On December 12, 2020, the European Commission (the “EC”) issued a highly anticipated draft of newly revised standard contractual clauses (“new SCCs”) that may be used by European Union-based companies to safeguard transfers of personal data to third countries, such as the US, in compliance with GDPR Art. 46(1). The release comes at a decidedly inopportune time, as it follows on the heels of the Court of Justice of the European Union’s (CJEU) Data Protection Commissioner v. Facebook Ireland Limited and Maximillian Schrems (“Schrems II”) decision, which casts serious doubt on the adequacy of SCCs alone to safeguard against the “high-risks” involved in EU to US data transfers. And for many data protection experts, the language of the revised SCCs only adds to the confusion, raising even more questions. But one question in particular seems to be prominent among the others: for transfers to importers directly subject to GDPR, are SCCs really necessary?
The regulation of hedge funds has largely been unchecked, allowing big Wall Street players to manipulate the market for their own benefit and to the detriment of other investors. But, pushed by an unprecedented movement of retail investors, Wall Street is being forced to reckon with the hypocrisy of its practices.
The current social and political climate, as well as our planet’s environmental climate, has shown the new role that corporations play in society. The pandemic and the current social upheaval seen worldwide have increased the need for real and meaningful corporate commitment to social responsibility.
Yet another privacy and data security-related lawsuit has been filed against Zoom Video Communications, Inc. (“Zoom Inc.”). Zoom Inc. has been the subject of several complaints related to its video-conferencing service since its meteoric and spectacular rise in popularity due to the Coronavirus pandemic and related quarantine measures beginning in March 2020. In this particular case, there are compliance lessons to be learned from the unfair and deceptive practices claims alleged against Zoom Inc. in the plaintiff’s D.C. Superior Court filing.
On October 9, 2019, the Centers for Medicare & Medicaid Services (CMS) issued a proposed rule to modernize and clarify the regulations that interpret the Medicare physician self-referral law (often called the “Stark Law”), which has not been significantly updated since it was enacted in 1989. As CMS tries to reconstruct the healthcare field, it is imperative for compliance programs to prepare for the changes in regulations to come. The following discussion provides a brief overview of the proposed changes but is not an exhaustive list of all rulemakings related to the physician self-referral law.
Workplace wellness programs — efforts to get workers to lose weight, eat better, stress less and sleep more — are an $8 billion industry in the U.S. Recently, the Centers for Medicare and Medicaid Services (CMS) launched a pilot project for states to implement health-contingent wellness programs in the individual market. The project is part of a mandate under the Affordable Care Act that added a provision to the Public Health Service Act calling for health-contingent wellness programs to be tested in the individual market through a pilot project operated by HHS, the Department of Labor and the Treasury Department.
On September 5, 2019, the Centers for Medicare and Medicaid Services (“CMS”) released its final rule with comments on Program Integrity Enhancements to the Provider Enrollment Process (“The Program Integrity Enhancements”). The final rule gives CMS the power to revoke Medicare, Medicaid, and Children’s Health Insurance Program (CHIP) enrollments of providers or suppliers who have an “affiliation” with previously sanctioned entities, even if those providers and suppliers aren’t directly violating any existing rules themselves. CMS says that this new authority will help to “stop fraud before it happens.”
In March 2019, Rush University Medical Center (“Rush University”) sent out breach notification letters to approximately 45,000 patients. The letter advises patients that a privacy incident occurred that may have involved the patients’ personal information. The privacy incident was caused by an employee of a third-party financial services vendor. The employee released a file that contained patient information to an unauthorized person. According to the breach notification letter, law enforcement and regulatory officials were involved in the investigation of the privacy incident. Rush University sent the breach notification letter in compliance with the Health Insurance Portability and Accountability Act’s privacy and security rules.
The Common Rule, the Federal policy protecting human subjects of biomedical and behavioral research, was published in 1991. The process to update the policy has taken place over the last several years, leading to the final rule revisions, which were effective as of July 19, 2018. After January 20, 2019, institutions are now permitted to implement the entirety of the revised Common Rule. Any institution receiving funds, supervision, or review from any of the twenty Federal Departments and Agencies that have codified the Common Rule must implement this revised rule in its compliance program.
On January 31, 2019, the Trump administration proposed yet another regulation in an effort to control rising prescription costs for Americans. If the regulation becomes final, drug manufacturers and Pharmacy Benefit Managers (“PBM”) will no longer be able to take safe harbor from Anti-Kickback violations when negotiating discounts with Medicare and Medicaid managed care programs. The administration, continuing the tone of transparency, will instead provide Medicare Part D beneficiaries with the ability to receive discounted prices at the pharmacy counter. The administration hopes this will spare patients high out-of-pocket costs by letting them purchase the medications necessary to sustain their health at a more affordable price.