Best Lawyers
Super Lawyers
American Health Lawyers Association
AV Preeminent
Avvo Clients' Choice Award 2014
Avvo Clients' Choice Award 2017
Avvo Rating
Top Rated Lawyers
View Profile on Avvo
Lexis Nexis
International Association of Defense Counsel
Avvo Reviews

1177227_vintage_alarm_clock.jpgAs a general rule of thumb for legal issues, being proactive tends to be much less expensive than being reactive. This general rule certainly applies to health care providers, their business associates and, now, business associate subcontractors with respect to changes required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The HIPAA Omnibus Final Rule (Final Rule), implementing provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act passed in 2009, became law last week on March 26, 2013. The Final Rule significantly modifies HIPPA requirements for compliance and security measures intended to protect health information (PHI), especially business associate agreements. Health care covered entities and their business associates and subcontractors have six months to become compliant with the rule, or face large fines (up to $1.5 million). The deadline for compliance is September 23, 2013, and the clock is ticking. Quickly.

According to the U.S. Department of Health & Human Services (HHS), the Final Rule is intended to bolster privacy and security protections for PHI under HIPAA by greatly enhancing the government’s ability to enforce the law. Health care provider audits are expected to dramatically increase in the coming months and years. Assuming that an audit will not happen is a mistake for any health care provider. Fines for HIPAA violations can be considerable, up to $1.5 million.

Under the Final Rule, parts of the HIPAA “Security Rule” (security requirements for electronic PHI) and “Privacy Rule” (security requirements for privacy of PHI) will now apply directly to business associates so that business associates will be potentially liable for civil and criminal penalties for any non-compliance with the HIPAA regulations, rather than just a breach of contract. Additionally, many subcontractors of business associates will now be covered. Liability for data breaches and other non-compliance can lie with the subcontractor, the business associate or the covered health care entity.

So, who is a “business associate”?

This is an important question because many changes under the Final Rule will profoundly impact not only covered entities and existing business associates, but other entities that now meet the definition of “business associate” and downstream business associate subcontractors whose services touch PHI. The Final Rule broadened the definition of “business associate” so that anyone who creates, receives, maintains, or transmits PHI might be deemed subject to HIPAA rules as a business associate. For example, the new definition includes companies or persons that “maintain” PHI, such as a data storage company or a company that provides data transmission services.

Legal counsel should be consulted to determine what business partners and vendors might be deemed “business associates” by HHS in the event of an audit. The reality is that many (probably most) business associates are currently not compliant with HIPAA and, if they consider the issue at all, may be in denial. HHS has decided it will deal with the issue more aggressively. Prudent health care providers must promptly inventory their business relationships to identify all business partners and vendors that meet the broadened definition of “business associate” under HIPAA rules and ascertain whether business associates are compliant with HIPAA’s risk assessment and other compliance protocol. This process should include evaluation of existing business associate agreements and, ultimately, health care providers should insist that every business associate demonstrate compliance.

Do your business associate agreements need to be updated?

Covered entities, business associates and subcontractors have until September 23, 2013 to execute business associate agreements compliant with the Final Rule. Under the Final Rule, business associate agreements must be updated to require that:

– the business associate comply with applicable requirements of the Security Rule.

– business associate ensure subcontractors that create, receive, maintain or transmit electronic PHI on behalf of the business associate agree to comply with the requirements of the Security Rule.

– the business associate ensure that any subcontractors that create, receive, maintain or transmit PHI on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate with respect to such PHI.

– the business associate report breaches of unsecured PHI.

– the business associate carry out a covered health care entity’s obligation under the Privacy Rule (e.g., serving as the privacy official)

– the business associate comply with the requirements of the Privacy Rule that apply to the performance of such obligation.

It is estimated that up to 500,000 existing Business Associates will have to have new business associate agreements.
Continue reading ›

1221952_to_sign_a_contract_3.jpgThe U.S. Department of Health and Human Services (HHS) published the HIPAA final omnibus rule (Final Rule) on January 25, 2013. The Final Rule deals with required changes for medical practices and other health care providers that HHS determined are necessary to secure protected health information (PHI). As a result of the Final Rule, many health care providers must update existing business associate agreements, revise existing notices of privacy practice, and require some business associates’ subcontractors to execute business associate agreements. For many medical practices and health care businesses, this process may be a tedious undertaking and, therefore, should begin promptly. The deadline for compliance is September 23, 2013.

A “business associate” is a person or entity that acts on behalf of or provides services to a health care provider (a “covered entity”) who, by doing so, obtains access to PHI. The purpose of a business associate agreement is to ensure business associates will appropriately safeguard PHI and limit permissible uses and disclosures of PHI, to protect patient privacy and related purposes advanced by HIPAA. A business associate is directly liable under HIPAA and subject to civil (and potentially criminal) penalties for data breaches and other violations of HIPAA.

The Final Rule is published in the Federal Register (78 FR 5565) and is 523 pages. Under the Final Rule, a “business associate” includes a broader scope of entities. “Business associate” now includes subcontractors and entities that create, receive, maintain, or transmit PHI. How this change will impact particular situations may require determinations on an ad hoc basis. All physicians, physician groups, other health care providers, and health care businesses, should promptly marshal their existing business associate agreements for review and analysis to determine which agreements must be changed to comply with the Final Rule. Additionally, all business arrangements need to be inventoried and reviewed for a determination as to whether the relationship necessitates a business associate agreement under the Final Rule. For every business arrangement that will require a new business associate agreement, the business associate should be contacted now regarding the requirement of a business associate agreement.
Continue reading ›

1066466_dice[1].jpgOur health care system’s slow-but-sure conversion from paper to electronic health records (EHR) continues throughout the United States. The push toward EHR is strong, both as an inevitable industry trend toward efficiency and because of the mandate of federal law. EHR is obviously an integral part of health care reform changes. See January 31, 2013 post. Unintended adverse consequences of going paperless have appeared, however, including an apparent trend by doctors and other health care providers to haphazardly copy and paste identical notes from one patient visit to another.

This phenomenon — dubbed “sloppy and paste,” “sloppy pasting,” “copy-forward” and “cloning” — is a new problem in the industry and appears to be a strong trend. Although EHRs facilitate quick moves through patient records, the tempting ease of copy/pasting lends itself to mistakes. While many such mistakes may be innocuous, as an expansive trend copy/pasting EHR seems to have some meaningful unintended consequences, ranging from serious embarrassment, the appearance of billing fraud, or patient harm.

For example, since by definition coordinated patient care (another integral part of health care reform for which there is strong impetus) involves multiple health care professionals communicating with each other via the patient’s chart, the ability of each provider to rely upon the accuracy of information conveyed in the chart is critical. Proper management of all patient care in an integrated way requires an effective, accurate and timely exchange of information. The reliance of each provider upon inaccurate or misleading information copy/pasted into chart as a short cut can lead to confusion and mistakes and actually prevent “coordinated” care. In one reported example, a physician visited a patient in a coma who had postoperative complications. After reviewing the patient’s chart, the doctor visited with the patient’s very concerned family and commented to them that the patient was only in the third day of recovery, unaware that that the patient had been in recovery for over five weeks. For more than five weeks, the note “post-op day No. 2” was copied and brought forward each day. The highly embarrassed doctor’s credibility with the family was gone.
Continue reading ›

1269437_laptop_and_cellphone[1].jpgA single unencrypted laptop computer containing electronic protected health information (ePHI) cost The Hospice of North Idaho (HONI) $50,000. HONI agreed to pay the U.S. Department of Health and Human Services (HHS) a $50,000 fine to settle potential breaches of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.

HONI regularly used laptops in field work. However, according to HHS, HONI did not conduct an accurate and thorough analysis of the risk to the confidentiality of ePHI posed by mobile devices on an on-going basis as part of its security management process in violation of HIPAA. HONI also failed to implement security measures sufficient to ensure the confidentiality of ePHI that it created, maintained and transmitted using portable devices, another alleged HIPAA breach. In addition to the fine, HHS required HONI to enter into a corrective action plan.

The HONI settlement is notable as the first settlement of an alleged HIPAA violation based on breach of ePHI affecting fewer than 500 individuals. The government discovered in its investigation that HONI simply failed to conduct any risk assessment to safeguard ePHI and failed to have policies and procedures to address mobile devices. Leon Rodriquez, the Director of the HHS Office for Civil Rights, explained: “This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information.”
Continue reading ›

1066058_patrol_hat_too[1].jpgThe Health Information Technology for Economic and Clinical Health (HITECH) Act requires the U.S. Department of Health and Human Resources (HHS) to conduct audits to ensure health care providers, health care industry organizations, and their business associates comply with HIPAA. The HHS Office for Civil Rights (OCR) audit program scrutinizes policies and procedures (or lack of same) of HIPAA-covered entities. Audit protocol looks at many elements (which may vary based on the type of covered entity audited) categorized as privacy requirements, security requirements, and breach notification requirements. The OCR makes available its audit protocol for public review online. OCR awarded KPMG a $9.2 million contract to create HIPAA auditing protocols and to handle audits. The government is keen on these audits; audits will increase in the near future.

According to OCR, “To avoid enforcement penalties, covered entities must ensure they are always in compliance with the HIPAA Privacy and Security Rules.” Be prepared. Do not wait for an audit notice. A few of the many factors potentially relevant if your medical practice or other health care business is selected for the review include:

Is there a signed business associate agreement with each business associate?

Do you encrypt protected health information (PHI)?

Do you have policies and procedures in place for employees (new employees, existing employees, terminated employees, etc.)?

Do you have policies in place with regard to the removal of PHI from the medical practice site (e.g. a smartphone)?

Do you have a written policy for ascertaining and reporting a security breach?

Do your policies cover everything you do with PHI?

Do you really do things consistently with your existing policies?

Continue reading ›

1238683_untitled.jpgOn January 15, 2013, Dr. Joel I. Bertstein, a La Jolla, California oncologist, pled guilty to a charge that he introduced an unapproved drug into interstate commerce and administering it to patients. The drug is a cancer fighting drug known as “Mabthera.” Mabthera has not been approved by the U.S. Food and Drug Administration (FDA) for use in the United States and is intended for marketing in Turkey. Rituxa is the approved U.S. drug that contains the same active ingredient and is used to fight lymphomas and leukemias.

According to the government’s allegations, Bernstein and his corporate medical practice, Dr. Joel I. Bernstein, M.D. Inc., imported Mabthera at a deep discount, dispensed the drug to unwitting patients, billed Medicare as if the drug was legitimate, and retained profits from the transactions. The government alleged that during the period from 2007 to 2011, Bernstein purchased $3.4 million of unapproved cancer drugs, for significantly less than market value in the U.S., and submitted claims to Medicare at the full reimbursement price using Medicare codes for approved cancer drugs. The government charged that Bernstein submitted reimbursement claims of $1.7 million to Medicare.

The financial recovery for the federal tax payer is not the sole objective for the government’s prosecution of this type of Medicare fraud. Additionally, the government seeks to combat a strong nationwide trend that exposes U.S. patients to risks associated with the use of drugs not vetted and approved by the FDA. Patient welfare is at stake. Indeed, the government considers the problem of counterfeit drugs to be of “epidemic” scale. Numerous federal agencies, including the Department of Justice, the Federal Bureau of Investigation, the FDA, and Homeland Security, are involved in the effort to combat a national crisis of importation counterfeit and unapproved drugs. The government has undertaken significant efforts to discovery fraudulent Medicare schemes that cost the federal taxpaper billions of dollars every year and compromise patient safety.

The FDA’s procedures for approving a drug apply not only to the drug itself but also to labeling and packaging, the facility where the drug was manufactured and shipping protocol. Some oncology medications must be transported at a particular temperature. When a patient consumes an unapproved drug, he is taking a serious chance that the proper conditions for the manufacture and shipment of the drug have not been met. In Dr. Berstein’s case, the government asserted that unapproved chemotherapy drugs “may be fake, ineffective, unsafe and dangerous.”
Continue reading ›

1084630_question_mark_1.jpg

Physicians and dentists often decide to choose a new place to practice. Sometimes it might be in the same area but a different part of town or it can be in another city or state. Whether you are considering opening a new office or simply relocating, it is extremely important to do your homework before making this decision.

Here are a few tips from an experienced Georgia health care lawyer to consider.

One of the primary factors in making this decision is physician density. In areas where there are not as many doctors, it will be far easier to cultivate a new patient base. This is especially true if there are no physicians in the area with your expertise. In areas saturated with doctors, you are provided with the opportunity to expand your area of expertise and set yourself apart from the others.

Another thing to consider is an area with high unemployment. This would mean the people in that area would be less likely to have insurance coverage. This would make them less likely to make routine visits. This may all change under the Patient Protection and Affordable Care Act (PPACA).

Nobody really wants to talk about the costs involved for medical malpractice but it is a decision that has to be faced if considering a move. If you are moving in the same city or same area, this is not of significant concern. However, if you are considering moving to another state or a smaller town, the costs of malpractice insurance could vary greatly.

Lastly, consider what your earnings will be in the area you are considering. Physician compensation in the Midwest is higher than the Southwest. In reality a reputable physician can make a good living in any area he or she chooses to go to. One way to get inside information is to visit with other doctors in the area considering that they might not be entirely honest with their answers.

Unfortunately there is no cookie cutter format for determining the best place for a physician to be; there are issues specific to each practice that will need to be answered. The bottom line is that an experienced physician or dentist will flourish and succeed in any area that they choose.
Continue reading ›

files.jpg

The final Health Insurance Portability and Accountability Act (HIPAA) rule was announced on January 17, 2013, modifying the original 1996 version. The rule becomes effective on March 26, 2013, with full compliance mandated by September 23, 2013. After that, enforcement will commence.

Under the new rule, patients have new rights to their health information, greater privacy protection and the government has increased ability to enforce the law.

It is time to begin implementing a reporting plan for covered entities and business associates. Such a plan should consider four factors. Those factors to be considered in determining whether a breach must be reported include: (1) the type of protected health information (PHI) involved; (2) who used the PHI or to whom the PHI was disclosed; (3) whether the PHI was viewed or acquired; and (4) whether the risk to the PHI was mitigated, such as through assurances by trusted third parties that the PHI was destroyed.

Some other changes to be aware of are:

• Business associates are liable for HIPAA privacy and security rule requirements.

• A business associate includes subcontractors that create, receive, maintain or transmit PHI on the behalf of a business associate.

• Subcontractors for business associates are bound by the same compliance obligations no matter how far away the services are from the covered entity.

• A breach is any wrongful use or disclosure of PHI unless the covered entity or business associate assures that there was no compromise of the PHI or a small chance that it was.

• Covered entities have to protect the PHI of a decedent for 50 years following the date of death.

• Patients can request a copy of their electronic medical record (EMR) in an electronic form.

• For all practical purposes the sale of a patient’s PHI is prohibited without their authorization.

• Penalties are enhanced for noncompliance depending upon the level of culpability up to the civil monetary cap of $1.5 million per violation.

Navigating the expanded HIPAA rule and making certain that you are in compliance by September 23, 2013 can be a daunting task for small and large healthcare businesses, physicians, dentists and hospitals.
Continue reading ›

records.jpg

While only slightly more than two-thirds of primary care physicians in the United States used electronic medical records (EMR) in 2012, this is an increase of 50% over the 46% that reported using them in 2009. This data is documented in a Commonwealth Fund International Health Policy Survey, which was published in Health Affairs.

The use of electronic medical records can make physicians’ offices more efficient and improve the quality of patient care by making their medical history available to any physician treating them. Unfortunately, many physicians still prefer to maintain voluminous files containing patient information and illegible handwritten comments and progress notes.

Make no mistake about it, electronic medical records are the way of the future for medical practices of all sizes. With the passage of the Patient Protection and Affordable Care Act (PPACA), and its constitutionality ruling by the United States Supreme Court last June 28, 2012, healthcare reform is on its way. A mandate requiring electronic medical records for all practitioners is a part of PPACA and is set to take effect in 2014. Some mandates included in the Health Insurance Portability and Accountability Act (HIPAA) have been included in and strengthened under the PPACA.

Funding for the EMR legislation will cover a span of 10 years. By the end of that time, it is hoped that all practices will have implemented electronic medical records. Incentive programs are available through the federal government. Some professionals meeting federal requirements for EMRs can get up to $44,000 through the Medicare Electronic Health Records Incentive Program. Others who are providing service to patients in a Health Professional Shortage Area might qualify for incentives in excess of $44,000. Incentives for institutions are significantly higher, starting at $2 million, but the requirements are stiffer than for individual professionals.

Naturally there are requirements established by the federal government to make certain the incentive funding is being used properly. For example, there are specific formats for use in the areas of medical billing, patient medical history and employee communication.

Ultimately, the use of modern technology to comply with the electronic records mandate of PPACA will make our healthcare system better, provide better care to the patients and make it more affordable to all.
Continue reading ›

1330873_courthouse.jpgFederal law enforcement agents arrested one Chicago-area resident and six Detroit-area residents based on allegations of home health care fraud. In an 18-count indictment unsealed on January 17, 2013, the federal government contends that the seven parties effectuated a scheme to defraud Medicare based on claims for in-home health services at Royal Home Health Care Inc., Prestige Home Health Care Services Inc., Platinum Home Health Services Inc. and Empirical Home Health Care Services Inc. According to the indictment, Medicare was defrauded of over $22 million based on false claims for services since August 2008.

The Medicare Program is a federal health care program that provides benefits to the disabled and persons over age 65. It is administered by the Centers for Medicare and Medicaid Services (“CMS”), a division of the United States Department of Health and Human Services Office of Inspector General (“HHS-OIG”). In order for a health care provider to participate in Medicare, the provider must agree to abide by Medicare polices and procedures, rules, and regulations published by the federal government. When a provider is certified as a participant in the program, the provider receives a provider identification number for billing purposes, known as a “PIN.” A provider uses the PIN to submit claims for reimbursement to the government for services rendered to a patient, or “beneficiary.” A Medicare beneficiary has a Medicare beneficiary number that is used for billing purposes.

Combating Medicare fraud has been a major priority and focus of the federal government for many years. Since March 2007, the federal government’s Medicare Fraud Strike Force, which involves HHS-OIG, the FBI and other federal law enforcement, have charged more than 1,480 defendants who have falsely billed Medicare for over $4.8 billion. This indictment is part of the effort of the government’s Medicare Fraud Strike Force to effectively combat Medicare Fraud in an effort to curb the spiraling costs of the Medicare Program and otherwise for the benefit of the federal taxpayer.

According to the indictment, the home health care companies purported to provide in-home physical therapy, occupational therapy, speech pathology and/or skilled nursing services to patients. Royal, Prestige, Platinum and Empirical were Medicare providers that submitted claims directly to Medicare using PINs and beneficiary numbers. The individuals named in the indictment were either owners and/or officers of the home health care companies, or were employed as therapists or patient recruiters. The indictment charges that the defendants offered and paid kickbacks and bribes in the forms of cash payments and/or prescription narcotics to Medicare beneficiaries for the purpose of such beneficiaries arranging for the use of their Medicare beneficiary numbers by the conspirators as the bases of claims for physical therapy and other services. The indictment further alleges that Medicare claims were submitted to the government for physical therapy services and other services that were not provided and/or were not medically necessary. The indictment states that the defendants used false medical documents to support the fraudulent claims.
Continue reading ›

Contact Information