Americans hear about cybersecurity incidents on a frequent basis. As the adage goes, it is not a matter of “if” a breach or security hack occurs; it is a matter of “when.” At no time was that more evident than earlier this year, when the healthcare industry was hit with the widespread ransomware attack on Change Healthcare, a subsidiary of UnitedHealth Group. Because of the nature of the Change Healthcare shutdown and its impact across the industry, the U.S. Department of Health & Human Services (HHS) and its HIPAA enforcement arm, the Office for Civil Rights (OCR), conducted investigations and issued FAQ responses for those impacted by the cybersecurity event.
On July 1, 2024, Texas May Have the Strongest Consumer Data Privacy Law in the United States
It’s Bigger. But is it Better?
They say everything is bigger in Texas, and that includes big privacy protection. After the Texas Senate approved HB 4, the Texas Data Privacy and Security Act (“TDPSA”), on June 18, 2023, Texas became the eleventh state to enact comprehensive privacy legislation.[1]
Like many state consumer data privacy laws enacted this year, TDPSA is largely modeled after the Virginia Consumer Data Protection Act.[2] However, the law contains several unique differences and drew significant pieces from recently enacted consumer data privacy laws in Colorado and Connecticut, which generally include “stronger” provisions than the more “business-friendly” laws passed in states like Utah and Iowa.
Ransomware Attacks at Record Levels; Healthcare Organizations Must Be Ready Via Data Security and Disaster Response Policies and Procedures
Healthcare providers continue to rely on interconnected information technology systems and digital care delivery to improve healthcare outcomes. In response, ransomware attacks are increasing, both in number and in sophistication. The attacks threaten the clinical and clerical operations of healthcare enterprises of all sizes. JAMA published an alarming study showing that the number of ransomware attacks targeting healthcare organizations doubled in the last five years. These attacks disrupted care and exposed the personal health information of nearly 42 million patients.
Ransomware attacks usually involve the installation of malicious software on vulnerable systems and technology through any number of vulnerabilities, for example via email phishing links or by being disguised as software updates. Once installed, the ransomware locks healthcare organizations out of their own data, whole data storage systems, or targeted technology devices. The cybercriminals behind ransomware attacks then threaten to release, permanently encrypt, or delete patient data (in some cases, all three) unless the organization pays the ransom demand.
Annual OCR Breach Report Deadline is Approaching; Are You Ready?
By March 2, 2022, HIPAA covered entities (healthcare providers, health plans, and healthcare clearinghouses) must report all 2021 breaches of unsecured PHI that affected fewer than 500 individuals to the Office for Civil Rights of the U.S. Department of Health & Human Services (OCR). Covered entities must submit these reports through the HHS web portal, located here.
This is a separate reporting process from breaches that affect more than 500 individuals, which must be reported to the OCR and local media when they occur.
Covered entities should have a detailed HIPAA incident log for each breach incident. Such a log makes reporting to OCR easier and should include the following items:
- Breach tracking number (if you have one)
- Breach dates, start and end
- Breach discovery date
- Number of individuals affected by the breach
- Type of breach (e.g., hacking incident, improper disposal, loss, theft, unauthorized access, etc.)
- Location of breach (e.g., desktop, EMR/EHR, email, mobile device, server, paper, etc.)
- Type of PHI involved (e.g., clinical, demographic, financial, sensitive information, etc.)
- Brief description of the breach
- Safeguards in place prior to the breach
- Dates for transmission of individual notices
- Substitute notice options (if applicable)
- Media notice (if applicable)
- Mitigation efforts and other actions taken in response to the breach
Further information on Breach Portal Required Information can be found here.
Please plan accordingly for your reporting needs. While you may submit all breach reports on one date, you must submit a separate report for each breach incident. And if you discover additional information that supplements, modifies, or clarifies a previously submitted report, you should amend your report by addendum through the OCR portal, referencing the transaction number from the initial breach report.
Supreme Court Splits Decisions on Vaccine Mandates
As more fully discussed in the in-depth summary by our colleague, Taylor White, the U.S. Supreme Court blocked the OSHA emergency standard mandating vaccines in the American workplace. This ruling nullifies OSHA’s intended enforcement of the mandate after January 10, 2021.
The primary rationale for blocking the OSHA mandate was that it was a “broad public health” measure, while OSHA’s overriding purpose is workplace safety. The Supreme Court acknowledged that COVID-19 presents workplace safety concerns, but that the proposed rule addresses public health safety, which Congress did not authorize OSHA to oversee.
Where does this leave the vaccine mandate directed to healthcare workers? Well, the Supreme Court leaves it in place…. for now.
Much like the OSHA emergency standard, the healthcare worker mandate is an interim final rule with comment period (IFR) issued by the Centers for Medicare and Medicaid Services (CMS). The IFR revises Medicare conditions of participation (COPs) such that healthcare facilities that participate as providers in Medicare and Medicaid must ensure that their covered personnel are vaccinated against COVID-19. See 85 Fed. Reg. 61555 (Nov. 5, 2021). While Congress did not authorize OSHA to oversee public health safety, Congress has authorized the Secretary of Health and Human Services to analyze and implement COPs to ensure effective and safe healthcare environments, including conditions related to infection control and prevention.
As with other mandates, a number of states filed two separate lawsuits to challenge the CMS directive. US district courts sided with the states and enjoined enforcement of the IFR. CMS appealed to the Supreme Court when intermediate courts of appeal declined to stay the district court injunctions.
In its 5-4 ruling, the Supreme Court affirmed that one of the most basic functions of CMS is to “ensure that the health care providers who care for Medicare and Medicaid patients protect the patients’ health and safety.” Biden v. Missouri, Case No. 21A240 (Jan. 13, 2022); Becerra v. Louisiana, Case No. 21A241 (Jan. 13, 2022), 2. The types of providers to which this oversight function applies include twenty-one industry segments such as hospitals, nursing homes, ambulatory surgery centers, hospices, rehab facilities, community mental health centers, and FQHCs.
In considering the IFR, the Court majority held that the “health and safety” language in various authorizing statutes broadly applied to Medicare and Medicaid providers, even if such language was not in all relevant, applicable statutes. The majority also determined that the HHS Secretary “routinely imposes [COPs] that relate to the qualifications and duties of healthcare workers themselves.” Id. at 6.
By finding that CMS acted within its authority to issue the IFR, the Court stayed the preliminary injunctions in the two lawsuits pending resolution of the underlying lawsuits, both of which are currently on appeal to the Fifth and Eighth Circuits.
So for now, any healthcare facility provider that accepts Medicare and Medicaid must comply with the CMS requirement that their healthcare workers receive the COVID vaccine.
Winstead Shareholder Taylor White discusses U.S. Supreme Court Blocks OSHA’s Vaccine-Related Emergency Temporary Standard. View Here.
Disclaimer: Content contained within this article provides information on general legal issues and is not intended to provide advice on any specific legal matter or factual situation. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this information without seeking professional counsel.
Winstead Shareholders Katy Carmical, Corinne Smith and Kevin Wood discuss Medical Timeshares in a new American Health Law Association Article
Winstead Shareholders Katy Carmical, Corinne Smith and Kevin Wood recently discussed Medical Timeshares in a new American Health Law Association article.
The article can be read here: Medical Timeshares Require More Than What You Learned in Kindergarten
Top 5 Takeaways from Winstead’s Physician Roll-up Transactions Event
Featuring Epiphany Dermatology, WellMed Medical Management, & Allied OMS
In September, Winstead hosted a virtual event entitled “Physician Roll-Up Transactions.” The event, which was moderated by Winstead shareholder Justin Hoover, featured Torie Berkowitz, Corporate Counsel & Director of Legal Affairs at Epiphany Dermatology, Joanne Comer, Sr. VP, Corporate Development at WellMed Medical Management, and Daniel Hosler, CEO and Co-Founder of Allied OMS. During the event, the speakers explored some of the different strategies, trends, and challenges surrounding physician roll-up transactions, as well as the world of Physician Practice Management. Here are some of the key takeaways from the event:
- In the broader business world, companies are fundamentally valued based on their cash flow. Accordingly, an important step in physician roll-up transactions includes closely examining the practice’s cash flow and getting a glimpse of how the practice’s financials look after year-end distributions to the owners of the practice.
- In the private equity buyer market, when doctors partner with many of these firms, they often take a pay cut post-closing, with that pay cut generally corresponding to additional cash payments received at closing. Also, private equity firms generally want to see an alignment of interests, so they may buy up to 90 percent of a practice but still expect physicians to reinvest alongside them.
- Another key trend relates to changing views regarding the private practice of medicine between new doctors and more seasoned doctors. With the increasing costs of higher education, more and more people are reliant on student loans. As a result, there is a change in mindset with newer doctors. Some of them are not sure they want to be the owner of a practice. This shift is instilling fear in some older doctors as they are not sure whether they will be able to find a buyer or a similar market (as when they entered the field) when they are ready to sell their practice.
- Preparation is very important in these transactions—and to help with this process, physicians should practice patience and seek the input of third-party advisors. This is especially important because this process is new to them and often involves procedures and measures they are not familiar with. As such, preparing for a transaction in advance, including seeking out the help of trained advisors, can help to make the process much smoother and less stressful.
- Finally, physicians can help prepare for a transaction by getting started on document compilation and other preparatory due diligence early on. This is important as physicians must still manage their practice while at the same time trying to execute on a transaction.
Contact
Justin Hoover | 817-420-8225 | jhoover@winstead.com
Upcoming Webinar: Physician Roll-Up Transactions
Webinar: Physician Roll-Up Transactions
Join Winstead for a webinar on physician roll-up transactions. During the webinar, guest speakers will discuss various strategies and structures for successfully effecting roll-up transactions, including how physician groups should prepare in advance of exploring a potential transaction in order to maximize their value. The panel will also discuss current trends, developments, opportunities and challenges related to physician roll-up transactions and the Physician Practice Management space.
Date: Wednesday, September 8, 2021
Time: 12:00 p.m. Central Time
Moderator:
Justin Hoover, Shareholder, Winstead
Speakers:
Torie Berkowitz, Corporate Counsel & Director of Legal Affairs, Epiphany Dermatology
Joanne Comer, Sr. VP, Corporate Development, WellMed Medical Management
Daniel Hosler, CEO and Co-Founder, Allied OMS
Taylor White in Texas Lawyer: Employers Get Clarity on Mandatory COVID-19 Vaccination Policies in the Workplace
Winstead PC Shareholder Taylor White published his column in Texas Lawyer about labor and employment issues and trending topics. The article is titled ‘Employers Get Clarity on Mandatory COVID-19 Vaccination Policies in the Workplace.’ The article is below:
For months, employers and employment attorneys have navigated a number of considerations and governmental guidance documents regarding COVID-19 vaccinations in the workplace. A key question has been whether employers can implement policies requiring employees entering the workplace to be vaccinated against COVID-19. Notwithstanding the business consideration of whether such policies should be implemented, the consensus among practitioners has been that mandatory COVID-19 vaccinations in the workplace are legally permissible. Two recent developments have generally confirmed that consensus: the Equal Employment Opportunity Commission’s May 28, 2021, updates to its technical assistance guidance, and a recent federal court order dismissing claims brought by employees against their employer based on the employer’s mandatory vaccination policy.
Multiple States Looking at Pharmacy Benefit Managers (PBMs)
Last week, the Wall Street Journal (WSJ) reported on investigations and audits by several states into the contractual relationships with pharmacy benefit managers, also known as PBMs. As noted in the article, state Medicaid programs are taking a closer look at their PBM contractors’ compliance practices, both contract and regulatory, to determine whether the PBMs received any potential overpayments. According to the WSJ, certain states—including Ohio, Mississippi, Arkansas, Kansas, Georgia and New Mexico—have hired outside legal counsel to assist in the investigation. The current investigations could have significant implications for the state healthcare programs and Medicaid PBMs moving forward. One state attorney general quoted in the article notes that other states are examining their relationships with PBMs and the number of states bringing complaints against PBMs may increase. The full WSJ article (subscription required) is available here.