This past July, the Federal Communications Commission (“FCC”) released a ruling (the “Ruling”) interpreting the Telephone Consumer Protection Act (“TCPA”) restrictions on certain communications to wireless telephone numbers. The Ruling significantly restricts businesses’ ability to use auto-dialers and artificial or prerecorded voices for contacting wireless telephone numbers, including via text message (“automated contact systems”), prior to obtaining customer consent. Fortunately for the many health care providers who rely on this type of technology for important patient correspondence such as appointment reminders, the FCC has provided a significant exception for providers’ automated contact systems that meet certain criteria set forth in the Ruling. While the criteria are not overly burdensome, they are numerous and specific, so health care providers with automated contact systems should review them carefully to ensure ongoing compliance with the TCPA.
Following the Ruling, health care providers with automated contact systems must either obtain patient consent prior to using automated contact systems, or be sure that their automated contact systems comply with the Ruling. Generally, to be exempt from obtaining prior express consent from patients, calls to wireless numbers using automated contact systems:
- must not be charged to patient-recipients;
- must be for specific, health-related purposes;
- must include easy opt-out options; and
- are subject to volume and brevity restrictions.
The Ruling describes in greater detail the steps that health care providers must take to meet the above standards.
The FCC ruling is available here. Contact a member of the Benesch team if you have any questions about your automated contact system after the FCC’s recent ruling.
On May 20, 2015, CareFirst BlueCross BlueShield (“CareFirst”) announced that it was the latest victim of a major cyberattack, with as many as 1.1 million plan customers affected. Current and former CareFirst members and individuals who do business with CareFirst online who registered to use CareFirst’s websites prior to June 20, 2014 are impacted by this event.
CareFirst said that although the hackers may have acquired customer names, email addresses, birthdates, customer-created user names and subscriber identification numbers, they did not obtain sensitive financial or medical information like Social Security numbers, medical claims, credit card or employment information or passwords associated with the user names. The company has stated that those affected by the cyberattack will be provided two free years of credit monitoring and identity theft protection.
As an explanation of how CareFirst learned of the breach, Chet Burrell, CareFirst’s chief executive, said that after cyber attacks on other insurers earlier this year, he created a task force to review the company’s information technology systems. CareFirst then hired Mandiant, a division of FireEye, to perform a forensic review of its systems. Last month, Mandiant determined a breach had occurred in June 2014 allowing unauthorized access to a single database with the information listed above.
Just hours after the announcement of the breach, class action law firms were already investigating the circumstances of the breach and seeking plaintiffs who may have been affected. Now that state claims may be brought based on HIPAA as a standard of care, the suits will likely consider potential harm due to the disclosure and whether CareFirst adequately protected the information and provided timely notice. These are the same types of claims brought in the numerous class action lawsuits after the Anthem cyber-attack in February 2015.
The cyber-attack and pending lawsuits should serve as a reminder for healthcare companies to review and properly implement their HIPAA privacy and security policies and procedures. For more information on HIPAA, health care compliance or related issues, please feel free to contact Daniel Meier or any member of our health care practice group for a further discussion.
The Centers for Medicare & Medicaid Services (“CMS”) recently released the final rule for Medicare’s Physician Fee Schedule for 2014 Calendar Year (“CY”). While physicians are expected to see a 20.1% reduction to their Medicare payments, the Fee Schedule also includes expanded coverage for telehealth services and increased reimbursement payments for such services.
A recent Office of the Inspector General (OIG) Report reviews progress made by the Office for Civil Rights (OCR) toward enforcement of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule following the 2009 Health Information Technology for Economic and Clinical Health Act (HITECH) amendments. The OIG found OCR enforcement to be meeting Federal HIPAA requirements in some key areas, but to be wanting in others.
OCR enforcement activities meeting Federal requirements include: (1) making available guidance promoting compliance with the Security Rule; (2) the investigation process for responding to reported Security Rule violations; and (3) proper application of penalties for covered entities found in violation of the Security Rule.