollar value of the payment and other consideration to be received by the prescriber, which must be based on the fair market value of the services;
  • Require that meetings held in association with the services occur in venues and other circumstances conducive to the services provided and that the activities related to the services be the primary focus of the meeting; and
  • Describe or include the following:
    • The legitimate need for services;
    • The connection between the competence, knowledge, and expertise of the prescriber and the purpose of the arrangement;
    • How participation of the prescriber is reasonably related to achieving the identified purpose;
    • The manner by which the prescriber will maintain records concerning the arrangement and the services provided by the prescriber; and
    • An attestation that the prescriber’s decision to render services is not unduly influenced by a pharmaceutical manufacturer’s agent.

Permitted Gifts and Payments.  A prescriber licensed in New Jersey may accept the following from a pharmaceutical manufacturer or its agent:

  • Meals valued at $15 or less provided through the event organizer at an educational event, provided the meals facilitate the educational program to maximize prescriber learning;
  • Meals valued at $15 or less provided by a manufacturer to a non-faculty prescriber during promotional activities;
  • Items designed primarily for educational purposes for the patients or prescriber that have minimal or no value to the prescriber outside of his or her professional responsibilities, such as anatomical models or materials directly related to patient care or prescriber education;
  • A subsidized registration fee for an education event, provided that the subsidized fee is available to all event participants;
  • Payment for bona fide services (subject to the cap and written agreement requirements summarized above);
  • Reasonable payment for travel, lodging, and other personal expenses in connection with research activities or employment recruitment; and
  • Sample medications that are intended to be used exclusively for the benefit of the prescriber’s patients.

Prohibited Gifts and Payments.  A prescriber licensed in New Jersey may not accept the following from a pharmaceutical manufacturer or its agent:

  • Entertainment or recreational items, such as tickets to theater or sporting events, or leisure or vacation trips
  • Any item of value that does not advance disease or treatment education, including:
    • Pens, note pads, mugs, or other items with a company or product logo
    • Any item intended for the personal benefit of the prescriber or his or her staff, such as floral arrangements, sporting equipment, artwork, or electronic devices
    • Any payment in cash or a cash equivalent, such as a gift card
    • Any payment or subsidy associated with attending an educational event or promotional activity, unless the prescriber is a speaker at the event
  • Meals valued at more than $15

Late last week, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced a $3.5 million settlement with a large provider of kidney dialysis services (the “Provider”) for multiple violations of the Health Insurance Portability and Accountability Act and its associated regulations (HIPAA).  In early 2013, the Provider filed five separate breach reports for incidents that occurred in 2012 and involved several of its facilities.  These breaches involved, among other things, theft of desktop computers from a medical office, theft of a USB drive from a workforce member’s car, loss of a computer hard drive, and theft of a laptop from a parked car.

As part of its settlement with OCR, the Provider entered into a corrective action plan (CAP) that requires the company to improve its policies and procedures for the protection of patient health information.  The CAP specifically requires the Provider to conduct a thorough, system-wide risk analysis of potential risks to and vulnerabilities of the confidentiality, integrity, and availability of its ePHI; review and revise its policies and procedures, including those concerning device and media controls and facility access controls; and revise and enhance its health privacy training program.

This settlement once again emphasizes the importance of a comprehensive, up-to-date risk analysis.  It also highlights the fact that mobile device privacy and security continue to be important issues for a range of healthcare providers.  Moreover, it is a reminder that OCR can, and does, take interest in smaller breaches.  Each of the five reported breaches affected fewer than 500 individuals.  Contact a member of Venable’s health law team to discuss how your organization can stay ahead of the curve in today’s enforcement environment.

Please find the OCR press release here.

encrypted dataAfter roughly seven months since the last announced settlement, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human services has announced a settlement of alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). The first OCR settlement of 2018 concerns a HIPAA security breach of electronic data. At the same time, a recently announced settlement of a private class action against Aetna highlights the importance of HIPAA privacy and the continuing relevance of paper records.

The settlement concerns 21st Century Oncology, Inc. (21CO), a large oncology practice with treatment centers in 17 states and overseas. In 2015, 21CO was notified by the Federal Bureau of Investigation that its patient records had been compromised and were being sold illegally. In total, the records of 2,213,597 patients were affected. The information breached included names, social security numbers, diagnoses, treatments, and insurance information.

Continue Reading The First Health Privacy Settlements of 2018 Highlight the Ongoing Importance of HIPAA Privacy and Security

  • Draft guidance documents propose a framework for clinical and patient decision software and explain policy changes driven by 21st Century Cures Act
  • Final guidance document adopts International Medical Device Regulators Forum principles for addressing “clinical evaluation” of Software as Medical Device
  • Public Workshop (January 2018) will discuss progress of pilot precertification program

The FDA’s December 8 announcement of the availability of three new guidance documents, and of a public workshop to be held in January 2018, demonstrates the agency’s commitment to prioritizing the development of digital health software policy. As we previously reported here, Commissioner Gottlieb made it the subject of his first public statement and shortly afterward led the FDA’s rollout of a framework – the Digital Health Innovation Action Plan – for ensuring that its policies enable innovators to efficiently deliver safe and effective digital health technologies to patients and consumers. The publication of these documents and announcement of the workshop fulfill a few of the ambitious promises contained in the agency’s Action Plan.

Continue Reading Regulating at the Speed of Digital: FDA Implementation of Key Aspects of Digital Health Innovation Action Plan Progressing Quickly

Last week, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) released new guidance related to the sharing of mental health, behavioral health, and substance abuse disorder treatment information. The guidance focuses on how such information may be shared with the patient’s family and other caregivers under the Health Insurance Portability and Accountability Act (HIPAA) and 42 C.F.R. Part 2 (the regulations governing the use and disclosure of substance abuse treatment records) in various scenarios.

The guidance includes both fact sheets and decision-trees and highlights several scenarios related to caregiver relationships, such as parents of teenage or adult children with mental health or substance abuse issues, parents serving as “personal representatives,” when parents can access minor children’s mental health information, and how to access treatment information about a loved one. The guidance additionally touches on opioid addiction, which is a key focus under the Trump Administration. Within its corresponding press release, HHS reported that it will work to develop model training programs and materials for healthcare providers, patients, and their families pertaining to permitted uses and disclosures of mental and behavioral health information.

Venable’s Healthcare team has significant experience in health information privacy and security and will address any additional questions pertaining to the above. Please contact any of the authors if you have any questions.

The new Tax Bill (H.R. 1), which President Trump is expected to sign soon, will have an impact on healthcare in the U.S.

First, the Tax Bill will permit a taxpayer to deduct medical expenses that exceed 7.5% of the taxpayer’s adjusted gross income (which has been reduced from the previously 10% threshold). This will allow more Americans to deduct their medical expenses.

Second, and more notably, the Tax Bill repeals the “individual mandate” under the Affordable Care Act (“ACA”), effective January 2019. While the repeal of individual mandate is estimated to reduce the Federal deficit—its impact on the health insurance market is difficult to estimate. Back in November of 2017, the Congressional Budget Office (“CBO”) reported that the repeal of the individual mandate would increase the number of uninsured Americans by 4 million in 2019 and 13 million by 2027. Additionally, the CBO projected that the repeal would likely increase average premiums by 10% in the individual insurance market. The CBO cited the fact that, without a tax penalty, fewer healthy Americans would purchase health insurance as the primary reason for these projections. The CBO also noted that the likely increase in premiums would further result in fewer insureds, especially in the individual insurance market, because the premiums would become less affordable. The Tax Bill leaves the ACA’s “employer mandate” and the corresponding employer reporting requirements untouched.

Interestingly, the Tax Bill did not repeal the Cadillac tax on health coverage or the medical device tax.

Venable’s Healthcare attorneys are happy to address any specific questions you may have on the Tax Bill’s effects on healthcare.

The Office for Civil Rights (“OCR”) within the U.S. Department of Health and Human Services, the federal agency that enforces the HIPAA Privacy, Security, and Breach Notification Rules, recently released its preliminary results for Covered Entities participating in its Phase 2 HIPAA compliance audit program.  Overall, the audit shows significant compliance gaps for the entities audited.

While the Phase 2 audits examined Covered Entities and Business Associates, the preliminary results are limited to the 166 audited Covered Entities.  The audits of Business Associates, 41 in total, are still in process.  The vast majority of Covered Entities audited (90%) were healthcare providers and the rest were health plans or healthcare clearinghouses.

The 166 Covered Entities surveyed were broken up into two groups.  There were 103 Covered Entities reviewed for privacy and breach notice compliance and another 63 assessed on security compliance efforts.

Continue Reading Preliminary Results for Covered Entities Participating in the Phase 2 HIPAA Audit Program

No two health care companies are alike, but many face similar challenges when managing their data risk. Many of these challenges arise due to the competing desires with which every modern organization now struggles—one between innovation and growth on the one hand and compliance and legal risk on the other.

Specifically, the following five issues are top of mind:

  1. The tension between data growth and analytics and data minimization;
  2. Handling connected devices and mobile apps;
  3. Creating effective cross-functional privacy and security teams;
  4. The data implications of acquisitions; and
  5. Effective and tiered vendor management.

We discuss these issues and offer practical guidance on each.

Continue Reading Top Five Privacy and Data Security Issues Facing Healthcare Companies

Last week, Senators Lindsey Graham of South Carolina and Bill Cassidy of Louisiana (with their co-sponsors, Senators Dean Heller (R-NV) and Ron Johnson (R-WI)) released the “Graham-Cassidy-Heller-Johnson Amendment” (“Graham-Cassidy bill”), which, if passed, would have repealed major sections of the Patient Protection and Affordable Care Act (ACA).

Specifically, the bill would have repealed the ACA’s individual and employer mandates, ended the Medicaid expansion in 2020, replaced the ACA’s subsidy program with state block grants (which would have allowed states to decide how their healthcare system would operate), weakened restrictions against pre-existing condition protections, and defunded Planned Parenthood.

Continue Reading The Senate Will Not Vote on the Latest ACA Repeal Effort (the Graham-Cassidy Bill)