Trusiak Law - Buffalo Attorney, HERO act, HIPAA Law


SuperUser Account
/ Categories: General

2020 Work Plan Essentials Using 2019 as the Guidepost

This second installment of my 2020 compliance discussion addresses the spectrum of 2020 Work Plan deliverables beyond the HIPAA compliance covered in my previous article. Effective compliance programs recognize the need to follow developments across a broad spectrum, including litigation, legislation, and issues affecting privacy, security, and public health.

The Allina court decision and October 2019 Executive Order

The June 2019 decision by the US Supreme Court in Azar v. Allina Health Services, 139 S. Ct. 1804 (2019) created opportunities for health care providers to push back on False Claims Act (FCA) or whistleblower actions, or criminal matters advanced on regulatory and informal guidance. The court decision emphasized that the Medicare Act requires the Department of Health and Human Services (HHS) to engage in notice-and-comment rulemaking prior to adopting any substantive legal standard. Material in manuals and other guidance documents alone cannot be the basis for actions against providers. (See my blog for a brief discussion of the Allina decision.) An October 2019 Executive Order re-emphasized the requirement that any action taken by the government must be based on law and regulation.

The Opioid Crisis

2020 requires health care providers to engage in critical introspection to address any historical prescribing compliance concerns and to ensure appropriate auditing of opioid prescribers going forward. Providers should consider the following action steps:

  • Stay informed
    • Stay informed about what is happening on the regulatory, legislative, enforcement and judicial fronts with regard to opioids.
    • Collaborate with internal departments, patient advocacy groups, clinical experts and others to develop strategies to handle risk areas related to opioid fraud and abuse.
    • View the podcast entitled OIG's Work Against the Opioid Epidemic at
  • Monitor
    • Coordinate with internal personnel to initiate internal data monitoring that specifically targets opioid fraud and abuse.
    • Have an interdisciplinary team to review prescriber analysis and treatment protocols.
    • Establish an opioid diversion prevention and detection program through which pharmacists can ensure the supply of opioids is used appropriately and prevent misuse through diversion.
    • Pharmacists can use data from the NYS Prescription Monitoring Program Registry or applicable state registry to track prescribing practices and patient behaviors that lead to abuse.
    • Review the OIG Report entitled Toolkit: Using Data Analysis to Calculate Opioid Levels and Identify Patients at Risk of Misuse or Overdose.
    • Mimic the toolkit data metrics for your organization.
  • Policies
    • Update and monitor policies pertaining to physical, administrative and technical medication safeguards, inventory management and risk identification.
  • Governance
    • Provide your governing boards, or board compliance committee, with an overview of and updates on new opioid regulations and changes in the law.

New York State SHIELD Act

In July 2019, New York enacted the Stop Hacks and Improve Electronic Data Security Act (the "SHIELD Act"), making key changes to New York's data breach notification and cybersecurity laws. I have included a Decision Tree with key provisions that are required under this statute. Further, the SHIELD Act added "Data Security Protections" in a new Section 899-bb of the General Business Law that becomes effective March 21, 2020. See my November blog that compares SHIELD and HIPAA requirements.

Privacy and Security

Security of information and the protection of privacy continue to be two key areas, not only for health care entities generally but also in New York State with the passage of the SHIELD Act (see above). The Office of Civil Rights (OCR) is vigorously prosecuting health care entities that fail to follow HIPAA requirements. In November and December 2019, the OCR announced over $6 million in penalties for entities that failed to follow basic HIPAA requirements. As noted in our January 2019 blog, a Security Risk Analysis is an essential effort to identify and protect an organization and its information. As the scope of information that is exchanged between providers, insurance providers, individuals, and governmental entities continues to expand, more attention is focused on the interoperability of this information sharing. Each point of contact introduces additional risk of unauthorized access and vulnerability.

Be sure to update your Security Risk Assessment on an annual basis. See my discussion of the HIPAA security risk assessment.


2019 saw some significant proposed rules that will be operationalized in 2020. In September, the Centers for Medicare and Medicaid (CMS) announced a final rule expanding CMS's authority to deny or revoke enrollment in the Medicare program as a result of "bad actor" affiliations. Providers and suppliers will be required to disclose any and all affiliations that they have, or had within the previous five years, with former or current providers or suppliers that have a disclosable event. "Disclosable events" include (1) uncollected debt with Medicare, Medicaid or CHIP; (2) payment suspension under a federal health care program; (3) exclusion from Medicare, Medicaid, or CHIP; and (4) the denial, revocation or termination of billing privileges. CMS plans to phase this disclosure process in by focusing on specific providers and suppliers that it determines have at least one affiliation with a provider who has a disclosable event. The program will continue to expand to all providers following the initial phase-in. Medicaid plans are also required to ensure compliance with these disclosure requirements. To prepare to meet these requirements, providers should begin to inventory their relationships with other providers and suppliers with special focus on entities with possible disclosable events.

In October 2019, CMS issued a proposed rule to modernize and clarify the physician self-referral law, which is commonly called the Stark law. The proposed rule would allow physicians and other healthcare providers to coordinate care of the patients they serve, allowing providers across different healthcare settings to work together to ensure patients receive the highest quality of care. There are also proposals to advance value-based healthcare and delivery systems. Interested parties had until December 31, 2019 to comment on these proposed changes. Comments and the final rule should appear in the Federal Register in the early part of 2020.

Based on a November 2019 Executive Order, CMS is issuing two rules to increase price transparency. The first rule is the Calendar Year (CY) 2020 Outpatient Prospective Payment System (OPPS) & Ambulatory Surgical Center (ASC) Price Transparency Requirements for Hospitals to Make Standard Charges Public Final Rule. The second rule is the Transparency in Coverage Proposed Rule. Both of these rules require that pricing information be made publicly available. One of the requirements that hospitals and insurance carriers are fighting is the requirement to disclose negotiated rates for in-network providers and allowed amounts paid for out-of-network providers. In order to ensure that hospitals comply with the requirements, the final rule provides CMS with new enforcement tools including monitoring, auditing, corrective action plans, and the ability to impose civil monetary penalties of $300 per day. CMS is finalizing that the effective date of the final rule will be January 1, 2021 to ensure that hospitals have the time to be compliant with these policies.

In a similar vein, Governor Cuomo proposed that NYS hospitals must submit pricing information for specific services for publication on a state-wide website. The proposal did not negate the requirement that hospitals also provide information on their external websites regarding pricing.

Cannabis Policy Trends

  • The Secure and Fair Enforcement Banking Act (SAFE Banking Act) is currently pending. This legislation would allow banks to work with marijuana companies rather than the current cash model.
  • The Food and Drug Administration (FDA) may assume a more active role in CBD regulation.
  • The US Department of Agriculture released an interim rule in October 2019 for hemp production. It also allows hemp businesses to access insurance and banking.

Federal Enforcement Actions in 2019

Following a slight downturn in fiscal 2018 recoveries of $2.9 billion by the US Department of Justice (DOJ), 2019 saw a marked increase to $3.05 billion in judgments and settlements under the False Claims Act (FCA). Recoveries from drug and medical device makers, hospitals and pharmacies accounted for $2.6 billion in restitution. There were recoveries of $252.1 million involving the US Department of Defense, more than double the defense-related recoveries of $107.5 million in fiscal 2018. Whistleblower suits helped the DOJ recoup $2.1 billion, and the whistleblowers were awarded $265 million for their role. According to information released by the DOJ, the single biggest FCA recovery was a $500 million settlement with drug maker Reckitt Benckiser over sales and marketing tactics for its opioid addiction treatment Suboxone. This was part of a broader $1.4 billion criminal and civil settlement. There was also a $112.5 million settlement with Duke University over claims of grant fraud.

It is always important to consider consulting with an experienced health care attorney to ensure all aspects of your situation have been thoroughly reviewed and analyzed in detail.
