On Wednesday, the U.S. Department of Health and Human Services, Office for Civil Rights announced a $400,000 settlement with Metro Community Provider Network arising from MCPN’s alleged failure to implement adequate security management processes to safeguard electronic protected health information in accordance with the Health Insurance Portability and Accountability Act Security Rule. This settlement followed an investigation that OCR undertook in response to a breach report that MCPN filed on January 27, 2012. While OCR found that MCPN took necessary corrective action in response to the reported breach, OCR determined that MCPN had never conducted a security risk analysis to assess the potential threats to its ePHI environment and concluded that MCPN did not have appropriate risk management policies in place at the time of the breach. OCR further found that the security risk analyses that MCPN ultimately did undertake following the breach were insufficient to satisfy the requirements of HIPAA’s Security Rule. Violations of the Security Rule have been a consistent focus of the OCR within the past year. The OCR’s willingness to go after a federally qualified health center, a safety net health care provider, in this settlement further underscores the importance of conducting robust security risk analyses to identify, assess, and address potential threats and vulnerabilities to a covered entity or business associate’s ePHI environments.

In what appears to be one of the largest class action settlements in the history of ERISA litigation in New Jersey, a federal judge approved a $33 million settlement, including $11 million in attorneys’ fees, between Horizon Healthcare Services, Inc. (“Horizon”) and plaintiff chiropractors.

The underlying lawsuit stemmed from allegations that Horizon made “across-the-board” denials of certain types of claims that were submitted by chiropractic physicians. Plaintiff’s complaint followed an October 7, 2009 cease and desist order by the New Jersey Department of Banking and Insurance. In a subsequent class action complaint filed in New Jersey federal court against Horizon, Plaintiff asserted that Horizon Blue Cross Blue Shield of New Jersey improperly and systematically bundled various Current Procedural Terminology (“CPT”) codes that contracted and non-contracted chiropractic physicians billed to Horizon. Plaintiff claimed that Horizon summarily denied reimbursement for non-CMT (chiropractic manipulative therapy) services and unilaterally determined that the non-CMT services were bundled with Horizon’s payment for CMT services. Thus, Plaintiff asserted that Horizon failed to determine whether the non-CMT billed services were separate and distinct from the CMT services. On behalf of all chiropractic physicians that submitted claims under ERISA plans that Horizon administers, Plaintiff’s complaint sought benefits due to the chiropractic physicians from plan members’ assignment under 29 U.S.C. § 1132(a)(1)(B), and also alleged that Horizon’s conduct constituted a failure to provide full and fair review pursuant to ERISA, 29 U.S.C. § 1133. The remaining counts for non-ERISA plans alleged violation of New Jersey law, breach of contract and breach of the covenant of good faith and fair dealing. On or about June 1, 2015, the federal court certified two classes, including an ERISA class.

On October 13, 2016, Judge William Martini approved the settlement agreement and granted the Plaintiff’s Motion for Award of Attorneys’ Fees. The court agreed to require Horizon to deposit $33 million for the settlement fund and awarded $11 million of the settlement fund as attorneys’ fees to class counsel. Among other things, the Court noted that Plaintiff’s counsel conducted significant research and discovery, including review of 200,000 pages of documents, a number of depositions, and analysis of claims data for more than 19 million records.

This case highlights the significant exposure under ERISA that may result from improper billings and reimbursements for health plan administrators, insurers and providers.

On August 24, 2016, Judge Edgardo Ramos of the Southern District of New York approved a settlement in which Mount Sinai Health System (Mount Sinai) will pay $2.95 million to New York and the federal government to resolve allegations that it violated the False Claims Act (FCA) by withholding Medicare and Medicaid overpayments in contravention of the 60-day overpayments provision of the Affordable Care Act (ACA).  The provision creates FCA liability for healthcare providers that identify overpayments but fail to return them within 60 days, and the Mount Sinai settlement is the first one that specifically resolves allegations of violations of the provision.

The settlement stems from the qui tam action Kane v. Healthfirst, Inc., No. 1:11-cv-02325-ER, in which it was alleged that employee Robert Kane alerted Continuum Health Partners, Inc. (now a part of Mount Sinai) to hundreds of potential overpayments, and, instead of pursuing the refund of overpayments, Continuum fired Kane and delayed further inquiry.  Last year, as we discussed in a previous post, Judge Ramos denied Mount Sinai’s motion to dismiss and provided first-of-its-kind guidance on what it means to “identify” an overpayment and start the 60-day clock created by the ACA.  He opined that a provider has identified an overpayment if it has been “put on notice” that a certain claim may have been overpaid.  In February of this year, CMS released its final 60-day overpayment rule, largely adopting the same interpretation of “knowledge” and “identified” that Judge Ramos used.

Although the Kane court did not hold that the “mere existence” of an obligation under the ACA established an FCA violation, the 60-day period in the statute clearly carries a heightened risk of potential liability for providers that fail to carry out compliance activities or undertake an investigation once they have been given credible evidence of the existence of overpayments. The settlement further signals to providers the importance of taking any allegation related to overpayments seriously, and of taking swift action in order to be ready for the start of the 60-day clock deadline for returning any overpayments.

Our colleagues at Data Law Insights have written about the HHS Office for Civil Rights’ $750,000 settlement with the University of Washington Medicine (“UWM”) announced this week. This third settlement in as many weeks confirms that the security risk analysis continues to be a linchpin of OCR enforcement under the HIPAA Security Rule. Indeed, the focus on risk assessments is not unique to OCR – a security risk analysis is also a CMS requirement under the Medicare/Medicaid EHR Incentive Programs. Throughout 2015, there appeared to be an increasing trend of regulators (such as OIG, OCR, and others) conducting audit and enforcement activities related to IT security. To prevent future scrutiny for violations, health care entities should commit to performing and strengthening their security risk analyses in 2016.