DOJ Archives - OF DIGITAL INTEREST

DOJ

New Proposed CCPA Regulations Add Clarity to Process for Opting Out of Sale of Personal Information

by Jonathan Ende, Amy C. Pimentel and McDermott Will & Emery | Oct 21, 2020 | Consumer Protection, Cybersecurity, Data Privacy, Data Transfers/Safe Harbor/Privacy Shield, Telehealth

On October 12, 2020, the California Department of Justice announced the release of a new, third set of proposed modifications to the California Consumer Privacy Act (CCPA) regulations. The proposed modifications amend a final set of regulations that were approved by the California Office of Administrative Law just two months earlier.

The Third Set of Proposed Modifications to the CCPA Regulations released on October 12 do not make substantial changes to the previously final set of CCPA regulations. The majority of the proposed modifications serve to clarify existing requirements rather than add new requirements or materially alter existing ones. As a result, the new proposed modifications should help businesses better understand what is expected to maintain compliance with certain aspects of the CCPA.

Process for Opting Out of Sale of Personal Information

The Department of Justice proposed to amend Sections 999.306(b)(3) and 999.315(h) to provide more detail about how a business should provide the right to opt out of the sale of personal information. Specifically, the Department of Justice:

Provides illustrative examples of how a business that collects personal information offline can provide its opt-out notice offline—through paper forms, posting signage directing consumers to an online notice or orally over the phone.

Makes clear that the methods for submitting opt-out requests should be easy for consumers to find and execute. For example, consumers should not have to search or scroll to find where to submit a request to opt out after clicking on the “Do Not Sell My Personal Information” link. A business should not use confusing language, try to impair a consumer’s choice to opt out or require a consumer to read through or listen to reasons why they should not opt out before confirming their request. In addition, the process for requesting to opt out shall collect only the amount of personal information necessary to execute the request.

Verifying Authorized Agent

The Department of Justice added language to Section 999.326(a) clarifying what a business may request to verify that an agent is authorized to act on a consumer’s behalf. Specifically, a business may require an authorized agent to provide proof of signed permission from the consumer for the agent to submit the request. In addition, the business may require the consumer to either verify their own identity directly with the business or directly confirm with the business that they provided the authorized agent permission to submit the request. Previously, a business had to go through the consumer to verify the authorized agent. Now, a business can verify the authorized agent directly.

Notices to Consumers Under 16 Years of Age

Finally, the Department of Justice clarified in Section 999.332(a) that all businesses that sell personal information about children must describe in their privacy policies the processes used to obtain consent from the child or parent (as applicable). Previously, the regulations were worded such that only a business that sells the personal information of both consumers under 13 and consumers between 13 [...]

Continue Reading

Uber Criminal Complaint Raises the Stakes for Breach Response

by Todd McClelland, Austin Mooney and McDermott Will & Emery | Sep 3, 2020 | Big Data, Cybersecurity, Data breach, Data Privacy, Enforcement, Mobile Apps

On August 20, 2020, a criminal complaint was filed charging Joseph Sullivan, Uber’s former chief security officer, with obstruction of justice and misprision of a felony in connection with an alleged attempted cover-up of a 2016 data breach. These are serious charges for which Mr. Sullivan has the presumption of innocence.

At the time of the 2016 data breach, Uber was being investigated by the US Federal Trade Commission (FTC) in connection with a prior data breach that occurred in 2014. According to the complaint, the hackers behind the 2016 breach stole a database containing the personal information of about 57 million Uber users and drivers. The hackers contacted Uber to inform the company of the attack and demanded payment in return for their silence. According to the complaint, Uber’s response was to attempt to recast the breach as a legitimate event under Uber’s “bug bounty” program and pay a bounty. An affidavit submitted with the complaint portrays a detailed story of deliberate steps undertaken by Mr. Sullivan to allegedly conceal the 2016 breach from the FTC, law enforcement and the public.

Contemporaneous with the filing of the complaint, the Department of Justice (DOJ) submitted a press release quoting US Attorney for the Northern District of California David L. Anderson:

“We expect good corporate citizenship. We expect prompt reporting of criminal conduct. We expect cooperation with our investigations. We will not tolerate corporate cover-ups. We will not tolerate illegal hush money payments.”

The press release also quoted Federal Bureau of Investigation (FBI) Deputy Special Agent in Charge Craig Fair:

“Concealing information about a felony from law enforcement is a crime. While this case is an extreme example of a prolonged attempt to subvert law enforcement, we hope companies stand up and take notice. Do not help criminal hackers cover their tracks. Do not make the problem worse for your customers, and do not cover up criminal attempts to steal people’s personal data.”

Collectively, the case and statements from the DOJ are probably a unicorn based on, if the facts as alleged are true, a case involving a deliberate cover-up of a data breach in the course of an active FTC investigation. However, many of the statements from the DOJ and the specific allegations in the complaint appear to have potentially far-reaching implications (for companies, their executives and cybersecurity professionals) that breach response counsel must seriously consider in future incidents.

A common question when responding to a ransomware or other cyberattack is whether and when to inform law enforcement. The criminal complaint has the potential to make this an even more difficult decision for future cyberattack victims. Further, while the alleged conduct at issue may seem particularly egregious, the DOJ’s statements could cause a blurring of the lines between what the government may contend is illegal concealment of a security incident and activities generally thought to be legitimate security incident risk and exposure mitigation. We explore these and other key takeaways from the criminal complaint in more detail below.

[...]

Continue Reading

DOJ Continues Telemedicine Enforcement in Q2 2019

by McDermott Will & Emery, Amandeep S. Sidhu and Marshall E. Jackson, Jr. | Aug 27, 2019 | Telehealth

During the second quarter of 2019, DOJ continued its focus on enforcement activity in telemedicine. As reported in prior editions of the Quarterly Roundup, telemedicine is an expanding field, causing DOJ to pay particular attention to the industry.

In April 2019, DOJ indicted the owner and operator of 1stCare MD and ProfitsCentric with one count of conspiracy to pay and receive kickbacks. The defendant’s arrest and federal indictment is part of a nationwide law enforcement action, as reported in the Q1 2019 Quarterly Roundup, that targeted 24 defendants involved in alleged extensive healthcare fraud schemes focused on telemedicine and durable medical equipment (DME) marketing. These schemes allegedly resulted in losses amounting to more than $1.2 billion. The indictment alleges that from 2016 to 2019 the defendant defrauded HHS in its administration and oversight of Medicare by conspiring with others by paying and receiving kickbacks and bribes in exchange for doctors’ orders for DME for Medicare beneficiaries. Prosecutors also alleged that the defendants, 1stCare MD and ProfitsCentric, through their network of doctors, generated thousands of doctors’ orders for DME absent a pre-existing doctor-patient relationship and a physical examination, and that the orders were based solely on a short telephone conversation. The indictment alleges that these activities resulted in the submission of approximately $40 million in fraudulent Medicare claims for DME.

Further, in July 2019, DOJ indicted a New York-based anesthesiologist for her alleged role in a $7 million telemedicine conspiracy to fraudulently bill Medicare, Medicare Part D plans and private insurance plans, resulting in more than $3 million in payments on those claims.[51] According to DOJ, the indictment resulted from investigative work by the Criminal Division’s Medicare Fraud Strike Force, a joint initiative of DOJ and HHS. Eastern District of New York prosecutors charged the anesthesiologist with one count of conspiring to commit healthcare fraud by misusing telemedicine channels under agreements with unidentified companies to prescribe DME and drugs to more than 3,000 Medicare beneficiaries. The indictment alleges that, from January 2015 to May 2018, the anesthesiologist and other providers allegedly received kickback payments from unidentified companies for improper telemedicine encounters. The indictment alleges that the anesthesiologist “prescribed and ordered DME and prescription drugs for beneficiaries who were not examined or evaluated by a licensed physician.” The prosecutors alleged that the prescriptions flowing from the alleged telemedicine encounters were for DME and drugs that were neither medically necessary nor the result of genuine physician-patient relationships.

PRACTICE NOTE: Given DOJ’s recent criminal enforcement related to telemedicine, telemedicine companies should closely review their compliance with the federal and state laws that may be implicated through a telemedicine practice. Further, DOJ’s focus on individual accountability is particularly important with respect to telemedicine, given its interest in pursuing criminal actions against physicians.

This blog post was originally published in McDermott’s Health Care Enforcement Quarterly Roundup | Q2 2019. Click here to view the full report.

Three Tips for Tackling Risk in Digital Health

by Dale C. Van Demark and Lisa Mazur | Jul 12, 2019 | Big Data

Digital health companies face a complicated regulatory landscape. While the opportunities for innovation and dynamic partnerships are abundant, so are the potential compliance pitfalls. In 2018 and in 2019, several digital health companies faced intense scrutiny—not only from regulatory agencies, but in some cases from their own investors. While the regulatory framework for digital technology in health care and life sciences will continue to evolve, digital health enterprises can take key steps now to mitigate risk, ensure compliance and position themselves for success.

Be accurate about quality.

Ensuring that you have a high-quality product or service is only the first step; you should also be exactingly accurate in the way that you speak about your product’s quality or efficacy. Even if a product or service does not require US Food and Drug Administration clearance for making claims, you still may face substantial regulatory risk and liability if the product does not perform at the level described. As demonstrated in several recent public cases, an inaccurate statement of quality or efficacy can draw state and federal regulatory scrutiny, and carries consequences for selling your product in the marketplace and securing reimbursement.

Tech companies and non-traditional health industry players should take careful stock of the health sector’s unique requirements and liabilities in this area, as the risk is much higher in this arena than in other industries.

(more…)

Health Care Enforcement Roundup: Increased FCA Enforcement Against EHR Companies

by Amandeep S. Sidhu, James A. Cannatti III and Theodore Alexander | May 9, 2019 | Uncategorized

The federal government has offered substantial incentives to providers to adopt and use certified electronic health record (EHR) technology. As of October 2018, the federal government had paid over $38 billion in EHR incentive payments through the Promoting Interoperability Program (formerly, the Meaningful Use Program). Other federal health care program policies also encourage use of certified EHR technology through enhanced payments or avoidance of decreased reimbursement. These EHR-related payment policies, however, have triggered increased oversight and enforcement attention on EHR vendors who have allegedly misrepresented the capabilities of their EHR software and allegedly paid kickbacks to customers.

In 2017, DOJ announced a settlement with eClinicalWorks (eCW), an EHR vendor, to resolve an FCA lawsuit originally brought as a qui tam action by a whistleblower. DOJ’s complaint-in-intervention alleged that eCW made material false statements and concealed material facts about the capabilities of its software in connection with the government’s EHR certification process.[1] It also alleged that eCW paid purported kickbacks in connection with certain marketing arrangements (i.e., a referral program, site visit program, and a reference program) with influential customers to induce them to recommend eCW’s EHR software, in violation of the federal Anti-Kickback Statute (AKS).[2]

As part of the settlement, eCW agreed to pay $155 million and to enter into a novel, five-year Corporate Integrity Agreement (CIA) with the HHS OIG. Among other things, the CIA required eCW to engage an independent Software Quality Oversight Organization to assess eCW’s software quality control systems and to regularly report to OIG and eCW on its reviews and recommendations. Further, the CIA required eCW to offer free upgrades and data transfers to its current customers. This was a ground-breaking settlement that raised the question of whether this was the beginning of government and whistleblower attention on (and FCA actions against) EHR vendors. This question was seemingly answered in the affirmative when DOJ announced a second settlement with an EHR vendor in early 2019.

On February 6, 2019, EHR vendor Greenway Health LLC (Greenway) entered into a similar settlement to resolve an FCA case filed by the US Attorney’s Office in Vermont. Interestingly, a whistleblower did not initiate the Greenway case. Rather, DOJ pursued it directly. Like eCW, Greenway faced allegations that its EHR system did not function in the way it represented it during the certification process.[3] One specific allegation was that Greenway provided some customers whose EHR software was improperly calculating certain meaningful use measures (which providers are required to achieve to be eligible for incentive payments) with incorrect calculations in order to enable them to receive incentive payments.[4] According to DOJ, this allegedly caused some Greenway customers to submit false claims to HHS for payment under the Promoting Interoperability Program.

Like in the eCW case, the government complaint against Greenway also alleged that certain payments from Greenway to its customers pursuant to certain reference, referral, and site visit programs [...]

Continue Reading

DOJ’s Enforcement Activity Against Individuals: Acute Focus on Telemedicine

by Amandeep S. Sidhu, James A. Cannatti III and Theodore Alexander | May 6, 2019 | Telehealth

DOJ’s focus on individual accountability is particularly important with respect to telemedicine. Telemedicine is a burgeoning field, with a projected market increase of 18 percent annually over the next six years, reaching $103 billion in 2024. In light of this recent surge in profitability, DOJ has begun paying extra attention to telemedicine, with at least one recent HHS-OIG report asserting that more than one-third of all telemedicine claims are improper.

The report’s claim is further supported by a recent increase in telemedicine prosecutions. In April 2019, DOJ announced charges against 24 defendants, including owners of various telemedicine companies, for their alleged involvement in a health care fraud scheme resulting in $1.2 billion in loss. This scheme involved the payment of kickbacks and bribes by durable medical equipment (DME) companies to medical professionals working with telemedicine companies, in exchange for the referral of Medicare beneficiaries. DOJ alleges that the defendants paid doctors to prescribe medically unnecessary DME without ever seeing patients or after only a brief telephone conversation. The prosecution involves charges in at least seven districts across the United States, including New Jersey, Florida, Texas, Pennsylvania, and California. Additionally, DOJ prosecuted several other individuals in connection with unrelated telemedicine schemes in late 2018 (see the agency’s press releases here, here and here). In light of this recent trend, companies should exercise extreme caution and consult with regulatory experts prior to opening telemedicine practices. Companies can expect to see increased scrutiny and further prosecution of telemedicine companies moving forward.

Practice Note: DOJ has recently re-emphasized its willingness to exercise significant discretion and reward companies that invest in strong compliance programs. Looking forward, health care companies should maintain detailed and up-to-date documentation of all compliance programs, in case such an FCA case should arise. A lawyer should be consulted if an updated compliance program is needed.

This blog post was originally published in McDermott’s Health Care Enforcement Quarterly Roundup | Q1 2019. Click here to view the full report.

False Claims Act Settlement with eClinicalWorks Raises Questions for Electronic Health Record Software Vendors

by Daniel F. Gottlieb and Tony Maida | Jul 7, 2017 | Consumer Protection, Data Privacy, General Interest, Uncategorized

On May 31, 2017, the US Department of Justice announced a Settlement Agreement under which eClinicalWorks, a vendor of electronic health record software, agreed to pay $155 million and enter into a five-year Corporate Integrity Agreement to resolve allegations that it caused its customers to submit false claims for Medicare and Medicaid meaningful use payments in violation of the False Claims Act.

Read the full article.

OIG Reports More Than $731 Million in Inappropriate Medicare Meaningful Use Payments

by Amanda Enyeart and Lisa Mazur | Jun 20, 2017 | Big Data, Data Privacy, General Interest, Telehealth

The Electronic Health Records (EHR) Incentive Program run by Centers for Medicare and Medicaid Services (CMS) garnered attention again last week following the release of a report by the Office of Inspector General of the US Department of Health and Human Services (OIG) describing inappropriate payments to physicians under the program. The report follows on the heels of a high-profile settlement under the False Claims Act between the US Department of Justice and an EHR vendor related to certified electronic health record technology (CEHRT) used in the EHR Incentive Program (which we’ve previously discussed in-depth).

The OIG reviewed payments to 100 eligible professionals (EPs) who received EHR incentive payments between May 2011 and June 2014 and identified 14 inappropriate payments. OIG extrapolated the results of the review to the 250,470 total EPs who received incentive payments during that time period and estimated that CMS made approximately $729 million in inappropriate EHR incentive payments out of a total of just over $6 billion in such payments during the review period. (more…)

Texas Changes its Tone on Telemedicine

by McDermott Will & Emery and Lisa Mazur | Jun 1, 2017 | Mobile Apps, Telehealth, Text Messaging

As one of the last states to retain highly restrictive (and arguably anti-competitive) telemedicine practice standards, health care providers, regulatory boards, technology companies, payors and other stakeholders have been actively monitoring Texas’ approach to telemedicine regulation and the related Teladoc case. Texas has eliminated its most restrictive requirement for delivering care via telemedicine in Texas, increasing opportunities for providers to reach patients using technology. Senate Bill 1107 was passed on May 11, 2017, and the House added an amendment in passing Senate Bill 1107, which was approved in the Senate on May 18. The bill was signed into law by Governor Abbott last weekend.

Read the full article.

Texas to Take a Leap Forward in Telehealth – A Proposed Bill Drops the Controversial In-Person Evaluation Requirement

by McDermott Will & Emery, Dale C. Van Demark, Lisa Mazur and Marshall E. Jackson, Jr. | Mar 9, 2017 | General Interest, Telehealth

Texas telehealth requirements will significantly change in the near future if Texas Senate Bill 1107 is passed into law, as it removes the controversial “face-to-face” or in-person consultation requirement to establish a physician-patient relationship and lawfully provide telehealth and telemedicine services within the state. This bill comes after a six-year-long battle between telemedicine stakeholders and the Texas Medical Board, and will better align Texas’ regulations with those found in other states.

Read the full article.

BLOG EDITORS

Amanda Enyeart

Marshall E. Jackson, Jr.

BLOG EDITORS

STAY CONNECTED

TOPICS

ARCHIVES

RECENT POSTS