Recent remarks made by the Centers for Medicare & Medicaid Services (“CMS”) Acting Administrator Andy Slavitt at a healthcare conference indicated that CMS will be ending the “meaningful use” electronic health record (“EHR”) Incentive Program in 2016, five years ahead of its original final end date of 2021. Acting Administrator Slavitt did not elaborate on the specifics of what will replace meaningful use, but stated it would likely be tied to the implementation of the Medicare Access and CHIP Reauthorization Act of 2015 (“MACRA”) and would include various streamlined quality reporting programs. MACRA emphasizes a new Merit-Based Incentive Payment System and alternative payment models, and according to Acting Administrator Slavitt, this new law warrants a new streamlined regulatory approach to EHR as well.

Cancer Care Group, P.C. settled alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules on September 2 with the U.S. Department of Health & Human Services Office for Civil Rights (OCR) for $750,000. Cancer Care, a radiation oncology private physician practice located in Indiana, also agreed to adopt a corrective action plan to remedy defects in its HIPAA compliance program.

A New York district court issued the first judicial opinion on the Affordable Care Act’s “60-day rule” on Monday, Aug. 3. The rule requires that a Medicare or Medicaid overpayment be reported and returned within 60 days of the date on which the overpayment was “identified.” The decision by Judge Edgardo Ramos provided a definition of what it means to “identify” an overpayment and thus begin the 60-day time period in which overpayments must be reported and returned. Given that the 60-day rule maintains that any person who knowingly fails to comply with this obligation within the 60-day timeframe has violated the False Claims Act (“FCA”), the potential implications of Judge Ramos’s decision are significant.

The District of Columbia reached a settlement agreement with Children’s Hospital, Children’s National Medical Center Inc. and its affiliates (collectively, “CNMC”) on June 15, 2015, to resolve allegations that CNMC violated the False Claims Act by submitting false cost reports and other applications to the U.S. Department of Health & Human Services (“HHS”) as well as to the Virginia and District of Columbia Medicaid programs. Further details can be found in the Department of Justice’s press release announcing the settlement.

The state of Georgia reached a civil settlement agreement on April 23, 2015, with Grady Health System based on allegations that Grady incorrectly coded claims for neonatal intensive care unit (NICU) patients, resulting in overpayments by Georgia Medicaid. For more details, read the Georgia Attorney General’s press release announcing the settlement.

By now you have probably heard about the ongoing FIN4 cyber attacks on publicly traded entities in the healthcare and pharmaceutical industries. If not, here’s a brief recap.

On Sunday, Nov. 30, security consulting firm FireEye published a report on the current hacking efforts of a group dubbed FIN4. FIN4 has targeted more than 100 organizations, 68 percent of them publicly traded healthcare and pharmaceutical companies, stealing non-public information for illicit trading advantage. Additional targets include law firm partners and M&A consultants privy to proprietary information on imminent merger and acquisition transactions or other non-public, market-moving developments.