backFEATURED ARTICLES
King & Spalding Client Alert: Federal District Court in Texas Grants “Nationwide” Preliminary Injunction Against CTA Enforcement
On December 3, 2024, the U.S. District Court for the Eastern District of Texas issued a nationwide preliminary injunction (the Preliminary Injunction) against enforcement of the Corporate Transparency Act (CTA), including a stay of the CTA’s Beneficial Ownership Information Reporting Rule. King & Spalding’s full Client Alert with additional information and insight is available here. After the issuance of the Preliminary Injunction, FINCEN updated publicly available guidance to advise that reporting companies are not required to file CTA reports during the Preliminary Injunction. The Client Alert will be updated to reflect this new development.
HIPAA Reproductive Healthcare Privacy – Recent Settlement Related to Privacy Rule Violation and Reminder of December 2024 Privacy Rule Compliance Deadline
Last week, HHS Office of Civil Rights (OCR) announced a settlement with a Pennsylvania provider (the Provider) concerning an alleged violation of the HIPAA Privacy Rule. Specifically, the Provider impermissibly disclosed a female patient’s protected health information (PHI)—which included information related to reproductive healthcare—to the patient’s prospective employer. The settlement comes ahead of an impending December 23, 2024, deadline for providers to comply with the HIPAA Privacy Rule to Support Reproductive Health Care Privacy Final Rule (Final Rule). Both the settlement and the Final Rule are described in more detail below.
Provider Settlement
In September 2023, OCR received a complaint alleging that the Provider impermissibly disclosed a female patient’s PHI to the patient’s prospective employer. This information included her surgical, gynecological, and obstetric histories, as well as other sensitive health information concerning reproductive healthcare. Following an investigation, OCR found (1) that the Provider disclosed the patient’s full medical record, which included PHI concerning her reproductive health care; (2) the Provider did not have the patient’s authorization for the broad disclosure of her PHI; and (3) there was no applicable requirement or permission under the HIPAA Privacy Rule for such a broad release of her medical records.
The Provider paid $35,581 to HHS under the Resolution Agreement, and the Provider agreed to implement a corrective action plan (CAP). The CAP includes, but is not limited to, the following actions:
- Submitting a breach notification report to HHS regarding this incident;
- Reviewing, developing, or revising the Provider’s policies and procedures to ensure compliance with the HIPAA Privacy Rule, and submitting all such policies and procedures to HHS for approval;
- Distributing all HHS-approved policies and procedures to the Provider’s workforce and ensuring that each member of the workforce certifies receipt and understanding of the policies and procedures; and
- Training all members of the Provider’s workforce on its HHS-approved policies and procedures, including all workforce members of its affiliated entities.
The Resolution Agreement and CAP is available here.
Final Rule
Earlier this year, OCR published a final rule titled HIPAA Privacy Rule To Support Reproductive Health Care Privacy, which prohibits the disclosure PHI related to lawful reproductive healthcare in certain circumstances. 82 Fed. Reg. 22,976 (Apr. 26, 2024). More information on the Final Rule is available in the King & Spalding Client Alert dated Nov. 27, 2024.
By December 23, 2024, healthcare providers, health plans and healthcare clearinghouses (collectively, Covered Entities) and their business associates are prohibiting from using or disclosing PHI relating to reproductive healthcare—meaning, affecting the health of an individual in all matters relating to the reproductive system and to its functions and processes—for any of the following:
- Conducting a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating reproductive healthcare;
- Imposing criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive healthcare; or
- Identifying any person for either of the above purposes (collectively, Prohibited Purposes).
For certain requested uses or disclosures, the Final Rule requires Covered Entities or their business associates to obtain a written attestation that the PHI is not for a Prohibited Purpose before the PHI potentially related to reproductive healthcare can be used or disclosed.
The Final Rule is available here, and the HHS fact sheet is available here.
Reporter, Ahsin Azim, Washington, D.C., +1 202 626 5516, aazim@kslaw.com.
OIG Publishes the Fall 2024 Semiannual Report to Congress
On December 4, 2024, OIG issued its fall 2024 Semiannual Report to Congress (the Report), which provides a comprehensive overview of the agency’s work completed during the reporting period of April 1, 2024, through September 30, 2024.
The Report highlights over $7 billion in expected recoveries resulting from OIG audits and investigations for FY 2024, including $4.36 billion in expected recoveries during the reporting period. OIG reports 1,548 criminal and civil enforcement actions against individuals and entities suspected of engaging in crimes targeting HHS programs and the people they serve, including settlements resulting from using OIG's civil monetary penalty authorities and criminal convictions. According to the Report, OIG excluded 3,234 individuals and entities from participation in federal health care programs.
Further highlights include:
- Upon review of 100 for-profit nursing homes nationwide, OIG found that twenty-four did not meet federal requirements pertaining to infection prevention. OIG estimates that 2,568 (approximately 1 in 4) for-profit nursing homes nationwide may not have complied with Federal requirements for infection prevention during the review period.
- OIG found Medicare improperly paid hospitals an estimated $79 million for enrollees who had received mechanical ventilation. According to the Report, Hospitals attributed the improper billing to incorrectly counting the hours that enrollees had received mechanical ventilation as well as clerical errors in selecting procedure or diagnosis codes.
- OIG found that Medicare and some enrollees paid 80 percent more when Stelara injections were covered under Part D (i.e., self-administered) versus under Part B (i.e., administered by a physician). Stelara is a high-cost prescription biologic approved to treat certain autoimmune diseases. OIG’s findings indicate that the different methods used to set drug payments under Part B and Part D result in different payment amounts for the same drugs.
The Report is available here.
Reporter, Elizabeth Key, Sacramento, +1 916 321 4821, ekey@kslaw.com.