The U.S. Department of Health and Human Services (“HHS”) has expanded upon its recent Healthcare Sector Cybersecurity Concept Paper (which we covered in a prior blog post), issuing cybersecurity performance goals (“CPGs”) for the healthcare and public health (“HPH”) sector. These CPGs aim to help healthcare organizations protect against

The U.S. Department of Health and Human Services (HHS) recently issued a strategy paper highlighting key aspects of its plan to revamp cybersecurity requirements in the healthcare industry. Citing a 93% increase in large data breaches in healthcare from 2018 to 2022 and a rapid increase in ransomware attacks against

On June 27, 2023, the Office of Inspector General (“OIG”) for the U.S. Department of Health and Human Services (“HHS”) released its final rule (“Final Rule”) implementing penalties for information blocking.

The Final Rule codifies the prohibition on “information blocking” introduced by the 21st Century Cures Act (“Act”), which was enacted on December 13, 2016. In the Act, “information blocking” was defined as any activity that, in part, is “likely to interfere with, prevent, or materially discourage access, exchange, or use” of electronic health information (“EHI”).[1] The Final Rule provides an enforcement process for alleged information blocking violations by health information networks, health information exchanges, and developers of health IT certified by the HHS Office of the National Coordinator for Health Information Technology (“ONC”). Enforcement of the information blocking penalties will begin on September 1, sixty days after publication of the final rule in the Federal Register.

On June 16, 2023, the Supreme Court (the “Court”) in United States ex rel. Polansky v. Executive Health Resources affirmed the federal government’s power to dismiss a False Claims Act (“FCA”) action brought under the qui tam provisions whenever it chooses to intervene. Polansky is the second FCA case this summer in which the Court has ruled in favor of the federal government—i.e., the Department of Justice, acting through the Attorney General (“DOJ”). Writing for an 8-1 majority, Justice Kagan explained that DOJ receives considerable deference, even over the objection of the individual who raised the action (i.e., the relator or whistleblower), to dismiss cases that are inconsistent with DOJ’s interests.

In a unanimous opinion, the United States Supreme Court (“Court”) recently held that the False Claims Act’s (“FCA”) scienter requirement refers to a defendant’s knowledge and subjective beliefs, rather than what a hypothetical reasonable person could have known or believed. As supported by the text of the FCA itself and by its common-law roots, the Court explained that the “focus is what a defendant thought when submitting a claim—not what a defendant may have thought after submitting it.” Consequently, the Court vacated the holding of the Seventh Circuit and remanded the matter for further proceedings consistent with the Court’s opinion. Because the Seventh Circuit had affirmed a Federal district court’s grant of the defendants’ motions for summary judgment, the Court’s opinion effectively revives the FCA claim against the defendants.

We previously wrote about the United States Department of Justice’s (“DOJ”) Civil Cyber-Fraud Initiative (“CCFI”), which “aims to hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.” In that post, we summarized DOJ’s first two False Claims Act (“FCA”) resolutions pursuant to the CCFI, which amounted to more than $9 million in recoveries.

On March 2, 2023, the Federal Trade Commission (FTC) announced that it had reached a $7.8 million settlement with mental health and online counseling platform, BetterHelp, Inc. (“BetterHelp”). The FTC alleged that BetterHelp shared consumers’ sensitive health data combined with other personal information (PI) with third-party advertising platforms without

On July 20, 2022, the Office of Inspector General for the Department of Health and Human Services (“OIG”) issued a special fraud alert (“Alert”) advising “practitioners to exercise caution when entering into arrangements with purported telemedicine companies.” The Alert is only one of four such “special fraud alerts” that the OIG has issued in the past decade and it illustrates the importance of OIG’s statements.

OIG Flags Seven Characteristics of Telehealth Fraud

In the Alert, OIG cautions that certain companies that purport to provide telehealth, telemedicine, or telemarketing services (collectively, “Telemedicine Companies”) have carried out fraudulent schemes by: (i) aggressively recruiting physicians and non-physician practitioners (collectively, “Providers”) and (ii) paying kickbacks to such Providers in exchange for the ordering of unnecessary items or services, including durable medical equipment, genetic testing, and other prescription items. According to OIG, the fraudulent schemes have varied in design and operation and involved a variety of individuals, Providers, and health care vendors, including call centers, staffing companies, and marketers.

The Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”), recently issued new regulatory guidance relating to covered entities’ HIPAA-compliant use of remote communication technologies for audio-only telehealth services. This guidance is a direct response to a December 2021 Executive Order that tasked HHS with developing HIPAA guidance for telehealth services, with the stated goals of improving “patient experience and convenience” as the COVID-19 public health emergency subsides. HHS has issued this guidance in anticipation of the national public health emergency ending, at which time OCR’s Telehealth Notification loses effect.

The new HIPAA guidance affects covered entities in four key ways.

The Department of Health and Human Services (“HHS”) has issued a formal request for information from the public about how regulated entities are implementing industry recognized security practices. The request for information represents a chance for the private sector to contribute to HHS regulation. Interested parties have until June 6,