Health Law Update – April 7, 2016

Welcome to this week's edition of the Health Law Update. In This Issue:

  • I’ll Gladly Pay You 10 Years From Today for Care Already Provided
  • New Medicare Part B Payment Model is Most Recent Payor Response to Increasing Drug Prices
  • Ransomware Targets Healthcare Industry
  • Deeper Dive: The Changing Landscape of Healthcare Data Breaches
  • Caution Ahead: Illinois’ Biometric Information Privacy Act Puts Companies in the Crosshairs
  • Supreme Court Asked to Clarify Limits on Diagnostic Method Patents
  • Webinar: Is Your Organization Compromise Ready?
  • Events Calendar

I’ll Gladly Pay You 10 Years From Today for Care Already Provided

By Robert M. Wolin

Most providers whose claims have been determined to be improper by the Recovery Audit Contractors (RACs) under the Medicare Recovery Audit Program have discovered that the appeals backlog “is incontrovertibly grotesque.” Two Courts of Appeals have recently acknowledged that the Office of Medicare Hearings and Appeals (OMHA) has a 10-year backlog of more than 800,000 appeals, but they have reached differing opinions on whether providers have a right to force the U.S. Department of Health and Human Services (HHS) to expedite their appeals if an administrative law judge fails to conduct a hearing and render a decision within 90 days, as provided under 42 U.S.C. § 1395ff(d)(1)(A).

The D.C. Circuit Court of Appeals in American Hospital Association, et al. v. Burwell, directed the district court to review complaints of systemic Medicare appeal delays in a case brought by the American Hospital Association and several hospitals individually and indicated that the district court could issue a writ of mandamus requiring HHS to assure that appeals are resolved within the applicable statutory time frames, if the court finds “compelling equitable grounds” favoring the hospitals. However, the D.C. Circuit also stated that if the “district court determines on remand that Congress and the Secretary [of HHS] are making significant progress toward a solution, it might conclude that issuing the writ is premature. If so, it could consider such action as ordering the agency to submit status reports updating the court on the level of appropriations, the progress of the AFIRM Act [S. 2368, the Audit & Appeal Fairness, Integrity, and Reforms in Medicare Act (AFIRM) of 2015], and any other relevant information.”

While the ultimate action of the district court in the American Hospital Association case may provide the relief long sought by providers, the Fourth Circuit reached the opposite conclusion in Cumberland County Hospital v. Burwell. While the Fourth Circuit likewise found the appeals backlog appalling, it held that judicial intervention was inappropriate to relieve the backlog because providers had the right to escalate appeals to the Departmental Appeals Board (DAB) and then to federal courts, if the appeal was not addressed within the statutory periods. The Fourth Circuit concluded that the escalation right for delays provided healthcare providers with an adequate alternative remedy and that judicial intervention would circumvent the comprehensive multi-level administrative appeals process included within the statute.

Providers should stay tuned to see how the D.C. district court acts on the remand, and (1) whether and how other courts intervene, and (2) whether the proposed AFIRM Act moves toward passage in Congress to avoid the threatened judicial intervention. In the meantime, hospitals are forced to provide care today and hopefully will see payment 10 years hence.

New Medicare Part B Payment Model is Most Recent Payor Response to Increasing Drug Prices

By Lee H. Rosebush and Nita Garg

Recent activity by the federal government along with commercial payors may be indicative of further changes to how payors, providers, and pharmaceutical manufacturers engage in prescription drug arrangements.

A recently announced proposed rule by CMS would create a new Medicare Part B prescription drug payment model intended to improve quality of care and deliver better value for Medicare Part B beneficiaries. This new payment model represents the federal government’s response to increasing prescription drug prices in the Medicare program. According to a brief released by the HHS Office of the Assistant Secretary for Planning and Evaluation (ASPE), the current Part B payment model does not encourage physicians to choose the lowest cost therapy to effectively treat a patient.

Because Part B pays for most drugs separately, with no reference to other drugs of similar therapeutic effectiveness, there is no monetary incentive for providers, suppliers, or patients to make choices based on both cost and quality, according to the ASPE brief. Currently, Medicare Part B generally pays physicians and outpatient departments the average sales price (ASP) of the drug plus 6 percent. By changing the payment methodology, CMS hopes to “encourage better care, smarter spending, and healthier people by paying providers for what works, unlocking healthcare data, and finding new ways to coordinate and integrate care to improve quality.” Specifically, the new method would both reduce the 6 percent upcharge by nearly half and add a flat fee per drug per day.

The federal government is not the only payor contending with growing costs. Commercial payors have also been working on solutions to the problem of rising drug prices. Some commercial insurers, including Medicare Part D plan sponsors, are utilizing pricing policies or formulary management practices to increase the value of prescription drugs. Last year, in response to the announced price hike by Turing Pharmaceuticals of its drug Daraprim (commonly used by cancer and AIDS patients), at least one pharmacy benefits manager announced that it would contract with a compounding pharmacy to offer an alternative at $1 a pill.

Noting that “Medicare has not been able to employ a variety of formulary management practices that would potentially improve value for beneficiaries and the Program,” the ASPE brief maintains that “substantial savings” could be produced through the implementation of a variety of pricing policies and formulary management practices under Medicare Part B.

Ransomware Targets Healthcare Industry

By Lynn Sessions and Suchismita Pahi

Just four months into 2016, the healthcare industry is already facing a permanent and increasing threat to hospital operations: ransomware. Previously, BakerHostetler reported that Hollywood Presbyterian Hospital paid 40 bitcoins to access its own electronic health records after its information systems were locked with ransomware. Since then, at least five other healthcare entities have been infected with ransomware.

According to the March 31, 2016, United States Computer Emergency Readiness Team (US-CERT) Ransomware and Recent Variants Alert, the ransomware variants “Locky” and “Samas” (Samas/Samsam/MSIL.B/C) are the culprits for recent healthcare incidents. Locky has infected computers in healthcare facilities and hospitals in the United States, New Zealand, and Germany. It spreads through spam emails that have malicious Microsoft Office documents or compressed files (.rar, .zip) attached. Samas gains entry through vulnerable web servers.

Although many types of ransomware can be traced to human error and lack of training, such as downloading or installing malicious files, the Samas ransomware targets a specific vulnerability in a type of business software known as JBoss and requires no human action. As detailed by Cisco Talos, Samas exploits the software vulnerability in JBoss using open-source tools, such as the JexBoss testing and exploitation framework for JBoss, to gain access and then spread the ransomware within the network. Cisco Talos has already seen that the ransomware attackers are testing the amount of money they can collect from affected entities. Cisco Talos has also released Snort rules and ClamAV signatures to help entities detect Samas.

In addition to Cisco’s research team, Microsoft’s Malware Protection Center is also following the Samas ransomware infections and chronicling the changes and patterns of the attack. The guidance from the government and companies working in the cybersecurity space underscores the importance of making sure software is up-to-date and networks are protected.

US-CERT’s recent alert also provides the following preventive measures for individuals and organizations:

  • Employ a data backup and recovery plan for all critical information. Perform and test regular backups to limit the impact of data or system loss and to expedite the recovery process. Ideally, this data should be kept on a separate device, and backups should be stored offline.
  • Use application whitelisting to help prevent malicious software and unapproved programs from running. Application whitelisting is one of the best security strategies as it allows only specified programs to run, while blocking all others, including malicious software.
  • Keep your operating system and software up-to-date with the latest patches. Vulnerable applications and operating systems are the target of most attacks. Ensuring these are patched with the latest updates greatly reduces the number of exploitable entry points available to an attacker.
  • Maintain up-to-date anti-virus software, and scan all software downloaded from the internet prior to executing.
  • Restrict users’ ability (permissions) to install and run unwanted software applications, and apply the principle of “Least Privilege” to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through the network.
  • Avoid enabling macros from email attachments. If a user opens the attachment and enables macros, embedded code will execute the malware on the machine. For enterprises or organizations, it may be best to block email messages with attachments from suspicious sources.
  • Do not follow unsolicited Web links in emails. Refer to the US-CERT Security Tip on Avoiding Social Engineering and Phishing Attacks for more information.

Deeper Dive: The Changing Landscape of Healthcare Data Breaches

We are seeing more healthcare data breaches occur, and our experience shows that the causes and severity of these breaches are changing, as well.

By Lynn Sessions

For the second year in a row, the BakerHostetler Data Security Incident Response Report demonstrates that healthcare breaches continue to be the highest percentage of incidents that we handled in 2015. This year’s Report provides insights generated from the review of more than 300 incidents that our attorneys advised on in 2015. The report confirms the prevalence of public healthcare data breaches as a result of the implementation of the Health Information Technology for Economic and Clinical Health (HITECH) Act and the Health Insurance Portability and Accountability Act (HIPAA) Omnibus Rule.

Caution Ahead: Illinois’ Biometric Information Privacy Act Puts Companies in the Crosshairs

Although healthcare entities are exempt from BIPA’s requirements because of HIPAA, they are likely next in line for lawsuits because of their rapid adoption of biometric authentication measures for employees and contractors.

By Suchismita Pahi and Paul G. Karlsgodt

Despite being on the books since 2008, the Illinois Biometric Information Privacy Act (BIPA) has only recently become the subject of litigation. Shutterfly was sued by an individual in Chicago for adding his “faceprint” to Shutterfly’s photo database even though he did not use Shutterfly, Facebook is currently facing a lawsuit in California based on BIPA, and Google has recently been sued in Illinois for compiling “faceprints.” Plaintiffs can potentially recover damages of $1,000 to $5,000 per violation, as well as attorneys’ fees and costs in these suits.

At the same time, companies continue to push the envelope in finding more convenient and secure ways to protect financial and other personal information. On February 22, 2016, a major credit card company announced that it will be rolling out identity authentication through selfies for customers to more easily approve online purchases. Just three days prior to that announcement, HSBC announced that it was rolling out voice recognition for banking customer calls as an alternative to a regular password.

The healthcare industry is also adopting biometric authentication and other similar technologies. Many healthcare entities are using these technologies to verify employees’ identities for access to sensitive information. For example, Arizona’s Children’s Clinics for Rehabilitative Services and Saratoga Hospital in New York use fingerprint readers to prevent unauthorized personnel from accessing patient records. Research institutions require researchers to use fingerprint scanning to access biohazard material, and a major pharmaceutical company requires personnel to provide biometric information for access to secure storage areas. Last but not least, many in the healthcare industry provide their employees with entity-owned mobile devices, such as iPads or iPhones, which have biometric authentication capabilities and store the biometric data.

Although biometric identifiers are safer than traditional password or passcode set-ups used by companies, those that are using biometric identifiers are subject to lawsuits, particularly under BIPA. Entities are prohibited by BIPA from collecting, capturing, purchasing, receiving through trade, or otherwise obtaining a person’s or a customer’s biometric identifier or biometric information without proper notification and consent (740 ILCS 14/15(b)). BIPA also restricts how biometric information can be used, prohibiting entities from selling, leasing, trading, or otherwise profiting from a person’s or a customer’s biometric identifier or biometric information.

To comply with BIPA, an entity has to:

  1. Provide written notice that a biometric identifier or biometric information is being collected or stored;
  2. Provide written notice of the specific purpose and length of term for which the biometric identifier or biometric information is being collected, stored, and used; and
  3. Receive a written release executed by the subject of the biometric identifier or biometric information or the subject’s legally authorized representative.

The most recent lawsuits using BIPA are suits against retailers for collecting fingerprint data without providing proper statutory notice. These suits seek awards of statutory damages regardless of any actual injury. The courts have yet to issue decisions on whether actual injury is a prerequisite to an award of the “liquidated damages” available under the statute, and it is unclear which way the statute will be interpreted.

To ward off any potential lawsuits, companies with operations in Illinois should institute the following prior to collecting fingerprint data or other biometric information:

  • A written policy regarding the biometric data;
  • A data retention schedule; and
  • A written consent form to be signed by each person from whom biometric data is to be collected and stored.

An earlier version of this article contained the following erroneous statement: “BIPA also allows for a company to retroactively inform customers or persons of the biometric identifier use if it does so within three years of coming into possession of the information.” There is no such provision in the statute. We regret any confusion caused by this error.

Supreme Court Asked to Clarify Limits on Diagnostic Method Patents

By Ronald C. Kern Jr., Ph.D.

Arguing that the current state of the law weakens the patent system and poses a danger to life science innovators, biotechnology company Sequenom, Inc. has filed a writ of certiorari with the U.S. Supreme Court, asking the Court to provide clarification regarding the limits of 35 U.S.C. § 101 as it relates to patent eligibility of diagnostic tests. The Sequenom petition offers an opportunity for the Supreme Court to loosen the seemingly universal prohibition against diagnostic method claims set forth in Mayo Collaborative Services v. Prometheus Labs. The Mayo decision, together with the Court’s holding in Association for Molecular Pathology v. Myriad Genetics, has significantly reduced the ability to obtain patentable subject matter in the life science arena.

Sequenom’s U.S. Patent No. 6,258,540 derives from the discovery that cell-free fetal DNA (cffDNA) may be found in maternal plasma and serum. Applying a combination of known laboratory techniques to their discovery, the inventors implemented a method for detecting and amplifying paternally inherited cffDNA in maternal plasma or serum to determine certain fetal characteristics, such as gender and/or the presence or absence of various genetic defects. In Ariosa Diagnostics, Inc. v. Sequenom, Inc., 788 F.3d 1380 (Fed. Cir. 2015), the Court of Appeals for the Federal Circuit affirmed the Northern District of California’s broad interpretation of Mayo that claims directed to the mere application of naturally occurring products and phenomena constitute unpatentable subject matter. Please see our July 8, 2015 and December 8, 2015 blog posts for additional background.

Sequenom’s petition, which was filed on March 21, 2016, asks the Court to provide clarification regarding the limits of 35 U.S.C. § 101 as it relates to patent eligibility of diagnostic tests. Sequenom’s petition asks whether a novel method is patent-eligible where:

  1. A researcher is the first to discover a natural phenomenon;
  2. That unique knowledge motivates such researcher to apply a new combination of known techniques to that discovery; and
  3. The researcher thereby achieves a previously impossible result without preempting other uses of the discovery.

Sequenom is requesting that the Court grant the petition because “[r]ight now, Section 101 doctrine lacks any discernable limits, and so no company can trust in the patent system when deciding whether to invest in bringing an invention to market.”

Ariosa has until April 20, 2016 (extendable with permission from the Court) to file a brief in opposition. As indicated by the number of amici briefs filed in the Federal Circuit, this case is sure to be closely monitored by biotech and pharmaceutical companies, academic medical centers, medical schools, practitioners, professors, universities, associations, international interests, the USPTO, and more.

Webinar: Is Your Organization Compromise Ready?

Please join BakerHostetler’s Privacy and Data Protection team on Wed, Apr 20, 2016 for a webinar to cover the results of the 2016 BakerHostetler Data Security Incident Response Report. Trends, top causes for a security breach, and steps you can take to become compromise ready will all be discussed.

Events Calendar

April 19, 2016

Houston Associate Suchismita Pahi will give a webinar presentation on “Bulletproof Your Smartphone Policy: Keys to Ensure HIPAA Compliance” during the Progressive Healthcare Conferences webinar.

April 20, 2016

Houston Partner Lynn Sessions will participate on a panel, “Healthcare Data Breach: Another Day, Another Breach,” along with other industry experts, at the 2016 Medical PL Symposium sponsored by the Professional Liability Underwriting Society in Chicago, IL.

April 21, 2016

Houston Partner B. Scott McBride will present on “False Claims Act Enforcement and Investigations” at the UT Law’s 28th Annual Health Law Conference in Houston, TX.

Washington, D.C., Partner Lee H. Rosebush will present on “Drug Pricing in Pharmacy & PBM Contracting – What Does It All Really Mean?” at the Academy of Managed Care Pharmacy (AMCP): Managed Care & Specialty Pharmacy Annual Meeting in San Francisco, CA.

April 22, 2016

Houston Partner Donna S. Clark will present a “Stark Update” at the UT Law’s 28th Annual Health Conference in Houston, TX.

May 16, 2016

Houston Partner Susan Feigin Harris will present “In a Different Voice: Ways Women Can Create Innovative Legal Service Models and Differentiate Themselves in a Competitive Market” at the AHLA Women’s Leadership Institute in Nashville, TN.


Baker & Hostetler LLP publications are intended to inform our clients and other friends of the firm about current legal developments of general interest. They should not be construed as legal advice, and readers should not act upon the information contained in these publications without professional counsel. The hiring of a lawyer is an important decision that should not be based solely upon advertisements. Before you decide, ask us to send you written information about our qualifications and experience.

Editor

Kathleen P. Rubinstein, MPA
713.276.1650
krubinstein@bakerlaw.com
