Volume 13 | January 2021
Chilivis Grubman Dalbey & Warner LLP

is pleased to announce that

formerly of King & Spalding LLP
has joined the firm as an Associate.
Andrew is a tremendous asset to the firm and our clients, given his extensive experience representing financial institutions, hospital groups, Big Tech companies, retailers, and private equity firms and the like in investigations and related civil litigation. Andrew has worked on cases involving the False Claims Act, securities fraud, insider trading, the Foreign Corrupt Practices Act, money laundering, data security, antitrust, and environmental laws. Through his efforts, Andrew was able to obtain declinations from DOJ and SEC in massive bet-the-company investigations.  
Supreme Court Remains Silent on Dismissal of FCA Claim Based on Statistical Evidence

Last month, the Supreme Court declined to review the Fifth Circuit Court of Appeals’ decision in U.S. ex rel. Integra Med Analytics, LLC v. Baylor, Scott & White Health, et al., which affirmed the dismissal of a False Claims Act complaint that relied predominantly on statistical analysis to state a claim. 

While FCA whistleblower lawsuits are most often brought by insiders with direct knowledge of fraudulent conduct, Integra Med is a data analytics company that has brought a number of FCA claims by relying on analysis of publicly available healthcare data. In this particular lawsuit, Integra alleged that Baylor Scott & White Health (“Baylor”) engaged in a scheme to fraudulently overbill Medicare by upcoding secondary diagnosis codes to include a complication or comorbidity (CC) and major complication or comorbidity (MCC). To support its allegations, Integra Med analyzed inpatient claims data and determined that Baylor claimed MCCs significantly above the national average for hospitals, which could not be explained by patient characteristics, demographic data, the attending physicians, or regional differences. Baylor moved to dismiss Integra Med’s claim arguing that it failed to meet the requisite pleading standard. 

In affirming the dismissal, the Fifth Circuit found that Integra Med’s statistical analysis was consistent both with a fraudulent scheme to upcode and the mere fact that Baylor was ahead of most healthcare providers in following new CMS guidance. In 2007, CMS reduced the standardized reimbursement amount to hospitals, but increased the number of secondary diagnoses identified as CCs and MCCs. In so doing, CMS encouraged providers to take full advantage of coding opportunities to maximize reimbursement and stated that it expected reimbursements to increase under the new coding guidelines. The statistical data in Integra Med’s complaint showed that the healthcare industry as a whole was following in Baylor’s trajectory. Thus, the facts “strongly indicate that a legal and obvious alternative explanation for the statistical data” exists and Integra Med’s allegations of false claims are simply conclusory. The Court does not foreclose the use of statistical data, but concludes that such data cannot meet the pleading requirements if the data is also consistent with a legal and obvious alternative explanation.

Integra Med petitioned for certiorari to the Supreme Court noting the decision “signals an impossible standard for FCA relators relying in part on statistical analyses, as they would need to anticipate and rule out every possible alternative explanation” of the data. The Supreme Court declined to accept the case, leaving the Fifth Circuit’s adverse ruling intact.

While a blow to serial relators like Integra Med, the decision may not be fatal. Other cases relying on statistical data, including one brought by Integra Med against a provider in California, are still percolating in the courts. Whether other circuit courts join the Fifth Circuit remains to be seen, but until there is uniformity, use of statistical data (by corporate whistleblowers and traditional relators alike) is likely to continue. 
New OCR Enforcement Discretion Related to Use of Web-Based Scheduling Applications for COVID-19 Vaccination Scheduling

On January 19, 2021, the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) announced its new Notification of Enforcement Discretion. Under the Notification, OCR will not impose penalties for HIPAA rule violations related to the good faith use of web-based scheduling applications (“WBSAs”) for scheduling COVID-19 vaccinations. “A WBSA is a non-public facing online or web-based application that provides scheduling of individual appointments for services in connection with large-scale COVID-19 vaccination … [and] does not include appointment scheduling technology that connects directly to electronic health records (EHR) systems used by covered entities.”

The Notification arises from OCR’s recognition that healthcare providers may need to quickly schedule individuals for COVID-19 vaccinations and providers may use WBSAs to perform this task. However, some WBSAs, or the manner in which covered entities and business associates use them, may violate HIPAA rules. According to OCR, “the vendors of such applications may not be aware that HIPAA covered health care providers are using their products to create, receive, maintain, or transmit electronic protected health information (ePHI), and that a WBSA vendor may, as a result, meet the definition of business associate under the HIPAA Rules.” Accordingly, OCR will not impose penalties for non-compliance with HIPAA rules against covered entities and business associates, in connection with the good faith use of WBSAs for scheduling appointments for COVID-19 vaccination during the COVID-19 nationwide public health emergency. The enforcement discretion also applies to WBSA vendors meeting the definition of business associate, whether the vendor has actual or constructive knowledge of its status as a business associate.

What Is Not Covered

The Notification does not apply to activities other than scheduling COVID-19 vaccinations, including the handling of PHI unrelated to the scheduling of COVID-19 vaccinations. The Notification does not apply to a covered entity or business associate (including WBSA vendors) that does not act in good faith. Below is a non-exhaustive list of actions OCR will not consider good faith:

  1. Use of a WBSA whose terms of service prohibit using the WBSA for scheduling healthcare services or provide that the WBSA may sell personal information it collects.
  2. Use of a WBSA to conduct services other than scheduling appointments for COVID-19 vaccination (e.g. to determine eligibility for COVID-19 vaccination).
  3. Use of a WBSA to screen individuals for COVID-19 before in-person health care visits.
  4. Use of a WBSA without reasonable security safeguards (e.g. access controls) to prevent PHI from being readily accessed or viewed by unauthorized persons.

Recommended Reasonable Safeguards

The Notification recommends and encourages that entities and business associates using WBSAs implement reasonable safeguards to protect PHI. These recommendations include disclosing the minimum PHI necessary for scheduling an appointment (e.g. name and phone number), using encryption technology, and enabling all available privacy settings to protect PHI. Other recommendations require examination of the WBSA’s capabilities and vendor terms. OCR recommends that covered entities and business associates (1) ensure that the WBSA stores PHI and metadata temporarily (e.g. PHI is returned or destroyed as soon as practicable, but no later than 30 days after the appointment); and (2) ensure the WBSA vendor does not use or disclose ePHI inconsistent with HIPAA rules (e.g. selling ePHI collected).

OCR also encouraged the use of WBSA vendors willing to enter business associate agreements and who represent that their WBSAs support compliance with HIPAA. Importantly, “failure to implement the recommended reasonable safeguards above will not, in itself, cause OCR to determine that a covered health care provider or its business associate failed to act in good faith for purposes of this Notification.”  

This enforcement discretion is effective immediately and has a retroactive effect to December 11, 2020. It expires when the public health emergency declaration expires or is rescinded. The Notification of Enforcement Discretion can be read here.
DOJ Releases False Claims Act Statistics for Fiscal Year 2020

In a press release on January 14, the U.S. Department of Justice released its False Claims Act Statistics for Fiscal Year 2020. In total, the federal government recovered over $2.2 billion in settlements and judgments from False Claims Act cases brought against companies and individuals. Acting Assistant Attorney General Jeffrey Bossert Clark of the Department of Justice’s Civil Division highlighted the Department’s continued efforts to combat fraud against the U.S. government despite the difficulties presented by the COVID-19 pandemic. As in previous years, health care fraud was the leading source of False Claims Act recoveries, totaling more than $1.8 billion of the $2.2 billion total. The driving force behind these recoveries continues to be qui tam suits brought by whistleblowers on behalf of the government. In FY 2020, the government recovered $1.6 billion from defendants in investigations stemming from qui tam suits filed by relators, resulting in $309 million paid out to individual relators.

The Department’s press release highlighted a number of high value settlements reached in 2020. By far, the largest settlement was with Novartis Pharmaceuticals Corporation, which paid over $591 million to resolve claims of a kickback scheme designed to increase prescriptions written for its drugs by physicians. In another settlement, Novartis and Gilead Sciences paid over $148 million to resolve claims that they illegally paid patients’ copays for their drugs. In the ongoing effort to combat the opioid crisis, the government entered into a $145 million settlement with electronic health records company Practice Fusion, Inc. to resolve claims of an alleged kickback scheme with Purdue Pharma designed to increase prescriptions for OxyContin. The Department made note of its continued efforts to hold individuals accountable for their role in defrauding the government. Notably, the government reached a $4.25 million settlement with individual physicians in Pennsylvania and a $3.25 million settlement with individual physicians in Massachusetts, highlighting the potential legal exposure to physicians and physician groups from False Claims Act suits.

2020 marks a downward trend of False Claims Act recoveries during President Trump’s four years in office from a total of $3.4 billion in FY 2017 to the $2.2 billion in FY 2020. Undoubtedly, the COVID-19 pandemic will have had an impact on the False Claims Act recoveries realized by the government in 2020. In its press release, the Department noted two massive pending False Claims Act recoveries that were not included in the statistics for FY 2020, as the settlements were reached after the end of the fiscal year on September 30, 2020. These two settlements alone represent $3.3 billion recovered under the False Claims Act. In October, the government reached a resolution with Purdue Pharma over its alleged unlawful promotion and inducement of OxyContin prescriptions, obtaining a $2.8 billion unsecured bankruptcy claim. Individual members of the Sackler family, the owners of Purdue Pharma, agreed to pay $225 million for their conduct in efforts to market OxyContin. In another settlement, Indivior agreed to pay $300 million to resolve claims that it unlawfully promoted its opioid addiction treatment drug, Suboxone. FY 2021 will dwarf FY 2020 with its total recoveries from False Claims Act litigation. As the Biden administration implements new policies and priorities at the Department of Justice, expect to see an increased emphasis on white-collar crime and consequences for individual defendants. The expected recoveries for FY 2021 are likely to serve as a springboard for the Department of Justice under President Biden to increase enforcement actions against companies and individuals under the False Claims Act.
DOJ Settles FCA Lawsuit Against DME Supplier for $40.5 Million

The DOJ announced it recently settled with durable medical equipment supplier Apria Healthcare to resolve allegations of fraudulent billing practices related to the rental of non-invasive ventilators (“NIVs”). 

The case was originally brought in the Southern District of New York under the qui tam provisions of the False Claims Act by three former Apria employees and the government subsequently decided to intervene. In its complaint, the government alleged that beginning in 2014, Apria prioritized the expansion of its rental program for NIVs, complex pieces of respiratory equipment capable of dynamically adjusting the pressure of air delivery based on patient needs, because federal healthcare programs reimbursed providers up to $1,400 per month per NIV. That expansion, however, came at the expense of compliance with billing requirements.

Per the terms of the settlement agreement, Apria admitted to and accepted responsibility for the following misconduct: 

  • Lack of Medical Necessity. Apria encouraged physicians to order NIVs for their patients. In its promotional materials, Apria indicated that respiratory therapists would monitor patients’ usage of NIVs to ensure compliance with physicians’ instructions and to ensure that continued usage was medically necessary. Despite those representations, Apria’s respiratory therapists failed to conduct the in-home visits to verify that patients were continuing to use the NIVs. Despite this failure, and in some instances even with evidence that continued use was no longer medically necessary, Apria continued to seek reimbursement for the NIV rental.
  • Failure to Use Cheaper Alternative to NIV. Apria also encouraged physicians to order NIVs when a bi-level pressure support setting, PAC mode, was medically indicated for a patient. Apria, however, failed to disclose to physicians that the PAC mode setting was available on a different, cheaper device called the VPAP S9. This resulted in Apria renting more expensive equipment, when cheaper alternatives would have satisfied patients’ needs. 
  • Offering to Waive Co-Pay. Apria also offered co-pay waivers to certain patients and encouraged its salespeople to discuss the availability of waivers, even before patients raised concerns about the ability to pay for NIVs. Apria also offered waivers to patients as an inducement to rent NIVs from Apria instead of other DME suppliers.
Apria is required to pay $40.5 million to settle the claims, with $37,632,789.89 being paid to the United States and the remaining amount to be paid to various states. 
Georgia Man That Pled Guilty to Touting Unproven Drugs as COVID-19 Treatment Permanently Barred from Selling Unproven Drugs

The U.S. District Court for the Southern District of Georgia issued a permanent injunction barring Matthew Ryncarz and his companies, Fusion Health and Vitality LLC (d/b/a Pharm Origins) and Fusion Ionz LLC (also d/b/a Pharm Origins), from selling unapproved drugs. The unapproved drugs were marketed as treatments for COVID-19, according to a U.S. Department of Justice (DOJ) press release. The defendants, who entered into a Consent Decree of Permanent Injunction, must also take additional actions, such as retaining a drug expert to comprehensively review the defendants’ product labeling, retaining a dietary supplement expert to comprehensively inspect the defendants’ facility and manufacturing process, and complying with various reporting requirements.

According to the DOJ, the defendants sold products, purportedly containing Vitamin D3, that the defendants claimed would cure, mitigate, or treat COVID-19 and other diseases. These products were sold through the defendants’ websites, labeled “Immune Shot,” “Immune Boost,” and “Core.” The DOJ alleged the defendants violated the Federal Food, Drug, and Cosmetic Act (FDCA) by introducing unapproved drugs into interstate commerce. The DOJ also noted that the defendants’ claims lacked credible scientific evidence and “none of the products were generally recognized as safe and effective by qualified experts for any of the uses promoted by the defendants.” 

In a separate but related action, DOJ criminally charged Mr. Ryncarz and his companies for violating the FDCA. The defendants’ charges stemmed from allegedly selling drugs claiming to treat COVID-19, which the government claims constituted misbranding under 21 U.S.C. § 352(a)(1). According to the DOJ, during the height of the COVID-19 pandemic in March 2020, Mr. Ryncarz sold “Immune Shot” for $19 per bottle through his company’s websites. The websites marketed the “Immune Shot” by touting to prospective consumers, “YOU will learn in JUST MINUTES … how to LOWER your risk of COVID-19 by nearly 50%.” The DOJ also alleged that Mr. Ryncarz targeted individuals age 50 and older with heavy-handed sales pitches, such as: “Immune Shot is Not a Luxury, It is a Necessity Right Now,” and “Is Your Life Worth $19? Seriously, Is It?” Mr. Ryncarz and his company were charged by way of Information. On September 29, 2020, Mr. Ryncarz and his company pled guilty and admitted that labeling for the “Immune Shot” product amounted to misbranding under the FDCA, as it falsely claimed it would lower the risk of contracting COVID-19.  

These actions resulted from cross-agency collaborations between the DOJ, FBI, and the Food and Drug Administration. CG attorneys have written about the government’s continued use of cross-agency collaborations and how such collaborations have resulted in significant takedowns. Related to unproven drug claims, Deputy Assistant Attorney General Daniel J. Feith made the DOJ’s intentions clear: “[t]he Department of Justice will not allow individuals to take advantage of consumers during a public health emergency by making unproven claims about unapproved drugs to profit from public panic … [w]e will continue to work closely with the Food and Drug Administration to halt such conduct.” 
DOJ Announces First Civil Settlement Alleging PPP Fraud

In April 2020, CG attorneys wrote about the increased risk of government scrutiny for recipients of the CARES Act Paycheck Protection Program (PPP), which initially provided over $349 billion in forgivable PPP loans to small businesses. As Congress authorized hundreds of billions in additional funds, recipient compliance and the government’s enforcement efforts have come to the forefront. 

In May 2020, CG attorneys discussed the first federal prosecution for PPP loan fraud. Then in September 2020, CG attorneys wrote about Acting Assistant Attorney General Brian Rabbitt’s remarks about the PPP. In his remarks, Rabbitt stated that then-Attorney General Bill Barr instructed the U.S. Department of Justice (DOJ) to focus on pandemic-related fraud, including fraud schemes related to the PPP. Rabbitt also noted that the DOJ set up a “team dedicated to PPP fraud, began investigating immediately, and brought our first cases within months of the PPP being announced.”

On January 12, 2021, the DOJ announced the first civil settlement to resolve allegations related to PPP loan fraud. According to the press release, an internet retail company, SlideBelts Inc., and its owner, Brigham Taylor, admitted to falsely stating to federally insured banks that SlideBelts was not in bankruptcy to obtain a PPP loan for $350,000. SlideBelts and Taylor also admitted that the false statements caused false claims to be made to the Small Business Administration (SBA) in connection with the PPP. The admitted acts were alleged violations of the False Claims Act (FCA), according to the press release. The acts were also alleged violations of the Financial Institutions Reform, Recovery and Enforcement Act (FIRREA), which “allows the government to impose civil penalties for violations of enumerated federal criminal statutes, including those that affect federally-insured financial institutions.”  Taylor and SlideBelts returned the $350,000 in PPP funds received and agreed to pay $100,000 in damages and penalties to resolve the allegations.

There are no indications the government’s enforcement efforts will decline, and recipients of PPP funds should ensure compliance with the program. The government will continue its inter-agency collaborations, which CG attorneys have discussed, to identify and investigate potential fraud. “The Department of Justice and our partners at the SBA will use all tools at our disposal, including civil fraud statutes, to aggressively pursue those who exploit federal programs intended to help those in need during this national emergency,” warned U.S. Attorney McGregor W. Scott. 
EEOC Updates Guidance on Employer Mandated COVID-19 Vaccines

As the COVID-19 pandemic continues and new treatments arise, the legal implications for employers also continue to evolve. Since the start of the COVID-19 pandemic, many have speculated about the legal implications of workplace vaccine policies. Now that a vaccine exists and is becoming increasingly available, the Equal Employment Opportunity Commission (EEOC) has updated its guidance regarding the applicability of the Americans with Disabilities Act (ADA), Title VII, and Title II of the Genetic Information Nondiscrimination Act (GINA). 


The ADA limits an employer’s ability to make disability-related inquiries or require medical examinations. A medical examination is “a procedure or test usually given by a health care professional or in a medical setting that seeks information about an individual’s physical or mental impairments or health” (e.g., vision tests; blood, urine, and breath analyses; blood pressure screening; cholesterol testing; etc.). 

Per the EEOC’s guidance, a COVID-19 vaccination is not a medical examination. If a vaccine is being administered for protection against contracting COVID-19, the employer is not seeking information about an individual’s impairment or health status. Although the EEOC appears to have greenlighted workplace vaccination policies, it cautions that an employer’s authority to do so is not carte blanche. The CDC has advised healthcare professionals to ask certain pre-screening questions before administering the vaccine to ensure that there is no medical reason preventing a person from receiving the vaccine, which may implicate the ADA’s provision on disability-related inquiries. If such pre-screening questions do elicit information about a disability, an employer must show that the questions are job-related and consistent with business necessity. 

To avoid implicating the ADA’s provision regarding disability-related inquiries, the EEOC offers two suggestions. First, employers can offer the vaccine on a voluntary basis. If an employee refuses to answer pre-screening questions, the employer can decline to administer the vaccine but may not retaliate against, intimidate, or threaten the employee for refusing to answer questions. Second, employers can require that employees get vaccinated by a third party unaffiliated with the employer (e.g. pharmacy or personal healthcare provider) and simply require that the employee provide proof of the vaccination. The EEOC does not consider requesting proof of vaccination to be a disability-related inquiry because it is not likely to elicit information about a disability. If, however, employees indicate that they are unable to receive a vaccine, asking why might elicit information about a disability that would be subject to ADA protections.

If an employee indicates that she is unable to get the vaccine due to a disability, an employer can only exclude that employee from the workplace if she poses a direct threat due to the significant risk of substantial harm to the health or safety of the individual or others that cannot be eliminated or reduced by a reasonable accommodation. If no reasonable accommodation can be provided to reduce the risk posed by an unvaccinated employee entering the workplace, then an employer can exclude the employee from physically entering the workplace. However, that does not mean that the employer can automatically fire the unvaccinated employee. The employer must consider other rights the employee might have under other federal employment or state laws.

Title VII

The EEOC also recognizes that some employees may object to getting the vaccine because of a sincerely held religious belief or practice. Under Title VII, an employer may not discriminate against an employee on the basis of their religion, which is defined broadly and protects beliefs, practices, and observances with which an employer may not be familiar. Employers must provide reasonable accommodations to such employees unless doing so poses an “undue hardship.” The EEOC encourages employers to assume employees have a sincerely held religious belief if they request a reasonable accommodation, but if an employer has an objective basis for questioning the religious nature of a belief or whether it is a belief sincerely held by the employee, the employer may be justified in requesting additional information from the employee. 

Just like with the ADA, if a reasonable accommodation does not exist for an employee who cannot be vaccinated due to a sincerely held religious belief, the employer may lawfully exclude that employee from the workplace but cannot automatically terminate the employee without considering whether the employee has rights under other applicable laws. 


Under Title II of GINA, employers may not (1) use genetic information to make decisions related to the terms, conditions, and privileges of employment; (2) acquire genetic information except in limited circumstances; or (3) disclose genetic information. The EEOC contends that administering a COVID-19 vaccine or requiring employees to provide proof that they have been vaccinated does not violate GINA because it does not involve the use of genetic information to make employment decisions, nor does it involve the acquisition of genetic information. 

However, like with the ADA, the screening questionnaires for the vaccine may implicate GINA. Genetic information is defined by GINA to include, among other things, not only information about an individual’s genetic tests, but also the manifestation of a disease or disorder in a family member (i.e. family medical history). If the screening questionnaire does not include questions about genetic information, then asking the questions does not implicate GINA (although it might still implicate the ADA). If the pre-screening questionnaire does ask about genetic information, employers should consider simply requesting proof of vaccination rather than administering the vaccine themselves. GINA does not prohibit an employee’s own healthcare provider from asking about genetic information. 

Employers should remain mindful of changes in the pandemic, CDC and other public health guidance, and how any employment practice may implicate federal and state employment laws. 
Florida Finally Introduces COVID-19 Legislation

Several states, including Georgia, have passed laws regarding COVID-19 civil liability in the wake of the public health pandemic that dominated 2020 and continues to rage. Florida has come to the fold, with the introduction of House Bill 7 (HB7) on January 6, 2021. 
HB7 would create Florida Statute § 768.38, establishing a civil cause of action for COVID-19 related liability. The bill creates liability protections for businesses, educational institutions, government entities, religious organizations, and other entities, such that a covered entity that makes a “good faith effort to substantially comply” with applicable COVID-19 guidance would be immune from civil liability for a COVID-19-related civil action. Healthcare providers are not covered entities and are not afforded COVID-19 liability protection under the bill.

The bill sets forth the following standards for a COVID-19-related civil action against a covered entity:

  • The plaintiff must plead his or her complaint with particularity.

  • At the time of filing suit, the plaintiff must submit a physician’s affidavit confirming the physician’s belief that the plaintiff’s COVID-19 related injury occurred because of the defendant’s acts or omissions.

  • The court will determine whether the defendant made the requisite “good faith effort to substantially comply” with applicable COVID-19 guidance.  

  • If the court determines the defendant made a good faith effort, the defendant is immune from civil liability.

  • If the court determines that the defendant did not make a good faith effort, the case may proceed to a jury.

  • The plaintiff must prove, by clear and convincing evidence, that the defendant acted with at least gross negligence.  

  • The bill affords a one-year statute of limitations.

  • If passed, the law would apply retroactively.

Other states, like Tennessee, have established similar legislation including standards for COVID-19 lawsuits. It will be interesting to see if HB 7, and its sister bill in the Florida Senate, become law.  
Appeals Court Affirms District Court’s Dismissal of Lawsuit Challenging New Hospital Price Transparency Rule

In November 2019, CG Attorneys wrote about the Centers for Medicare & Medicaid Services’ (CMS) price transparency rule requiring hospitals to publish prices for services beginning in 2021. Under the rule, hospitals must provide customers the “standard charges” for all services and supplies. Standard charges include gross charges, discounted cash prices, payer-specific negotiated charges, de-identified minimum negotiated charges, and de-identified maximum negotiated charges. The standard charges must be provided in a machine-readable format on a searchable platform in a prominent location online or in written form, when requested. Also, hospitals must describe the services in plain language. Under the rule, CMS may impose a civil monetary penalty (CMP) for violations or request a corrective action plan, and hospitals are afforded appeal rights. After exhaustion of the appeal process, any imposition of a CMP must be paid within 60 calendar days after the final decision.

In response to the price transparency rule, three hospitals and four healthcare associations (the American Hospital Association (AHA), the Association of American Medical Colleges (AAMC), The Federation of American Hospitals (FAH), and the National Association of Children’s Hospitals, Inc. (CHA)) sued the U.S. Department of Health and Human Services (HHS). The lawsuit alleges that the price transparency rule violates the First Amendment, is arbitrary and capricious, and will cause “concrete and imminent harm absent judicial intervention.” In a joint statement released by the associations, FAH President and CEO Chip Kahn explained: “CMS’ final rule fails to offer patients easy-to-understand information regarding their out-of-pocket obligations for care – so we feel obligated to contest the regulation. We contend the agency exceeded its authority and should go back to the drawing board.”  

In June 2020, U.S. District Judge Carl Nichols in Washington, D.C. granted summary judgment for HHS and dismissed the lawsuit. The hospitals and healthcare associations appealed. On December 29, 2020, two days before the rule went into effect, the U.S. Court of Appeals for the District of Columbia Circuit affirmed the district court’s grant of summary judgment. The Court rejected the plaintiffs’ arguments that the price transparency rule should be subjected to strict scrutiny and noted that HHS met the reasonableness standard: “The Association does not dispute that the government has a legitimate interest in promoting price transparency and lowering healthcare costs. Instead, it contends that the rule bears no reasonable relationship to those governmental interests … [but] the Secretary, relying on complaints from consumers, studies of state initiatives, and analysis of industry practices, reasonably concluded that the rule’s disclosure scheme will help the vast majority of consumers.” The Court also held that the plaintiffs did not show a burden on speech to support the First Amendment claim.  

OCR’s Right of Access Initiative Continues Strong in 2021 with $200K Settlement

In 2019, the U.S. Department of Health and Human Services’ (HHS) Office of Civil Rights (OCR) announced its Right of Access Initiative and promised to “vigorously enforce” patients’ right to access their medical records. Under this initiative, OCR investigated and settled allegations involving medical practices that potentially violated the HIPAA Privacy Rule’s right of access requirements (45 C.F.R. § 164.524). In November 2020, Director Roger Severino commented on OCR’s HIPAA Right of Access Initiative, noting: “We will continue to prioritize HIPAA Right of Access cases for enforcement until providers get the message.”

OCR’s enforcement actions have been broad, affecting small practices and major healthcare systems. The monetary settlements have been equally broad, ranging from less than $5,000 to more than $150,000. The frequency of settlements has also been increasing: there were only two settlements in the last quarter of 2019, while OCR settled eleven enforcement actions under the Right of Access Initiative in the last quarter of 2020. CG attorneys have monitored and alerted readers to many of these settlements, including the tenth, eleventh, twelfth, and thirteenth settlements. CG attorneys cautioned readers to heed OCR’s warnings regarding a patient’s right to access their medical records and noted that heightened enforcement efforts under the Right of Access Initiative would likely continue. OCR did not disappoint.

On January 12, 2021, OCR announced its first settlement of 2021 (its fourteenth settlement overall) under the Right of Access Initiative. According to the press release, OCR received two complaints against Banner Health ACE. In the first complaint, a patient allegedly requested access to her records in December 2017 but did not receive the records until 5 months later. The second complaint made similar allegations: the patient allegedly requested electronic copies of his records in September 2019, but the records were not sent until 5 months later, in February 2020.

OCR opened an investigation and found that Banner Health ACE’s failures to provide timely access to medical records were potential violations of the HIPAA right of access requirements. Banner Health ACE agreed to pay $200,000 to settle the potential violations of the HIPAA Privacy Rule’s right of access standard. Banner Health ACE also entered into a corrective action plan that includes monitoring for two years.

OCR’s announcement is a clear message that its enforcement efforts will continue. According to Director Severino, “[t]his first resolution of the year signals that our Right of Access Initiative is still going strong and that providers of all sizes need to respect the right of patients to have timely access to their medical records.” Providers and medical practice administrators should familiarize themselves with patients’ rights under HIPAA to access protected health information by reviewing the related regulation (45 C.F.R. § 164.524) and HHS guidance.


I never doubted my ability, but when you hear all
your life you're inferior, it makes you wonder if the
other guys have something you've never seen before.
If they do, I'm still looking for it.

