1st Talk Compliance

First Healthcare Compliance

Tune in to 1st Talk Compliance with your host, Kevin Chmura. On this 30-minute, informative program, Kevin and his guests discuss the hottest topics, pain points and learning opportunities related to healthcare compliance management in America. Whether you’re wondering about federal fraud and abuse laws, OSHA, or human resources compliance, tune in to gain insight. Here you can also enjoy our archived library of audio webinars and partner interviews! We help healthcare compliance officers achieve peace of mind, and we’re excited to bring some of the brightest minds together on 1st Talk Compliance!

  1. 3D AGO

    Telehealth Extensions & 2026 Compliance Priorities: A Compliance Cliffs Update

    In this episode of 1st Talk Compliance, Kevin Chmura is joined by Robyn Johns, as they discuss recent updates to their November live webinar, Compliance Cliffs: Navigating Telehealth Waivers and Reimbursement Changes. Learn how the policy landscape has shifted in recent months—especially around telehealth flexibilities, controlled substance prescribing, and the 2026 CMS payment rules.

    Kevin Chmura: Welcome to 1st Talk Compliance. I’m Kevin Chmura, CEO of Panacea Healthcare Solutions. Today we’re bringing you a timely update on our November live webinar, Compliance Cliffs: Navigating Telehealth Waivers and Reimbursement Changes. Since that webinar, several policy changes have moved quickly, especially in telehealth flexibilities, controlled substance prescribing and 2026 CMS payment rules. Before we jump in, just a quick note. 1st Talk Compliance is brought to you by 1st Healthcare Compliance, a part of Panacea Healthcare Solutions. We help healthcare organizations strengthen their compliance programs with practical education tools and compliance management support, so teams can reduce risk, keep pace with regulatory change and operate with confidence. Now I’m pleased to welcome back Robyn Johns from Med USA. Robyn, thanks for coming back.

    Robyn Johns: Thanks, Kevin. I’m happy to be here.

    Kevin Chmura: Great. So, let’s jump in. So, in November on the webinar, we spent a lot of time on what people were calling the telehealth cliff, which was creating a tremendous amount of uncertainty on whether flexibilities would expire. Can you catch us up on what the status is now?

    Robyn Johns: Yeah. The major update is that the spending package released on January 20th includes extensions of the telehealth flexibilities all the way through December 31st of 2027.

    Kevin Chmura: So that’s a pretty meaningful runway. That’s great, but I guess it doesn’t eliminate compliance obligations, but it is reducing near-term uncertainty, which gives everybody some time to standardize workflows. So, it’s in the news, but maybe you could tell us. So, what’s in the spending package at a high level and what should healthcare leaders like us be paying attention to?

    Robyn Johns: Right. So, the one from the 20th was a $1.2 trillion spending package released by the House Appropriations Committee, and it was just passed yesterday on the 22nd in two separate votes by the full House. So, those bills included the remaining six of the twelve appropriations necessary to avert a government shutdown. So that’s good news for everyone. If we can get them across the finish line, they fund many of the federal government agencies such as HHS, Labor, Defense, HUD, and also Homeland Security. That was a contentious one. That’s why they had to do two separate votes. It funds them through fiscal year 2026, which ends on September 30th of this year.

    Kevin Chmura: So, OK, so we have a funding package with multiple healthcare policy riders. Not, I guess, too surprising in today’s day and age. So, besides the telehealth through 2027, what else is included in there that compliance and operational leaders should know about?

    Robyn Johns: So the riders also include PBM reform, and it extends hospital at home actually through 2030, which is another one that hit a lot of facilities hard with the government shutdown. It extends the Medicare dependent hospital and low volume hospital programs, which is really beneficial for our rural providers, and it delays the Medicaid disproportionate share cut again until fiscal year 2028. Notably, for a lot of people, it does not include an extension of the ACA subsidies, which were such a sticking point in the government shutdown last fall.

    Kevin Chmura: Yeah, that last point is operationally really important, and coverage instability often turns into eligibility churn and puts real payer mix pressures on the, you know, same patients, different coverage, right? And that just, you know, probably increases downstream compliance and documentation stress. Yeah, that’s a tough one. So what’s the timing of congressional action now?

    Robyn Johns: So with the House passing all of the bills, they now send the full appropriations package to the Senate. The Senate will take all of that up when they return from recess on Monday the 26th, and will hopefully pass them all ahead of the January 30th deadline. And hopefully without any significant changes which might require them to go back to the House, because the House will be on recess next week.

    Kevin Chmura: Wow. So split schedule; it’s why we should keep ourselves in a monitoring posture. I guess we should always be monitoring, but things are moving pretty quickly right now and you sort of get into that world of what is expected is not what’s in effect. Which is always a tough place to operate, but hey, that’s healthcare, isn’t it? So, given the extension to 2027, in your opinion, what should compliance teams be doing now? Like, what are some practical next steps?

    Robyn Johns: First, you’ll want to make sure that your internal policies and educational materials reflect what’s currently in effect. No major changes since most of those telehealth things were extended, but it’s always good to double check because lots of things change around the beginning of the year. Also validate your payer specific rules. Medicare policy direction is influential, but commercial payers and state laws differ. So, you’ve got to make sure that you are matching up with those differences. And then third, we should talk about strengthening your auditing of documentation, the modifiers, your place of service, medical necessity, all of those things that can vary depending on the payer and the specific situation of the patient.

    Kevin Chmura: Yeah, that payer variation point is where a lot of organizations end up being exposed, I guess, right? Telehealth’s not really governed by one rule. You’ve got federal policy, state overlays, and then you have commercial policy updates really coming at you a number of different ways. So, I guess a good control to maintain is maybe a payer policy matrix, and try to align it into your documentation and coding guidance. Probably a solid piece of advice.

    Robyn Johns: Absolutely.

    Kevin Chmura: Yeah. So, let’s move on to probably one of the highest risk areas that we covered in the webinar, and that’s controlled substance prescribing via telehealth. What’s the latest there?

    Robyn Johns: Good news there as well. At the end of the year, DEA and HHS extended the telehealth flexibilities for prescribing controlled substances through this year, December 31st of 2026. There are a few rules that can apply, but because they extended the flexibilities, it’s pretty much status quo until they change it again at the end of the year.

    Kevin Chmura: Cool, so that’s a critical compliance area because of the high risk profile, and that really includes some regulatory scrutiny and enforcement, not really just a reimbursement issue.

    Robyn Johns: Yes, it’s highly watched.

    Kevin Chmura: Yeah. And I guess as well it should be. So given that, what controls should organizations prioritize right now to reduce risk in that area?

    Robyn Johns: Definitely you’ll want to have clear prescribing policies, good documentation standards, and role-based training. Also, usually they want to include identity verification and required checks when they’re applicable, and consistent auditing to ensure that your process is followed, not just written down. This is another area where state regulations can vary, so you would want to make sure that you are compliant in every state where you see patients.

    Kevin Chmura: Yes, and you’re the expert, not me. But I guess I’d add, if you expand telehealth quickly, take time now to ensure your governance is mature. And I’m thinking credentialing, supervision, documentation and audit trails, always the basics that can help you hold up under scrutiny.

    Robyn Johns: Definitely. When you expand quickly, sometimes you sacrifice certain things for speed. So, you have a minute now to go back, now that you’re sure that those policies aren’t changing anytime soon, to just go back and make sure that everything’s in place in all of those areas.

    Kevin Chmura: Yeah, I mean, like any business, things run better with certainty, but in healthcare we rarely have that. So, great. So, moving on to the 2026 CMS updates that we talked about a little bit. So, there’s been some changes in payment policy that are driving operational changes, and it’s where those operational changes come in that we introduce compliance risks if teams can’t keep pace, and often they can’t. So, what are the 2026 physician fee schedule highlights?

    Robyn Johns: Yeah. So, we talked about these back in November and of course they went into place at the beginning of this year. So, a little bit of good news there with the conversion factor. It included the 2.5% increase that had been mandated by Congress. It also included a .75% increase for clinicians in advanced APMs or a .25% increase for clinicians who participate in MIPS or who are exempt. And then there was also a .49 budget neutrality increase.

    Kevin Chmura: So, the real impact varies by payer mix, site of service and quality of participation. What about RVU related changes?

    Robyn Johns: So that’s kind of the devil in the details there. It also implemented a -2.5% efficiency adjustment on certain non-time based services to the physician work RVU, and there is also a + or -50% practice expense RVU adjustment for facility based services. So, it’s -50% if it’s facility based services or a +50% for non-facility based services.

    Kevin Chmura: Wow. So site of

    20 min
  2. 07/14/2025

    Update to the HIPAA Privacy Rule to Support Reproductive Healthcare Privacy Compliance

    In this episode of 1st Talk Compliance, Kevin Chmura is joined by Rachel Rose, JD, MBA, as they discuss recent changes to the HIPAA Privacy Rule to Support Reproductive Health Care and Privacy in relation to recent court rulings. This rule, which went into effect in April of 2024, still has certain components which practices need to know about and adhere to heading into 2026. Learn about how these rulings are, and will be, impacting this important rule, and what HIPAA regulated organizations need to know concerning these updates. In addition, hear about what might be coming in the future of not only reproductive health regulations, but also various other areas of healthcare with regard to privacy.

    Kevin Chmura: Hello and welcome to today’s episode of First Talk Compliance. I’m your host, Kevin Chmura, CEO of First Healthcare Compliance and Panacea Healthcare Solutions. And I’m excited to bring you an important discussion about a major legal development that impacts all HIPAA regulated entities. By way of background, on June 18th, 2025, the U.S. District Court for the Northern District of Texas issued a nationwide order striking down the HIPAA Privacy Rule Amendments designed to strengthen reproductive health care privacy. The amendments had been mandatory since December 2024, and this court decision has created a new compliance challenge for covered entities and business associates. To help us understand what happened, why it matters, and what organizations should do now, we’re joined by our expert guest, Rachel V. Rose, J.D., MBA, who’s a leading authority on HIPAA healthcare privacy law. If you listen to our podcast, you’ve heard Rachel many times. In fact, we’ve discussed this particular topic, or issues around it, pretty recently. So it’s great to have her back. So, Rachel, welcome back. Thank you for coming to share your expertise with us today.

    Rachel V. Rose: Kevin, it’s always my pleasure and thank you for having me back.

    Kevin Chmura: Yeah, your content is always heavily consumed because it’s very important. So we thank you for being here. So, maybe probably the best way to just start off is if I can ask you to just briefly explain what the U.S. District Court’s order did, why it’s significant and who it applies to?

    Rachel V. Rose: Absolutely. So on June 18th of this year, the United States District Court for the Northern District of Texas, and specifically the Amarillo Division, in the case captioned Carmen Purl et al. v. United States Department of Health and Human Services et al. And for those who are interested, that case number is 2:24-CV-228-Z. And the Z correlates to the judge; any time you see initials or an initial after a case number, it’s the judge. And I’ll just simply refer to this case as the Purl case, P-U-R-L. Basically, what the court did was to issue an order vacating the April 16th, 2024 HIPAA Privacy Rule to Support Reproductive Health Care and Privacy. And for simplicity’s sake, I’ll just call that the HIPAA Reproductive Privacy Rule. And basically what it did was to leave intact the requirements regarding the updates to the notice of privacy practices, which are due in early 2026. And to focus on that, there really hasn’t been any guidance yet from HHS. But every covered entity and business associate and subcontractor needs to be aware that the notice of privacy practices updates, which really incorporate the HIPAA provisions along with 42 CFR Part 2 regulations, are still in play, and the Part 2 regulations specifically relate to the substance use disorder regulation. So that’s something that, again, covered entities, business associates and subcontractors should put on their calendar, and look for updates from First Healthcare Compliance whenever HHS releases some more guidance related to what should be included. As many know who have been in healthcare a long time, oftentimes HHS and SAMHSA, the Substance Abuse and Mental Health Services Administration, which oversees 42 CFR Part 2, will issue guidance or form types of agreements or other relevant compliance items. One great example is the Business Associate Agreement. So that’s the part that should be calendared, and people should make sure that they are staying abreast of it. Now that brings us to what was vacated. And so basically, procedurally, the court granted the plaintiffs’ motion for summary judgment. And for those non-lawyers, summary judgment is available when there is no issue of a material fact. In essence, it is judgment as a matter of law, and in doing so, denied the defendant’s, which in this case is the United States Department of Health and Human Services, motion to dismiss for lack of jurisdiction. And the specific sections that were vacated pursuant to 5 U.S.C. Section 706(2), except for the modifications that I mentioned to C.F.R. Section 164.520 with the notice of privacy practices, are the provisions associated with what were 45 C.F.R. section 164.520(b), 1, 2, F, G, and H. And so for those who were familiar with what was required under those particular items, that had to do with the reporting requirements and the attestation requirements under law, and that’s distinct from the law enforcement exception. A couple of items that are also notable, Kevin, and other healthcare attorneys in the space have also honed in on this, is that the plaintiff indicated, and the court honed in on this, saying that under the Administrative Procedures Act the government exceeded its rulemaking authority. However, a lot of lawyers are of the opinion that Congress merely barred rules that supersede state statutes, not those that add reasonable conditions. And so that’s something that I want to emphasize too, as I normally do in our discussions, that state laws cannot be overlooked.

    Kevin Chmura: So that’s significant given that you and I not that long ago discussed some of the updates to HIPAA 2024 rules. So it’s interesting that we’re talking about it this soon thereafter; I kind of thought that we were a little bit settled there. So maybe just do a quick check. Are there any other reproductive rights related lawsuits that are significant that we should know about and be paying attention to?

    Rachel V. Rose: I would say the one that is very prominent is the recent Supreme Court opinion in United States versus Skrmetti, the attorney general and reporter for the State of Tennessee. And what’s notable about that case is that it was a 6-3 opinion which upheld Tennessee’s ban on puberty blockers and hormone therapy for transgender teenagers. Texas also actually had a similar law, and last year, in 2024, the Texas Supreme Court upheld a state law banning doctors from prescribing gender affirming care to transgender minors, and a state policy expanding the definition of child abuse to include gender affirming care remains blocked following a state court of appeals decision last year. So notably, the court actually has agreed to hear a couple of other transgender related cases, including transgender participation in female sports. And so this is an area that should be read in conjunction with any HIPAA Privacy, any law enforcement exception, which is found under the HIPAA regulations at 164.51 Q, and just really be conscientious and cautious about what the individual states are requiring, as well as following the United States Supreme Court’s ruling. Because, in this particular case, the court held that Tennessee’s law prohibiting certain medical treatments for transgender minors is not subject to heightened scrutiny under the equal protection clause of the 14th Amendment and satisfies rational basis review. So whenever one looks at civil rights issues under a constitutional analysis, we have what’s known as strict scrutiny. We have intermediate scrutiny, and then the lowest level of review is rational basis. Strict scrutiny we typically see applied to those items that are expressly mentioned in the 1964 Civil Rights Act: race, gender, religion. And for those who read any employment agreement with the nondiscrimination provisions, those same items are included there as well. Intermediate scrutiny is a level below, and then we have rational basis, which is the lowest level of review. I would also add that in relation to some of the 14th Amendment issues and strict scrutiny, one cannot overlook any executive order that is being issued right now. And as it relates to discrimination and the DEI initiatives, the executive orders that were published in January of 2025 that relate to this expressly upheld the Civil Rights Act of 1964. So you still cannot run afoul of that.

    Kevin Chmura: Wow. So just to clarify, a question from a non-attorney, because that’s amazing. So with respect to Skrmetti, or really any recent Supreme Court cases, will any of those have, or could they have, an impact on an appeal or the ultimate outcome of the Purl case?

    Rachel V. Rose: I think that’s a great question for three main reasons, Kevin. First and foremost, the Purl case. The judge used, as I mentioned earlier, the Administrative Procedures Act, and that’s very relevant because of the recent Supreme Court case Trump versus Casa Inc. And what’s relevant about Casa Inc., even though that’s a completely different area of law, is that the Supreme Court case, Casa, basically held that nationwide injunctions are invalid and they cannot be issued. They’re only specific to the individual parties to that case, right? That was brought, which typically makes sense; whenever I’ve used injunctive relief at the state court level, it’s to either get a temporary hold, so to speak, or to have conduct stop, but it only pertains to the parties. It doesn’t go beyond that. I can’t say every oil company, right, or every healthcare company is involved in this. And so basically what Casa did, and there’s been a lot of debate over nationwide injunctions b

    33 min
  3. 06/11/2025

    The Role of Compliance Programs in Mitigating False Claims Act Liability

    In this episode of 1st Talk Compliance, Kevin Chmura is joined by Rachel Rose, JD, MBA, as they discuss the False Claims Act in detail. The FCA, one of five federal laws built to combat fraud, waste, and abuse, is the government’s primary fraud fighting tool, with the healthcare industry being the largest contributor to recoveries for over a decade. Learn not only how to avoid running afoul of this law, but also some details of cases in which it was violated, and the repercussions those who did so faced. In addition, find out how a proper compliance program can protect your practice in various ways, including staying up to date on cybersecurity training.

    Kevin Chmura: Rachel, welcome to the podcast. Thanks for joining us.

    Rachel V. Rose: Thank you, Kevin, for having me back for another round of a very major healthcare compliance topic.

    Kevin Chmura: It very much is, yeah. This one generates some revenue for the government. So this is one that I think, especially in today’s environment, people should be paying a lot of attention to. So as I said in the intro, we’re here to talk about the False Claims Act. It’s one of the most important fraud, waste and abuse laws that applies to physicians and health care practitioners of all kinds. The healthcare industry has consistently been one of the, if not the, highest contributors to funds received under the False Claims Act. And it’s essential to be familiar with the law and maintain compliance programs to mitigate that risk. Rachel, I know you spend a fair amount of time in your practice in and around the False Claims Act defending and representing customers and providers. So you’re perfect to cover this topic for us. Wondering, though, if you could give us a brief synopsis of the False Claims Act and why it is unique?

    Rachel V. Rose: Absolutely. So as you mentioned, my practice focuses a lot on the False Claims Act, and I am fortunate to do a lot of compliance work not only around the False Claims Act, but HHS. OIG has identified five important federal fraud, waste and abuse laws: the False Claims Act, the Anti-Kickback Statute, the Stark Law, the Exclusion Authorities, and the Civil Monetary Penalties. And Kevin, as you mentioned, the False Claims Act is really the federal government’s primary fraud fighting tool. And in 2024, there were more than $2.9 billion in recoveries and, more so, healthcare represented over two thirds of that amount. That healthcare trend, as you mentioned, being the largest contributor, has gone on for at least the last decade. And what the False Claims Act does that makes it unique are really, I would say, five main things. But first, the False Claims Act goes back to 1863, and it is also known as the Lincoln Law. Its primary purpose, even back during the Civil War, was to root out fraud that was being perpetrated on the government. So how would that be done? Congress thought about it and said, well, the government could do it on its own if they caught wind of something, or they could insert a provision which gave an individual known as a relator, also known as a whistleblower, the potential to bring fraud to the government’s attention and receive a portion of the recovery. It’s very important to note that a relator, and I have represented several relators successfully, sometimes with co-counsel, sometimes without, so I get to see the False Claims Act from the whistleblower standpoint as well. But this notion of being able to represent a whistleblower is the first distinguishing factor. And that’s because in most other civil cases, a person can represent themselves on a pro se basis, meaning they don’t need a lawyer. There was a provision in the False Claims Act which in fact requires an individual to be represented by a lawyer. So unless the relator is a lawyer, then the individual needs to obtain counsel in order to file a False Claims Act case. That’s the first thing. Secondly, only the government can choose to open a criminal investigation. So even though certain laws like the federal Anti-Kickback Statute can have criminal penalties or civil penalties associated with them, only the federal government, or if a state has a similar type of law, the state, can actually move and bring a parallel criminal investigation and potential proceeding. So that notion that only the government can bring a criminal case is not unique to the False Claims Act. But what is unique is that a private party can bring a type of case, and that’s how the government learns of something to then potentially open a parallel criminal action. The process for the relator’s counsel is also very different. Normally, if I want to file a lawsuit in federal district court, I have to make sure that either a federal question is involved under 1331, or I need to meet the amount in controversy and diversity of the parties requirement under 1332. Well, first, the False Claims Act is a federal statute, so it falls under 1331. So that’s the same. What is not the same is that before I even file a case under seal in a United States District Court, I have to provide a disclosure and evidence to the local United States attorney where I’m going to file the case, as well as providing that same information to Main Justice in Washington, D.C. Another area that is relevant that I just mentioned is the seal. So that’s the third item. And initially, the statute itself provides for 60 days that the case is filed under seal, meaning no one knows about it but the relator, the lawyers, the judge, and whatever the court staff are, and that’s the way it has to stay. Now, the government may request what are known as seal extensions in this type of case. And another provision relates to the breaching of the seal. The 2016 Supreme Court case, Rigsby versus State Farm, is the case that outlined different factors, which first stated: A, just because there may be a seal breached doesn’t mean that the case is automatically dismissed. But the court said we get to apply these factors and make that determination. I will say that even if the court says no, this case doesn’t need to be dismissed, and the Government agrees with that, the government on the back end, when we start to get to the fee issue where the relator can recover, they, the government, have the right to drop the recovery, if there has been a breach of the seal, below what the typical statutory threshold is, and I’ll get to that in a moment. The other distinguishing factor in a False Claims Act case is once I file the case, it’s really in the government’s hands until they make a decision. And there are three ways a case can go. The government can intervene in the case, and intervention can occur at different times. I’ve had cases that have settled under seal and then the intervention decision is made and the seal is lifted by the court, so the government has taken the case through settlement, even though there has not been any action in court, so to speak. The second way to intervene is that if the defendant won’t settle while the case is under seal, the government can say, hey, all right, relator, we like the case, we have adequate resources. And I don’t necessarily mean monetary resources. I made the specific notion of adequate human resources, right? Because the government only employs so many people and so many assistant U.S. attorneys to work on these cases. So the Georgia Tech case is an excellent example where the government intervened and they’re the ones who are leading trial. So in that instance, the relator’s counsel and the relator just sit back, and if the government needs help with something, then they’ll ask. Declining to intervene means that the government is not going to intervene, but they say to myself or other relator’s counsel, if you would like to move forward with the case and prosecute it, you’re able to. And so I’ve had that scenario as well. And then lastly, they can dismiss the case under (c)(2)(A), and that’s always the government’s discretion. And the Supreme Court case, the Polansky case, is a case from 2023 that actually addressed that very issue. Now, penalties and damages: damages can be trebled under these circumstances. Penalties up until 2016 ranged from $1,500 to approximately, not $1,500, $5,500 to approximately $11,000 per violation. So that was per healthcare claim. Now the absolute minimum is over $11,500, and the upper end of that penalty range per claim is closer to $25,000. Oftentimes we don’t see penalties assessed unless a case goes all the way through to verdict in a trial. But it can still be costly for damages being trebled depending on the type of case. The relator’s recovery, if the government intervenes in the case, is between 15 to 25% of the total recovery. If the government declines, then the relator is entitled to 25 to 30% in the event of a successful recovery. And it’s important to note that the False Claims Act is not an intent based statute.

    Kevin Chmura: So. Well, wow, that was great. It’s dense, right? And there’s a lot there, and expensive for those that find themselves on the wrong end of this, and so super important. And you touched on, I think, a few of them, but I wonder if you could zero in a little bit on what healthcare laws are often included in False Claims Act cases.

    Rachel V. Rose: Several laws that are included, Kevin, include the Stark Law, and the Tuomey case, which was brought several years ago and to date is still one of the largest False Claims Act cases involving the Stark Law. It went up to the Fourth Circuit and that had to do with, in essence, paying kickbacks to physicians where a Stark exception was not met and they were getting remuneration outside of what met fair market value in order to refer patients for designated health services. Now, designated health services is a term of art within the Stark

    36 min
  4. 05/12/2025

    HIPAA Privacy Rule to Support Reproductive Healthcare Privacy Compliance

    In this episode of 1st Talk Compliance, Kevin Chmura is joined by Rachel Rose, JD, MBA, to discuss the HIPAA Privacy Rule to Support Reproductive Healthcare Privacy, passed in 2024. With the reproductive healthcare landscape being very dynamic, this new rule has already passed one compliance date, with a second important date coming in February 2026. Tune in to learn about this new rule, and what it means in terms of reproductive health, patient privacy, and the legality between different states. In addition, learn some best practices for implementing the requirements of this rule into your practice. On June 18, 2025, the U.S. District Court for the Northern District of Texas – Amarillo Division (Carmen Purl, et al. v. United States Department of Health and Human Services, et al., Case No. 2:24-cv-228-Z (N.D. Tex.)) issued an order vacating the HIPAA Privacy Rule to Support Reproductive Health Care Privacy, published on April 26, 2024, which amended the HIPAA Privacy Rule (Reproductive Health Rule). The decision left intact amendments to the HIPAA rule regarding certain Notice of Privacy Practice provisions pertaining to substance use disorder regulations, which need to be adhered to by early 2026.

    Kevin Chmura: Rachel, thank you for joining us. Appreciate you joining us and looking forward to a timely discussion.

    Rachel V. Rose: Thank you, Kevin, for having me, as well as to Panacea and First Healthcare Compliance, it’s always my pleasure to coordinate and converse with you on our favorite healthcare compliance topics.

    Kevin Chmura: And it’s always great having you helping us with this and your expertise is invaluable. And you helped us and were the contributor, really writer, of an e-book on this particular subject that will be released very soon. Really this podcast is somewhat of a companion piece to that. And so what we’re talking about today is the HIPAA privacy rule to support reproductive health care privacy, passed in 2024. Reproductive health is a prominent and evolving topic within the healthcare policy landscape. It really, major changes have come down in recent years, and so there’s just a ton. So we thought it would be great to publish a book to get everybody up to speed and, but moreover, this podcast is an opportunity for people to hear directly from the person who helped us develop that. And that is Rachel. So, Rachel, I wonder, can you just start off by giving us a synopsis of the 2024 Final Rule, maybe some key terms we should be thinking about?

    Rachel V. Rose: Sure. As you mentioned, Kevin, the reproductive healthcare landscape is very dynamic and the rule itself was issued on April 22nd of 2024 with an effective date of June 25th of 2024. And basically what an effective date does is to start the clock running as to when certain requirements need to be implemented. This particular rule, which I will refer to as the HIPAA Reproductive Rule, has two prongs of compliance dates. The first already passed and that had to be done by December 23rd, 2024. And for your clients who were with First Healthcare Compliance or Panacea at the time, they were able to access FAQs. And the first prong of the requirements really addressed every applicable item that I’ll run through, with the exception of the notice of privacy practices. Now, for anyone who’s been in the healthcare sector for a long time, and for anyone who goes to the doctor, a dentist or even a pharmacy to pick something up, we all know we have to sign the HIPAA authorization form, and then covered entities are required to post their notice of privacy practices. So the updated privacy practices, which need to include some of the reproductive health requirements among other items, do not need to be done until February 16 of 2026.

    So this is similar to the staggering of the compliance dates which we saw with the Final Omnibus Rule, which was published in the Federal Register, it’s hard to believe, but going on over 12 years ago and that was January 25th of 2013. Now specifically, the HIPAA reproductive rule really prohibits the disclosure of protected health information related to in these terms I need you to focus on: lawful reproductive health care in certain circumstances. And the reason it’s important is because legal means that whatever service or good is being sought, it has to be legal within the jurisdiction where the individual is receiving that care or that good, so to speak. And so if we want to take certain types of surgeries or certain types of procedures that in a viable fetus’s life, then you need to be in a jurisdiction or a state where that is permissible. So the terms are the meaning of a person. What is a person? If you read the Final Rule, it means a natural person, meaning a human being that is born alive, a trust or estate, a partnership, corporation, professional association or corporation, or other entity, public or private. And this definition is common. It was adopted by the U.S. Supreme Court several years ago. So when someone says a person, it can mean either an individual human being or one of the other more business-oriented items. Now, public health is also a term. And for this Final Rule, it’s used in terms of public health surveillance, public health investigation and public health intervention, and this means population level activities to prevent disease in, or promote the health of, populations. For those who are familiar with HIPAA, there has always been what’s known as the public health exception, and that has limited applicability. But one of the exceptions is to report a positive test for a communicable disease. We saw this during COVID. It is required for sexually transmitted diseases and other kinds of diseases.

    We’re seeing it now with all of the media attention on measles and those types of conditions. What’s important to note about public health is that those activities, which include identifying, monitoring, preventing or mitigating ongoing or prospective threats to health or safety, do not include any of the three following purposes, and that’s: to conduct a criminal, civil or administrative investigation into any person for the mere act of seeking, obtaining, providing or facilitating health care. Secondly, to impose criminal, civil or administrative liability on any person for the mere act of seeking, obtaining, providing or facilitating health care. And lastly, to identify any person for the activities that I just described. And I’m often asked, well, Rachel, what do you mean? If I’m seeking and what do you mean about going to a different jurisdiction? And for those who are familiar with the old school drinking age laws, for example, in Louisiana, the age used to be eighteen. So if you were eighteen, even though you were a Texas resident and went over the border to drink in Louisiana, it was legal and there was nothing that Texas could do as you were coming across the border. Now, intoxication while driving is a separate animal. But just because a person went over the border to drink in a jurisdiction or a state where it was legal doesn’t mean that Texas had any recourse against that person so long as they were sober coming back over the border. Right. A similar situation with reproductive health care. And that’s what the focus of this privacy is, if a person goes to a state to seek certain types of care, and the two areas that seem to be at issue particularly are surgical abortions or transgender care, especially as it relates to minors.

    So the other key term that everyone needs to be familiar with, and that should be in policies and procedures as well as training, is the term reproductive healthcare, and that means healthcare that’s been defined in this particular section, that affects the health of an individual and all matters relating to the reproductive system and to its functions and processes. This definition shall not be construed to set forth the standard of care or regulate what constitutes clinically appropriate reproductive healthcare. So what HHS, OCR said here is we are not looking to step into the shoes of the physician and determine what is appropriate under certain circumstances. We are not involved in the practice of medicine. We are just giving a roadmap of what is particular. And everything I just read really comports with the July 2022 opinion in Dobbs versus Jackson Women’s Health Organization, which overturned Roe v. Wade. And what’s important about that opinion is actually Justice Kavanaugh’s concurrence. And it’s important because just as I mentioned, going across state lines to receive care or use the purchase and consumption of alcohol situation, by way of analogy. Justice Kavanaugh expressly stated that nothing in this opinion is meant to contradict or inhibit any other part of the Constitution, and interstate commerce is expressly stated in our Constitution. So really everything is aligned with Dobbs as well as the opinions in the case.

    Kevin Chmura: Yeah, it’s a great, great rundown. It’s impossible to talk about reproductive health in any context over the last several years in America without intersecting with Dobbs some way or another, right? That’s the seismic shift and I’m glad you touched on that. I think that’s a real critical area. And so, you know, the Final Rule is in concert with, or interacts is I guess a better way of saying it, considers Dobbs in the rule itself in all of the areas of Dobbs, correct?

    Rachel V. Rose: That’s absolutely correct, Kevin. And it goes back to that legally attainable reproductive health care, right? So if you’re in a jurisdiction where it’s not permissible or it’s not legal, then this rule is not going to help you on that front, right? It’s meant for individuals who are seeking care in a jurisdiction where it’s legal and nothing in this final rule tries to interfere with that. But it does make

    20 min
  5. 03/18/2025

    Employee Snooping & Insider Threats

    1st Talk Compliance features guest Raymond Ribble, CEO and Founder at SPHER, Inc., on the topic of “Employee Snooping & Insider Threats.” Ray joins our host Catherine Short to discuss snooping and insider threats and why user monitoring and ePHI access strategies are vital to the security of sensitive patient information and data protection. With so much attention and money surrounding cybersecurity in the healthcare industry, malicious employees may decide to purposefully disclose patient information. Since employees and contractors may have knowledge of your network setup, vulnerabilities, and access codes, snooping employees with malicious intent hold the key to exposing your organization to a series of unwanted risks and threats. Listen as we identify signs of unauthorized access, provide guidelines to prevent snooping, and offer procedures to detect insider threats.

    Catherine Short: Welcome, and let’s 1st Talk Compliance. I’m Catherine Short, Manager of Virtual Education at First Healthcare Compliance. Thanks for tuning in. This show is brought to you by First Healthcare Compliance as part of our commitment to provide high quality complimentary educational resources. We help create confidence among compliance professionals throughout the United States. Please show your support by taking a moment to provide a review on Google, Facebook or iTunes. You can also follow us on Instagram, Twitter, and subscribe to our YouTube channel. On today’s episode, we are speaking with Raymond Ribble, CEO and founder at SPHER Inc, a market leading compliance analytics cybersecurity solution addressing HIPAA compliance, state privacy laws and ePHI security threats on the topic of “Employee Snooping and Insider Threats.” Snooping and insider threats are exactly why user monitoring and ePHI access strategies are vital to the security of sensitive patient information and data protection. With so much attention and money surrounding cybersecurity in the healthcare industry, malicious employees may decide to purposefully disclose patient information. Since employees and contractors may have knowledge of your network setup vulnerabilities and access codes, snooping employees with malicious intent hold the key to exposing your organization to a series of unwanted risks and threats. Listen, as we identify the signs of employee and contractor unauthorized access, provide guidelines to prevent employee snooping, and offer procedures to detect insider threats. So thank you, Ray, for joining me on First Talk Compliance. It’s a pleasure to have you on.

    Raymond Ribble: Thank you for having me today. It’s great.

    Catherine Short: Yes, always wonderful to talk to you. So Ray, I have a question for you to start off. I know when people think about threats to their organization, they worry often about external risks such as hackers. Would you say that this is the right focus?

    Raymond Ribble (2:15): For an organization, it’s not the wrong focus. It’s what we read about in the press the most. We’re online looking at some healthcare rag, what they’re talking about is some type of external threat that impacts the organizations. And I think from a cost perspective, it is the most impactful. Somebody coming in from the outside, a hacker to use the term, can cause hundreds of thousands if not millions of dollars in damage to an organization. Ransomware would be a perfect example of that. You or I don’t want to have to pay some X number of bitcoins in order to get access back to our data knowing that now that they’ve done that, that they’re probably going to come back and do it again.

    Having said that, I think the equal component of that is what we talked about in terms of snooping and the insider threat, because an individual snooping and then taking that information that they get through snooping and sharing it through social media, or in gossip to somebody on the outside, potentially could have a financial impact to an organization more so today in 2022, than say 20 years ago, or 30 years ago. So are hackers real? Yes, they are. Is the hacker the thing that you should stay awake at night worrying about? Not as much as you think. 26% of the breach events that are captured by most organizations that are responding to our surveys out there, IBM Parliament being the best, indicate that snooping and insider threats are much more detrimental to the business than the hackers on the outside. I think they’re more prevalent. I think that 67%, if I remember the number correctly, is what we have in terms of the percentage of healthcare breach types come from inside the organization, not outside. I think we tend to focus on what that cost is to the organization if we get caught, when we get caught and so therefore, hackers are more prominent because we use that word as a catch all for everything from phishing, to ransomware to XYZ. Does that make sense?

    Catherine Short: It does. So all the time in the news and media and everything we hear about ransomware, ransomware there’s a cyber attack. So if you were talking about ransomware and cyber attacks, versus insider snooping, which is one of the topics here and employees snooping, what would you say then? Could you expand on that just a little bit more?

    Raymond Ribble: I’m more worried about the insider threat personally, I think that there are things that we can do from a technology perspective to significantly limit our exposure to ransomware type events. So if we can educate our end users to not click on anything that comes up on their screen, to not look at third party applications or ads, and click on them to go see if that shirt from China is really interesting, and I really can get something for $25 that I’d have to pay $200 for, is worth it. Because when I click on that, what I’m actually doing is opening up a hole into my data system. So if we can educate people not to do those types of actions, through technology and encryption and such, then we can reduce the exposure to a ransomware event through that. On the other hand, if I have people in my office, who are snooping or worse, in a malicious sense, stealing the credentials, and giving those credentials to somebody else in order to create havoc, that cost is exponential to our organization. That goes back to a major breach, it goes back to being measured in hundreds of thousands, if not millions of dollars. The impact to your organization from a cybersecurity insurance perspective, is significant. The reason we have that feeling, Catherine is because what articles we typically see out there in the press, whether it’s online or in print are stories about ransomware, a hospital being shut down, not being able to access their files. It’s rare that we see a story about a snooping incident, such as say, the Justice Mueller in Chicago, where it makes it to the point of news that’s worthy of being talked about. So it’s kind of a hidden crime in an organization that a lot of people think well is really causing the damage?

    Catherine Short: So right. Can you give me some examples of what you’re talking about? When you mentioned insider threats or employee snooping?

    Raymond Ribble: Yeah, the worst one that we’ve had with our organization where we work with a client, was an incident where they were brand new to our technology, we implemented the system for them. And maybe a little bit of background. It is a rural hospital. You and I both know that we love to talk about others. I mean, TV is loaded with shows about other people’s lives and reality TV, but what’s more reality than snooping that what’s happening in my community, vis-à-vis their healthcare and what they’re coming in, what type of ailments they have. This organization went live with SPHER and in the first month of using the system, they had 1800 snooping alerts. 1800.

    Catherine Short (7:50): Wow, that was from one organization?

    Raymond Ribble: That was for one place, it was the hospital and when we sat down with that team, and investigated the 1800s, they were all legitimate. There were no false positives, everything was legitimate. They were, they had a very, very bad problem in this hospital.

    Catherine Short: That was in a month?

    Raymond Ribble: That was in one month.

    Catherine Short: Oh, my gosh, there must be a lot of gossiping going on there.

    Raymond Ribble (8:22): Yeah. I’m not gonna say where it was, other than it was a rural hospital. It would be bad. But let’s just say yeah, there was a lot of gossiping in an area that’s famous for gossip like that. Everybody listening can say, now that’s my area. But now though, this is one that we probably would all agree upon. We sat down with them and this is where once they understood this was real, then they said, Okay, how are we going to solve this problem? And it really came down to the CIO. In this case, the CISO, saying, Okay, we’re clearly not educating our users on security and we don’t have a culture of compliance in this organization. So she decided to make it very public what they had found, to share some of the analytics without calling anybody out since it was everybody and saying, Okay, this is going to change immediately. We’ve implemented the system to monitor so I’m looking at you, just know that from today. Within two months, the snooping dropped from 1800 to five, five incidents, and those five incidents she told us, could all be explained. So you know, in essence, she said, Yeah, they did look, but here’s the reason they looked and she could accept that so basically, zero. Once people knew that somebody was looking at them looking at other people’s data, they stopped. Maybe they found a new way to do it, but they weren’t using the EHR system or the EMR system as their main source of office gossip. How’s that?

    Catherine Short: Wow. So when you have an incident where someone

    29 min
4.8 out of 5, 16 Ratings
