Yet another privacy and data security-related lawsuit has been filed against Zoom Video Communications, Inc. (“Zoom Inc.”). Zoom Inc. has been the subject of several complaints related to its video-conferencing service since its meteoric and spectacular rise in popularity due to the Coronavirus pandemic and related quarantine measures beginning in March 2020. In this particular case, there are compliance lessons to be learned from the unfair and deceptive practices claims alleged against Zoom Inc. in the plaintiff’s D.C. Superior Court filing.
On October 9, 2019, the Centers for Medicare & Medicaid Services (CMS) issued a proposed rule to modernize and clarify the regulations that interpret the Medicare physician self-referral law (often called the “Stark Law”), which has not been significantly updated since it was enacted in 1989. As CMS tries to reconstruct the healthcare field, it is imperative for compliance programs to prepare for the changes in regulations to come. The following discussion provides a brief overview of the proposed changes but is not an exhaustive list of all rulemakings related to the physician self-referral law.
Workplace wellness programs — efforts to get workers to lose weight, eat better, stress less and sleep more — are an $8 billion industry in the U.S. Recently, Centers for Medicare and Medicaid Services (CMS) launched a pilot project for states to implement health-contingent wellness programs in the individual market. The project is part of a mandate under the Affordable Care Act that added a provision to the Public Health Service Act calling for health-contingent wellness programs to be tested in the individual market through a pilot project operated by HHS, the Department of Labor and the Treasury Department.
On September 5, 2019, the Centers for Medicare and Medicaid Services (“CMS”) released its final rule with comments on Program Integrity Enhancements to the Provider Enrollment Process (“The Program Integrity Enhancements”). The final rule gives CMS the power to revoke Medicare, Medicaid, and Children’s Health Insurance Program (CHIP) enrollments of providers or suppliers who have an “affiliation” with previously sanctioned entities, even if those providers and suppliers aren’t directly violating any existing rules themselves. CMS says that this new authority will help to “stop fraud before it happens.”
In March 2019, Rush University Medical Center (“Rush University”) sent out breach notification letters to approximately 45,000 patients. The letter advises patients that a privacy incident occurred that may have involved the patients’ personal information. The privacy incident was caused by an employee of a third-party financial services vendor. The employee released a file that contained patient information to an unauthorized person. According to the breach notification letter, law enforcement and regulatory officials were involved in the investigation of the privacy incident. Rush University sent the breach notification letter in compliance with the Health Insurance Portability and Accountability Act’s privacy and security rules.
The Common Rule, the Federal policy protecting human subjects of biomedical and behavioral research, was published in 1991. The process to update the policy has taken place over the last several years, leading to the final rule revisions which were effective as of July 19, 2018. After January 20, 2019, institutions are now permitted to implement the entirety of the revised Common Rule. Any institution receiving funds, supervision, or review from any of the twenty Federal Departments and Agencies that have codified the Common Rule must implement this revised rule in their compliance programs.
On January 31, 2019, the Trump administration proposed yet another regulation in efforts to control rising prescription costs for Americans. If the regulation becomes final, drug manufacturers and Pharmacy Benefit Managers (“PBM”) will no longer be able to claim safe harbor from Anti-Kickback violations when negotiating discounts with Medicare and Medicaid managed care programs. The administration, continuing the tone of transparency, will instead provide Medicare Part D beneficiaries with the ability to receive discounted prices at the pharmacy counter. The administration hopes this will allow patients to avoid high out-of-pocket costs by purchasing the medications necessary to sustain their health at a more affordable price.
In December 2018, Dr. Christopher Duntsch lost his appeal and the court upheld his life sentence. The name may not sound familiar, but to the medical community in Dallas, Texas, Christopher Duntsch represents what happens when every part of the medical regulatory system fails to protect patients. Christopher Duntsch was given the nickname “Dr. Death” in November 2016 when D Magazine ran a cover story on him and his victims. In 2018, Wondery produced a six-part podcast series named “Dr. Death” detailing Duntsch’s educational and medical history and the acts that led to his incarceration.
In August, the U.S. Department of Health and Human Services (“HHS”) Office of Inspector General (“OIG”) added a focus to its Work Plan on the oversight of nursing facility staffing levels. These changes were made in light of backlash from a July 2018 news article which reported that nearly 1,400 nursing homes had fewer qualified staff on duty than they were required to have or failed altogether to provide reliable staffing information to the Centers for Medicare and Medicaid Services (“CMS”).
Protected Health Information is seeing a surge of breaches on the cyber security front due to contractor error. It’s also impacting the most consumers in comparison to other data breaches and, in some cases, has the power to cause chaos in national infrastructure. Advances in technology and compliance measures can stem the tide and protect the most valuable information in consumers’ lives.