Filefax, Inc. (“Filefax”), an Illinois company that intimately handled sensitive Personal Health Information (“PHI”), paid $100,000 to the Department of Health and Human Services (“HHS”) to settle potential violations of the Health Insurance Portability and Accountability Act (“HIPAA”). The payment stemmed from, when still in business, Filefax allegedly improperly disclosing the PHI of approximately 2,150 people when not properly securing such information in an unlocked truck on Filefax property, as well as granting access to PHI to people who should not have been granted access. Pursuant to the Resolution Agreement, the court appointed receiver for Filefax did not admit liability on behalf of Filefax but, however, did agree to enter into a Corrective Action Plan to help mitigate potential exposure.

On its face, the Filefax case may appear to be just like other settlements with HHS resulting from a HIPAA violation, but this case is different for one critical reason—Filefax is no longer in business!

Yes, Filefax, a company no longer operating and which was involuntarily dissolved on August 11, 2017, settled these potential violations of HIPAA, making it clear that, just because the doors close, HIPAA still applies. Roger Severino, director of the Office of Civil Rights (“OCR”), the HHS enforcement arm of HIPAA, stated “[c]overed entities and business associates need to be aware that OCR is committed to enforcing HIPAA regardless of whether a covered entity is opening its doors or closing them. HIPAA still applies.”

Business owners, especially those that handle PHI on a day-to-day basis, must continue to take seriously the rules and guidelines HHS sets forth with respect to HIPAA and are on notice that penalties may still apply even if you are no longer conducting business. The Filefax case should serve as a stark warning to all business owners that you cannot escape liability and/or penalties under HIPAA by closing your doors.

2018 Government Shutdown

Just as everyday Americans were preparing their lives for a second United States government shutdown since the turn of the New Year, President Donald J. Trump signed into law a bipartisan (well, as bipartisan as it gets with this Congress) budget deal, focusing on some of the core issues facing us today and, in particular, those directly impacting healthcare.

While pundits, analysts and deficit hawks will argue back and forth about the excessive spending and items that Congress and the administration missed on this deal, one issue that Congress finally started allocating resources to and which hits home for so many people is the opioid crisis—allocating $6 billion to help combat this tragic public health emergency.  Enough is enough when more than 110 babies have tragically died since 2010 due to either being born dependent on opioids or for lack of care from their parents.

Some other important items, among others, in the budget deal include:

  • Re-authorizing community health centers, which serve over 25 million people, for an additional 2 years with approximately $7 billion in funding;
  • Allocating $4 billion to help Veterans Administration hospitals provide the care that our veterans rightfully deserve; and
  • Extending the Children’s Health Insurance Program (CHIP) for 10 years.

Just after reaching the deal, House Speaker Paul Ryan said “[u]ltimately, neither side got everything it wanted in this agreement, but we reached a bipartisan compromise that puts the safety and well-being of the American people first.” Even though it took a second, but brief, government shutdown and many continuing resolutions to light a fire under Congress to pass a budget, the budget they passed is an important step forward for our Country, especially when it comes to improving our healthcare system.

On January 5, 2018, the United States Department of Health and Human Services released for public comment a draft Trusted Exchange Framework, which seeks to accomplish interoperability with respect to patients’ Electronic Health Information (“EHI”) through the creation of Health Information Networks (“HINs”). The 21st Century Cures Act, which Congress enacted in 2016, has the goal of creating a trusted exchange focusing on streamlining patient EHI and establishing a network designed to “achieve a system where individuals are at the center of their care and where providers have the ability to securely access and use health information from different sources.” The Trusted Exchange Framework is the federal government’s attempt to achieve that goal.

The draft Trusted Exchange Framework is broken down into two parts:

Part A—Principles for Trusted Exchange

Part B—Minimum Required Terms and Conditions for Trusted Exchange

Part A sets forth and relies on six principles:

(1) Standardization (adherence to industry standards and best practices);

(2) Transparency (an open free flowing exchange);

(3) Cooperation and Non-Discrimination (collaboration from all stakeholders);

(4) Privacy, Security, and Patient Safety (data protection and integrity);

(5) Access (conveniently obtain EHI); and

(6) Data-driven Accountability (streamlined process for a cohort of patients to help lower cost of care).

These principles are guidelines qualified HINs need to follow to help build a trusting relationship between participants and patients and, without adherence to this foundation, a new modernized system cannot properly flourish.

Part B sets forth the minimum required terms and conditions participants must adopt and follow to ensure a trusted exchange of EHI. This is accomplished through a trusted exchange framework and common agreement (“TEFCA”). The TEFCA seeks to ensure, among other things, that there is “[c]ommon authentication processes of trusted health information network participants, [a] common set of rules for trusted exchange, and [a] minimum core of organizational and operational policies to enable the exchange of EHI among networks.” A sample TEFCA can be found in the draft Trusted Exchange Framework.

In sum, it is clear that the federal government is finally taking a serious look at how our healthcare system can become more efficient and modernized in our ever-changing society. Putting into place a final Trusted Exchange Framework, with input from all stakeholders, is a great step towards reaching that goal.

The deadline for public comment is February 18, 2018.

Stemming from the recent drinking water crisis in Flint, Michigan, which has had life-lasting effects for many of its residents, including children, due to unsafe lead-related toxicity levels in the drinking water, New York State Governor, Andrew M. Cuomo, announced that various New York municipalities were awarded $20 million dollars in the aggregate to replace lead service lines as part of the New York Clean Water Infrastructure Act of 2017 (the “Act”). The Lead Service Line Replacement Program (the “LSLRP”), a critical part of the Act, provides $2,445,452 to Long Island, including $611,363 to the City of Glen Cove and $611,363 to the Town of Hempstead. Other awardees include New York City ($5,323,904), Buffalo ($567,492), as well as many other cities, towns and counties throughout the state.  In his press release, Governor Cuomo stated “[t]hese critical improvements to New York’s drinking water infrastructure are vital to protecting public health and to laying the foundation for future growth and economic prosperity in these communities”.

The LSLRP was introduced in 2017 and is intended to provide funding to municipalities to replace residential lead service lines, especially those that have corroded, from the public water system. The program empowers the New York State Department of Health to award funds to certain municipalities determined by the “percentage of children with elevated blood levels, median household income, and the number of homes built before 1939”. In fact, homes built before 1930 are more likely to contain lead in its pipes because at that time the government neither regulated this area nor the applicable construction practices.

In addition to the Act, New York has increased its attention to this cause, especially focused on children, who are most at risk for lead-related negative health effects, by requiring health providers to test every child for lead in his or her blood when reaching 1 and 2 years old. Further, in 2016, Governor Cuomo took a bold step by requiring all public schools to test their water for lead as well as mandating those results be made public.

It appears that Governor Cuomo and the New York State legislature have learned the very valuable lessons their counterparts in Michigan have taught us, and the important steps our government has since taken will help ensure the better health and quality of life for all of us that live in the Empire State.

The New York State Department of Labor (the “DOL”) issued an emergency regulation clarifying its minimum-wage rules regarding home care employees. The emergency regulation provides that sleep and meal times for home care aides who work shifts of 24 hours or more are not counted as hours worked. Recently, there has been a ringing dissonance between the DOL and decisions set forth by the New York State Appellate Divisions, First and Second Departments, regarding whether home care workers should be paid for an entire 24-hour shift, including sleep and meal time. In fact, the DOL expressly cited the fact that the emergency regulation is being promulgated in direct reaction to decisions issued by the New York State Appellate Divisions. For reference, the decisions triggering the emergency regulation are: Moreno v. Future Care Health Servs., Inc., 2017 N.Y. App. Div. LEXIS 6462 (2d Dept Sept. 13, 2017); (2d Dep’t Sept. 13, 2017); Andreyeyeva v. New York Health Care, Inc., 2017 N.Y. App. Div. LEXIS 6408 (2d Dep’t Sept. 13, 2017); and Tokhtaman v. Human Care, LLC, 149 A.D.3d 476 (1st Dep’t Apr. 11, 2017).

The above-referenced decisions effectively flipped the New York home care industry on its head, each holding, in sum, that home care workers were entitled to pay for all 24 hours worked, including sleep and meal time. Enter the DOL, on October 5, 2017, who quickly put any remaining ambiguity to rest once and for all stating “that hours worked may exclude meal periods and sleep times for home care aides who work shifts of 24 hours or more”. The DOL reasoned that “[t]his regulation is needed to preserve the status quo, prevent the collapse of the homecare industry, and avoid institutionalizing patients who could be cared for at home, in the face of recent decisions by the State Appellate divisions that treat meal periods and sleep time [as hours worked]”.

The emergency regulation is expected to return the home care industry back to normalcy and prevent home care agencies from ceasing to provide “vital, lifesaving care” to thousands of New Yorkers who depend on it. The DOL explained that this “emergency adoption amends the relevant regulations to codify the Commissioner’s longstanding and consistent interpretations that such meal periods and sleep times do not constitute hours worked for purposes of minimum wage and overtime requirements”. And so, the longstanding rule about sleeping on the job still stands: you won’t get paid for it in New York.

Note:  Special thanks to our law clerk, Nicholas G. Moneta, for his assistance in drafting this blog post.

In the wake of some of the worst storms our country has ever faced, as seen in the devastation caused by Hurricane Harvey in Texas, Hurricane Irma in Florida, and now Hurricane Maria in Puerto Rico and the U.S. Virgin Islands, it is important to understand some of the actions the United States federal government can take to assist victims of Mother Nature. How broad is the federal government’s authority? Who is that authority bestowed upon? Well, one such mechanism is the declaration of a Public Health Emergency by the Secretary of Health and Human Services (“HHS”) under Section 319 of the Public Health Service Act (“PHSA”).

Under Section 319 of the PHSA, the Secretary of HHS is empowered to declare a public health emergency, after consulting with public health officials, when the public is faced with either a (1) disease or disorder; or (2) public health emergency exists, including, but not limited to, an epidemic or bioterrorist attack.  Upon making such a declaration, the Secretary of HHS is authorized and empowered to “take such action as may be appropriate to respond to the public health emergency, including making grants, providing awards for expenses, and entering into contracts and conducting and supporting investigations into the cause, treatment, or prevention of a disease or disorder.” The Secretary’s expanded authority is not perpetual and only remains in effect for 90 days, or until the emergency ceases to exist if sooner than 90 days, with the option of a one-time renewal for an additional 90 days that can be made on the basis of new or the same facts underlying the initial declaration. However, once a declaration, and any renewal, if applicable, is made, the Secretary of HHS must inform the Congress, in writing, within 48 hours.

Practically speaking, what actions can the HHS Secretary take? Some discretionary actions include, but are not limited to: (1) waiving certain prescription and dispensing requirements under the Federal Food, Drug, and Cosmetic Act; (2) waiving or modifying particular requirements under Medicare, Medicaid, the Children’s Health Insurance Program and the Health Insurance Portability and Accountability Act; and (3) appointing temporary personnel for up to one year. These actions, in addition to others, help bring emergency relief to those in need.

On September 19, 2017, now former Secretary of HHS, Tom Price, declared a Public Health Emergency under Section 319 of the PHSA for the benefit of Puerto Rico and the U.S. Virgin Islands following the devastation caused by Hurricane Maria, and stated, in his press release, that “[d]eclaring a public health emergency for Puerto Rico and the U.S. Virgin Islands will aid in the department’s response capabilities – particularly as it relates to ensuring that individuals and families in those territories with Medicare, Medicaid and the Children’s Health Insurance Program (CHIP) maintain access to care.”  While this declaration is limited in scope, the actions authorized thereunder will help start the long recovery for the people who reside in Puerto Rico and the U.S. Virgin Islands.

Please kindly consider how you can get involved to help the people who have been negatively impacted by the devastation caused by Hurricanes Harvey, Irma and Maria.

On August 15, 2017, the Secretary of Health and Human Services, Tom Price, issued a press release reporting that almost $105 million dollars will be bestowed upon 1,333 health centers across the United States, including its territories; and Washington D.C. Secretary Price stated “Americans deserve a healthcare system that’s affordable, accessible, of the highest quality, with ample choices, driven by world-leading innovations, and responsive to the needs of the individual patient. Supporting health centers across the country helps achieve that mission.”

According to the Health Resources & Services Administration, also known as HRSA, federally qualified health centers (FQHC) “are community-based and patient-directed organizations that deliver comprehensive, culturally competent, high-quality primary health care services.”  The main function of a health center is to provide health services to underprivileged patients where affordable healthcare is either lacking or nonexistent. Services include, but are not limited to, mental health support, substance abuse aid, dental health and many other services. While there are numerous requirements for an organization to qualify as a FQHC, one interesting qualification is that the organization must elect members of the community to serve on its governing board—ensuring that the community has a role when it comes to its own healthcare.

Even though the concept of a health center may be foreign to many in the United States, health centers play an important role in our society.  HRSA has concluded that, based on data from its Uniform Data System, almost 26 million individuals (which equals 1 in every 12 people living in the United States) depended on a health center for health services in 2016, including more than 330,000 veterans. The study also found that 1 in every 3 people living in poverty relied on a health center in 2016.

Living in a politically toxic climate on the topic of healthcare and its reforms, as we currently do today, brings in a breath of fresh air to see our tax dollars being put to good use. Health centers have served as a unique and beneficial service for the underserved and underprivileged for the last 50 years, and the federal government’s continued support appears to be unwavering.

Effective March 1, 2017, the New York State Department of Financial Services promulgated regulations to help protect against cybercriminals and their efforts to exploit sensitive electronic data. These cybersecurity regulations apply to all individuals and entities that “operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law”, with a few exceptions.  This will undoubtedly result in insurance companies and other related healthcare entities, which hold sensitive patient health information, beefing up their internal and external rules and policies.  New York’s proactive stance should be taken with the utmost seriousness seeing that there are more than 400 cyberattacks each day over the internet, or almost 3 every minute.

The United States Congress has enacted a similar law to protect health information, the Health Insurance Portability and Accountability Act (“HIPAA”). However, because HIPAA was enacted and modified years prior to cybersecurity becoming a prominent threat to our society, HIPAA does not provide as much protection to patients’ electronic data as the New York regulations do.  HIPAA does provide important guidelines and safeguards to ensure the integrity and confidentiality of protected health information, but does not elaborate on many of the issues presented in New York’s cybersecurity regulations.

New York’s cybersecurity regulations require all “Covered Entities”, as defined in the regulations, to maintain a cybersecurity program to guard the confidentiality of Nonpublic Information, which includes a risk assessment and a comprehensive cybersecurity policy.  In addition, Covered Entities are now required to designate an individual to serve as the Chief Information Security Officer (“CISO”).  The CISO is tasked with overseeing, implementing and enforcing the Covered Entity’s cybersecurity policy, and is required to report, in writing and at least annually, to the Covered Entity’s Board of Directors or similar governing body.  The CISO’s report must include, as applicable, information on “(1) the confidentiality of Nonpublic Information and the integrity and security of the Covered Entity’s Information Systems; (2) the Covered Entity’s cybersecurity policies and procedures; (3) material cybersecurity risks to the Covered Entity; (4) overall effectiveness of the Covered Entity’s cybersecurity program; and (5) material Cybersecurity Events involving the Covered Entity during the time period addressed by the report.”

Compliance with the cybersecurity regulations will be transitioned over a two-year period with full compliance required by March 1, 2019.