Month: November, 2016

The Future Is Uncertain For the Patient Protection and Affordable Care Act

With the election of Donald Trump to the office of President of the United States, Republicans and their supporters began implementing plans for the repeal and replacement of President Obama’s signature legislation, the Patient Protection and Affordable Care Act (“ACA”). President-Elect Trump’s selection of Representative Tom Price (R-GA) to the position of Secretary of Health and Human Services signaled the next step in those efforts.

Dr. Price, an orthopedic surgeon, has been a regular voice in opposition to the ACA, and many in Congress and the media see this selection as confirmation that every effort will be made to replace the ACA. Several Democrats have already come forth indicating they plan to challenge Dr. Price’s selection, as they see any threat to the ACA as a threat to thousands of patients who have received insurance only as a result of the ACA.

While a repeal of the ACA is still not guaranteed and many are already challenging whether it could even be effectuated without significant impacts on the health insurance industry and millions of Americans, it is nevertheless important to understand what a replacement program might look like. Dr. Price has previously submitted one of the more detailed Republican plans to replace the ACA. His previously proposed legislation is known as the Empowering Patients First Act.

Unlike the ACA, Dr. Price’s legislation seeks to minimize government’s role in health care. The following are five key elements of Dr. Price’s prior proposal:

  1. Fixed tax credits that rise with age so that patients can purchase their own insurance on the private market, including across state lines. The tax credits would not fluctuate based on income.
  2. Expand health savings accounts to further incentivize patients to contribute to such accounts to pay co-pays and deductibles.
  3. Preexisting conditions would continue to be excluded as a basis to deny coverage but only if the patient has had continuous insurance for eighteen months prior to selecting a new policy. If not, coverage might be denied for up to eighteen months under the new policy.
  4. Limiting the amount of money companies can deduct from their taxes for employee health insurance expenses.
  5. States would be paid federal funds to set up high risk pools to assist those with preexisting conditions who cannot afford insurance on the private market.

While Dr. Price has indicated his willingness to negotiate and compromise on what the ultimate replacement looks like, it remains to be seen how flexible he and the Republicans will be on a substitute for the ACA. Regardless of the final form, one cannot forget that as Secretary of HHS, Dr. Price would ultimately control the authoring of the enabling regulations to implement the new legislation.

It is anticipated that during President-Elect Trump’s first 100 days in office this issue will be addressed.

OCR and FTC Detail Overlapping Interests Between HIPAA and the FTC Act

On October 21, 2016, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) issued joint guidance highlighting the agencies’ common interest in protecting individuals’ health information.

The health care industry is familiar with the restrictions on use and disclosure of protected health information (PHI) imposed by HIPAA.  In general, other than as required by the HIPAA Privacy Rule or for treatment, payment or health care operations, HIPAA requires a valid, signed authorization from the individual before any further use or disclosure of their PHI can occur.   This authorization must be in “plain language,” not be combined with any other type of authorization, and include specific terms and descriptions of the information sought and the proposed use or disclosure.

The FTC’s interest in the healthcare sector’s information security practices is less well known, however.  Many may be surprised by the FTC’s longstanding position that its broad power to regulate unfair and deceptive practices under Section 5 of the FTC Act includes overlapping jurisdiction with OCR concerning the privacy and security practices of HIPAA-regulated entities.

Under the FTC Act, a contemplated use or disclosure of health information must not be a “deceptive or unfair” act or practice. Among other things, this means that individuals may not be “misled” about how their PHI may be used or disclosed. The FTC therefore recommends that entities consider all of their consumer-facing messaging to ensure it is free from any deceptive or misleading statements. Moreover, the FTC explicitly cautions against burying key facts regarding use and disclosure of health information in links to a privacy policy, terms of use, or HIPAA authorizations. It also warns against manipulating font sizes or colors online in a manner which would make disclosure statements deceptive. Instead, it recommends that all disclosure statements be “clear and conspicuous” from a consumer’s perspective.

OCR and the FTC have a history of collaboration and joint enforcement in the security area.  In February 2009, OCR entered into a $2.25 million settlement agreement with CVS Pharmacy, Inc. (CVS) and required implementation of a detailed corrective action plan to ensure the proper disposal of PHI.  Simultaneously, in a separate but related agreement, CVS resolved FTC charges that it failed to implement reasonable and appropriate procedures for handling personal information about customers and employees, did not adequately train employees, did not use reasonable measures to assess compliance with its policies and procedures for disposing of personal information, and did not employ a reasonable process for discovering and remedying risks to personal information.

A year later, in July 2010, Rite Aid Corporation entered into a similar resolution agreement, paying $1 million to OCR and implementing a corrective plan of action while simultaneously settling an FTC complaint which alleged it failed to properly dispose of personal information, inadequately trained employees, did not sufficiently assess compliance with its disposal policies, and did not employ a reasonable process for discovering and remedying risks to personal information.

In addition, the FTC has not hesitated to bring enforcement actions on its own against healthcare entities. Most notably, the FTC has doggedly pursued LabMD, a former clinical laboratory which no longer operates, for failure to protect patients’ sensitive personal information. This resulted in a July 2016 unanimous opinion from the FTC which found LabMD’s security practices unreasonable, “lacking even basic precautions to protect the sensitive consumer information maintained on its computer system.” A motion to stay the FTC’s enforcement order has recently been filed in the Eleventh Circuit by LabMD. See LabMD, Inc. v. FTC, 11th Cir., No. 16-16270, motion to stay filed, Oct. 7, 2016.

It remains to be seen whether this recent joint statement from OCR and FTC foreshadows a more robust collaboration between the two agencies which builds on their efforts in the CVS and Rite Aid cases and expands into the HIPAA Privacy Rule area.  Even if that does not immediately occur, the FTC remains active in pursuing cases on its own, such as LabMD.  Whatever the outcome, businesses in the healthcare sector should remain sensitive to the FTC’s mandates, along with those from OCR.