Little Health Law Blog

THE TIME IS NOW: MANY HEALTH CARE PROVIDERS AND HEALTH CARE BUSINESSES MUST PROMPTLY REVISE BUSINESS ASSOCIATE AGREEMENTS TO COMPLY WITH HIPAA

March 9, 2013 | Little Health Law

The U.S. Department of Health and Human Services (HHS) published the HIPAA final omnibus rule (Final Rule) on January 25, 2013. The Final Rule deals with required changes for medical practices and other health care providers that HHS determined are necessary to secure protected health information (PHI). As a result of the Final Rule, many health care providers must update existing business associate agreements, revise existing notices of privacy practice, and require some business associates’ subcontractors to execute business associate agreements. For many medical practices and health care businesses, this process may be a tedious undertaking and, therefore, should begin promptly. The deadline for compliance is September 23, 2013.

A “business associate” is a person or entity that acts on behalf of or provides services to a health care provider (a “covered entity”) who, by doing so, obtains access to PHI. The purpose of a business associate agreement is to ensure business associates will appropriately safeguard PHI and limit permissible uses and disclosures of PHI, to protect patient privacy and related purposes advanced by HIPAA. A business associate is directly liable under HIPAA and subject to civil (and potentially criminal) penalties for data breaches and other violations of HIPAA.

The Final Rule is published in the Federal Register (78 FR 5565) and is 523 pages. Under the Final Rule, a “business associate” includes a broader scope of entities. “Business associate” now includes subcontractors and entities that create, receive, maintain, or transmit PHI. How this change will impact particular situations may require determinations on an ad hoc basis. All physicians, physician groups, other health care providers, and health care businesses, should promptly marshal their existing business associate agreements for review and analysis to determine which agreements must be changed to comply with the Final Rule. Additionally, all business arrangements need to be inventoried and reviewed for a determination as to whether the relationship necessitates a business associate agreement under the Final Rule. For every business arrangement that will require a new business associate agreement, the business associate should be contacted now regarding the requirement of a business associate agreement.
Continue reading ›

“SLOPPY PASTING” EHR: A Risky Shortcut

February 21, 2013 | Little Health Law

1066466_dice[1].jpg Our health care system’s slow-but-sure conversion from paper to electronic health records (EHR) continues throughout the United States. The push toward EHR is strong, both as an inevitable industry trend toward efficiency and because of the mandate of federal law. EHR is obviously an integral part of health care reform changes. See January 31, 2013 post. Unintended adverse consequences of going paperless have appeared, however, including an apparent trend by doctors and other health care providers to haphazardly copy and paste identical notes from one patient visit to another.

This phenomenon — dubbed “sloppy and paste,” “sloppy pasting,” “copy-forward” and “cloning” — is a new problem in the industry and appears to be a strong trend. Although EHRs facilitate quick moves through patient records, the tempting ease of copy/pasting lends itself to mistakes. While many such mistakes may be innocuous, as an expansive trend copy/pasting EHR seems to have some meaningful unintended consequences, ranging from serious embarrassment, the appearance of billing fraud, or patient harm.

For example, since by definition coordinated patient care (another integral part of health care reform for which there is strong impetus) involves multiple health care professionals communicating with each other via the patient’s chart, the ability of each provider to rely upon the accuracy of information conveyed in the chart is critical. Proper management of all patient care in an integrated way requires an effective, accurate and timely exchange of information. The reliance of each provider upon inaccurate or misleading information copy/pasted into chart as a short cut can lead to confusion and mistakes and actually prevent “coordinated” care. In one reported example, a physician visited a patient in a coma who had postoperative complications. After reviewing the patient’s chart, the doctor visited with the patient’s very concerned family and commented to them that the patient was only in the third day of recovery, unaware that that the patient had been in recovery for over five weeks. For more than five weeks, the note “post-op day No. 2” was copied and brought forward each day. The highly embarrassed doctor’s credibility with the family was gone.
Continue reading ›

HHS announces first HIPAA breach settlement involving less than 500 patients

February 14, 2013 | Little Health Law

1269437_laptop_and_cellphone[1].jpg A single unencrypted laptop computer containing electronic protected health information (ePHI) cost The Hospice of North Idaho (HONI) $50,000. HONI agreed to pay the U.S. Department of Health and Human Services (HHS) a $50,000 fine to settle potential breaches of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.

HONI regularly used laptops in field work. However, according to HHS, HONI did not conduct an accurate and thorough analysis of the risk to the confidentiality of ePHI posed by mobile devices on an on-going basis as part of its security management process in violation of HIPAA. HONI also failed to implement security measures sufficient to ensure the confidentiality of ePHI that it created, maintained and transmitted using portable devices, another alleged HIPAA breach. In addition to the fine, HHS required HONI to enter into a corrective action plan.

The HONI settlement is notable as the first settlement of an alleged HIPAA violation based on breach of ePHI affecting fewer than 500 individuals. The government discovered in its investigation that HONI simply failed to conduct any risk assessment to safeguard ePHI and failed to have policies and procedures to address mobile devices. Leon Rodriquez, the Director of the HHS Office for Civil Rights, explained: “This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information.”
Continue reading ›

BEWARE the HIPAA police: MORE AUDITS COMING. Get a risk assessment.

February 14, 2013 | Little Health Law

1066058_patrol_hat_too[1].jpg The Health Information Technology for Economic and Clinical Health (HITECH) Act requires the U.S. Department of Health and Human Resources (HHS) to conduct audits to ensure health care providers, health care industry organizations, and their business associates comply with HIPAA. The HHS Office for Civil Rights (OCR) audit program scrutinizes policies and procedures (or lack of same) of HIPAA-covered entities. Audit protocol looks at many elements (which may vary based on the type of covered entity audited) categorized as privacy requirements, security requirements, and breach notification requirements. The OCR makes available its audit protocol for public review online. OCR awarded KPMG a $9.2 million contract to create HIPAA auditing protocols and to handle audits. The government is keen on these audits; audits will increase in the near future.

According to OCR, “To avoid enforcement penalties, covered entities must ensure they are always in compliance with the HIPAA Privacy and Security Rules.” Be prepared. Do not wait for an audit notice. A few of the many factors potentially relevant if your medical practice or other health care business is selected for the review include:

Is there a signed business associate agreement with each business associate?

Do you encrypt protected health information (PHI)?

Do you have policies and procedures in place for employees (new employees, existing employees, terminated employees, etc.)?

Do you have policies in place with regard to the removal of PHI from the medical practice site (e.g. a smartphone)?

Do you have a written policy for ascertaining and reporting a security breach?

Do your policies cover everything you do with PHI?

Do you really do things consistently with your existing policies?

Combatting a National Trend of Physicians Dispensing Unapproved Foreign Drugs

February 1, 2013 | Little Health Law

On January 15, 2013, Dr. Joel I. Bertstein, a La Jolla, California oncologist, pled guilty to a charge that he introduced an unapproved drug into interstate commerce and administering it to patients. The drug is a cancer fighting drug known as “Mabthera.” Mabthera has not been approved by the U.S. Food and Drug Administration (FDA) for use in the United States and is intended for marketing in Turkey. Rituxa is the approved U.S. drug that contains the same active ingredient and is used to fight lymphomas and leukemias.

According to the government’s allegations, Bernstein and his corporate medical practice, Dr. Joel I. Bernstein, M.D. Inc., imported Mabthera at a deep discount, dispensed the drug to unwitting patients, billed Medicare as if the drug was legitimate, and retained profits from the transactions. The government alleged that during the period from 2007 to 2011, Bernstein purchased $3.4 million of unapproved cancer drugs, for significantly less than market value in the U.S., and submitted claims to Medicare at the full reimbursement price using Medicare codes for approved cancer drugs. The government charged that Bernstein submitted reimbursement claims of $1.7 million to Medicare.

The financial recovery for the federal tax payer is not the sole objective for the government’s prosecution of this type of Medicare fraud. Additionally, the government seeks to combat a strong nationwide trend that exposes U.S. patients to risks associated with the use of drugs not vetted and approved by the FDA. Patient welfare is at stake. Indeed, the government considers the problem of counterfeit drugs to be of “epidemic” scale. Numerous federal agencies, including the Department of Justice, the Federal Bureau of Investigation, the FDA, and Homeland Security, are involved in the effort to combat a national crisis of importation counterfeit and unapproved drugs. The government has undertaken significant efforts to discovery fraudulent Medicare schemes that cost the federal taxpaper billions of dollars every year and compromise patient safety.

The FDA’s procedures for approving a drug apply not only to the drug itself but also to labeling and packaging, the facility where the drug was manufactured and shipping protocol. Some oncology medications must be transported at a particular temperature. When a patient consumes an unapproved drug, he is taking a serious chance that the proper conditions for the manufacture and shipment of the drug have not been met. In Dr. Berstein’s case, the government asserted that unapproved chemotherapy drugs “may be fake, ineffective, unsafe and dangerous.”
Continue reading ›

Things to Consider When Moving Your Medical/Dental Practice

January 31, 2013 | Little Health Law

Physicians and dentists often decide to choose a new place to practice. Sometimes it might be in the same area but a different part of town or it can be in another city or state. Whether you are considering opening a new office or simply relocating, it is extremely important to do your homework before making this decision.

Here are a few tips from an experienced Georgia health care lawyer to consider.

One of the primary factors in making this decision is physician density. In areas where there are not as many doctors, it will be far easier to cultivate a new patient base. This is especially true if there are no physicians in the area with your expertise. In areas saturated with doctors, you are provided with the opportunity to expand your area of expertise and set yourself apart from the others.

Another thing to consider is an area with high unemployment. This would mean the people in that area would be less likely to have insurance coverage. This would make them less likely to make routine visits. This may all change under the Patient Protection and Affordable Care Act (PPACA).

Nobody really wants to talk about the costs involved for medical malpractice but it is a decision that has to be faced if considering a move. If you are moving in the same city or same area, this is not of significant concern. However, if you are considering moving to another state or a smaller town, the costs of malpractice insurance could vary greatly.

Lastly, consider what your earnings will be in the area you are considering. Physician compensation in the Midwest is higher than the Southwest. In reality a reputable physician can make a good living in any area he or she chooses to go to. One way to get inside information is to visit with other doctors in the area considering that they might not be entirely honest with their answers.

Unfortunately there is no cookie cutter format for determining the best place for a physician to be; there are issues specific to each practice that will need to be answered. The bottom line is that an experienced physician or dentist will flourish and succeed in any area that they choose.
Continue reading ›

Final HIPAA Rule Becomes Effective March 26, 2013

January 31, 2013 | Little Health Law

The final Health Insurance Portability and Accountability Act (HIPAA) rule was announced on January 17, 2013, modifying the original 1996 version. The rule becomes effective on March 26, 2013, with full compliance mandated by September 23, 2013. After that, enforcement will commence.

Under the new rule, patients have new rights to their health information, greater privacy protection and the government has increased ability to enforce the law.

It is time to begin implementing a reporting plan for covered entities and business associates. Such a plan should consider four factors. Those factors to be considered in determining whether a breach must be reported include: (1) the type of protected health information (PHI) involved; (2) who used the PHI or to whom the PHI was disclosed; (3) whether the PHI was viewed or acquired; and (4) whether the risk to the PHI was mitigated, such as through assurances by trusted third parties that the PHI was destroyed.

Some other changes to be aware of are:

• Business associates are liable for HIPAA privacy and security rule requirements.

• A business associate includes subcontractors that create, receive, maintain or transmit PHI on the behalf of a business associate.

• Subcontractors for business associates are bound by the same compliance obligations no matter how far away the services are from the covered entity.

• A breach is any wrongful use or disclosure of PHI unless the covered entity or business associate assures that there was no compromise of the PHI or a small chance that it was.

• Covered entities have to protect the PHI of a decedent for 50 years following the date of death.

• Patients can request a copy of their electronic medical record (EMR) in an electronic form.

• For all practical purposes the sale of a patient’s PHI is prohibited without their authorization.

• Penalties are enhanced for noncompliance depending upon the level of culpability up to the civil monetary cap of $1.5 million per violation.

Navigating the expanded HIPAA rule and making certain that you are in compliance by September 23, 2013 can be a daunting task for small and large healthcare businesses, physicians, dentists and hospitals.
Continue reading ›

The Electronic Medical Records (EMR) Mandate

January 31, 2013 | Little Health Law

While only slightly more than two-thirds of primary care physicians in the United States used electronic medical records (EMR) in 2012, this is an increase of 50% over the 46% that reported using them in 2009. This data is documented in a Commonwealth Fund International Health Policy Survey, which was published in Health Affairs.

The use of electronic medical records can make physicians’ offices more efficient and improve the quality of patient care by making their medical history available to any physician treating them. Unfortunately, many physicians still prefer to maintain voluminous files containing patient information and illegible handwritten comments and progress notes.

Make no mistake about it, electronic medical records are the way of the future for medical practices of all sizes. With the passage of the Patient Protection and Affordable Care Act (PPACA), and its constitutionality ruling by the United States Supreme Court last June 28, 2012, healthcare reform is on its way. A mandate requiring electronic medical records for all practitioners is a part of PPACA and is set to take effect in 2014. Some mandates included in the Health Insurance Portability and Accountability Act (HIPAA) have been included in and strengthened under the PPACA.

Funding for the EMR legislation will cover a span of 10 years. By the end of that time, it is hoped that all practices will have implemented electronic medical records. Incentive programs are available through the federal government. Some professionals meeting federal requirements for EMRs can get up to $44,000 through the Medicare Electronic Health Records Incentive Program. Others who are providing service to patients in a Health Professional Shortage Area might qualify for incentives in excess of $44,000. Incentives for institutions are significantly higher, starting at $2 million, but the requirements are stiffer than for individual professionals.

Naturally there are requirements established by the federal government to make certain the incentive funding is being used properly. For example, there are specific formats for use in the areas of medical billing, patient medical history and employee communication.

Ultimately, the use of modern technology to comply with the electronic records mandate of PPACA will make our healthcare system better, provide better care to the patients and make it more affordable to all.
Continue reading ›

Seven Arrested, Charged with $22 Million Detroit-area Home Health Care Fraud Scheme

January 25, 2013 | Little Health Law

Federal law enforcement agents arrested one Chicago-area resident and six Detroit-area residents based on allegations of home health care fraud. In an 18-count indictment unsealed on January 17, 2013, the federal government contends that the seven parties effectuated a scheme to defraud Medicare based on claims for in-home health services at Royal Home Health Care Inc., Prestige Home Health Care Services Inc., Platinum Home Health Services Inc. and Empirical Home Health Care Services Inc. According to the indictment, Medicare was defrauded of over $22 million based on false claims for services since August 2008.

The Medicare Program is a federal health care program that provides benefits to the disabled and persons over age 65. It is administered by the Centers for Medicare and Medicaid Services (“CMS”), a division of the United States Department of Health and Human Services Office of Inspector General (“HHS-OIG”). In order for a health care provider to participate in Medicare, the provider must agree to abide by Medicare polices and procedures, rules, and regulations published by the federal government. When a provider is certified as a participant in the program, the provider receives a provider identification number for billing purposes, known as a “PIN.” A provider uses the PIN to submit claims for reimbursement to the government for services rendered to a patient, or “beneficiary.” A Medicare beneficiary has a Medicare beneficiary number that is used for billing purposes.

Combating Medicare fraud has been a major priority and focus of the federal government for many years. Since March 2007, the federal government’s Medicare Fraud Strike Force, which involves HHS-OIG, the FBI and other federal law enforcement, have charged more than 1,480 defendants who have falsely billed Medicare for over $4.8 billion. This indictment is part of the effort of the government’s Medicare Fraud Strike Force to effectively combat Medicare Fraud in an effort to curb the spiraling costs of the Medicare Program and otherwise for the benefit of the federal taxpayer.

According to the indictment, the home health care companies purported to provide in-home physical therapy, occupational therapy, speech pathology and/or skilled nursing services to patients. Royal, Prestige, Platinum and Empirical were Medicare providers that submitted claims directly to Medicare using PINs and beneficiary numbers. The individuals named in the indictment were either owners and/or officers of the home health care companies, or were employed as therapists or patient recruiters. The indictment charges that the defendants offered and paid kickbacks and bribes in the forms of cash payments and/or prescription narcotics to Medicare beneficiaries for the purpose of such beneficiaries arranging for the use of their Medicare beneficiary numbers by the conspirators as the bases of claims for physical therapy and other services. The indictment further alleges that Medicare claims were submitted to the government for physical therapy services and other services that were not provided and/or were not medically necessary. The indictment states that the defendants used false medical documents to support the fraudulent claims.
Continue reading ›

How The PPACA Can Affect Your Medical/Dental Practice

January 19, 2013 | Little Health Law

US SUP CT.jpg

According to an economist with Moody’s Analytics, the new health care law is set to negatively impact hiring in 2013; this is based on what human resource firms are saying, anyways. They are predicting that some businesses are going to be taking on more part-time employees rather than hiring full-time employees, in addition to reducing the hours for permanent employees.

The reason is the Patient Protection and Affordable Care Act (PPACA). Under PPACA, businesses that have 50 or more full time employees must provide health insurance to employees who work at least 30 hours a week. If employers fail to offer health insurance, they will face a penalty of $2,000 for every worker in excess of the first 30.

This mandate for employers does not take effect until January 1, 2014. However, in order to determine whether employees average enough hours to qualify for benefits, employers have to track their work schedules for at least three months and up to 12 months before 2014. As a result, employers are already starting to restructure their payrolls and will continue to do so into 2014.

Approximately 25 percent of businesses do not provide health insurance to employees who work at least 30 hours per week, according to a consulting firm study. The survey further revealed that 50 percent of those businesses intend to make necessary changes so that fewer employees will meet the 30 hour threshold provided by PPACA.

The companies intending to grow that have 40 to 45 employees are most affected, since they are apprehensive about crossing over the 50 employee threshold. For example, a Melville advertising group with 45 employees had intended to hire another 10 but will no longer do so to stay under the limit. Others simply intend to have more part-time employees that they do not need to offer health coverage to.

Employers who have a large number of part-time or low-wage employees will especially be burdened. Under the PPACA, employees are supposed to pay no more than 9.5 percent of their wages for health insurance premiums, causing employers to be forced to contribute more for low-wage employees than those who are higher paid.

According to the International Franchise Association, 31 percent of all franchisees surveyed intend to reduce their number of employees to get below the magic 50 employee threshold. Additionally, employers have indicated that they plan to reduce the work schedule of employees to get below the 30 hour per week requirement.

The constitutionality of the Patient Protection and Affordable Care Act (PPACA) was upheld by the United States Supreme Court on June 28, 2012. This complex act is focused on reducing the number of people who do not have health care. Contained in it are numerous mandates, subsidies and tax credits which employers need to be educated about.
Continue reading ›