HHS Issues Practical New Cybersecurity Guidance for Healthcare Businesses of all Sizes

Dustin BergerSarah BimberBy Dustin Berger and Sarah Bimber on Posted in Data Privacy and Security, National

In late January, the U.S. Department of Health and Human Services’ Healthcare & Public Health Sector Coordinating Council issued a new cybersecurity guidance document for healthcare businesses of all sizes. The guidance document, entitled “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients,” available at https://www.phe.gov/Preparedness/planning/405d/Pages/hic-practices.aspx, provides concrete and practical guidance for addressing what the Council has identified as the “most impactful threats . . . within the industry” and serves as a renewed call to action for implementation of appropriate cybersecurity practices. This document is critical reading for healthcare business managers faced with ever-increasing cybersecurity risks and the attending risks to patient safety and operational continuity, business reputation, financial stability, and regulatory compliance. Continue Reading

Washington Supreme Court Announces Zero-Tolerance Approach to Sexual Harassment in Places of Public Accommodation

Jim ShoreDustin BergerBy Jim Shore and Dustin Berger on Posted in Employment Law, Washington

The Washington Law Against Discrimination (WLAD) prohibits “places of public accommodation” from discriminating against their customers on the basis of several protected characteristics, including, without limitation, sex, race, national origin, and sexual orientation. Sexual harassment is one prohibited form of such sex-based discrimination.  Generally speaking, a place of public accommodation is any business that is open to the public.

On January 31, 2019, the Washington Supreme Court announced a new sexual harassment standard for places of public accommodation. In so ruling, the Court held that, under the WLAD, employers are “directly liable for the sexual harassment of members of the public by their employees, just as they would be if their employees turned customers away because of their race, religion, or sexual orientation.” Floeting v. Group Health, Inc., No. 95205-1. Continue Reading

Effects of State Individual Mandates on Employer Group Health Plans

Abbey HendricksHoward Bye-TorreBy Abbey Hendricks and Howard Bye-Torre on Posted in Insurance Law, Legislation, National

Late last year, Congress passed the Tax Cuts and Jobs Act, which included a provision  effectively repealing the requirement for most Americans to have health insurance.  This “individual mandate” was originally imposed by the Affordable Care Act (“ACA”). Beginning in 2019, the tax penalty individuals face if they do not enroll in health coverage considered minimum essential coverage (“MEC”) will drop to zero.

For many Americans, the individual mandate was satisfied by the health coverage provided by employers. From an employer perspective, the repeal of the individual mandate penalty might first appear to have little effect. The ACA’s employer shared responsibility provisions (also known as the “pay-or-play penalties”) remain intact, and applicable large employers (“ALEs”)  will likely continue to provide group health coverage to employees and their dependents even though the individual mandate is no longer in effect. And though the Congressional Budget Office projected that an additional 4 million individuals will go uninsured when the federal penalty disappears, most of these individuals were previously insured in the individual market, not the group market.

But the repeal of the federal penalty has spurred activity at the state level that will require employer attention. Many states are concerned that the resulting increase in uninsured individuals will further strain state safety nets, resulting in accelerated efforts to strengthen state insurance markets by imposing state-law individual mandates to reduce the rate of uninsured individuals. Continue Reading

Short-Term Health Plans Hit Roadblock in Washington State

Kara MorseBy Kara Morse on Posted in Health Plans, Washington

Washington’s Insurance Commissioner Rolls Back Federal Attempt to Expand Access to Short-Term Health Plans

On October 17, 2018, the Office of the Insurance Commissioner (“OIC”) adopted a final rule that defines minimum standards for short-term limited-duration health insurance plans (“short-term plans”) in Washington State and rejects federal efforts to expand their availability. Short-term plans are exempt from many of the minimum requirements applicable to most health plans under the Affordable Care Act (“ACA”) and Washington State law. The OIC rulemaking is a direct response to recent federal changes that removed many restrictions that previously curbed access to short-term plans. See our previous post for more information on the federal rule, which went into effect October 2, 2018 and is expected to result in a dramatic increase in the use of short-term plans.

Federal rules now allow short-term plans to cover an individual for up to 364 days in a year, and make it possible for someone to have short-term plan coverage for up to 36 months by using consecutive plans, all while side-stepping consumer protection requirements such as essential health benefits and the prohibition on exclusions for preexisting conditions. The new OIC rules would basically roll back these federal changes in Washington State, making it clear that short-term plans are not a viable alternative to more traditional insurance coverage.

The final rule:

  • Limits the duration of any short-term plan to three months, including any renewal period.
  • Prohibits a carrier from issuing a short-term plan if it would result in more than three months of coverage under a short-term plan in the same 12-month period. In other words, a consumer could not cobble together multiple short-term plans to cover more than the three-month limit.
  • If preexisting conditions are excluded, limits the lookback period to up to 24 months prior to the application date.
  • Requires minimum benefit coverage, including hospital, surgical and medical expense coverage of at least one million dollars, and a copayment or coinsurance of not more than 50%.
  • Prohibits the issuance of a short-term plan during open enrollment for individual coverage on the Washington State health benefit exchange.
  • Requires that potential enrollees be given a standard disclosure form, acknowledged by their signature, describing the limits of the coverage being offered. The disclosure must include specific language advising of the short-term plan’s limited nature, including that it may not cover preexisting conditions and that it does not include benefits required by the ACA. The disclosure then provides details about the timing, duration and extent of the coverage.
  • Requires OIC approval for any short-term plan, which may be withdrawn at any time for cause.
  • Is applicable to plans with an effective date on or after January 1, 2019.

The OIC acknowledges that short-term plans should be available as a stop-gap option for consumers who seek health coverage for a short period of time until more permanent health insurance may be obtained. With these rules, however, the OIC has largely restored the limitations which existed prior to the recent federal changes. The move sends a signal to carriers and consumers that any attempt to circumvent consumer protections or to use short-term plans as a long-term alternative to the traditional individual market will hit a roadblock in Washington State.

Was the Response Responsive Enough? The Oregon Court of Appeals Weighs In On “Failure to Respond” to the Board of Dentistry

Rachel LeeBy Rachel Lee on Posted in Oregon

Angle v Board of Dentistry, No. A162472, decided by the Oregon Court of Appeals on October 17, 2018, is a statutory interpretation case that may inform how dentists respond to requests for information from the Oregon Board of Dentistry.

ORS 679.170(6) provides that no person shall “fail to respond” to a written request from the Board of Dentistry for information.  Does a “nonresponsive” reply count as a failure to respond?  In this case, the Oregon Court of Appeals decides that just saying something is not sufficient to comply with ORS 679.170(6).  Instead, responses must be responsive.  According to the court, telling the board to go fly a kite or writing a letter about the history of Rome will not pass muster.  However, a “curt and not overly helpful” response may work. Continue Reading

Anthem Pays OCR $16 Million in Record-Breaking HIPAA Data Breach Settlement

Sarah BimberBy Sarah Bimber on Posted in Data Privacy and Security, HIPAA

The Office of Civil Rights (OCR) announced in a press release this week that Anthem, Inc. (Anthem), one of the nation’s largest health benefit companies, has agreed to pay $16 million and take substantial corrective action to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. This settlement is the largest in HIPAA-enforcement history, far exceeding the previous record of $5.5 million paid by Memorial Healthcare in 2017.

OCR investigated Anthem following its report that a series of cyber attacks in 2014 and 2015 resulted in theft of the electronic protected health information (ePHI) of nearly 79 million members of  its affiliated and other covered entity health plans. In addition to Anthem’s failure to implement sufficient safeguards to prevent and detect the inappropriate access to its systems, OCR also found that Anthem had:

  • Failed to conduct an enterprise-wide risk analysis
  • Insufficient procedures to regularly review records of information system activity
  • Failed to identify and respond to suspected or known security incidents
  • Failed to implement adequate minimum access controls to prevent unauthorized access to ePHI

A link to the Resolution Agreement between Anthem and OCR is available here.

It is not surprising that the largest HIPAA breach to date would result in the largest settlement to date, and this is a strong signal of this administration’s interest in leveraging its penalty authority to make an example of organizations that have large data breaches. Organizations of all sizes should take note, however.  While penalties are imposed in only a small fraction of the incidents reported to OCR, any significant data breach will result in an OCR investigation that may bring inadequacies of privacy and security safeguards to light.

If you have questions or concerns about your HIPAA compliance posture or your information security and governance plans, we are ready to help.

Oregon Declines to Follow New Federal AHP Regulations

Bethany BacciBy Bethany Bacci on Posted in Health Plans, Oregon

The Oregon Division of Financial Regulation (the “Division”) recently issued a bulletin clarifying Oregon law and guidance applicable to association health plans (“AHPs”), which are multiple employer welfare arrangements (“MEWAs”) under ERISA. In Bulletin No. DFR 2018-07 (the “Bulletin”), the Division declined to adopt the more flexible criteria established by the recent U.S. Department of Labor (“DOL”) final regulation on AHPs (the “AHP Rule”).

The AHP Rule modified the definition of “employer” under ERISA to provide new options for small businesses and working owners to join together and be treated as a single large employer sponsor of a group health plan. AHPs are attractive to small employers who can then purchase health insurance without the additional requirements imposed on small groups under the Affordable Care Act. The DOL claims the AHP Rule will expand access to and lower the cost of insurance policies for small businesses. Opponents, including states such as Oregon, say the rule will destabilize the individual and small group market, increase fraud and abuse, decrease comprehensive health coverage, and result in higher health insurance costs overall. Oregon joined a coalition of states in a lawsuit filed this summer challenging the AHP Rule.

The AHP Rule does not modify or otherwise limit state insurance law or authority to regulate MEWAs; it also explicitly preserves the DOL’s pre-rule guidance used to determine whether an association is “bona fide” and should be recognized as a single employer under ERISA.  Given Oregon’s position on the AHP Rule, it is not surprising that the Bulletin indicates the Division will continue to enforce Oregon’s pre-rule guidance (see  Bulletin INS 2013-3) without modification  on the type of associations and MEWAs that may purchase or issue a health plan in Oregon.

The Bulletin provides a helpful summary of how associations can comply with Oregon requirements while reminding insurers, associations, MEWAs, agents, and producers that the Division would take action “for any failure to comply with or attempt to circumvent Oregon statutory or regulatory requirements with respect to health benefit plan coverage offered by or to an association.”

Ruling in the Eleventh Circuit Highlights Both the Breadth and Potential Limitations of AKS’s Employment Safe Harbor

Timothy HatfieldBy Timothy Hatfield on Posted in AKS

Health care lawyers have long debated whether the AKS safe harbor provides full protection for employees who are paid to market a supplier’s services.  In Carrel v. AIDS Healthcare Foundation, 898 F.3d 1267 (Aug. 7, 2018), the Eleventh Circuit might have come a step closer to answering this question.  The Carrel court affirmed the dismissal of a False Claims Act suit against the AIDS Healthcare Foundation, Inc. (the “Foundation”), holding that the Anti-Kickback Statute (“AKS”) safe harbor for employment relationships protected bonuses the Foundation paid to employees who referred HIV/AIDS patients to the Foundation for treatment. The outcome of this case was unsurprising given the facts and relevant precedents in the Eleventh Circuit, but highlights an important potential limitation to the AKS’s employment safe harbor.

Carrel Put the Strict Terms of the Employment Safe Harbor to the Test

The AKS criminalizes knowingly and willfully offering, paying, soliciting, or receiving any remuneration to induce or reward referrals of items or services reimbursable by a federal health care program (e.g., Medicare or Medicaid). 42 U.S.C. § 1320a-7b(b). One of the most common AKS safe harbors protects “any amount paid by an employer to an employee (who has a bona fide employment relationship with such employer) for employment in the provision of covered items or services.” 42 U.S.C. § 1320a-7b(b)(3)(B). Regulations provide a parallel exemption for “any amount paid by an employer to an employee … for employment in the furnishing of any item or service for which payment may be made in whole or in part under Medicare, Medicaid, or other Federal health care programs.” 42 C.F.R. § 1001.952(i).

The plaintiffs in Carrel alleged that the Foundation violated the AKS by paying its employees bonuses for each HIV-positive individual they referred to the Foundation for treatment. Specifically, the Foundation had a contract with the State of Florida under which it conducted HIV testing. The contract (funded by the federal Ryan White Act) required the Foundation to refer clients with positive test results to health care providers for treatment, and compensated the Foundation for such referral services. In an apparent effort to incentivize these referrals, the Foundation offered cash bonuses to employees for each HIV-positive patients they successfully directed to the Foundation for follow-up medical care. The bonuses were allegedly not available if the patients received follow-up care from a provider that was not affiliated with the Foundation. Continue Reading

Welcome to Health Law Insider!

Timothy HatfieldBy Timothy Hatfield on Posted in Uncategorized

Welcome to Stoel Rives’ newest blog: Health Law Insider. Health Law Insider will provide insights from our team of experts on the full spectrum of legal issues that are shaping the health care industry, including data privacy and security, fraud and abuse, health care transactions, antitrust, taxation, and insurance regulation.

The health care delivery system is in the midst of a transformation. While the end state is unknown, it is almost certain to involve greater provider accountability for health outcomes, as well as increased reliance on data and technology. This blog will seek to inform those who are the agents of health delivery transformation about the ever-changing laws and regulations that govern the industry.

So please read on. We encourage you to subscribe for email updates and follow us on Twitter, Facebook or LinkedIn (see the sidebar on the right)

CMS Rule Extends Short-Term Health Insurance

Manmeet DhamiBy Manmeet Dhami on Posted in Health Plans, Insurance Law, National

On August 1, 2018, the Centers for Medicare & Medicaid Services issued a final rule that allows individuals to purchase short-term limited-duration health plans. Under the rule, short-term health plans can span an initial period of less than 12 months, with renewals and extensions capped at 36 months. Under the Affordable Care Act (“ACA”), lower-grade coverage options were restricted to three months without an option to renew and were typically used to bridge a coverage gap of a few months or less.

These short-duration health plans are not required to comply with ACA requirements around preexisting conditions or essential health benefits, and individuals can be denied coverage based on medical history. Insurers of short-term health plans can also choose not to cover categories of benefits, such as prescription drugs and substance use disorder treatment. Because these plans are not considered “qualifying health plans” under the ACA, individuals who purchase these plans in 2018 will owe a penalty for being uninsured (unless they qualify for an exemption). Beginning in 2019, purchasers of short-term health plans will face no penalty.

It is estimated that 200,000 individuals, mostly young beneficiaries, will exit the ACA exchange market under the rule, which could destabilize the ACA’s health insurance pools and raise premiums. The rule does not preempt states from imposing shorter limits on these plans, or banning the plans altogether, as Massachusetts, New Jersey, and New York have done.

LexBlog