Phishing has long been a favorite tactic for threat actors (hackers) to commence a cyberattack. The rapid expansion of more adaptable and available artificial intelligence (AI) technologies, such as natural language processing and large language models, now fuels more ferocious phishing campaigns. The effects are being felt in many industries, perhaps most notably the healthcare industry. One indicator of that may be the recent Office for Civil Rights (OCR) announcement of its “First Ever Phishing Cyber-Attack Investigation.”

Many HIPAA covered entities and business associates struggle with developing and implementing a sanctions policy. What should it say? Is zero tolerance required? Do we have to impose discipline in every case? These are examples of frequent and thorny questions that arise in connection with the development and implementation of these policies. But they are important questions to answer, especially considering the federal Office for Civil Rights (OCR) position concerning these policies.

What do ransomware, Yelp, and website tracking technologies all have in common? They are troubling areas of concern for HIPAA covered entities and business associates, according to one official from the federal Office for Civil Rights (OCR), which enforces the HIPAA privacy and security rules. Recently, the Executive Editor of Information Security Media Group’s (ISMG’s) HealthcareInfoSecurity.com media site, Marianne Kolbasuk McGee, sat down with Susan Rhodes, the OCR’s acting deputy for strategic planning and regional manager, to discuss these issues.

The healthcare sector is a prime target for data breaches. According to a summary by the HIPAA Journal, 32% of all data breaches between 2015 and 2022 were in the healthcare sector, “almost double the number recorded in the financial and manufacturing sectors.” Industry analysts cite many reasons for this, including the sensitivity of health data and its value on the black market compared to other forms of data. Evidently, another driver of data breaches for healthcare entities is M&A activity.

Recently, things may have sped up a little in your doctor’s office. The notes for your recent visit may have been organized and filed a little more quickly. You might have received assistance sooner than expected with a physician letter to your carrier concerning a claim. You also may have received copies of those medical records you have been waiting for, earlier than usual. Greasing the skids in these areas could be due to the use of generative AI technologies, such as ChatGPT, being leveraged in a myriad of ways across all industries, not just healthcare. Read what our Privacy, Data Management & Security colleagues have to say about steps to consider before sharing protected health information with a third party.

The EEOC has filed suit in federal court against a home care provider, alleging it unlawfully discriminated against employees when it changed their work assignments to accommodate client preferences. EEOC v. ACARE HHC d/b/a Four Seasons Licensed Home Health Care, 23-cv-5760 (E.D.N.Y. July 31, 2023).

The suit alleges the home care provider “routinely would accede to racial preferences of patients in making home health aide assignments, including by removing Black and Hispanic home health aides based on clients’ race and national origin-based requests. Those aides would be transferred to a new assignment or, if no other assignment were available, lose their employment completely.” The EEOC contends this conduct violates Title VII of the Civil Rights Act of 1964. The EEOC seeks compensatory and punitive damages for the affected employees, and injunctive relief to remedy and prevent future discrimination based on employees’ race and national origin.

The issue of accommodating patient or client preferences in making assignments is a familiar one for healthcare providers. We previously reported in 2016 about a case in which a federal district court ruled a respiratory therapist could proceed with her civil rights claims because questions remained about whether her hospital employer intended to honor a patient’s request that he not be treated by black employees. That case arose under 42 U.S.C. §1981, which prohibits discrimination in making and enforcing contracts but, unlike Title VII, does not require evidence of an “adverse employment action.” Thus, the court rejected the hospital’s defense that the plaintiff did not suffer an alteration in terms and conditions of employment, which is currently required under Title VII. The Supreme Court recently accepted for review a case that challenges the Title VII adverse employment action requirement. Muldrow v. City of St. Louis, Mo., No. 22-193. Removing the adverse employment action requirement could make it easier for employees to prevail in cases where healthcare providers change employee assignments based on patients’ racial or national origin preferences.

While healthcare providers strive to accommodate a wide range of patient preferences, they must be careful that such accommodations do not run afoul of applicable state and federal employment discrimination laws. Much has been written in scholarly journals and trade publications regarding strategies for dealing with patients refusing treatment by providers based on race and national origin. One such resource is the American Medical Association’s article, “When Patients Are Prejudiced, Here’s What Physicians Should Do.” This article and the EEOC’s suit against this home care provider are reminders of the importance of training all patient-facing staff on your organization’s commitment to maintaining a work environment free from unlawful discrimination.

Members of the Jackson Lewis Healthcare Industry Group routinely advise clients on anti-discrimination policies and diversity, equity, and inclusion strategies and provide training on preventing workplace discrimination. Please contact your Jackson Lewis attorney if you would like to learn more about these services. 

On July 25, 2023, the tri-agencies of the Departments of Treasury, Labor, and Health and Human Services (the Departments) issued a compendium of guidance designed to facilitate compliance with the Nonquantitative Treatment Limitation (NQTL) comparative analysis requirements added by the Consolidated Appropriations Act, 2021 (CAA, 2021) as they relate to the Mental Health Parity and Addiction Equity Act (MHPAEA). The guidance signals that employer-sponsored group health plans will have some work to do to improve their mental health and substance abuse treatment provider networks, their data collection efforts to better evaluate the parity in care, and the production of sufficient NQTL comparative analysis reports.

The Department of Health and Human Services and the Federal Trade Commission have sent a joint letter to approximately 130 hospital systems and telehealth providers to emphasize the risks and concerns about the use of technologies, such as the Meta/Facebook pixel and Google Analytics, that can track a user’s online activities.

On June 16, 2023, Nevada’s Governor signed Senate Bill (SB) 370, which enacts certain protections for consumer health data. The law is similar to Washington’s My Health, My Data Act, which was passed in April. The Future of Privacy Forum prepared a useful chart comparing the Washington and Nevada laws. Nevada’s law becomes operative on March 31, 2024.

Liability in False Claims Act (FCA) suits depends on whether a defendant subjectively believed its claims were false, not on whether it can offer an objectively reasonable basis for its claims, the U.S. Supreme Court has held in a unanimous decision authored by Justice Clarence Thomas. U.S. ex rel. Schutte v. SuperValu Inc., No. 21-1326, together with U.S. ex rel. Proctor v. Safeway, Inc., No. 22-111 (June 1, 2023). Following the Court’s decision, Medicare and Medicaid providers and other federal contractors should practice caution when submitting claims to the U.S. government.