After roughly seven months since the last announced settlement, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services has announced a settlement of alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). The first OCR settlement of 2018 concerns a HIPAA security breach of electronic data. At the same time, a recently announced settlement of a private class action against Aetna highlights the importance of HIPAA privacy and the continuing relevance of paper records.

The settlement concerns 21st Century Oncology, Inc. (21CO), a large oncology practice with treatment centers in 17 states and overseas. In 2015, 21CO was notified by the Federal Bureau of Investigation that its patient records had been compromised and were being sold illegally. In total, the records of 2,213,597 patients were affected. The information breached included names, social security numbers, diagnoses, treatments, and insurance information.

Continue Reading The First Health Privacy Settlements of 2018 Highlight the Ongoing Importance of HIPAA Privacy and Security

  • Draft guidance documents propose a framework for clinical and patient decision software and explain policy changes driven by 21st Century Cures Act
  • Final guidance document adopts International Medical Device Regulators Forum principles for addressing “clinical evaluation” of Software as Medical Device
  • Public Workshop (January 2018) will discuss progress of pilot precertification program

The FDA’s December 8 announcement of the availability of three new guidance documents, and of a public workshop to be held in January 2018, demonstrates the agency’s commitment to prioritizing the development of digital health software policy. As we previously reported here, Commissioner Gottlieb made it the subject of his first public statement and shortly afterward led the FDA’s rollout of a framework – the Digital Health Innovation Action Plan – for ensuring that its policies enable innovators to efficiently deliver safe and effective digital health technologies to patients and consumers. The publication of these documents and announcement of the workshop fulfill a few of the ambitious promises contained in the agency’s Action Plan.

Continue Reading Regulating at the Speed of Digital: FDA Implementation of Key Aspects of Digital Health Innovation Action Plan Progressing Quickly

Last week, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) released new guidance related to the sharing of mental health, behavioral health, and substance abuse disorder treatment information. The guidance focuses on how such information may be shared with the patient’s family and other caregivers under the Health Insurance Portability and Accountability Act (HIPAA) and 42 C.F.R. Part 2 (the regulations governing the use and disclosure of substance abuse treatment records) in various scenarios.

The guidance includes both fact sheets and decision-trees and highlights several scenarios related to caregiver relationships, such as parents of teenage or adult children with mental health or substance abuse issues, parents serving as “personal representatives,” when parents can access minor children’s mental health information, and how to access treatment information about a loved one. The guidance additionally touches on opioid addiction, which is a key focus under the Trump Administration. Within its corresponding press release, HHS reported that it will work to develop model training programs and materials for healthcare providers, patients, and their families pertaining to permitted uses and disclosures of mental and behavioral health information.

Venable’s Healthcare team has significant experience in health information privacy and security and will address any additional questions pertaining to the above. Please contact any of the authors if you have any questions.

The new Tax Bill (H.R. 1), which President Trump is expected to sign soon, will have an impact on healthcare in the U.S.

First, the Tax Bill will permit a taxpayer to deduct medical expenses that exceed 7.5% of the taxpayer’s adjusted gross income (which has been reduced from the previous 10% threshold). This will allow more Americans to deduct their medical expenses.

Second, and more notably, the Tax Bill repeals the “individual mandate” under the Affordable Care Act (“ACA”), effective January 2019. While the repeal of the individual mandate is estimated to reduce the Federal deficit, its impact on the health insurance market is difficult to estimate. Back in November of 2017, the Congressional Budget Office (“CBO”) reported that the repeal of the individual mandate would increase the number of uninsured Americans by 4 million in 2019 and 13 million by 2027. Additionally, the CBO projected that the repeal would likely increase average premiums by 10% in the individual insurance market. The CBO cited the fact that, without a tax penalty, fewer healthy Americans would purchase health insurance as the primary reason for these projections. The CBO also noted that the likely increase in premiums would further result in fewer insureds, especially in the individual insurance market, because the premiums would become less affordable. The Tax Bill leaves the ACA’s “employer mandate” and the corresponding employer reporting requirements untouched.

Interestingly, the Tax Bill did not repeal the Cadillac tax on health coverage or the medical device tax.

Venable’s Healthcare attorneys are happy to address any specific questions you may have on the Tax Bill’s effects on healthcare.

The Office for Civil Rights (“OCR”) within the U.S. Department of Health and Human Services, the federal agency that enforces the HIPAA Privacy, Security, and Breach Notification Rules, recently released its preliminary results for Covered Entities participating in its Phase 2 HIPAA compliance audit program.  Overall, the audit shows significant compliance gaps for the entities audited.

While the Phase 2 audits examined Covered Entities and Business Associates, the preliminary results are limited to the 166 audited Covered Entities.  The audits of Business Associates, 41 in total, are still in process.  The vast majority of Covered Entities audited (90%) were healthcare providers and the rest were health plans or healthcare clearinghouses.

The 166 Covered Entities surveyed were broken up into two groups.  There were 103 Covered Entities reviewed for privacy and breach notice compliance and another 63 assessed on security compliance efforts.

Continue Reading Preliminary Results for Covered Entities Participating in the Phase 2 HIPAA Audit Program

No two health care companies are alike, but many face similar challenges when managing their data risk. Many of these challenges arise from the competing desires with which every modern organization now struggles: innovation and growth on the one hand and compliance and legal risk on the other.

Specifically, the following five issues are top of mind:

  1. The tension between data growth and analytics and data minimization;
  2. Handling connected devices and mobile apps;
  3. Creating effective cross-functional privacy and security teams;
  4. The data implications of acquisitions; and
  5. Effective and tiered vendor management.

We discuss these issues and offer practical guidance on each.

Continue Reading Top Five Privacy and Data Security Issues Facing Healthcare Companies

Last week, Senators Lindsey Graham of South Carolina and Bill Cassidy of Louisiana (with their co-sponsors, Senators Dean Heller (R-NV) and Ron Johnson (R-WI)) released the “Graham-Cassidy-Heller-Johnson Amendment” (“Graham-Cassidy bill”), which, if passed, would have repealed major sections of the Patient Protection and Affordable Care Act (ACA).

Specifically, the bill would have repealed the ACA’s individual and employer mandates, ended the Medicaid expansion in 2020, replaced the ACA’s subsidy program with state block grants (which would have allowed states to decide how their healthcare system would operate), weakened restrictions against pre-existing condition protections, and defunded Planned Parenthood.

Continue Reading The Senate Will Not Vote on the Latest ACA Repeal Effort (the Graham-Cassidy Bill)

*Originally published August 23, 2016 by AHLA

On May 18, finalized regulations were published implementing nondiscrimination requirements set forth in Section 1557 of the Affordable Care Act (ACA).

What Is Section 1557?

Section 1557 is the nondiscrimination law set forth in the ACA. It prohibits covered entities from discriminating on the basis of race, color, national origin, sex (which includes gender identity), age, or disability in health programs and activities.

Applicability?

Covered entities are entities that provide or administer health-related services or insurance coverage and receive “federal financial assistance.” Federal financial assistance includes Medicare, Children’s Health Insurance Program and Medicaid, meaningful use payments, U.S. Department of Health and Human Services (HHS) grants, Centers for Medicare & Medicaid Services gain-sharing demonstration projects, federal premium and cost-sharing subsidies, etc.

Continue Reading What Hospitals and Other Providers Need to Know About New Federal Non-Discrimination Rules

The fast-growing field of digital health is transforming healthcare by bringing together digital communications technology, electronic health information, electronic prescribing, connected medical devices, and telehealth. These technologies are being deployed by healthcare entities ranging from small health tech startups to large, established hospital systems, medical device companies, and other traditional healthcare companies. Telehealth systems are already in use for applications as varied as direct-to-consumer urgent care and remote provider-to-provider consultations for treatment of complex conditions such as strokes or rare genetic diseases. With these exciting new developments comes a new set of regulatory challenges and concerns for companies in the space. This alert provides a brief overview of some of the laws and regulations that may apply to health companies engaging in digital health.

Continue Reading Digital Health Law: What Digital Health Companies Need to Keep in Mind

  • Opens application process and public comment period for precertification pilot program
  • Nine companies to be chosen by September 1, 2017

Last June, FDA Commissioner Scott Gottlieb made his first public statement as Commissioner by announcing the imminent rollout of a new “Digital Health Innovation Plan.” This statement signaled his intent to prioritize the agency’s efforts to create – and clearly articulate – a regulatory regime that promises to “help innovators navigate a new, modern regulatory process” that will efficiently enable the delivery of safe and effective digital health technologies to patients and consumers.

On July 28, FDA formally rolled out its Digital Health Innovation Action Plan, along with a process for companies to apply to participate in one key component: the Software Precertification Pilot Program. The Action Plan describes several concrete deliverables that the agency plans to complete by the first quarter of 2018 to put a “reimagined” regulatory regime for digital health technologies in place. This will include:

Continue Reading FDA Launches Action Plan for Digital Health Regulation