False Claims Act Settlement with eClinicalWorks Raises Questions for Electronic Health Record Software Vendors

On May 31, 2017, the US Department of Justice announced a Settlement Agreement under which eClinicalWorks, a vendor of electronic health record software, agreed to pay $155 million and enter into a five-year Corporate Integrity Agreement to resolve allegations that it caused its customers to submit false claims for Medicare and Medicaid meaningful use payments in violation of the False Claims Act.

Read the full article.

Round Two: Significant Telehealth Expansion Re-Proposed in Bipartisan Senate Bill

On May 3, 2017, the Creating Opportunities Now for Necessary and Effective Care Technologies for Health Act of 2017 (S. 1016) (CONNECT Act of 2017) was reintroduced by the same six senators who had initially introduced the legislation in early 2016 and referred to the Senate Committee on Finance. As we previously reported on February 29, 2016, this iteration of the proposed bill also focuses on promoting cost savings and quality care under the Medicare program through the use of telehealth and remote patient monitoring (RPM) services, and incentivizing such digital health technologies by expanding coverage for them under the Medicare program—albeit using different terminology. Chiefly, the CONNECT Act of 2017 serves as a way to expand telehealth and RPM for Medicare beneficiaries, makes it easier for patients to connect with their health care providers and helps reduce costs for patients and providers. As with the previous iteration, the CONNECT Act of 2017 has received statements of support from over 50 organizations, including the American Medical Association, American Telemedicine Association, Healthcare Information and Management Systems Society, Connected Health Initiative, Federation of State Medical Boards, National Coalition on Health Care and an array of vendors and health systems. Continue Reading

OIG Reports More Than $731 Million in Inappropriate Medicare Meaningful Use Payments

The Electronic Health Records (EHR) Incentive Program run by Centers for Medicare and Medicaid Services (CMS) garnered attention again last week following the release of a report by the Office of Inspector General of the US Department of Health and Human Services (OIG) describing inappropriate payments to physicians under the program. The report follows on the heels of a high-profile settlement under the False Claims Act between the US Department of Justice and an EHR vendor related to certified electronic health record technology (CEHRT) used in the EHR Incentive Program (which we’ve previously discussed in-depth).

The OIG reviewed payments to 100 eligible professionals (EPs) who received EHR incentive payments between May 2011 and June 2014 and identified 14 inappropriate payments. OIG extrapolated the results of the review to the 250,470 total EPs who received incentive payments during that time period and estimated that CMS made approximately $729 million in inappropriate EHR incentive payments out of a total of just over $6 billion in such payments during the review period. Continue Reading

Texas Changes its Tone on Telemedicine

As one of the last states to retain highly restrictive (and arguably anti-competitive) telemedicine practice standards, health care providers, regulatory boards, technology companies, payors and other stakeholders have been actively monitoring Texas’ approach to telemedicine regulation and the related Teladoc case. Texas has eliminated its most restrictive requirement for delivering care via telemedicine in Texas, increasing opportunities for providers to reach patients using technology.  Senate Bill 1107 was passed on May 11, 2017, and the House added an amendment in passing Senate Bill 1107, which was approved in the Senate on May 18.  The bill was signed into law by Governor Abbott last weekend.

Read the full article.

China’s Network Security Law Comes into Effect: What It Means for Your Company

Today, China’s much anticipated Network Security Law comes into effect after two years of review, revisions over three drafts and a public commenting process. The law is a historical development for China’s legislative coverage of information security and data protections. It also represents one of the strictest approaches in any jurisdiction worldwide, and a continuation of a broader effort at demonstrating the government’s cyber-sovereignty goals through control and regulation of data and the internet.

Overview of the Network Security Law

Commonly referred to as the “Cybersecurity Law,” the new piece of legislation has a broad scope and covers a range of issues related to data privacy, security and cross-border transfers, including:

  • Increasing security measures and strengthening data security through a variety of specific obligations
  • Ensuring consent for collection of personal information through the principles of legality, proper justification and necessity
  • Screening equipment and products for security testing and certification
  • Ensuring real-name registration for users
  • Strengthening requirements to cooperate with government agencies during criminal investigations or to protect national security
  • Requiring personal information to be stored in China under some circumstances
  • Increasing confidentiality measures for user information
  • Setting up a complaint and reporting platform for network security

Continue Reading

Recent $2.5 Million OCR Settlement Is a Warning to Wireless Health Service Providers

On April 24, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a Health Insurance Portability and Accountability Act of 1996 (HIPAA) settlement in the amount of $2.5 million based on the impermissible disclosure of unsecured electronic protected health information (ePHI) by a provider of remote mobile monitoring, with a focus on patients who are at risk for cardiac arrhythmias.

In January 2012, the remote monitoring company reported that a workforce member’s laptop containing the ePHI of over a thousand individuals was stolen from a parked vehicle outside of the employee’s home. A little over one year later, the same company reported a second breach that compromised the ePHI of twice as many individuals (details regarding this breach were not provided by OCR).

OCR’s investigation revealed that the company allegedly had insufficient risk analysis and risk management processes in place at the time of the theft. Additionally, the company’s draft policies and procedures implementing the standards of the HIPAA Security Rule had never been implemented, and the company was also unable to produce final versions of any policies or procedures regarding the implementation of safeguards for ePHI, including those for mobile devices.

Continue Reading

Guide from the Italian Data Protection Authority on the Application of the GDPR: Recommendations on How to Get Started!

On April 28, 2017, the Italian Data Privacy Authority published a Guide on the application of the new General Data Protection Regulation (GDPR). The Guide does not set out implementing rules of the GDPR but rather provides a summary of “what will remain the same” and “what will change” in the main six areas covered by the GDPR:

  1. Legal basis for the processing
  2. Information to be provided to data subjects
  3. Data subjects’ rights
  4. Data controller,  data processor and persons in charge of the processing
  5. Data privacy risk assessment and accountability
  6. International transfer of data

In addition, for each of the above six macro areas, the Guide provides recommendations on the measures that companies and public entities can already put in place, in order to ensure compliance with specific provisions of the GDPR, which do not need further intervention at a national level for their implementation.

The Guide will be amended, updated or supplemented in light of the development of the debate at a national and European level on the application of the GDPR. The data protection authorities of France and the Netherlands published similar guides respectively on March 15 and April 13, 2017, which are however structured in a slightly different way, as they propose (especially the French one) a more systematic “step by step” methodology in order to help organizations get ready for the GDPR.

Elisabetta Pagone contributed to this blog post.

More Federal Legislation Aimed at Expanding Medicare Coverage of Telehealth Services

Late last month, Senator Cory Gardner (R-CO) and Senator Gary Peters (D-MI) introduced Senate Bill 787, the Telehealth Innovation and Improvement Act (Telehealth Improvement Act), which is focused on expanding Medicare’s currently limited coverage of telehealth services and opportunities for innovation.

The Telehealth Improvement Act would require the Center for Medicare and Medicaid Innovation (CMMI) to test the effect of including telehealth services in Medicare health care delivery reform models. More specifically, the Act would require CMMI to assess telehealth models for effectiveness, cost and quality improvement, and if the telehealth model meets these criteria, then the model will be covered through the Medicare program. Continue Reading

New York AG Settlement with App Developers Serves as a Warning for the Need for Evidence-Backed Commercial Claims

On March 23, 2017, the New York Attorney General’s office announced that it has settled with the developers of three mobile health (mHealth) applications (apps) for, among other things, alleged misleading commercial claims. This settlement highlights for mHealth app developers the importance of systematically gathering sufficient evidence to support their commercial claims.

Read the full article.

The TCPA: An Unexpected Deterrent to Patient Engagement Tools

In an age where providers are increasingly taking the management of their patient’s health online and out of the doctor’s office, the creation of scalable and nimble patient engagement tools can serve to improve patient experience, health care outcomes and health care costs. While the level of enthusiasm for these tools is at an all-time high, there is a growing concern about the unexpected deterrent to the adoption of these tools from an unlikely source: the Telephone Consumer Protection Act of 1991 (TCPA).

Many professionals in the health industry have come to share two misconceptions about the TCPA: first, that the TCPA only applies to marketing phone calls or text message “spam,” and second, that the TCPA does not apply to communications from HIPAA covered entities to their patients/health plan members. These misconceptions can be costly mistakes for covered entities that have designed their patient engagement outreach programs without include a TCPA compliance strategy.

Compliance Challenges

As discussed in a previous post, the TCPA was originally intended to curb abusive telemarketing calls. When applying the law to smarter and increasingly innovative technologies (especially those that we see in the patient engagement world), the TCPA poses significant compliance challenges for the users of these tools that arguably threaten to curb meaningful progress on important public health and policy goals.

Despite its initial scope of addressing robocalls, the TCPA also applies to many automated communications between health care providers and their patients, and between plans and their members. There is a diverse array of technical consent requirements that apply depending on what type of phone call you make. For instance, most auto-dialed marketing calls to cell phones require prior express written consent, meaning that the caller must first obtain written consent before making the call. To make compliance more compliance, callers remain responsible for proving consent and the accuracy of the numbers dialed.

Indeed, the TCPA presents a serious challenge for patient engagement tools, especially when violations of the TCPA can yield statutory damages of up to $1,500 per call or text message. While Federal Communications Commission orders over the past several years have added some clarity and a “safe harbor” for HIPAA-covered entities to help entities achieve compliance, there is still no “free pass” from the TCPA’s requirements. Therefore, covered entities and the business associates who work for them should not assume that compliance with HIPAA offers any security of defense against a successful claim under the TCPA.

Continue Reading

LexBlog