UPMC Finally Settles Data Breach Lawsuit for $2.7 Million

UPMC’s employment records were hacked by criminals in 2014.  A civil class action lawsuit was filed on behalf of approximately 66,000 employees. Federal prosecutors also filed criminal cases against a number of individuals, and 4 have already pled guilty in connection with hacking the UPMC human resources data and using some of the information to commit federal income tax fraud.

In what has been referred to as a landmark opinion, the Pennsylvania Supreme Court declared that employers have a common law duty to use reasonable information security safeguards to protect employees’ personal information.

Under the proposed $2.7 million settlement, UPMC will establish a settlement fund for direct monetary relief to the settlement class members, pay up to $200,000 for administrative costs and $750,000 of Plaintiff’s attorney’s fees, and implement significant cybersecurity improvements.

Ongoing Federal Telehealth Fraud Enforcement

In previous Med Law Blog posts, we have featured examples of increased enforcement in the telehealth area, including the recent creation of the National Rapid Response Strike Force, announced by the Department of Justice on September 30, 2020, and OIG Takedowns in the DME and telehealth arenas.

Now, the OIG work plan includes at least 7 audits targeted at telehealth, identified in the attached PDF.

Commentators are expecting increased activity with respect to:

  1. Improper coding for telehealth services,
  2. Improper or inappropriate use of telehealth technology, especially when combined with state telehealth laws defining the parameters of the delivery of telehealth services,
  3. Evaluation of the appropriate state or billing requirements for the establishment of medically appropriate doctor-patient relationships,
  4. Increasing cybersecurity activity with respect to HIPAA and data privacy laws, and
  5. Audit of appropriate uses of COVID-19 relief funds from multiple programs, i.e. provider relief and paycheck protection, which incidentally was also mentioned in the April 21, 2021 post “Medical Practices Face Liability for COVID Accelerated and Advance Payments and PPP Loans” at the following link: https://www.medlawblog.com/2021/04/articles/articles-1/medical-practices-face-liability-for-covid-accelerated-and-advance-payments-and-ppp-loans/



Medical Practices Face Liability for COVID Accelerated and Advance Payments and PPP Loans

Medical practices are now beginning to encounter Medicare payment clawbacks by CMS for COVID Accelerated and Advanced Payments (CAAP) and Department of Justice (DOJ) prosecution for Paycheck Protection Program (PPP) abuses.

Please check the links below for additional information.


Proposed HIPAA Changes Intended to “Empower Patients” and “Improve Coordination of Care”

On December 10, 2020, the Department of Health and Human Services (HHS) and the Office of Civil Rights (OCR) collaborated on announcing proposed HIPAA changes, intended to “empower patients” and “improve coordination of care”.

That’s encouraging, although one would have thought that to be unnecessary by now.  HIPAA was enacted in 1996.  It is a little surprising this remains a problem.

The announcement and proposals occupy approximately 350 pages, accessible through this link, so we are going to wait until we get something more specific to discuss actual language, but the changes that appear to have the most potential impact are as follows:

  • Allowing patients to take images and make notes with respect to electronic records rather than waiting for paper copies
  • Facilitating the use of an “EHR pathway”, so that the patients can share records with multiple providers online
  • Providing exceptions to the “minimum necessary disclosure” language which would allow more sharing for the purpose of improving coordination of care
  • Allowing disclosure of PHI when the providers determine in good faith that it would be in the best interest of the patients, i.e. disclosure to family
  • Allowing more disclosures to law enforcement when there is a serious and reasonably foreseeable threat

2021 Medicare Fee Schedule Conversion Factor Reduction Reversed

CY 2021 Physician Fee Schedule Update

On December 27, 2020, the Consolidated Appropriations Act modified the Calendar Year (CY) 2021 Medicare Physician Fee Schedule (MPFS):

  • Provided a 3.75% increase in MPFS payments for CY 2021
  • Suspended the 2% payment adjustment (sequestration) through March 31, 2021
  • Reinstated the 1.0 floor on the work Geographic Practice Cost Index through CY 2023
  • Delayed implementation of the inherent complexity add-on code for evaluation and management services (G2211) until CY 2024

CMS has recalculated the MPFS payment rates and conversion factor to reflect these changes. The revised MPFS conversion factor for CY 2021 is 34.8931. The revised payment rates are available in the Downloads section of the CY 2021 Physician Fee Schedule final rule (CMS-1734-F) webpage.