On May 17, 2023, the Federal Trade Commission (“FTC”) announced an enforcement action (“Enforcement Action”) against Illinois-based Easy Healthcare Corporation (“Easy Healthcare”), which operates the Premom application, for allegedly violating Section 5 of the FTC Act and the Health Breach Notification Rule (“HBNR”). Easy Healthcare has developed, advertised, and distributed a mobile application called the Premom Ovulation Tracker (“Premom”) that allows users to input and track various types of personal and health information. In the complaint (“Complaint”), the FTC alleges that Easy Healthcare deceived users by disclosing users’ sensitive health data to third parties and failed to notify consumers of these unauthorized disclosures in violation of the HBNR. The proposed order (“Proposed Order”), which was brought by the U.S. Department of Justice on behalf of the FTC, imposes a civil penalty of $100,000 and prohibits Easy Healthcare from sharing user personal health data with third parties for advertising, among other requirements. As part of a related action, Easy Healthcare has agreed to pay an additional $100,000 to Connecticut, the District of Columbia, and Oregon for violating their respective laws.


On January 19, 2022, the U.S. Department of Health and Human Services (HHS) Office of the National Coordinator for Health Information Technology (ONC) published the Trusted Exchange Framework and Common Agreement (TEFCA) for health information exchange. The Trusted Exchange Framework established a set of non-binding, foundational principles for trust policies and practices to help facilitate

On March 2, 2023, the Federal Trade Commission (“FTC”) announced an enforcement action against California-based online counseling service BetterHelp, Inc. (“BetterHelp”) for allegedly sharing consumers’ health information, including sensitive information about mental health challenges, for advertising purposes in violation of Section 5 of the FTC Act.

This latest enforcement action comes just one month after

Earlier this week, the United States Department of Health and Human Services (“HHS”) released a Notice of Proposed Rulemaking (“NPRM”) that proposes to make sweeping changes to regulations at 42 C.F.R. part 2 (“Part 2”) governing the confidentiality of substance use disorder (“SUD”) records. These modifications, which implement provisions of section 3221 of the Coronavirus

The Russia-Ukraine conflict is increasing the risk of ransomware attacks and other cyber threats for U.S. companies, and those in the health care industry may be targeted. In a recent analyst note from the Department of Health & Human Services (“HHS”), HHS describes the cyber capabilities of Russia, one of the world’s major cyberpowers, and analyzes two malware variants most likely to impact the U.S. health care and public health sector.

On January 18, 2022, the U.S. Department of Health and Human Services (HHS) Office of the National Coordinator for Health Information Technology (ONC) and the entity chosen as a contracting partner, The Sequoia Project, Inc., published the long-awaited Trusted Exchange Framework and Common Agreement (TEFCA) for health information exchange. In simple terms, TEFCA is a framework that health information networks (HINs) may enter into to share health data with other HINs, individuals, and entities. The stated goal of TEFCA is to develop uniform policies and technical requirements to scale health information exchange nationwide and ensure that HINs, health care providers, health plans, individuals, and other stakeholders can access real-time, interoperable health information.

This article was originally published in Corporate Compliance Insights.

Both your company’s data supply chain and its physical version have fundamentally similar business risks. Given the consequences of unethical practices along both, enterprises can no longer ignore how data is sourced, how it is managed or where it is going.

While many organizations go to great lengths to monitor their physical supply chain, their data supply chain often gets short shrift. For any company interacting with large sets and various streams of information, this can represent a significant exposure to risk.

Since the first investigation under the U.S. FCPA concerning a third party acting on behalf of a U.S. company was initiated nearly 40 years ago, upholding integrity in global supply chains has garnered attention. Rightfully so, as compounding risks in physical production and movement of goods abound upstream (e.g., forced labor, conflict materials, environmental impact) and downstream (e.g., bribery, fraud, misuse).

On May 14, 2021, CMS published FAQs addressing questions that have been raised regarding the Interoperability and Patient Access final rule published May 2020.  CMS is careful to note that the FAQs “do not have the force and effect of law and are not meant to bind the public in any way, unless specifically incorporated into a contract, as directed by a program.”  CMS has provided links and other guidance, including regarding technical standards, best practices, and privacy and security resources, and has directly addressed questions raised by trade associations and others.

We summarize some of the key points addressed in the FAQs.  We encourage you to review the full CMS response where questions arise in your implementation.

Earlier this month, OIG issued a Special Fraud Alert on Speaker Programs warning drug and device companies and health care providers that it has significant concerns about payments for “speaker programs.” Based on recent investigations and enforcement activity, the OIG has found that a number of speaker programs sponsored by drug and device manufacturers violate the federal Anti-Kickback Statute (AKS). OIG is skeptical about the educational value of speaker programs provided under circumstances that are not conducive to learning and to audience members who have no legitimate reason to attend. Additionally, OIG questions the value of such events given that health care providers can access the same or similar information online, on the product’s package insert, at third-party educational conferences, in medical journals, and more. Because all of this material is already available, OIG warns “that at least one purpose of remuneration associated with speaker programs is often to induce or reward referrals” in violation of the federal Anti-Kickback Statute (AKS).

OIG defined speaker programs as drug or device “company-sponsored events at which a [outside] physician or other health care professional (collectively, “HCP”) makes a speech or presentation to other [outside] HCPs about a drug or device product or a disease state on behalf of the company” using a presentation developed and approved by the company. HCPs are paid an honorarium, and attendees are generally paid through free meals and drinks, for example.

Based on its investigations to date, OIG provided an illustrative list of speaker program characteristics that result in a higher level of scrutiny with respect to AKS violations:


On October 29, 2020, the Departments of Health and Human Services, Labor, and the Treasury (“the Departments”) issued a final rule requiring private-sector health insurers and self-insured health plans to disclose treatment prices and cost-sharing information to consumers. The Transparency in Coverage rule comes in response to President Trump’s executive order aiming to increase transparency in the healthcare industry. It is slated to become effective on January 11, 2021.

The final rule contains three main parts: (1) requirements for plans and issuers to disclose estimated costs associated with covered items or services furnished by a particular provider; (2) requirements for plans and issuers to publicly disclose reimbursement rates; and (3) amendments to the medical loss ratio program rules to allow issuers to receive credit for enrollees’ savings. Each part is discussed below.

Estimated Costs

First, insurers and employer-sponsored health plans will be required to provide price estimates, including in-network and out-of-network negotiated rates, for health care items and services upon request. The regulation requires these estimates beginning in 2023 for the 500 most “shoppable” items and services on an internet-based self-service tool (and in paper form, if requested by the participant, beneficiary, or enrollee). Among the 500 “shoppable services” are mammograms, physician visits, colonoscopies, and various blood tests, biopsies, and X-rays, and the full list is specified in the regulations. Then, beginning in 2024, price estimates for all remaining items and services offered, including procedures, drugs, and durable medical equipment, must be disclosed. The price transparency requirements include disclosure of the following:
