U.S. Healthcare System Faces Mounting Cybersecurity Risks

The heightened use of technology in healthcare is coupled with mounting cyberattacks. Recently, the healthcare industry experienced a global cyberattack when malicious software targeted the industry. The attack hit Britain’s National Health Service the hardest, affecting sixty-five of its hospitals. Cyberattackers stole healthcare information after using phishing emails to take control of the organizations’ computers, encrypting the computers’ information, and threatening to release the patient information contained on the systems if the organizations failed to satisfy payment demands.

According to the U.S. Department of Health and Human Services’ Office for Civil Rights, over 100 million Americans’ health records were divulged in 2015. In early 2017, Experian predicted the health care industry would be the biggest target for an attack. Moreover, an Identity Theft Resource Center report revealed that more than 25% of all data breaches occurred in the healthcare industry, costing an estimated $5.6 billion each year.

Congress created the Health Care Industry Cybersecurity Task Force through the Cybersecurity Act of 2015 to examine the healthcare industry’s vulnerabilities and create solutions to the cyber threats that place millions of patients’ information at risk each year. In light of the recent attack, the task force investigated the state of health information systems security in the U.S. and found a desperate need to increase health IT security.

In its report to Congress, the task force made a series of recommendations that suggested how to fend off the increasing threats. Among others, the recommendations include creating programs to cleanse healthcare organizations of vulnerable hardware and software and inserting more people with security skills into the healthcare field. The report emphasizes that failure to intervene could lead to catastrophic losses for organizations and patients.

The task force notes that the successful implementation of its recommendations will require significant time and resources, but it hopes the government will promptly respond to its report with efforts to improve cybersecurity in healthcare organizations.

© 2017 Vandenack Weaver LLC
For more information, Contact Us

Final Regulations Issued for Non-Discrimination in Health Programs

Section 1557 of the Patient Protection and Affordable Care Act (ACA) allows the Secretary of Health and Human Services (HHS) to issue regulations pertaining to non-discrimination. Earlier in May of 2016, the Secretary of HHS issued such regulations, which ban the denial of healthcare or health coverage to individuals on the basis of race, color, national origin, sex, age, or disability.

This final rule, the first federal civil rights law that broadly prohibits discrimination on the basis of sex, applies to any federally funded health plan. Although the law prohibits discrimination based upon sex, HHS failed to fully define certain issues, such as whether this covers discrimination based upon sexual orientation. However, HHS’s Office for Civil Rights (OCR), the agency tasked with enforcement, has stated an intention to review all claims in this area to determine whether the discrimination can be addressed under the regulations.

This rule will become effective on July 18, 2016, and will be enforced by OCR. Although OCR is tasked as a primary regulator, compliance burdens will fall to all entities covered by the new regulations, as well as individual citizens because the regulations include a private right of action for violations. Further details can be found at the following link. https://federalregister.gov/a/2016-11458

© 2016 Vandenack Williams LLC

Nebraska Legislature Adopts Stronger Prescription Drug Monitoring System

by M. Tom Langan, II

A recently adopted law in Nebraska calls for the state to create a prescription drug monitoring system designed to help prevent the misuse of controlled substances, namely prescription pain medicine.  The system will require physicians and pharmacists to enter into a database patient information when prescribing and dispensing certain medications. Patients are not allowed to opt out of the database. A goal is to help prevent so-called “doctor-shopping” – or when a patient visits multiple doctors to obtain multiple prescriptions.

Physicians and pharmacists should be aware that the system is required to be implemented by January 1, 2017.

© 2016 Vandenack Williams LLC

New Nebraska Law Creates Mandatory Reporting of Controlled Substance Prescriptions for 2017

The over-prescribing of an opioid drug can create significant criminal and civil liability for a prescriber, as illustrated in the recent People v. Tseng decision and the proposed $1.1 billion White House initiative to combat prescription opioid and heroin abuse. To aid physicians and prescribers in controlling prescription opioids, every state, with the exception of Missouri, authorized a prescription drug monitoring program (PDMP).

The PDMP collects information on the prescription of controlled substances, but the specific substances monitored will vary state by state. Usually, however, it will be a mix of drugs considered controlled substances under state and federal law. The information stored in the database is accessible only by certain individuals, such as pharmacists, physicians, and other prescribers. The goal is to provide information about patient prescriptions to those with prescribing power, to ensure that over-prescribing of drugs, such as opioid drugs, does not occur.

In Nebraska, the PDMP was established by law in 2011, but the system was not truly implemented at that time. Until a February 2016 law, prescriber participation was not required and, regardless, the system was not truly operational. Moreover, until the 2016 law, patients that paid via Medicare or cash could opt-out of participation, removing a significant population of patients. However, the new law requires that all prescriptions of controlled substances be reported by the prescriber, starting January 1, 2017. Similarly, all prescription information, including patient information, must be reported to the PDMP starting January 1, 2018. The new law also eliminates the previous loopholes for patients to opt-out of the reporting requirements. Notably, however, the prescriber does not have an obligation to check the system prior to prescribing a controlled substance, such as an opioid drug, but they will have free access to check the PDMP. Of course, the Dr. Tseng decision highlights the potential for either criminal or civil liability for over-prescribing.

To see further information on the Dr. Tseng decision, please visit: https://vwhealthlaw.wordpress.com/2016/02/19/new-criminal-precedent-for-physicians-over-prescribing-opioid-drugs/

© 2016 Vandenack Williams LLC

New Criminal Precedent for Physicians Over-Prescribing Opioid Drugs

In October of 2015, a jury convicted a physician of second degree murder for over-prescribing a drug that resulted in a fatal overdose for three patients. People v. Tseng is the first conviction of a physician for murder due to over-prescribing, but the Centers for Disease Control and Prevention note that physicians are a significant contributor to the 17,000 plus opioid overdose deaths a year.

After the conviction, in February of 2016, Dr. Tseng was sentenced to 30 years to life in prison for the fatalities due to over-prescription. Although this was the first conviction of its kind, the prosecution of physicians for reckless or intentional over-prescription of certain types of drugs is significantly increasing. As an example of the new focus, early in 2016 the White House proposed a $1.1 billion initiative to combat the prescription opioid and heroin use problem.

In the Tseng conviction, the physician had prior incidents of over-prescribing and all three individuals purposefully sought her out for the prescriptions. While she maintains that she was relatively untrained in opioid based prescriptions, thus leading to the over-prescribing, she is not eligible for parole for 30 years.

© 2015 Vandenack Williams LLC

IRS issues final regulations on employer sponsored health insurance

In December of 2015, the Internal Revenue Service (IRS) issued final regulations that addressed some of the questions pertaining to whether employer sponsored health insurance meets the Patient Protection and Affordable Care Act minimum value requirements.  Amongst a variety of miscellaneous items pertaining to minimum value, the final regulations clarify the impact of a health reimbursement arrangement (HRA) on affordability. The regulations also clarify some of the rules regarding eligibility for the health insurance premium tax credit.

Under the final regulations, the new amounts made available by an employer to an employee in a HRA that can be used to pay health insurance premiums, when the employer also offers qualifying health coverage, will be counted towards affordability. Similarly, if the new amounts are available to an employee in a HRA integrated with qualified employer coverage, and the new amount can only be used to reduce cost-sharing, that new amount will be counted for minimum value purposes.

The health insurance premium tax credit had rules finalized in the same regulations. One rule includes the eligibility of a household that has income from a child. The premium tax credit is based on household income and when a parent includes a child’s income on their income tax return for tax credit eligibility purposes, the amount used is the child’s modified adjusted gross income, not the gross income reported on the child’s tax return.

The final regulations also addressed the impact of wellness incentives on the health insurance premium tax credit. The regulations clarify that wellness incentives that reduce the cost of health insurance premiums to an employee will not be included in the calculation for minimum value or affordability; instead, the regulations assume the employee will not qualify for the incentive. This rule has one exception, which is if the incentive is based on tobacco use. If so, the regulations assume that the employee will qualify for the incentive and the incentive can be used in the minimum value and affordability calculation. Thus, only tobacco use wellness incentives can be used in the minimum value and affordability calculation for purposes of premium tax credit eligibility.

Overall, a variety of miscellaneous rules regarding health insurance were finalized in the regulation. The entirety of the IRS regulation can be found at the following link: https://www.federalregister.gov/articles/2015/12/18/2015-31866/minimum-value-of-eligible-employer-sponsored-plans-and-other-rules-regarding-the-health-insurance

© 2015 Vandenack Williams LLC

Physician Conflict of Interest Reporting Requirements

The Physician Payments Sunshine Act was adopted as part of the Patient Protection and Affordable Care Act in 2010. The act allows patients to know if their physician may have an outside motivation when providing care, such as incentives provided by medical product manufacturers. These incentives could include simple monetary payments or any type of transfer of valuable goods. By making this information public, the hope is to ensure that physicians make the best possible decisions for their patients, not their own personal interests.

The Act requires physicians to disclose to the Centers for Medicare and Medicaid Services (CMS) any payment or “transfer of value” made to the physician or teaching hospital by a medical product manufacturer. This Act also requires a group purchasing organization or medical manufacturer to disclose any physician ownership. The information is then published online for patients and others to research, with the first set of data published in 2014. Despite the initial publication, CMS withheld some information due to technical difficulties and the outcome of this publicity remains unclear. For 2015 and 2016, CMS implemented changes to the reporting process for physicians as a result of the first release.

Despite the lack of clarity surrounding the outcome of making this information public, some lawmakers are trying to expand the law to include nurse practitioners and others that have prescribing authority. However, at the current time, the law remains limited to physicians, medical product manufacturers, and group purchasing organizations. To view the information and search for physicians, please visit the following website: https://www.cms.gov/openpayments/

© 2015 Houghton Vandenack Williams

Healthcare Organization Boards’ Responsibilities for Compliance Plan Oversight

The governing board of any health care organization has critical oversight responsibilities for the organization’s compliance plan.  To help boards meet these responsibilities, the U.S. Department of Health and Human Services Office of Inspector General (OIG) has issued a new practical guide outlining health care boards’ compliance obligations.   The guide, entitled “Practical Guidance for Health Care Governing Boards on Compliance Oversight” was created by the OIG in collaboration with the American Health Lawyers Association (AHLA), the Association of Healthcare Internal Auditors (AHIA) and the Health Care Compliance Association (HCCA).

While not intended to set particular standards of conduct, the guide attempts to provide practical guidance to help governing boards of health care organizations understand and address their compliance responsibilities.   The guide emphasizes the practical, with sections on the OIG’s expectations for board oversight of compliance programs and the interrelationship of audit, compliance and legal functions.  The guide also addresses mechanisms for identifying risks and reporting issues to the board, along with methods of encouraging accountability to achieve compliance objectives.

Although not every compliance measure addressed in the guide may be appropriate for every organization, every board may benefit from additional insight to the regulators’ compliance expectations.  The guide can be found at the following link: https://oig.hhs.gov/compliance/compliance-guidance/docs/Practical-Guidance-for-Health-Care-Boards-on-Compliance-Oversight.pdf

© 2015 Houghton Vandenack Williams


Provider Preparation for Infectious Diseases

Most hospitals and health-care providers have protocols and procedures for contending with infectious diseases, including those creating public panic, such as the Ebola outbreak. However, when a new crisis hits, many of these protocols may have been forgotten or ignored. This was seen with the Nebraska Medical Center firing two health workers that treated an Ebola patient because they violated the Health Information Portability and Accountability Act (HIPAA). In light of a public health scare, maintaining current policy standards will help limit liability.

 

Beyond existing rules and regulations, with each specific outbreak, both federal and state agencies may update protocols and guidance to contend with the unique nature of that disease. As an example of outbreak specific guidance, in response to Ebola, the Center for Disease Control and Prevention (CDC) issued new guidance on personal protection equipment (PPE) for use in connection with the disease. Other guidance includes new Occupational Safety and Health Act (OSHA) standards, designed to protect the healthcare worker. This was seen at Texas Health Presbyterian Hospital in Dallas, when two nurses were infected with the disease. Failure to properly comply with newly issued, as well as existing, OSHA and CDC regulations may result in significant potential liability both to patients and workers.

 

Although many providers may believe they are properly equipped to handle potential Ebola patients, careful consideration must be paid to the newest guidance and regulations, without forgetting existing policy. Failure to do so could result in significant civil liability. As the examples in Texas and Nebraska teach us, hospital and health-care providers should take extra steps to limit their potential liability.

 

*CDC Guidance: http://www.cdc.gov/vhf/ebola/hcp/procedures-for-ppe.html ; http://www.cdc.gov/vhf/ebola/pdf/hospital-checklist-ebola-preparedness.pdf

*OSHA Guidance: https://www.osha.gov/Publications/OSHA_FS-3756.pdf 

© 2014 Parsonage Vandenack Williams LLC


How Does the Affordable Care Act (Obamacare) Affect My Business?

 

How the Affordable Care Act will affect your business depends, in part, on the size of your business. If you are a business that has 50+ employees, then you have certain requirements regarding providing health insurance or paying a penalty. If you are an employer who has fewer than 50 employees, there are some tax credit opportunities available to you if you do provide health insurance to your employees.

© 2014 Parsonage Vandenack Williams LLC
