American Health Care Act Passes House, But May Be Stalled in the Senate
Yesterday afternoon, the U.S. House of Representatives passed its health care reform bill — the American Health Care Act of 2017, H.R. 1628 — by a vote of 217 to 213. Twenty House Republicans joined all 193 House Democrats in voting no. The House vote on Thursday occurred before the Congressional Budget Office (“CBO”) had released a new analysis of the revised bill’s economic impact. Our summary of the CBO’s analysis of the first version of the bill is available here.
Although the AHCA passed its first major legislative hurdle, it now faces uncertainty in the Senate, where Republican senators have been pressured by Medicaid-expansion state governors concerned about constituents losing Medicaid coverage. To date, 31 states and Washington, DC have expanded Medicaid under the Affordable Care Act. Instead of debating the House version of the AHCA, Senate Majority Whip John Cornyn (R-Texas) and Senator Charles Grassley (R-Iowa) have signaled that the AHCA will be stalled in the Senate while Senate Republicans work to draft their own health care reform bill. We will continue to monitor and report on the AHCA’s legislative path.
Three HIPAA Corrective Actions Announced in April; First Settlement with Wireless Health Services Provider Costs $2.5 Million
April 2017 was a busy month for the U.S. Department of Health & Human Services, Office for Civil Rights (“OCR”), as it issued three separate press releases relating to Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) enforcement actions. The first settlement, involving a provider’s failure to conduct a HIPAA security risk assessment, was described in our April 13, 2017 update. Next, on April 20, 2017, OCR announced that the Center for Children’s Digestive Health (“CCDH”), a seven-clinic pediatric sub-specialty practice in Illinois, had paid OCR $31,000 and entered into a two-year corrective action plan with OCR to settle potential violations of HIPAA relating to its failure to enter into a HIPAA business associate agreement (“BAA”) with its medical record storage company. According to the press release, in August 2015, OCR initiated a compliance review of CCDH following an investigation of a business associate, FileFax, Inc., which stored records containing protected health information (“PHI”) for CCDH. Although CCDH began disclosing PHI to FileFax in 2003, neither party could produce a signed BAA prior to Oct. 12, 2015. While the settlement amount is not particularly noteworthy, the settlement demonstrates OCR’s willingness to audit a covered entity’s HIPAA practices in the event of a business associate’s HIPAA violation. In addition to the $31,000 settlement, the corrective action plan requires that CCDH revise its policies and procedures to include, among other things: (1) the designation of an individual responsible for HIPAA BAAs, (2) the creation of a template BAA, (3) the implementation of a process to assess current and future business associate relationships, and (4) HIPAA training for employees.
Most recently, on April 24, 2017, OCR announced its first settlement with a wireless health services provider, CardioNet. According to the press release, CardioNet agreed to pay $2.5 million and enter into a corrective action plan to settle potential noncompliance with HIPAA. CardioNet provides remote mobile monitoring of and rapid response to patients at risk for cardiac arrhythmias. In January 2012, CardioNet reported to OCR that an employee’s laptop containing the electronic PHI of 1,391 individuals was stolen from the employee’s car. OCR’s investigation revealed that CardioNet (i) had insufficient risk analysis and risk management processes in place at the time of the theft, (ii) had not implemented its HIPAA policies and procedures, which were still in draft form, and (iii) was unable to produce any final policies or procedures regarding the implementation of safeguards for electronic PHI, including those for mobile devices. As mobile devices are increasingly used in the health care sector, HIPAA covered entities and business associates need to take particular care to ensure their policies and procedures adequately address risks specific to mobile devices, including theft and loss. OCR has gathered tips and information to help protect and secure health information when using mobile devices. That information is available here.
Blood Testing Laboratory to Pay $6 Million to Settle Allegations of Kickbacks and Unnecessary Testing
On April 28, 2017, the Department of Justice (“DOJ”) announced that Quest Diagnostics Inc. (“Quest”) has agreed to pay $6 million to resolve allegations that a company it acquired in 2011, Berkeley HeartLab Inc. (“Berkeley”), violated the False Claims Act by paying kickbacks to physicians and patients to induce the use of Berkeley for blood testing services and by charging for medically unnecessary tests. Specifically, the government’s complaint alleged that in order to induce physicians and patients to choose Berkeley over other laboratories, Berkeley (i) paid kickbacks to referring physicians disguised as “process and handling” fees and (ii) paid kickbacks to patients by routinely waiving patient copayments. The government’s complaint further alleged that these illegal practices resulted in medically unnecessary cardiovascular tests being charged to federal health care programs. The lawsuit was initially filed under the qui tam, or whistleblower, provisions of the False Claims Act. The whistleblower’s award has not yet been announced.