Category: Compliance



Lessons Learned from 2017 OCR HIPAA Enforcement Actions

So far 2017 is proving to be an active year for Health Insurance Portability and Accountability Act (HIPAA) enforcement. This comes on the heels of 2016, which saw an unprecedented level of enforcement actions, with 13 total settlements and nearly a 300 percent increase in total collected fines over 2015. To date in 2017, nine actions have been settled and the average settlement amount continues to outpace 2016.

Three Tips to Help Reduce the Risk of a HIPAA Violation

Several themes have emerged from these enforcement actions that HIPAA-regulated entities should be mindful of to help reduce the risk of a HIPAA violation occurring and to reduce the potential resulting fine in the event of enforcement.

1. Conduct Risk Analyses Regularly. One of the most consistent themes that has emerged from the 2017 settlement and corrective action plans announced by the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) is that organizations subject to HIPAA must regularly conduct risk analyses in accordance with the Security Rule to assess risks and vulnerabilities in an organization’s ePHI environment. The Security Rule does not prescribe a specific risk analysis methodology, given that the analysis will vary depending on an organization’s size and capabilities. However, the risk analysis should comply with available OCR guidance, including the Guidance on Risk Analysis Requirements under the HIPAA Security Rule.

[A] lack of risk management not only costs individuals the security of their data, but it can also cost covered entities a sizable fine.
– OCR Acting Director Robinsue Frohboese

2. Implement a Risk Management Plan and Reasonable Safeguards. While conducting a risk analysis is critical, equally important is the risk management plan and the reasonable safeguards an organization adopts in light of any risks or vulnerabilities that are identified in the risk analysis. For example, OCR assessed a $3.2 million civil monetary penalty against a hospital in February, after noting that the hospital continued to use unencrypted devices even after reporting a breach in 2009 involving the loss of an unencrypted, non-password protected device. Note that the issuance of a penalty is rare, as most OCR enforcement actions result in a settlement, not a penalty. Here, however, the hospital chose to pay the penalty as opposed to negotiate with OCR.

3. Report Breaches in a Timely Manner. A settlement announced in January made headlines as the first HIPAA settlement based on the untimely reporting or notification of a breach under the HIPAA Breach Notification Rule. OCR found that the healthcare network failed, with unreasonable delay, to notify OCR, the affected individuals, and the media within the required 60-day timeframe. Instead, the notifications were made over 100 days after discovery of the breach. This settlement highlights the importance of having clear policies and procedures that workforce members have been trained on in order to respond within HIPAA’s breach notification timeframes.

OCR Updated Web Tool

OCR recently announced the release of an updated web tool to provide enhanced transparency to the HIPAA breach reporting tool. New features include: 1) breaches currently under investigation and reported within the last 24 months; 2) an archive of all older data breaches; 3) tips for consumers; and 4) navigation to additional breach information.

Foley regularly assists clients with implementing HIPAA compliance programs, handling data breach notification requirements, and responding to OCR audits and investigations. For more information contact: Jennifer Rathburn, Jennifer Hennessy, or Julie Kadish.

Powered by WPeMatico

New Attorney General Issues Guidance on Corporate Compliance Programs


The US Department of Justice (DOJ) Fraud Section has published new guidance for corporate entities on corporate compliance programs. The guidance, titled “Evaluation of Corporate Compliance Programs” (Compliance Program Evaluation), provides companies – and their compliance teams – with key insights into how government regulators will assess efforts taken to develop, implement and evaluate the program. The Compliance Program Evaluation provides the first DOJ guidance issued under Attorney General Jeff Sessions and the new administration and should signal that DOJ will continue to adhere to the principles set forth in the United States Attorney’s Manual and other publications in its assessment of corporate compliance programs.

The Compliance Program Evaluation begins by noting that it is nothing new. Rather, the DOJ urges that it be understood in the familiar context of the United States Sentencing Guidelines and the U.S. Attorney’s Manual requirements for evaluating whether to charge business organizations. In addition, the Compliance Program Evaluation invokes the Resource Guide to the Foreign Corrupt Practices Act, jointly published by the Securities and Exchange Commission and the DOJ, published corporate resolutions and other compliance guidance. However, the Fraud Section, with its own compliance consultant in place hired to assist the Section in program evaluation, has now provided helpful and comprehensive direction to companies.

The Compliance Program Evaluation recognizes that an assessment of the effectiveness of a compliance program is an “individualized determination.” However, in the view of the Fraud Section, there are topics and questions its prosecutors “frequently found relevant” in their review of compliance programs. The questions have been divided into the following 11 sections:

  1. Analysis and Remediation of Underlying Conduct
  2. Senior and Middle Management
  3. Autonomy of Resources
  4. Policies and Procedures
  5. Risk Assessment
  6. Training and Communications
  7. Confidential Reporting and Investigation
  8. Incentives and Disciplinary Measures
  9. Continuous Improvement; Periodic Testing and Review
  10. Third-Party Management
  11. Mergers and Acquisitions

These topical sections make clear that the DOJ, in its assessment of a compliance program, will examine the effectiveness of a program through a process that covers all aspects of the program’s operations and functions. These include the tone set by management, the commitment of a board and managers, and the resources provided to those with responsibility for the program. How can the Compliance Program Evaluation be applied, in substance, to developing and sustaining a program that is effective in light of the industry, risk profile and needs of the company? Here are three key points.

It Begins At the Top

Government regulators have continually made it clear that effective compliance programs begin with a commitment from company leadership that is clear and apparent through the affirmative actions of the CEO, the board and company leaders. Senior managers are expected to inspire a strong ethical culture that permeates the entire organization. This can be accomplished, for example, by proactive audits, corrective action, remediation where there are red flags, or direct examinations of questionable conduct. The Compliance Program Evaluation refers to the relevant Sentencing Guidelines chapter, which enumerates carrots and sticks that senior leaders should employ to ensure all employees are acting lawfully.

Risk and Resources

Risk assessments are critical. One potential question that could be posed by the DOJ is “[w]hat methodology has the company used to identify, analyze and address the particular risks it faced?” This question highlights that regulators will review the operations of a company’s compliance function to determine whether the company properly evaluated its risks in all segments of the business. And, after such an assessment, the Compliance Program Evaluation evaluates whether the company appropriately adopted policies, practices and procedures to manage the identified risks.

Train, Test and Improve

The point at which a compliance program is implemented and the compliance personnel are in place is not the time for a company to turn its attention away from the importance of the compliance function. As set forth in the Resource Guide, “DOJ and SEC evaluate whether companies regularly review and improve their compliance programs and not allow them to become stale.” Regular review, updates and training require the use of internal and sometimes external resources to test, examine and reevaluate whether the program effectively helps a company manage its risks.

The Evaluation of Corporate Compliance Programs presents a useful tool for compliance professionals as they work to assess and put in place the resources necessary to manage a credible program that may one day face government scrutiny. It also provides an important tool for discussions with and among those who have a fiduciary obligation to monitor the corporate governance functions of a company.


HRSA Announces Final Rule on Civil Monetary Penalties for Drug Manufacturers that Overcharge 340B Covered Entities


A new regulation issued by the Health Resources and Services Administration (“HRSA”) sets forth a process by which civil monetary penalties may be imposed on drug manufacturers that knowingly and intentionally charge 340B covered entities for covered outpatient drugs more than the statutory ceiling price. The regulation addresses the ceiling price calculation for drugs purchased pursuant to the 340B Drug Pricing Program (“340B Program”), and provides that drug manufacturers may be subject to a civil monetary penalty of up to $5,000 for each instance of overcharging. The regulation finalizes a proposal dating back to June 2015. The regulation will be enforced beginning on April 1, 2017.

The civil monetary penalties would not be calculated and imposed by HRSA’s Office of Pharmacy Affairs, but by the Office of Inspector General (“OIG”). The civil monetary penalties would be in addition to any refunds to covered entities that may be required by the 340B Program. The final rule does not provide a mechanism for covered entities to file a complaint against a drug manufacturer for overcharging for 340B drugs. Once HRSA’s 340B administrative dispute resolution rules are finalized and the appropriate system has been established, a covered entity could submit a claim against a manufacturer for an instance of overcharging for administrative dispute resolution.

The new regulation requires drug manufacturers to calculate the 340B ceiling price for each covered outpatient drug, by National Drug Code (NDC), on a quarterly basis. The 340B ceiling price is based on the Average Manufacturer Price (AMP) for the prior quarter, minus a Unit Rebate Amount. For new drugs, manufacturers will need to estimate the 340B ceiling price and then calculate the actual 340B ceiling price once the appropriate data is available. If an overcharge has occurred as a result of this estimation, drug manufacturers must refund or credit a covered entity the difference between the estimated and actual 340B ceiling price within one hundred and twenty days. Overcharges may also occur if a drug manufacturer does not credit or refund a covered entity after subsequent recalculations of the ceiling price by the Centers for Medicare and Medicaid Services (“CMS”). Overcharges are determined on an NDC basis, and may not be offset by other discounts the manufacturer provides on any other NDC. Drug manufacturers are also required to ensure that 340B discounts are provided through distribution arrangements made by the manufacturer.

The new regulation is based upon a requirement set forth in the Affordable Care Act, and comes at a time when drug prices and the 340B Program are receiving heightened scrutiny by the incoming Congress and administration. We will continue to report on modifications to the 340B Program as they develop.


Hawai’i Receives Approval for the First State Innovation (Section 1332) Waiver


The federal Department of Health and Human Services and Department of Treasury (the Departments) agreed that certain small employer health insurance coverage provisions of the Affordable Care Act (ACA) would be waived for the state of Hawai’i, beginning with January 1, 2017. The waiver was authorized pursuant to Section 1332 of the ACA, which allows states to apply for a State Innovation Waiver.

Hawai’i’s waiver is the first of its kind.

Section 1332 State Innovation Waivers offer states flexibility to waive key insurance coverage provisions of the ACA, including the requirement for individuals and employers to maintain insurance coverage for themselves or their employees (the individual and employer mandates), requirements related to the scope of available benefits provided through insurance (essential health benefits), requirements for creation of a marketplace for purchasing health insurance coverage (exchanges), requirements for the credentialing of health plans offered through the exchanges (QHPs), and limits on deductibles and cost sharing for QHPs. State Innovation Waivers also allow states to request waivers of cost sharing reductions and tax credits available for individuals and businesses pursuant to the ACA; the amount of these reductions and tax credits are available to the state for the operation of a replacement program.

Under its approved application, Hawai’i will cease operation of the Small Business Health Options Program (SHOP) required by the ACA effective January 1, 2017, for a 5-year period which may be extended. Instead, Hawai’i will operate the business insurance program, known as “Prepaid,” that has been in place since 1974. Under Hawai’i’s Prepaid Health Care Act, employers are required to provide insurance to employees that meets requirements established by state law. To receive approval from the Departments for the waiver, and as a condition of receiving federal funds, Hawai’i demonstrated that its program met or exceeded the scope of coverage that would have been available under the ACA, provided coverage and cost sharing protection that are at least as affordable as available under the ACA, and provided coverage to at least as many residents as under the ACA. Hawai’i will receive quarterly payments from the federal government for the operation of this program, equal to the estimated amount of tax credits that would have been provided to small employers in Hawai’i pursuant to the SHOP program.

The awarding of the section 1332 waiver to Hawai’i represents the first State Innovation Waiver to modify requirements of the ACA. Section 1332 was developed as part of the ACA to allow states, such as Hawai’i, to maintain coverage programs that predated the ACA or to allow states to experiment with coverage programs that are more robust or that differ from the form required by the ACA. Currently, at least 9 states have enacted laws authorizing state officials to analyze or submit an application for a section 1332 waiver. As discussions about the ACA are taken up by the new Congress and new administration, section 1332 waivers will continue to influence how states and stakeholders evaluate their options.
