RSS Feed LinkedIn Instagram Twitter Facebook
FMG Law Blog Line

Posts Tagged ‘department of health and human services’

Cyber Attack on HHS is a Reminder for Businesses to Remain Vigilant About Cybersecurity During the COVID-19 Pandemic

Posted on: March 17th, 2020

By: Renata Hoddinott

Amidst all the information and news flooding the internet regarding COVID-19, another troubling headline emerged this morning: an unknown actor launched a cyber attack on the Department of Health and Human Services (HHS) on Sunday. The attack was not a hack in the traditional sense, and no data was stolen from HHS’s systems. Rather it was an attempt to slow down HHS’s COVID-19 response by flooding the site with millions of requests over the course of several hours. It was a distributed denial of service – or DDOS – attack. The distinction is important because there was no apparent breach of the system of the lead agency responding to the coronavirus pandemic, and none of HHS’s critical functions were interrupted. HHS’s system was largely able to repel the intrusion, the agency was fully functioning at all times, and its site never crashed. But while the attack was unsuccessful, it is a harbinger of things to come and businesses should take note.

Most corporations and firms with the capability to do so have permitted, encouraged, or even mandated their employees to work from home for an extended amount of time to limit the spread of the virus. All of that remote access may be on potentially less secure networks should raise some concerns for those businesses. Bad actors will no doubt use the opportunity to gain access to less secure devices and networks to penetrate systems they may not have had access to previously due to the security in place for devices “in-house.”

Now is the time to remind remote employees to practice basic sense and security in ensuring they are only accessing company systems on private, password-protected networks. Employees also need to be watching for social engineering and phishing attacks. It may seem as though the email from the boss asking for password information or the firm’s credit card number is legitimate because employees do not have the ability to walk down the hall and ask.

And, for some smaller enterprises who may be new to remote-access, some systems may have been rolled out untested in certain circumstances to ensure business continuity. In those cases, it will be important to ensure that when restrictions are lifted and employees are able to return to work that those remote system are analyzed and secured from future threats.

This pandemic has unexpectedly and almost immediately changed the way business is conduct day-to-day around the globe. It remains to be seen whether those changes will be permanent. While most people are pulling together in this outbreak, malicious actors will always be looking for every opportunity to take advantage of the situation. During the period of social distancing and self-quarantining, individuals are desperate for up to the minute information on the crisis. Businesses need to be aware that attackers will attempt to exploit the human element now more than ever. And, as we all know, there is almost always a human element – whether an honest mistake or negligence – in most cybersecurity incidents.

In addition, FMG has formed a Coronavirus Task Force to provide up-to-the-minute information, strategic advice, and practical solutions for our clients. Our group is an interdisciplinary team of attorneys who can address the multitude of legal issues arising out of the coronavirus pandemic, including issues related to Healthcare, Product Liability, Tort Liability, Data Privacy, and Cyber and Local Governments. For more information about the Task Force, click here.

You can also contact your FMG relationship partner or email the team with any questions at [email protected].

**DISCLAIMER: The attorneys at Freeman Mathis & Gary, LLP (“FMG”) have been working hard to produce educational content to address issues arising from the concern over COVID-19. The webinars and our written material have produced many questions. Some we have been able to answer, but many we cannot without a specific legal engagement. We can only give legal advice to clients. Please be aware that your attendance at one of our webinars or receipt of our written material does not establish an attorney-client relationship between you and FMG. An attorney-client relationship will not exist unless and until an FMG partner expressly and explicitly states IN WRITING that FMG will undertake an attorney-client relationship with you, after ascertaining that the firm does not have any legal conflicts of interest. As a result, you should not transmit any personal or confidential information to FMG unless we have entered into a formal written agreement with you. We will continue to produce educational content for the public, but we must point out that none of our webinars, articles, blog posts, or other similar material constitutes legal advice, does not create an attorney client relationship and you cannot rely on it as such. We hope you will continue to take advantage of the conferences and materials that may pertain to your work or interests.**

Office of Inspector General Approves Warranty Program for Medical Device Manufacturer

Posted on: November 5th, 2018

By: Ali Sabzevari

The Department of Health and Human Services Office of Inspector General recently approved a medical device manufacturer’s proposed warranty program, which provides a refund to the hospital at which a patient underwent joint replacement surgery using the manufacturer’s knee or hip implant and related products, if the patient was readmitted within 90 days because of a surgical site infection or need for implant replacement surgery. The proposed model could serve as a road map for these kinds of risk sharing arrangements.

Advisory Opinion No. 18-10, which can be accessed here, set forth that although the suggested warranty implicates the safe harbor regulations to the anti-kickback statute, 42 C.F.R. § 1001.952, the “Proposed Arrangement poses a sufficiently low risk of fraud and abuse under the anti-kickback statute.”

The anti-kickback statute makes it a criminal offense to knowingly and willfully offer, pay, solicit, or receive any remuneration to induce or reward referrals of items or services reimbursable by a Federal health care program. See section 1128B(b) of the Act. Where remuneration is paid purposefully to induce or reward referrals of items or services payable by a Federal health care program, the anti-kickback statute is violated. By its terms, the statute ascribes criminal liability to parties on both sides of an impermissible “kickback” transaction. For purposes of the anti-kickback statute, “remuneration” includes the transfer of anything of value, directly or indirectly, overtly or covertly, in cash or in kind. The statute has been interpreted by several federal courts to cover any arrangement where one purpose of the remuneration was to obtain money for the referral of services or to induce further referrals.

The U.S. Department of Health and Human Services has promulgated safe harbor regulations that define practices that are not subject to the anti-kickback statute because such practices would be unlikely to result in fraud or abuse. See 42 C.F.R. § 1001.952. The safe harbors set forth specific conditions that, if met, assure entities involved of not being prosecuted or sanctioned for the arrangement qualifying for the safe harbor. However, safe harbor protection is afforded only to those arrangements that precisely meet all of the conditions set forth in the safe harbor.

The Advisory Opinion concludes that the Proposed Arrangement would not generate prohibited remuneration under the anti-kickback statute. Value-based care and risk sharing models continue to gain appeal, and the Office’s approval of this warranty program shows that the era of value-based care is here to stay.

If you have any questions or would like more information, please contact Ali Sabzevari at [email protected].

New HIPAA Rule Brings Sweeping Changes

Posted on: May 2nd, 2013

By: David Cole

The wait is over. The new HIPAA omnibus rule that the Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) issued in January officially took effect on March 22, 2013. The deadline for compliance with most provisions is 180 days later on September 23, 2013. This means that covered entities, business associates, and subcontractors have limited time to ensure compliance. As discussed below, taking proper steps now is important, because the new rules implement a number of significant changes to HIPAA that expand the types of entities responsible for protecting patient data and reporting data breaches.

Extension to Business Associates

One of the biggest changes is that business associates are now directly responsible for complying with the Privacy Rule and Security Rule of HIPAA. A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information (“PHI”) on behalf of, or provides services to, a covered entity. These functions and activities include claims processing, data analysis, billing, benefit management, or services such as legal, actuarial, accounting, and financial.

In addition, the new rule adds “subcontractors” to the definition of “business associate,” which means that subcontractors that perform functions for or provide services to a business associate are also deemed business associates when they create, receive, maintain or transmit PHI on behalf of the business associate.  This broad, new definition means that any subcontractor, no matter how far removed from the original contractor, is considered a HIPAA “business associate” if it handles PHI.

Because the new rule applies the HIPAA Privacy Rule directly to business associates, both business associates and their subcontractors must now make “reasonable efforts” to limit their use, disclosure, and request for PHI to the “minimum necessary to accomplish the intended purpose of the use, disclosure, or request.” This will likely change the flow of PHI from business associates and subcontractors by making these organizations focus on the specific PHI they need to use, disclose, or request in order to perform their services.

The new rule also makes business associates and their subcontractors directly responsible for the HIPAA Security Rule. As a result, business associates and their subcontractors must develop comprehensive, written HIPAA security policies and procedures. They also must implement the specific administrative, physical, and technical safeguards of the data that is required by the Security Rule. In addition, business associates must now enter into written contracts with subcontractors that contain specific provisions required by the HIPAA Privacy and Security Rules, whereas they previously were only required to “ensure” that subcontractors agree to the same restrictions on the use and disclosure of PHI.

Breach Notification

The new rule also changes the requirements for breach notifications. Previously, the rules defined a “breach” as occurring only when the compromise of PHI presented a “significant risk of financial, reputational, or other harm to the individual.” This harm threshold will remain in effect until the interim compliance period ends on September 23, 2013. After that time, a new definition of breach will come into play.

Under the new rules, HHS eliminated the harm threshold and replaced it with a standard under which any use or disclosure of PHI that is not allowed by the Privacy Rule is presumed to be a reportable breach unless the covered entity or business associate can demonstrate, through a documented risk assessment, that there is a “low probability” that the PHI has been compromised. This risk assessment must include consideration of the following four factors: (1) the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; (2) the unauthorized person who used the PHI or to whom the disclosure was made; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the risk to the PHI has been mitigated.

Enforcement and Penalties

Under the new rule, HHS has retained the high penalty structure currently in effect, meaning that penalties can range anywhere from $100 to $50,000 per violation, depending on culpability, up to an annual maximum cap of $1.5 million on a per provision basis. The difference is that business associates and subcontractors are now directly liable for their violations. Of course, covered entities still can be penalized for their violations as well. In addition, HHS is now required to conduct compliance reviews if willful negligence is indicated following a preliminary review of the facts.

These are just a few of the changes made by the new HIPAA rule. In addition, the new rule includes “genetic information” as a new type of health information subject to HIPAA rules, and thus imposes restrictions prohibiting health plans from using genetic information for underwriting purposes. The new rule addresses multiple privacy issues related to uses and disclosures of PHI, such as communications for marketing or fundraising, exchanging PHI for remuneration, disclosures of PHI to persons involved in a patient’s care or payment for care, and disclosures of student immunization records.

The National Practitioner Data Bank

Posted on: June 6th, 2012

By: Scott Rees

From talking to medical providers and other individuals associated with medical care, there is a lot of mystery and unknowns about the National Practitioner Data Bank (NPDB).

In fact, almost without exception, at some point during the first fifteen minutes of the initial meeting with a doctor who has been sued for malpractice, that doctor will express fear about the NPDB and want to discuss the reporting requirements and what impact, if any, it will have on him or her.

It is apparent that fear of the NPDB derives more from what physicians do not know about the NPDB than what they do. Usually, after a brief question and answer session, the doctor’s concerns are substantially diminished.

Below is a primer that covers the basics and is a good starting point to learn and understand more about the NPDB.

What is it? The NPDB was created to promote patient safety across state lines by giving hospitals a tool to check a physician’s history for “competence and conduct.” To achieve this goal, the NPDB requires that specific information be reported by specific entities.

What is reported? The information required to be reported includes payments made on behalf of physicians and other health care practitioners involving judgments, arbitration awards, and settlements. Malpractice insurers must report payments made on behalf of all licensed practitioners, no matter the amount. In addition, state licensing boards must report adverse actions taken against a provider’s license, and hospitals must report instances where staff privileges are affected for more than thirty (30) days.

What if payment information is not reported? Failure to report a payment may result in a penalty of up to $11,000, and attempts to circumvent the system are severely punished in order to deter such conduct. Responsibility for enforcement lies with the Secretary of the Department of Health and Human Services.

Who has access to the information? NPDB records may be released only to authorized entities, including hospitals and other health care entities, state licensing boards, professional societies, and practitioners requesting their own records. However, a plaintiff’s attorney can access a physician’s information if there is a lawsuit filed against a hospital, the physician is a defendant in that lawsuit, and the hospital neglected to submit a query regarding that physician as required during the credentialing process. Thus, it is not unusual for a plaintiff’s attorney to request in discovery proof that a hospital made the required search.

What if the information is wrong? Because the reported information may have an impact on licensure, privileges, and insurability, it is important for the individuals reporting the information and the affected healthcare professionals to carefully review all information submitted. If the information published in a report is inaccurate, a physician may dispute the content within sixty (60) days from receiving notice of the report from the NPDB. Occasionally, hospitals are the target of defamation type claims from providers as a result of reporting privilege issues to the NPDB. In such instances, hospitals are provided with statutory immunity if the report stems from a “professional review action” based on a physician’s “competence or professional conduct.”

What are the criticisms of the NPDB? As with all things, the NPDB is not perfect. Perhaps the most frequently criticized aspect of the system is the requirement that all settlements be reported. Critics claim that this is an impediment to the efficient resolution of claims involving lower damages which might otherwise be settled for nuisance value because physicians with a consent clause in their insurance policy routinely refuse to settle for any amount in order to avoid the mandatory reporting requirements. Critics also allege that the NPDB is flawed because there is no uniformity as to what gets reported. For example, based on the same set of facts, one hospital may take an action that would trigger reporting requirements while a different hospital may not. Also, hospitals may take a less severe action than they otherwise would under the same circumstances solely to avoid having to report a physician, such as requiring medical education but no loss of privileges, or revoking a physician’s privileges for twenty-nine (29) days or less.

What are the consequences of having a settlement reported? Anecdotally, it appears that the reporting of a single settlement that is not excessively large does not have much of an impact on the reported physician. From our experience, it is only when a doctor has multiple settlements reported, or one that is very large, that the NPDB can present obstacles for the provider with respect to state licensure issues, obtaining hospital privileges, and finding affordable malpractice insurance.