Little Health Law Blog

Physicians Brace: the Changing Insurance Landscape Under Georgia’s ACA Insurance Exchange

May 28, 2013 | Little Health Law

In Georgia, seven insurers have announced plans to participate in the Health Insurance Exchange that will exist by virtue of the Affordable Care Act (ACA). The ACA authorized creation of State health insurance “exchanges” (HIX) – an online market place in which consumers can shop for and buy health insurance. The following insurers have indicated they will participate in the Georgia HIX: Blue Cross and Blue Shield of Georgia, Kaiser Foundation Health Plan, Peach State, Alliant, Coventry, Aetna and Coventry. The insurance plans will debut as part of the Georgia HIX in 2014.

When the health insurance plans are available, small businesses, families and individuals will have a new way to get insurance. The ACA intends for consumers to be able to compare the benefits and costs of competing plans and use an online calculator to assist them in determining which plan is best for them. The ACA will expand health insurance coverage, increasing the number of insured patients. Presently, nearly two million non-elderly Georgia residents are uninsured. Purported benefits of the ACA that will affect Georgia patients and providers include: greater ease in obtaining coverage for individuals difficult to insure due to pre-existing conditions; continued cost-saving home- and community-care programs;greater resources for Medicaid, lowering costs of prescription drugs and raising reimbursement to some health care providers; enhanced preventive care coverage; and allowing young adults to stay on parents’ health plans
For physicians, however, more insured patients under the auspices of the ACA is not all good news. While much remains to be seen, some problems have been predicted. For example, some physicians may experience delayed payment under the ACA, under which individuals have a three-month grace period to individuals who have not paid their premiums. Health plans may hold off on processing claims who have not paid for two months. After three months, a health plan may deny claims and leave the doctor to seek payment from the patient. Under traditional insurance, the health plan would remain liable to pay the doctor even if the premium has not been paid. Patients are not accustomed to keeping up with and paying insurance premiums. Further, under the ACA the patient may be able to sign up for another plan in the HIX and begin seeing another doctor. Many of the newly insured patients will also be individuals who have not had insurance before (or for a considerable time) and may therefore involve more complicated health issues.
Continue reading ›

The Plea for Repeal of the Medicare Sustainable Growth Rate

May 4, 2013 | Little Health Law

doc pic.jpg The American Medical Association (AMA) and numerous other medical associations, including the Medical Association of Georgia (MAG), are a strong voice for repealing the Medical Sustainable Sustainable Growth Rate (SGR). Led by the AMA, a very large group of influential medical associations wrote Congress late last year advocating that the SGR is “an enormous impediment to successful health care delivery and payment reforms that can improve the quality of patient care while lowering growth in costs.” The call for repealing SGR is increasingly strong and urgent.

SGR is the method used by the U.S. Centers for Medicare and Medicaid Services (CMS) to set Medicare reimbursement rates for doctors with a formula purportedly tied to economic growth. The SGR issue derives from a well-intended but seriously flawed attempt to curb federal spending. Pursuant to the Balanced Budget Act of 1997, CMS employs SRG as a method to ensure yearly increases in Medicare expenses do not exceed increases in the level of growth in the U.S. Gross Domestic Product. Under the SGR scheme, if spending increases more than a set level, physician payments are adjusted downward; if spending is below a set level, rates are increased.

At first, the SGR formula arguably worked – to a degree – but only while the U.S. economy grew. After the US economy stalled in 2002, SGR number crunching changed for the worst as Medicare expenses exceeded projections, a trend that has continued. As a result, virtually every year for the last decade there has been a risk to physicians of very significant cuts in Medicare reimbursement rates required by law. Rather than repealing or revamping SGR, however, Congress has repeatedly effectuated a last minute, legislative patch “fix” to avert a crisis, deferring a permanent solution for future political wrangling. For example, with the latest “fix,” the American Taxpayer Relief Act of 2012, Congress delayed a 26.5 percent cut in Medicare physician payments for one year. The Congressional Budget Office projects that physician payments under Medicare will be reduced by about 25% in January 2014. Again, some fix will be needed, as the cuts would cause many medical practices to close, denying patients access to medical care. The recurrence of this political issue continues to frustrate physicians in a big way. Many have left the Medicare program; others threaten to do so. Access to medical care is thus diminished, contrary to the essential purpose of Medicare.
Continue reading ›

THE CLOCK IS TICKING: Less Than Six Months to Comply with New HIPAA Requirements for Business Associate Agreements

March 31, 2013 | Little Health Law

As a general rule of thumb for legal issues, being proactive tends to be much less expensive than being reactive. This general rule certainly applies to health care providers, their business associates and, now, business associate subcontractors with respect to changes required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The HIPAA Omnibus Final Rule (Final Rule), implementing provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act passed in 2009, became law last week on March 26, 2013. The Final Rule significantly modifies HIPPA requirements for compliance and security measures intended to protect health information (PHI), especially business associate agreements. Health care covered entities and their business associates and subcontractors have six months to become compliant with the rule, or face large fines (up to $1.5 million). The deadline for compliance is September 23, 2013, and the clock is ticking. Quickly.

According to the U.S. Department of Health & Human Services (HHS), the Final Rule is intended to bolster privacy and security protections for PHI under HIPAA by greatly enhancing the government’s ability to enforce the law. Health care provider audits are expected to dramatically increase in the coming months and years. Assuming that an audit will not happen is a mistake for any health care provider. Fines for HIPAA violations can be considerable, up to $1.5 million.

Under the Final Rule, parts of the HIPAA “Security Rule” (security requirements for electronic PHI) and “Privacy Rule” (security requirements for privacy of PHI) will now apply directly to business associates so that business associates will be potentially liable for civil and criminal penalties for any non-compliance with the HIPAA regulations, rather than just a breach of contract. Additionally, many subcontractors of business associates will now be covered. Liability for data breaches and other non-compliance can lie with the subcontractor, the business associate or the covered health care entity.

So, who is a “business associate”?

This is an important question because many changes under the Final Rule will profoundly impact not only covered entities and existing business associates, but other entities that now meet the definition of “business associate” and downstream business associate subcontractors whose services touch PHI. The Final Rule broadened the definition of “business associate” so that anyone who creates, receives, maintains, or transmits PHI might be deemed subject to HIPAA rules as a business associate. For example, the new definition includes companies or persons that “maintain” PHI, such as a data storage company or a company that provides data transmission services.

Legal counsel should be consulted to determine what business partners and vendors might be deemed “business associates” by HHS in the event of an audit. The reality is that many (probably most) business associates are currently not compliant with HIPAA and, if they consider the issue at all, may be in denial. HHS has decided it will deal with the issue more aggressively. Prudent health care providers must promptly inventory their business relationships to identify all business partners and vendors that meet the broadened definition of “business associate” under HIPAA rules and ascertain whether business associates are compliant with HIPAA’s risk assessment and other compliance protocol. This process should include evaluation of existing business associate agreements and, ultimately, health care providers should insist that every business associate demonstrate compliance.

Do your business associate agreements need to be updated?

Covered entities, business associates and subcontractors have until September 23, 2013 to execute business associate agreements compliant with the Final Rule. Under the Final Rule, business associate agreements must be updated to require that:

– the business associate comply with applicable requirements of the Security Rule.

– business associate ensure subcontractors that create, receive, maintain or transmit electronic PHI on behalf of the business associate agree to comply with the requirements of the Security Rule.

– the business associate ensure that any subcontractors that create, receive, maintain or transmit PHI on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate with respect to such PHI.

– the business associate report breaches of unsecured PHI.

– the business associate carry out a covered health care entity’s obligation under the Privacy Rule (e.g., serving as the privacy official)

– the business associate comply with the requirements of the Privacy Rule that apply to the performance of such obligation.

It is estimated that up to 500,000 existing Business Associates will have to have new business associate agreements.
Continue reading ›

THE TIME IS NOW: MANY HEALTH CARE PROVIDERS AND HEALTH CARE BUSINESSES MUST PROMPTLY REVISE BUSINESS ASSOCIATE AGREEMENTS TO COMPLY WITH HIPAA

March 9, 2013 | Little Health Law

The U.S. Department of Health and Human Services (HHS) published the HIPAA final omnibus rule (Final Rule) on January 25, 2013. The Final Rule deals with required changes for medical practices and other health care providers that HHS determined are necessary to secure protected health information (PHI). As a result of the Final Rule, many health care providers must update existing business associate agreements, revise existing notices of privacy practice, and require some business associates’ subcontractors to execute business associate agreements. For many medical practices and health care businesses, this process may be a tedious undertaking and, therefore, should begin promptly. The deadline for compliance is September 23, 2013.

A “business associate” is a person or entity that acts on behalf of or provides services to a health care provider (a “covered entity”) who, by doing so, obtains access to PHI. The purpose of a business associate agreement is to ensure business associates will appropriately safeguard PHI and limit permissible uses and disclosures of PHI, to protect patient privacy and related purposes advanced by HIPAA. A business associate is directly liable under HIPAA and subject to civil (and potentially criminal) penalties for data breaches and other violations of HIPAA.

The Final Rule is published in the Federal Register (78 FR 5565) and is 523 pages. Under the Final Rule, a “business associate” includes a broader scope of entities. “Business associate” now includes subcontractors and entities that create, receive, maintain, or transmit PHI. How this change will impact particular situations may require determinations on an ad hoc basis. All physicians, physician groups, other health care providers, and health care businesses, should promptly marshal their existing business associate agreements for review and analysis to determine which agreements must be changed to comply with the Final Rule. Additionally, all business arrangements need to be inventoried and reviewed for a determination as to whether the relationship necessitates a business associate agreement under the Final Rule. For every business arrangement that will require a new business associate agreement, the business associate should be contacted now regarding the requirement of a business associate agreement.
Continue reading ›

“SLOPPY PASTING” EHR: A Risky Shortcut

February 21, 2013 | Little Health Law

1066466_dice[1].jpg Our health care system’s slow-but-sure conversion from paper to electronic health records (EHR) continues throughout the United States. The push toward EHR is strong, both as an inevitable industry trend toward efficiency and because of the mandate of federal law. EHR is obviously an integral part of health care reform changes. See January 31, 2013 post. Unintended adverse consequences of going paperless have appeared, however, including an apparent trend by doctors and other health care providers to haphazardly copy and paste identical notes from one patient visit to another.

This phenomenon — dubbed “sloppy and paste,” “sloppy pasting,” “copy-forward” and “cloning” — is a new problem in the industry and appears to be a strong trend. Although EHRs facilitate quick moves through patient records, the tempting ease of copy/pasting lends itself to mistakes. While many such mistakes may be innocuous, as an expansive trend copy/pasting EHR seems to have some meaningful unintended consequences, ranging from serious embarrassment, the appearance of billing fraud, or patient harm.

For example, since by definition coordinated patient care (another integral part of health care reform for which there is strong impetus) involves multiple health care professionals communicating with each other via the patient’s chart, the ability of each provider to rely upon the accuracy of information conveyed in the chart is critical. Proper management of all patient care in an integrated way requires an effective, accurate and timely exchange of information. The reliance of each provider upon inaccurate or misleading information copy/pasted into chart as a short cut can lead to confusion and mistakes and actually prevent “coordinated” care. In one reported example, a physician visited a patient in a coma who had postoperative complications. After reviewing the patient’s chart, the doctor visited with the patient’s very concerned family and commented to them that the patient was only in the third day of recovery, unaware that that the patient had been in recovery for over five weeks. For more than five weeks, the note “post-op day No. 2” was copied and brought forward each day. The highly embarrassed doctor’s credibility with the family was gone.
Continue reading ›

HHS announces first HIPAA breach settlement involving less than 500 patients

February 14, 2013 | Little Health Law

1269437_laptop_and_cellphone[1].jpg A single unencrypted laptop computer containing electronic protected health information (ePHI) cost The Hospice of North Idaho (HONI) $50,000. HONI agreed to pay the U.S. Department of Health and Human Services (HHS) a $50,000 fine to settle potential breaches of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.

HONI regularly used laptops in field work. However, according to HHS, HONI did not conduct an accurate and thorough analysis of the risk to the confidentiality of ePHI posed by mobile devices on an on-going basis as part of its security management process in violation of HIPAA. HONI also failed to implement security measures sufficient to ensure the confidentiality of ePHI that it created, maintained and transmitted using portable devices, another alleged HIPAA breach. In addition to the fine, HHS required HONI to enter into a corrective action plan.

The HONI settlement is notable as the first settlement of an alleged HIPAA violation based on breach of ePHI affecting fewer than 500 individuals. The government discovered in its investigation that HONI simply failed to conduct any risk assessment to safeguard ePHI and failed to have policies and procedures to address mobile devices. Leon Rodriquez, the Director of the HHS Office for Civil Rights, explained: “This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information.”
Continue reading ›

BEWARE the HIPAA police: MORE AUDITS COMING. Get a risk assessment.

February 14, 2013 | Little Health Law

1066058_patrol_hat_too[1].jpg The Health Information Technology for Economic and Clinical Health (HITECH) Act requires the U.S. Department of Health and Human Resources (HHS) to conduct audits to ensure health care providers, health care industry organizations, and their business associates comply with HIPAA. The HHS Office for Civil Rights (OCR) audit program scrutinizes policies and procedures (or lack of same) of HIPAA-covered entities. Audit protocol looks at many elements (which may vary based on the type of covered entity audited) categorized as privacy requirements, security requirements, and breach notification requirements. The OCR makes available its audit protocol for public review online. OCR awarded KPMG a $9.2 million contract to create HIPAA auditing protocols and to handle audits. The government is keen on these audits; audits will increase in the near future.

According to OCR, “To avoid enforcement penalties, covered entities must ensure they are always in compliance with the HIPAA Privacy and Security Rules.” Be prepared. Do not wait for an audit notice. A few of the many factors potentially relevant if your medical practice or other health care business is selected for the review include:

Is there a signed business associate agreement with each business associate?

Do you encrypt protected health information (PHI)?

Do you have policies and procedures in place for employees (new employees, existing employees, terminated employees, etc.)?

Do you have policies in place with regard to the removal of PHI from the medical practice site (e.g. a smartphone)?

Do you have a written policy for ascertaining and reporting a security breach?

Do your policies cover everything you do with PHI?

Do you really do things consistently with your existing policies?

Combatting a National Trend of Physicians Dispensing Unapproved Foreign Drugs

February 1, 2013 | Little Health Law

On January 15, 2013, Dr. Joel I. Bertstein, a La Jolla, California oncologist, pled guilty to a charge that he introduced an unapproved drug into interstate commerce and administering it to patients. The drug is a cancer fighting drug known as “Mabthera.” Mabthera has not been approved by the U.S. Food and Drug Administration (FDA) for use in the United States and is intended for marketing in Turkey. Rituxa is the approved U.S. drug that contains the same active ingredient and is used to fight lymphomas and leukemias.

According to the government’s allegations, Bernstein and his corporate medical practice, Dr. Joel I. Bernstein, M.D. Inc., imported Mabthera at a deep discount, dispensed the drug to unwitting patients, billed Medicare as if the drug was legitimate, and retained profits from the transactions. The government alleged that during the period from 2007 to 2011, Bernstein purchased $3.4 million of unapproved cancer drugs, for significantly less than market value in the U.S., and submitted claims to Medicare at the full reimbursement price using Medicare codes for approved cancer drugs. The government charged that Bernstein submitted reimbursement claims of $1.7 million to Medicare.

The financial recovery for the federal tax payer is not the sole objective for the government’s prosecution of this type of Medicare fraud. Additionally, the government seeks to combat a strong nationwide trend that exposes U.S. patients to risks associated with the use of drugs not vetted and approved by the FDA. Patient welfare is at stake. Indeed, the government considers the problem of counterfeit drugs to be of “epidemic” scale. Numerous federal agencies, including the Department of Justice, the Federal Bureau of Investigation, the FDA, and Homeland Security, are involved in the effort to combat a national crisis of importation counterfeit and unapproved drugs. The government has undertaken significant efforts to discovery fraudulent Medicare schemes that cost the federal taxpaper billions of dollars every year and compromise patient safety.

The FDA’s procedures for approving a drug apply not only to the drug itself but also to labeling and packaging, the facility where the drug was manufactured and shipping protocol. Some oncology medications must be transported at a particular temperature. When a patient consumes an unapproved drug, he is taking a serious chance that the proper conditions for the manufacture and shipment of the drug have not been met. In Dr. Berstein’s case, the government asserted that unapproved chemotherapy drugs “may be fake, ineffective, unsafe and dangerous.”
Continue reading ›

Things to Consider When Moving Your Medical/Dental Practice

January 31, 2013 | Little Health Law

Physicians and dentists often decide to choose a new place to practice. Sometimes it might be in the same area but a different part of town or it can be in another city or state. Whether you are considering opening a new office or simply relocating, it is extremely important to do your homework before making this decision.

Here are a few tips from an experienced Georgia health care lawyer to consider.

One of the primary factors in making this decision is physician density. In areas where there are not as many doctors, it will be far easier to cultivate a new patient base. This is especially true if there are no physicians in the area with your expertise. In areas saturated with doctors, you are provided with the opportunity to expand your area of expertise and set yourself apart from the others.

Another thing to consider is an area with high unemployment. This would mean the people in that area would be less likely to have insurance coverage. This would make them less likely to make routine visits. This may all change under the Patient Protection and Affordable Care Act (PPACA).

Nobody really wants to talk about the costs involved for medical malpractice but it is a decision that has to be faced if considering a move. If you are moving in the same city or same area, this is not of significant concern. However, if you are considering moving to another state or a smaller town, the costs of malpractice insurance could vary greatly.

Lastly, consider what your earnings will be in the area you are considering. Physician compensation in the Midwest is higher than the Southwest. In reality a reputable physician can make a good living in any area he or she chooses to go to. One way to get inside information is to visit with other doctors in the area considering that they might not be entirely honest with their answers.

Unfortunately there is no cookie cutter format for determining the best place for a physician to be; there are issues specific to each practice that will need to be answered. The bottom line is that an experienced physician or dentist will flourish and succeed in any area that they choose.
Continue reading ›

Final HIPAA Rule Becomes Effective March 26, 2013

January 31, 2013 | Little Health Law

The final Health Insurance Portability and Accountability Act (HIPAA) rule was announced on January 17, 2013, modifying the original 1996 version. The rule becomes effective on March 26, 2013, with full compliance mandated by September 23, 2013. After that, enforcement will commence.

Under the new rule, patients have new rights to their health information, greater privacy protection and the government has increased ability to enforce the law.

It is time to begin implementing a reporting plan for covered entities and business associates. Such a plan should consider four factors. Those factors to be considered in determining whether a breach must be reported include: (1) the type of protected health information (PHI) involved; (2) who used the PHI or to whom the PHI was disclosed; (3) whether the PHI was viewed or acquired; and (4) whether the risk to the PHI was mitigated, such as through assurances by trusted third parties that the PHI was destroyed.

Some other changes to be aware of are:

• Business associates are liable for HIPAA privacy and security rule requirements.

• A business associate includes subcontractors that create, receive, maintain or transmit PHI on the behalf of a business associate.

• Subcontractors for business associates are bound by the same compliance obligations no matter how far away the services are from the covered entity.

• A breach is any wrongful use or disclosure of PHI unless the covered entity or business associate assures that there was no compromise of the PHI or a small chance that it was.

• Covered entities have to protect the PHI of a decedent for 50 years following the date of death.

• Patients can request a copy of their electronic medical record (EMR) in an electronic form.

• For all practical purposes the sale of a patient’s PHI is prohibited without their authorization.

• Penalties are enhanced for noncompliance depending upon the level of culpability up to the civil monetary cap of $1.5 million per violation.

Navigating the expanded HIPAA rule and making certain that you are in compliance by September 23, 2013 can be a daunting task for small and large healthcare businesses, physicians, dentists and hospitals.
Continue reading ›