U.S. Healthcare System Faces Mounting Cybersecurity Risks

The heightened use of technology in healthcare is coupled with mounting cyberattacks. Recently, the healthcare industry experienced a global cyberattack when malicious software targeted the industry. The attack hit Britain’s National Health Service the hardest, affecting sixty-five of its hospitals. Cyberattackers stole healthcare information after using phishing emails to take control of the organizations’ computers, encrypting the computers’ information, and threatening to release the patient information contained on the systems if the organizations failed to satisfy payment demands.

According to the U.S. Department of Health and Human Service’s Office for Civil Rights, over 100 million Americans’ health records were divulged in 2015. In early 2017, Experian predicted the health care industry would be the biggest target for an attack. Moreover, an Identity Theft Resource Center report revealed that more than 25% of all data breaches occurred in the healthcare industry, costing an estimated $5.6 billion each year.

Congress created the Health Care Industry Cybersecurity Task Force through the Cybersecurity Act of 2015 to examine the healthcare industry’s vulnerabilities and create solutions to the cyber threats that place millions of patients’ information at risk each year. In light of the recent attack, the task force investigated the state of health information systems security in the U.S. and found a desperate need to increase health IT security.

In its report to Congress, the task force made a series of recommendations that suggested how to fend off the increasing threats. Among others, the recommendations include creating programs to cleanse healthcare organizations of vulnerable hardware and software and inserting more people with security skills into the healthcare field. The report emphasizes that failure to intervene could lead to catastrophic losses for organizations and patients.

The task force notes that the successful implementation of its recommendations will require significant time and resources, but it hopes the government will promptly respond to its report with efforts to improve cybersecurity in healthcare organizations.

The task force notes that the successful implementation of its recommendations will require significant time and resources, but it hopes the government will promptly respond to its report with efforts to improve cybersecurity in healthcare organizations.

 

© 2017 Vandenack Weaver LLC
For more information, Contact Us

Advertisements

U.S. Supreme Court Interpretation Permits Thousands of “Church Plans” – Including Many for Hospitals and Health Systems – to Remain Exempt from ERISA

On June 5, 2017, the United States Supreme Court unanimously adopted a “broad” interpretation of the exemption allowed under the Employee Retirement Income Security Act (“ERISA”) for “church plans.”   The decision effectively permits thousands of retirement plans adopted by church-affiliated organizations – including numerous hospitals, schools and social-service organizations – to remain exempt from most ERISA requirements.

Plaintiffs in the case of Advocate Health Care Network v. Stapleton argued that a “narrow” interpretation of the “church plan” exemption was appropriate, and that they were damaged by their employers failing to comply with ERISA’s various requirements designed to protect employee retirement savings.  Advocates of the “narrow” interpretation argued that only plans actually established by a church should be eligible for the exemption.

A split among the United States Courts of Appeal between the “broad” and “narrow” interpretations of the exemption had left plan sponsors and participants in an uncertain state where the applicable plan was maintained by a church-affiliated group and not established by the church itself.

A considerable number of plans in question related to church-affiliated hospitals and health systems.  A “narrow” interpretation would render such plans subject to ERISA.

In an 8-0 decision authored by Justice Elena Kagan, the Supreme Court concluded that principles of statutory interpretation favored the conclusion that Congress chose language indicating a “broad” exemption.  The “broad” exemption had been employed in interpretive materials, advisory opinions and private letter rulings of the Internal Revenue Service and Department of Labor, so the decision eliminates, for now, the uncertainty that had arisen with respect to plans that had relied on said interpretation.

© 2017 Vandenack Weaver LLC
For more information, Contact Us

Another Delay in Implementation of the Medicare Part D Prescriber Enrollment Rule

The Centers for Medicare and Medicaid Services finalized a rule in March 2014 that required healthcare providers prescribing medication, where the prescription is paid for by a Medicare Part D plan, to enroll in Medicare as a prescriber. The enforcement date has been delayed several times and was slated to take effect on February 1, 2017, but has recently been delayed again until January 1, 2019.

 

Under the final rule, if a provider is not enrolled in Medicare as a prescriber, the patient’s prescribed drugs will not be covered by the Part D plan. Part D plans will be required to notify patients that the prescriber is not enrolled and the plan will not cover prescriptions from that provider. The most recent delay is aimed at ensuring that prescribers are aware of the rule and reduce the immediate burden placed on the estimated 250,000 prescribers not enrolled in Medicare and the 5.25 million beneficiaries that would be impacted.  

© 2016 Vandenack Weaver LLC
For more information, Contact Us

Healthcare Entities Required to Post New Non-Discrimination Notice

The Patient Protection and Affordable Care Act (ACA) prohibits health care entities from discriminating on the basis of race, color, national origin, sex, age, or disability. The ACA prohibition on discrimination applies to covered entities, which means those healthcare entities that receive federal financial assistance through the Department of Health and Human Services (HHS). For example, a covered entity includes a physician or pharmacy that accepts Medicare or Medicaid, health insurers that offer a plan on the healthcare exchange, and any entity that offers a Medicare part D plan.

In an effort to enforce the non-discrimination law, HHS issued a new rule in May of 2016 that requires all covered entities to post new non-discrimination notices. Although the rule was finalized in May of 2016, health care entities had until October 16, 2016 to post a new notice of non-discrimination. The new notice must state that the health care entity does not discriminate, that language assistance for the patient is available, and delineate how an individual can file a discrimination complaint with HHS. The new notice is intended to decrease discrimination by helping consumers become more aware of their rights.

For further information or to find example HHS non-discrimination notices, visit the following link:
http://www.hhs.gov/civil-rights/for-individuals/section-1557/translated-resources/index.html

© 2016 Vandenack Weaver LLC
For more information, Contact Us

Final Regulations Issued for Non-Discrimination in Health Programs

Section 1557 of the Patient Protection and Affordable Care Act (ACA) allows the Secretary of Health and Human Services (HHS) to issue regulations pertaining to non-discrimination. Earlier in May of 2016, the Secretary of HHS issued such regulations, which bans the denial of healthcare or health coverage to individuals on the basis of race, color, national origin, sex, age, or disability.

This final rule, the first federal civil rights law that broadly prohibits discrimination on the basis of sex, applies to any federally funded health plan. Although the law prohibits discrimination based upon sex, HHS failed to fully define certain issues, such as whether this covers discrimination based upon sexual orientation. However, HHS’s Office for Civil Rights (OCR), the agency tasked with enforcement, has stated an intention to review all claims in this area to determine whether the discrimination can be addressed under the regulations.

This rule will become effective on July 18, 2016, and will be enforced by OCR. Although OCR is tasked as a primary regulator, compliance burdens will fall to all entities covered by the new regulations, as well as individual citizens because the regulations include a private right of action for violations. Further details can be found at the following link. https://federalregister.gov/a/2016-11458

© 2016 Vandenack Williams LLC
For more information, Contact Us

Pending Increases for False Claims Act Civil Penalties

The False Claims Act (“FCA”) creates a civil penalty for any person that knowingly submits for payment a false or fraudulent claim to the federal government. This usually includes any government contractor, but will often arise in the healthcare industry. In 2015, for example, the federal government collected over $3.5 billion resulting from these civil penalties, with approximately $1.9 billion from the healthcare industry.

In December of 2015, the Bipartisan Budget Act was enacted and it included a section titled the Federal Civil Penalties Inflation Adjustment Act Improvements Act (“Act”). This Act amends a prior 1990 act, requiring inflation adjustments to the civil penalties in the False Claims Act. Due to the length of time between the last adjustment, the Act requires a catch-up adjustment and annual adjustments thereafter. The Act is slated to be implemented at all federal agencies by July 1st, with the new rates to take effect by August 1st of 2016.

The first federal agency to issue an interim final rule to implement the catch up adjustment was the Railroad Retirement Board, doing so on May 2, 2016. The interim rule changed the minimum FCA civil penalty from $5,500 per violation to $10,781 per violation, nearly doubling the per violation penalty. As the other agencies look to implement this rule, such as the Centers for Medicare and Medicaid, similar increase are expected. For those working on a government contract, especially those submitting claims to the government in the healthcare industry, taking due care in compliance efforts will be magnified because of the pending increases in FCA civil penalties.

© 2016 Vandenack Williams LLC
For more information, Contact Us

 

Nebraska Legislature Adopts Stronger Prescription Drug Monitoring System

by M. Tom Langan, II

A recently adopted law in Nebraska calls for the state to create a prescription drug monitoring system designed to help prevent the misuse of controlled substances, namely prescription pain medicine.  The system will require physicians and pharmacists to enter into a database patient information when prescribing and dispensing certain medications. Patients are not allowed to opt out of the database. A goal is to help prevent so-called “doctor-shopping” – or when a patient visits multiple doctors to obtain multiple prescriptions.

Physicians and pharmacists should be aware that the system is required to be implemented by January 1, 2017.

© 2016 Vandenack Williams LLC
For more information, Contact Us

Delay Announced in CMS Star Rating System for Hospitals

Originally, the Centers for Medicare and Medicaid Services (CMS) intended to release a star rating system on hospitals, beginning April 21, 2016. However, CMS recently announced plans to delay the rating system until July, or potentially later. The exact timing will depend upon the development of the methodology for rating a hospital.

When the star rating system was designed, the purpose was to create a simple tool for consumers to evaluate hospitals. This system largely incorporated the previous, more complicated, performance measures that follows more than 100 quality measures. While the new star system will not replace the more complicated system, it will be in addition to the prior measures and make the review process simpler for consumers. The new star system incorporates factors such as readmission rates, mortality rates, timeliness of care, safety of care, and other patient driven statistics.

The delay is largely attributed to hospital and lawmaker complaints that the new rating system will impact consumer perceptions, when it may not have a direct bearing on the specific services sought. Moreover, a concern regarding the quality of the data, including the methodology for ensuring accuracy, remained a significant worry for the hospitals. It is unclear when the star rating system will be implemented, but hospitals and consumers should expect further information, if not the unveiling of the star rating system, this summer.

© 2016 Vandenack Williams LLC
For more information, Contact Us

New Nebraska Law Creates Mandatory Reporting of Controlled Substance Prescriptions for 2017

The over-prescribing of an opioid drug can create significant criminal and civil liability for a prescriber, as illustrated in the recent People v. Tseng decision and the proposed $1.1 billion White House initiative to combat prescription opioid and heroin abuse. To aid physicians and prescribers in controlling prescription opioids, every state, with the exception of Missouri, authorized a prescription drug monitoring program (PDMP).

The PDMP collects information on the prescription of controlled substances, but the specific substances monitored will vary state by state. Usually, however, it will be a mix of drugs considered controlled substances under state and federal law. The information stored in the database is accessible only by certain individuals, such as pharmacists, physicians, and other prescribers. The goal is to provide information about patient prescriptions to those with prescribing power, to ensure that over-prescribing of drugs, such as opioid drugs, does not occur.

In Nebraska, the PDMP was established by law in 2011, but the system was not truly implemented at that time. Until a February 2016 law, prescriber participation was not required and, regardless, the system was not truly operational. Moreover, until the 2016 law, patients that paid via Medicare or cash could opt-out of participation, removing a significant population of patients. However, the new law requires that all prescriptions of controlled substances be reported by the prescriber, starting January 1, 2017. Similarly, all prescription information, including patient information, must be reported to the PDMP starting January 1, 2018. The new law also eliminates the previous loopholes for patients to opt-out of the reporting requirements. Notably, however, the prescriber does not have an obligation to check the system prior to prescribing a controlled substance, such as an opioid drug, but they will have free access to check the PDMP. Of course, the Dr. Tseng decision highlights the potential for either criminal or civil liability for over-prescribing.

To see further information on the Dr. Tseng decision, please visit: https://vwhealthlaw.wordpress.com/2016/02/19/new-criminal-precedent-for-physicians-over-prescribing-opioid-drugs/

© 2016 Vandenack Williams LLC
For more information, Contact Us

Public Policy in Physician Non‐Competition Agreements

Non‐competition agreements take many forms and arise in virtually every industry, but many will encounter these agreements in employment contracts. Generally, in Nebraska, should the employer draft the non‐competition agreement properly, a court is likely to enforce it. For a physician, however, a non‐competition agreement with a practice group or similar entity can raise public policy concerns.

The purpose of a non‐competition agreement in an employment context is to protect trade secrets and customers. In the physician context, the effect of a non‐compete agreement is that a patient cannot see the physician of their choice. In most industries, a similar public policy issue will not arise, but for healthcare providers, this creates a unique problem.

For employers of physicians in Nebraska, the state has not addressed the public policy concern arising with physicians. Other states, for example, have enacted laws that address the policy concern in the physician context and how a non‐compete must be drafted, including specific provisions protecting the patients. In Nebraska, the limited law on the issue upholds the non‐competition agreement against physicians, if the agreement is reasonable. However, as with any law, it is subject to change and potential evolution to keep up with the modern practice of medicine. For a physician or a practice group, prior to drafting or signing a non‐competition agreement, it may be wise to discuss the implications with an attorney.

© 2016 Vandenack Williams LLC
For more information, Contact Us