Archive for Legal Watch

Two-Minute Primer on Electronic Prescription of Controlled Substances

Two-Minute Primer on Electronic Prescription of Controlled Substances

The contents of a recent Drug Enforcement Administration policy statement on electronic prescriptions for controlled substances sound simple enough—you can use a mobile device for EPCS if it meets the latest Federal Information Processing Standards security requirements (FIPS 140-2), and you can use it as a “hard token” if it is separate from the device used to create the EPCS. But what does that mean? Are there any more limitations?

The Controlled Substances Act regulates drugs and other substances that have a potential for abuse and psychological and physical dependence, i.e., “controlled substances.” Controlled substances are organized into five schedules. Schedule I drugs have a high risk of abuse and no current accepted medical uses in the United States. Drugs in Schedules II through IV have currently accepted medical uses, but they also have a high potential for abuse. Drugs in Schedule II can only be issued pursuant to a written prescription, whereas drugs in Schedules III and IV may be issued pursuant to written or oral prescriptions.[1] The written prescription may be an electronic one, if it satisfies certain requirements.

An EPCS may be created with input and data entry from the DEA registrant (the prescribing practitioner) or his or her agent, provided that only the registrant can actually sign the prescription using the EPCS application.[2] To sign the application, however, the registrant has to complete a two-factor authentication process while at the same time viewing certain information about the EPCS (date of issuance; full name of patient; drug name; dosage strength and form, quantity prescribed, and directions for use; number of refills authorized; earliest date on which a pharmacy may fill each prescription; name, address and DEA number of the registrant)[3] and a statement of acknowledgement[4] regarding the EPCS, as prescribed by regulation. The provider’s completion of the two-factor authentication process in the EPCS application is the equivalent of signing a hard-copy paper prescription.[5]

The two-factor authentication process includes the use of two of the following authentication factors: (1) something only the practitioner knows (e.g., a password or response to a challenge question); (2) biometric data (e.g., a fingerprint or iris scan); or (3) a device, known as a hard token, which is separate from the computer or other device used to access the EPCS application (i.e., the hard token could be your phone, as long as you are not electronically prescribing the EPCS through an EPCS application on your phone).[6] The hard token is subject to FIPS 140-2 Security Level 1 requirements,[7] and the system used to validate biometric data must comply with other regulatory requirements,[8] all of which are beyond the scope of this article and beyond this author’s expertise.[9] Whichever factors are used in the two-factor authentication process, the prescribing practitioner/registrant must not share the authentication factors with any other person or allow it to be used to electronically sign an EPCS.[10] Additionally, if a practitioner/registrant loses his or her hard token (if applicable), he must notify the appropriate access control managers for the EPCS application (either in his/her individual practice or through an institutional provider such as a hospital) within one business day of the discovery, or he or she may be held responsible for any controlled substances written using his or her two-factor authentication credential.[11]

In addition to the requirements above and the responsibilities the practitioner normally has when issuing paper or oral prescriptions for controlled substances, there are more practitioner responsibilities when it comes to EPCS.[12] To the extent an EPCS is not successfully delivered, the practitioner must ensure that any paper or oral prescription issued as a replacement for a failed EPCS indicates that the prescription was originally transmitted electronically to a particular pharmacy and that the transmission failed. The practitioner must also exercise certain reasonable precautions to ensure that the EPCS application complies with all applicable regulatory requirements, especially if the practitioner is on notice that the EPCS system may not meet all the requirements.[13]

An exhaustive discussion of all the applicable requirements for EPCS is beyond the scope of this article. However, practitioners should be thinking about the vendors they are using for their EPCS system, the system’s capabilities and process control limitations, and the information security or physical safeguards they must maintain to ensure their two-factor authentication credentials are secure. In addition, it should be noted that EPCS are subject to other laws, such as the Ryan Haight Online Pharmacy Consumer Protection Act of 2008, which generally requires a practitioner to conduct at least one in-person medical examination for a patient if they are prescribing controlled substances for the patient.[14]

From a process standpoint, EPCS may be easier to work with, but it implicates substantial compliance concerns with a variety of laws. Practitioners should carefully consider the volume of legal and regulatory requirements applicable to EPCS and ensure their operations conform to all applicable requirements.

Article contributed by Christopher L. Richard with Gilpin Givhan, P.C. Gilpin Givhan, P.C. is an official partner with the Medical Association.

 

Resources

[1] Drugs in Schedule V may only be distributed or dispensed for medical purposes, but are not grouped in with either Schedule II or Schedules III and IV for purposes of the prescription requirements. See 31 U.S.C. § 829.

[2] 21 C.F.R. § 1311.135.

[3] 21 C.F.R. § 1311.120(b)(9).

[4] “By completing the two-factor authentication protocol at this time, you are legally signing the prescription(s) and authorizing the transmission of the above information to the pharmacy for dispensing. The two-factor authentication protocol may only be completed by the practitioner whose name and DEA registration number appear above.” 21 C.F.R. § 1311.140(a)(3).

[5] 21 C.F.R. § 1311.140(a)(5).

[6] 21 C.F.R. § 1311.115.

[7] Incorporated by reference in 21 C.F.R. § 1311.08.

[8] See 21 C.F.R. § 1311.116.

[9] This author suggests consulting with information technology experts in order to verify applications meet regulatory requirements, or at least include in agreements with vendors that the service they are providing complies with the applicable regulatory requirements.

[10] 21 C.F.R. § 1311.102(a).

[11] 21 C.F.R. § 1311.102(b).

[12] See 21 C.F.R. § 1311.102.

[13] 21 C.F.R. § 1311.102.

[14] See 21 U.S.C. § 829(e).

Posted in: Legal Watch

Leave a Comment (0) →

What Can Physicians Charge for Medical Records?

What Can Physicians Charge for Medical Records?

The State of Alabama Board of Medical Examiners amended its rules that govern the fees physicians may charge to provide patients with copies of their medical records.2 The rules are set forth in Section 540-X-9-.10(2) of the Alabama Administrative Code, and the new rules became effective April 13, 2018.

Here are the key dos and don’ts physicians should take into account to determine how much (and whether) they should charge patients for copies of their records.

Don’t charge anything other than a “reasonable, cost-based fee” for necessary supplies, labor and postage.

As in the past, the new rules permit a physician to recover a reasonable, cost-based fee to comply with a patient’s request for copies of his medical records, subject to the prohibitions, requirements and recommendations below. Federal law and applicable U.S. Department of Health and Human Services (“HHS”) guidance specify that a reasonable, cost-based fee may include (i) certain costs for the labor required to copy the medical record (subject to certain limitations, as noted below); (ii) the physician’s costs reasonably incurred for supplies (e.g., costs for paper, toner and the like for paper copies, or for CDs, USB drives, or similar electronic media, if requested); and (iii) the physician’s costs reasonably incurred for postage, if the patient requests mail delivery to him or his designee. Only charge postage if the patient specifically requests mail delivery (and agrees to be responsible for the cost).

Don’t charge a “search” fee or other labor costs not specifically authorized by law.

Physicians may recover only certain, limited costs for labor required to copy a patient’s record. The fee may not include the physician’s costs, if any, to verify or document the patient’s request, costs to search for or retrieve the record, or costs to access, store and maintain electronic or paper records, or similar infrastructure costs. Among other things, this means that “search fees,” authorized by state law, are prohibited following the issuance of the new ALBME rules.3

In determining a reasonable, cost-based fee, labor generally may be calculated using either of two methods: (a) the physician’s actual labor cost to respond to the patient’s request; or (b) the average cost to respond to a similar request, based on a schedule.

Don’t charge more than the statutory limits, no matter what.

In contrast to prior rules, the new rules include additional nuance pertaining to the permissible charge for copying electronic medical records.

If the patient requests a paper copy of his medical record, whether the record is maintained in electronic or paper form, or an electronic copy of his paper record, the physician may charge a reasonable, cost-based fee, calculated using the factors listed above. The fee may be a per-page fee, so long as it is a reasonable, cost-based fee.4 As in the past, the new rules limit the amount a physician may charge for copies to $1.00 per page for the first 25 pages and $.50 per page for additional pages, plus the actual cost of mailing the record.5

However, if the patient requests an electronic copy of his electronic record, (i) the physician may not charge a per-page fee (regardless of amount); and (ii) the physician may either charge (a) a reasonable, cost-based fee, as determined above (subject to the prohibition on per-page fees) or (b) a flat fee of $6.50.

Don’t charge patients for copies if they can’t afford it.

Significantly, recent changes in federal and Alabama laws (i.e., HIPAA and the new ALBME rules) prohibit a physician from charging any fee to make copies of the medical record of a patient who is not able to pay.6 Unfortunately, there is no specific guidance to help physicians determine whether a patient is able to pay a reasonable, cost-based fee. The new rules indicate that, in making this determination, physicians “should give primary consideration to the ethical and professional duties owed to other physicians and to their patients.”

Don’t charge for access via an online patient portal.

Likewise, physicians may not charge a fee to a patient to access his electronic health record. Specifically, HIPAA precludes physicians and other covered entities from charging a fee to the patient to access his record using the View, Download and Transmit functionality of a certified electronic health record (“CEHRT”).

Notify the patient about any charges in advance.

Laws also prohibit a physician from charging a fee for copies unless the physician notifies the patient about the fee in advance (i.e., when the patient makes the request). The physician must also provide the patient with a breakdown of the fee, upon request. In fact, HHS recommends the physician make its normal charges for copies available to the public on its website or by other means.

Discussion

The new ALBME rules include some limitations not before instituted in previous rules. It is important to note the limitations discussed in this article only apply to a request made by the patient.7 So, for example, if a patient needs to provide copies of his medical record to an attorney, a physician may be permitted to charge a different (read: greater) fee if the attorney makes the request (by subpoena, for example), as opposed to the patient requesting the physician transfer the records to the attorney.

The new rules also include provisions intended to bring the Alabama rules into compliance with applicable provisions of the federal HIPAA rules.8 While the new rules provide needed clarity as to certain matters, questions remain. Likewise, HIPAA imposes certain additional limitations on permissible charges that must be taken into account, even though they are not mentioned in the ALBME rules.

In any event, the fact is, as in most legal and regulatory matters, the answer to the seemingly simple question, “What can I charge to make a copy of the patient’s record?” is it depends on a number of factors. In addition, federal and State of Alabama authorities have made it clear they intend to target physicians who charge excessive fees in future enforcement actions. Consequently, it is vital physicians have a proper understanding of the issues addressed above and promptly take appropriate action to comply.

Nothing in this article should be considered legal advice. In the event you need legal advice in respect to the matters above, or other matters, please contact appropriate legal counsel.

Article contributed by D. Brent Wills, Esq., and Mazie Bryant1 of Gilpin Givhan, PC. Gilpin Givhan, PC, is an official partner with the Medical Association.

References
1 Ms. Bryant is a Juris Doctor candidate at the University of Alabama School of Law.

2 See Ala. Admin. Code § 540-x-9-.10(2).

3 Note Section 12-21-6.1 of the Alabama Code still permits a $5.00 “search fee” to be charged. HIPAA explicitly pre-empts Alabama law on this issue. It is not clear whether or when the Alabama Legislature will update the statute.

4 Although HIPAA does not specify a per-page fee that constitutes a reasonable, cost-based fee, there is no indication that the (maximum) per-page fees specified in the new ALBME rules would not pass muster.

5 See Ala. Admin. Code § 540-x-9-.10(2).

6 Ala. Admin. Code 540-X-9.10(2).

7 Note HIPAA treats a request by the patient’s personal representative (as defined in the Privacy Rule) as a request made by the patient.

8 “HIPAA” means, in this context, the federal Health Insurance Portability and Accountability Act, together the privacy, security and breach notification rules promulgated thereunder, as set forth at 42 CFR Part 160 and Part 164, as modified by the Health Information and Technology for Economic and Clinical Health Act of 2009 (“HITECH”).

Posted in: Legal Watch

Leave a Comment (0) →

HHS Seeks Comments on Easing Stark Law Burdens

HHS Seeks Comments on Easing Stark Law Burdens

The Centers for Medicare & Medicaid Services has requested public input on how the physician self-referral law, or Stark Law, may be interfering with care coordination. To help accelerate the transformation to a value-based system that includes care coordination, HHS has launched a Regulatory Sprint to Coordinated Care. The Regulatory Sprint is focused on identifying regulatory requirements or prohibitions that may act as barriers to coordinated care, assessing whether those regulatory provisions are unnecessary obstacles to coordinated care, and issuing guidance or revising regulations to address such obstacles and, as appropriate, encouraging and incentivizing coordinated care.

On June 25, 2018, HHS published in the Federal Register a Request for Information seeking comments on the structure of arrangements between parties that participate in alternative payment models or other novel financial arrangements and the need to revise or expand exceptions to the Stark Law. CMS states “CMS is aware of the effect the physician self-referral law may have on parties participating or considering participation in integrated delivery models, alternative payment models, and arrangements to incent improvements in outcomes and reductions in cost.” CMS has also engaged stakeholders through comment solicitations in several recent rulemakings. In 2017, through the annual payment rules, CMS asked for comments on improvements that can be made to the health care delivery system that reduce unnecessary burdens for clinicians, other providers, and patients and their families.

CMS is interested in the public’s thoughts on issues that include the structure of arrangements between parties that participate in alternative payment models or other novel financial arrangements, the need for revisions or additions to exceptions to the physician self-referral law, and terminology related to alternative payment models and the physician self-referral law. Specifically, CMS requested stakeholders’ thoughts on important definitions and/or concepts such as defining “commercial reasonableness,” “fair market value” and “take into account the volume or value of referrals” by a physician.

While the Request for Information does not mean HHS will make any changes to Stark, it is encouraging that CMS recognizes the many roadblocks Stark causes to legitimate arrangements involving physicians.

The Request of Information is available online at https://federalregister.gov/d/2018-13529.

Jim Hoover is a partner at Burr & Forman LLP practicing exclusively in the firm’s Health Care Industry Group. Burr & Forman LLP is a partner with the Medical Association.

Posted in: Legal Watch

Leave a Comment (0) →

Medical Association Receives Board of Midwifery Rule Withdrawal

Medical Association Receives Board of Midwifery Rule Withdrawal

The Medical Association joined with the Alabama Hospital Association, the Alabama Board of Nursing, the Alabama Department of Public Health and the Alabama Chapter-American Academy of Pediatrics recently offered comment to the Alabama Board of Midwifery’s proposed rules concerning the passage of Act No. 2017-282 in May 2017 (regarding licensed midwives). The Medical Association requested the Board withdraw the proposals at this time. Subsequently, the Medical Association attended a meeting of the Board on May 4, 2018, in which the Board took that advice and withdrew the rules to start the process anew.

Generally, the Medical Association commented that the proposed rules failed to properly follow the requirements under Act No. 2017-282 (the “Act”) and substantially failed to adequately protect the public. The Medical Association was successful when the Act passed the last day of the legislative session in May 2017, in requiring licensed midwives to use informed consent, maintain levels of liability insurance, and provide certain statistics annually. The proposed rules failed to provide a duty for the Board to enforce any of these requirements as well as enforce many other statutory requirements. In fact, the proposed rules failed to even provide a duty that the Board establishes the minimum levels of liability insurance, as specifically required under the Act.

Below are some of the items upon which the Medical Association commented:

  • Under the proposed rules, a licensed midwife was to make a “reasonable effort” to contact a receiving health care professional or receiving institution in an emergency transfer. The Medical Association commented that a licensed midwife must make “every effort” to contact the institution. The Medical Association strongly objected to a licensed midwife simply calling 911 and washing his or her hands of the matter to effect a transfer.
  • The Board proposed a rule that it would only look at conduct for licensed midwives in the previous 12 months in a complaint. The Medical Association commented that the Board should look to all conduct and that 12 months, considering a pregnancy is nine months, is grossly insufficient.
  • The Board attempted in the proposed rules to create a formulary for prescription drugs when neither the Act nor any other law, allowed licensed midwives to use prescription drugs.
  • Under the proposed rules, licensed midwives were attempting to provide certain care for newborns. The Medical Association pointed out that nowhere in Alabama law is licensed midwives authorized to provide newborn care. Instead, the Medical Association suggested licensed midwives stabilize and transfer any newborn needing medical care.
  • The Board attempted to establish the name of the Act as the Childbirth Freedom Act when no such name was given.
  • The proposed rules failed to follow the Alabama Administrative Procedures Act.

In other words, the Medical Association believed that substantial changes in the proposed rules were necessary and that they should be redrafted to follow the law and protect clients sufficiently. The Medical Association was successful in convincing the Board that withdrawal of the rules was appropriate at this time.

Posted in: Legal Watch

Leave a Comment (0) →

Trends In False Claims Lawsuits

Trends In False Claims Lawsuits

 Trends in False Claims Lawsuits Since the Ruling in Universal Health Services v. U.S. ex rel. Escobar on June 16, 2016

Generally, the False Claims Act (“FCA”) imposes liability on any person who “knowingly presents, or causes to be presented, a false or fraudulent claim for payment or approval to the United States; [or] knowingly makes, uses, or causes to be made or used, a false record or statement material to a false or fraudulent claim 31 U.S.C. § 3729. The Supreme Court decided Universal Health Services v. U.S. ex rel. Escobar on June 16, 2016, which changes the way FCA lawsuits are litigated. The Supreme Court ruled in Escobar that the implied false certification theory can form the basis for False Claims Act (“FCA”) liability. In an implied false certification theory case, the defendant is alleged to have falsely certified that it complied with a statute or regulation, the compliance of which is a condition of Government payment.

However, in Escobar, the Supreme Court put limits on the application of the implied false certification theory. Importantly, it first emphasized the False Claims Act is not a means of imposing treble damages and other penalties for insignificant regulatory or contractual violations.

Although the Supreme Court held that the implied certification theory can be a basis for liability, it requires that two conditions are satisfied. First, the claim must make specific representations about the goods or services provided. Second, the health care provider’s failure to disclose noncompliance with material statutory, regulatory, or contractual requirements makes those representations misleading half-truths. Compliance with the statutory, regulatory or contractual requirements does not have to be an expressly stated condition of payment for liability under the FCA to attach. Rather, liability depends on whether the health care provider knowingly violated and/or misrepresented compliance with a legal requirement that the health care provider knew was material to the Government’s decision to pay the claim.

While the Supreme Court recognized the theory of implied certification, the theory does not turn upon whether the payment requirements are expressly designated as conditions of payment. “Statutory, regulatory and/or contractual requirements are not automatically material, even if they are labeled conditions of payment” and “[a] defendant can have ‘actual knowledge’ that a condition is material without the Government expressly calling it a condition of payment.” The Court further stated that requiring the Government to expressly designate conditions of payment for every regulation would be too burdensome, and the “rigorous” materiality and scienter threshold requirements in the FCA should suffice to ease health care provider’s concerns.

FCA analysis turns on whether the defendant knowingly violated a requirement that the health care provider knew was material to the Government’s payment decision. A misrepresentation about compliance with a statutory, regulatory, or contractual requirement must be material to the Government’s payment decision in order to be actionable under the False Claims Act. The Court provided clarification on how the “materiality requirements” should be enforced. The Court noted that the term “material” is defined in the FCA as “having a natural tendency to influence, or be capable of influencing, the payment or receipt of money or property.” The Court called the materiality standard “demanding” and largely dependent on the particular facts of the case rather than an objective bright-line standard. “[W]hen evaluating materiality under the False Claims Act, the Government’s decision to expressly identify a provision as a condition of payment is relevant, but not automatically dispositive…Conversely, if the Government pays a particular claim in full despite its actual knowledge that certain requirements were violated, that is very strong evidence that those requirements are not material. Or, if the Government regularly pays a particular type of claim in full, despite actual knowledge that certain requirements were violated, and has signaled no change in position, that is strong evidence that the requirements are not material.”

Escobar makes clear that the district court’s principal method for evaluating implied certification claims has changed. Since the ruling in Escobar, several federal circuit and district courts have taken the Supreme Court’s demanding materiality standard to heart and examines false claims cases using the criteria set out in Escobar. For example, the Eleventh Circuit recognized the district court should be given the opportunity to reconsider the allegations in false claims cases in light of the changed legal landscape. Marsteller for use & benefit of United States v. Tilton, 880 F.3d 1302, 1313 (11th Cir. 2018). The Eleventh Circuit states the Supreme Court explicitly rejected a standard for implied certification claims that focuses exclusively on whether the Government expressly designates a contractual, statutory, or regulatory obligation as a condition of payment. Whether a condition is so designated is “relevant to but not dispositive of the materiality inquiry,” but not a precondition to the theory of liability itself. Id. at 2001.

Escobar now provides the district court with a more refined framework to address false claims cases. The definition of “material” contained within the statute itself considers whether the misrepresentation had a natural tendency to influence or be capable of influencing, the payment or receipt of money or property. Escobar now instructs courts to consider whether noncompliance is “minor or insubstantial” and amounts to “garden-variety breaches of contract or regulatory violations,” or, conversely, whether the Government would have attached importance to the violation in determining whether to pay the claim. Id. at 2002–03.

As time goes on, the federal courts will continue refining what conduct warrants prosecution in FCA cases that can result in substantial civil monetary penalties. The meaning of “materiality” will continue to form a central consideration in litigation of any FCA case for years to come.

Jim Hoover is a partner in the Health Care Practice Group at Burr & Forman LLP and exclusively represents health care providers in false claims litigation and regulatory compliance. Burr & Forman LLP is a preferred partner with the Medical Association. 

Posted in: Legal Watch

Leave a Comment (0) →

You Need to Know When to Hold ’em and Know When to Merge ’em

You Need to Know When to Hold ’em and Know When to Merge ’em

With uncertainty in the health care markets and the growing demands on medical practice infrastructure, many physicians are thinking that merging their practice with another might be a worthwhile idea. A merger might be advisable under some circumstances, problematic in other cases, and potentially illegal in certain instances. We will leave the legal issues to the attorneys, but if you are talking with the only other practice of your specialty in your city, I recommend getting some legal advice.

When physicians initiate merger discussions, they often begin with an assumption that they can share the overhead of one group and all enjoy a dramatic increase in personal income. Based on the enthusiasm generated by this monetary issue, a plan to pursue merger begins. However, there are other matters which should come before the optimistic expectation of financial gain.

Do Your Homework

The most basic consideration is whether the physicians in both groups are clinically compatible. Medical training and various academies afford latitude in clinical decision making, a medical choice at one end of that range of latitude can be questionable in the mind of an M.D. on the opposite end. Making certain your groups are clinically compatible is the first step in a successful merger. Compatibility also includes practice patterns, treatment protocols and utilization issues.

If you are a good fit clinically, look next at cultural issues. This includes the manner in which the physicians relate to their patients, the staff and to one another. Many groups will not tolerate a physician who is rude to patients, hostile to staff and abrasive with other doctors in the group or in the medical community. This behavior may have been accepted in one group, but it will be toxic in the merged practice. In my experience working to help keep practices together, cultural differences are the most common areas of disagreement and are also the most difficult problems to solve.

Devising a Plan

If the groups are deemed to be clinically and culturally compatible, the hard part is complete. Now you are ready to address any differences in work ethic. I place this third because if there are differences, they can be mitigated with a well-designed physician compensation formula. There are times when one physician’s pursuit of appropriate work-life balance might result in choices which appear to another M.D. as neglect of the practice, but those are part of the cultural difference resolution. Differences in work ethic must be accommodated in the practice of medicine, and bonus differentials are designed to do exactly that.

Finally, it is time to assess the monetary matters. Overhead can be shared and, perhaps, reduced. The practice management, billing and EMR systems needed for one practice might be able to handle two groups with little increase in costs. Ancillary activities may be more profitable with additional physicians referring to them. The best practice behaviors of each group can be shared to improve patient scheduling, procedure mix, payer mix and revenue cycle processes.

Bet or Fold

The process of determining clinical, behavioral, work ethic and financial compatibility needs an outside facilitator to keep it on track and to ensure the difficult parts of the dialogue are addressed and moving forward, rather than stalling out. A merger may be in the cards for your group, but keep in mind that one done poorly can cause many years of pain which could have been avoided.

 

Article contributed by Sae Evans, Maddox Casey and Jim Stroud, Members, Warren Averett Healthcare Consulting Group. Warren Averett is an official Gold Partner with the Medical Association.

Posted in: Legal Watch

Leave a Comment (0) →

Alabama SB39: Another Shot in the Opioid Battle

Alabama SB39: Another Shot in the Opioid Battle

On March 28, 2018, Alabama Senate Bill 39 was sent to Governor Ivey’s desk for signature. SB39 introduces stiffer penalties related to fentanyl possession and distribution. It amounts to a local effort forming part of a nationwide, multi-pronged response to the opioid epidemic that has plagued the country in recent years. While this bill is not yet law as of the date of this article, it came to the Governor’s desk with broad support from both the House and Senate, and an awareness of its contents (and its place in the larger opioid crisis) is valuable.

Fentanyl is a particularly strong opioid that has of recent been the target of much abuse. The National Institute on Drug Abuse notes that in 2016, fentanyl contributed to more than 20,000 overdose deaths; medical examiners reported that fentanyl or fentanyl mixtures were involved in the deaths of the musicians Prince and Tom Petty. SB39 includes several related features stiffening enforcement of abuses of fentanyl and related drugs: the bill would:

  1. add fentanyl and related analogues (e.g., butyrfentanyl and acetyl fentanyl) to Schedule I of the controlled substances list;
  2. make a person (unless otherwise authorized by law) who possesses, distributes, or traffics such drugs guilty of a felony, and conviction for distribution subject to enhanced penalties;
  3. include under the meaning of “trafficking” possession of fifty or more individual packages of the substance

A related proposal that was introduced but ultimately rejected by the legislature was a change to allow prosecution of physicians for over-prescribing opioids.

Of particular note are the low thresholds set for amounts of fentanyl and fentanyl analogues — an acknowledgment of both the potency of the drug and the severity of the current crisis. The bill would amend §13A-12-231 of the Alabama Code to make possession of one gram or more of fentanyl or a fentanyl analogue a felony of “trafficking in illegal drugs,” and includes substantial fines. As noted above, conviction can also occur if one is in possession of 50 or more individual packages of fentanyl or a fentanyl analogue, notwithstanding the fact the combined weight of the fentanyl or fentanyl analogues in the packages may be less than one gram.

At this point of the opioid epidemic, some physicians may well be experiencing opioid fatigue. News articles, legislative and regulatory initiatives, personal testimonies, seminar topics, and other avenues have been bringing this issue to the health care industry’s attention for years now. It is a complex problem, with a multiplicity of root causes and a variety of faces. The several penalties included in this recent bill are a reminder that staying abreast of all the many changes, initiatives and tools aimed at addressing opioid abuse is well worth the time and attention.

Whatever the eventual fate of SB39, this will not be the last shot fired in the response to opioid abuse. This bill is a reminder that the responses to this crisis are varied, and that although the opioid epidemic is a national problem, it also plays out on the state and local level. As “opioid” refers to a diverse range of drugs, the “opioid epidemic” refers to a complex quagmire. Being well aware of the problem, in general, is no substitute for familiarity with the many paths being carved through it. In addition to introducing potential changes to the criminal law code such as SB39, Alabama has also taken such steps as forming the Alabama Opioid Overdose and Addiction Council, formed in August 2017 by Governor Ivey, which has made such recommendations as improving and modernizing Alabama’s prescription drug monitoring program; the Alabama Department of Public Health is leveraging funding from the CDC’s Data-Driven Prevention Initiative (DDPI) on Opioid and Heroin Abuse to identify stakeholders of and solutions to the problem; Alabama Attorney General Steve Marshall filed a lawsuit in February 2018 against one of the largest drug manufacturers in the nation.

This is a constantly changing landscape, and the opportunity for missteps abound. Some of these missteps have consequences that reach beyond issues of reimbursement and licensure. The fate of SB39 is worth watching — its wide support in both chambers of the Alabama Legislature make it a prime candidate for signing into law by the governor. However, beyond offering a description of this one bill, this present article should serve as a reminder that opioid-related news deserves close attention because of, not despite, the frequency of the topic. New laws and initiatives are coming out regularly, and if you’ve seen one you have not seen them all.

Article written by Chris Thompson, an attorney with Burr & Forman LLP practicing in the firm’s healthcare group. Burr & Forman, LLP, is a partner with the Medical Association. Read other articles from Burr & Forman LLP.

Posted in: Legal Watch

Leave a Comment (0) →

Alabama Legislature Considers State Law on Cybersecurity

Alabama Legislature Considers State Law on Cybersecurity

At the time of the writing of this article, Alabama is one step closer to having a law on the books related to cybersecurity. As one of only two states without a state data breach law, Alabama is considering legislation that requires certain entities, “covered entities,” to report to state agencies and affected individuals when there has been an unauthorized acquisition of “electronic, sensitive personally identifying information.”

On March 1, 2018, the Alabama Senate passed SB318, and if passed by the House and signed by the Governor, it would require “covered entities” to notify Alabama’s Attorney General, Alabama residents whose information has been compromised, and consumer credit-reporting agencies of a data breach. For health care providers covered by the Health Insurance Portability and Accountability Act (“HIPAA”), federal law already requires notification when they experience unauthorized disclosures of protected health information. In addition to HIPAA’s breach notification requirements, the new Alabama law would require reporting at the state level for healthcare providers who experience a data breach. It is important to note that the term “covered entities” in the proposed legislation is much broader and applies to persons or business entities that acquire or use personally identifiable information.

Investigation and Reporting

Under SB318, a covered entity is required to investigate any data breach and in some instances report the breach. The investigation must include:

  1.  an assessment of the nature and scope of the breach,
  2.  identification of any sensitive personally identifying information involved and the individuals involved,
  3.  a determination as to whether the information was acquired by an unauthorized individual and could result in substantial harm, and
  4.  identify and implement measures to restore security and confidentiality of the system involved in the breach.

It is the second factor that determines whether the breach is reportable:  Is the sensitive information reasonably believed to have been acquired by an unauthorized person? And is the unauthorized acquisition reasonably likely to cause substantial harm to the individuals?

The law sets forth four factors to consider when evaluating whether the information is “reasonably believed” to have been acquired by an unauthorized individual. In making this determination, the covered entity must evaluate “indications that the information is in the physical possession and control of a person without valid authorization, such as a lost or stolen computer or other device containing information; indications that the information has been downloaded or copied; indications that the information was used by an unauthorized person, such as fraudulent accounts opened or instances of identity theft reported; and whether the information has been made public.” Unfortunately, the law does not provide guidance on whether the breach is reasonably likely to cause substantial harm to the affected individual.

Even if a breach is not a reportable event, the covered entity must maintain relevant records for at least five years. For instance, if the covered entity determines the breach is not reasonably likely to cause substantial harm then no notification is required, but the entity should keep all records related to the breach and their determination that notification was not necessary for five years following the incident.

Required Security Measures

The proposed legislation also requires covered entities to implement “reasonable security measures” to protect an individual’s data.  Similar to HIPAA, the bill requires the covered entity to designate an employee to coordinate security measures (i.e. HIPAA Security Officer) and to identify risks of data breaches. In recognizing that not all covered entities face the same risks or have the same resources, the required “reasonable” security measures should take into account the size of the covered entity, the amount of data maintained and stored by the covered entity and the cost to implement security measures. Good news for healthcare providers, if a healthcare provider has performed the necessary security and risk assessments required under HIPAA, it should easily meet the standards required in SB318.

Information that Triggers Notification

Not all information qualifies as “sensitive personally identifiable information.” To meet this definition, the accessed information must consist of the individual’s first name or initial and last name in combination with any one of these data elements:

  • A non-truncated (or shortened) Social Security or tax identification number;
  • Non-truncated driver’s license, state-issued identification card number, passport number, military identification number or any unique, government-issued number used to verify identity;
  • A financial account, credit or debit card number along with a required security code, expiration date, PIN, access code or password necessary to access a financial account or conduct a transaction;
  • Individual medical or mental history or treatment information;
  • A health insurance policy or identification number; and
  • A username or email address along with a password or security question and answer that gives access to an online account that is likely to contain sensitive personal information.

Elements and Method of Notification

If the investigation concludes that notification must be made, the covered entity must provide notification as “expeditiously as possible but no more than 45 days after the determination of the breach. The notification may be made by mail or email and must include the following elements: 

  • The date, estimated date, or estimated date range of the breach;
  • A description of the sensitive personally identifying information that was acquired by an unauthorized person as part of the breach;
  • A general description of the actions taken by a covered entity to restore the security and confidentiality of the personal information involved in the breach;
  • A general description of steps a consumer can take to protect himself or herself from identity theft; and
  • Information that the individual can use to contact the covered entity to inquire about the breach.

Penalties

The legislation also includes penalties for failing to provide the required notifications, including a potential violation of the Alabama Deceptive Trade Practices Act (“ADTPA”). The Deceptive Trade Practice Act penalties would apply for willful or reckless disregard of the notification requirements. Civil money penalties are capped at $5,000 per day for each consecutive day the covered entity fails to comply with the notice provisions and there is a $500,000 cap for violations under the ADTPA. A violation does not constitute a criminal offense and does not provide for a private right of action.  In other words, a patient/consumer cannot sue the covered entity for the breach.

The bill is currently pending before the Alabama House of Representatives, bill number HB410.

Article contributed by Burr & Forman, LLP. Burr & Forman, LLP, is a partner with the Medical Association. Please read other articles from Burr & Forman, LLP, here.

Posted in: Legal Watch

Leave a Comment (0) →

Twenty States File Lawsuit against Government for the Affordable Care Act

Twenty States File Lawsuit against Government for the Affordable Care Act

Twenty states, including Alabama, have formed a coalition to file a lawsuit against the government claiming that the Affordable Care Act is now unconstitutional.

According to the lawsuit, the states are claiming that since the GOP eliminated the tax penalty associated with the individual mandate, ObamaCare itself is no longer constitutional.

The Tax Cuts and Jobs Act, signed into law by President Donald Trump on Dec. 22, 2017, eliminated the tax penalty of the ACA, without eliminating the individual mandate itself, according to the lawsuit filed in U.S. District Court in the Northern District of Texas.

In 2012, the Supreme Court ruled 5-4 that ObamaCare’s individual mandate was constitutional because Congress has the power to levy taxes. The lawsuit points to that part of the ruling in its argument that the law is no longer constitutional.

“Following the enactment of the Tax Cuts and Jobs Act of 2017, the country is left with an individual mandate to buy health insurance that lacks any constitutional basis,” the lawsuit states. “Once the heart of the ACA — the individual mandate — is declared unconstitutional, the remainder of the ACA must also fall.”

In its current form, the ACA imposes rising costs and transfers an enormous amount of regulatory power to the federal government, according to a statement by Texas Attorney General Ken Paxton and Wisconsin Attorney General Brad Schimel, who are leading the 20-state coalition lawsuit.

The lawsuit was filed by the attorneys general for the states of Wisconsin, Alabama, Arkansas, Arizona, Florida, Georgia, Indiana, Kansas, Louisiana, Missouri, Nebraska, South Carolina, South Dakota, Tennessee, Utah, West Virginia, Texas, and by the governors of Maine and Mississippi.

The Medical Association is closely monitoring the lawsuit and will report more information as it becomes available.

Posted in: Legal Watch

Leave a Comment (0) →

Just What the Doctor Ordered: An Alabama Perspective on the Opioid Epidemic

Just What the Doctor Ordered: An Alabama Perspective on the Opioid Epidemic

Sometimes, Alabama is No. 1. In 2012, Alabama was the highest per capita painkiller prescribing state, with an average of 143 prescriptions written per 100 people — almost three times the rate of the lowest prescribing state.1 Alabama has been home to other No. 1s, too. In 2012, Dr. Shelinder Aggarwal, a former Huntsville-area pain doctor, was the top Medicare prescriber of prescription painkillers in the United States, until he was sentenced to 15 years in prison, had to pay back some $9.5 million in fraudulently billed claims, and surrendered his medical license in the wake of an examination by the Board of Medical Examiners.2

Many aspects of Aggarwal’s practice, which was described in the charging documents against him as a “pill mill,” are almost beyond belief. Aggarwal was seeing 80 to 145 patients in his office each day in 2012. Alabama pharmacies filled about 110,013 prescriptions (12,313,984 pills) in calendar year 2012 for controlled substances prescribed by Aggarwal. That equates to 423 prescriptions and 144 patients per day, assuming Aggarwal worked a five-day work week and wrote about three prescriptions per patient.3

Exactly how Aggarwal was able to prescribe controlled substances in such volumes is no less shocking. According to charging documents, initial visits entailed little more than a superficial physical exam and a urine drug test and lasted only five minutes. Follow-up visits could last as little as two minutes. Aggarwal allegedly did not retrieve a patient’s medical history, nor did he treat his patients with anything other than controlled substances. He was known to ask patients what medications they wanted, and he even wrote prescriptions for controlled substances to patients who admitted to using illegal drugs, or whose drug screen showed illegal drugs in their system.4

Aggarwal’s example, perhaps, is on the extreme end of the spectrum, but it highlights the gravity of the “opioid epidemic” Alabama and the United States are facing right now. Every physician has a role to play combating these opioid problems, and there are tools out there to help.

Prescription Drug Monitoring Program

The Alabama Prescription Drug Monitoring Program, or PDMP, is designed to “promote the public health and welfare by detecting diversion, abuse and misuse of prescription medications classified as controlled substances under the Alabama Uniform Controlled Substances Act.”5 Under the authorizing act and implementing regulations for the PDMP, any dispenser of Class II, III, IV or V controlled substances must report the dispensing of these drugs to the PDMP.6 Therefore, in most cases, you should be able to see any controlled substance (e.g. opioids) that have been dispensed to a patient if you check the PDMP. Although the PDMP authorizing act does not require prescribers to check the PDMP, they are allowed to access PDMP
information for a current or prospective patient,7 and their applicable licensure board may impose requirements to check the PDMP by regulation. Prescribers and dispensers should consult the PDMP and may suggest other health providers also consult the PDMP if there is information that may be important to the other health provider. Note: Neither the PDMP report nor any information from the PDMP report should be disclosed — that’s why you should suggest the other health provider consult the PDMP if you have a concern, rather than revealing information directly from the report.8

BME Risk and Mitigation Strategies Rule

The PDMP statute does not require prescribers to consult the PDMP, but certain licensure boards do. For instance, the BME recently finalized a new rule on risk and mitigation strategies (RMS) for prescribing physicians.9 The new rule requires prescribers to check the PDMP at frequencies that vary based on the morphine milligram equivalency (MME) of medications they are prescribing: (1) upon each prescription for controlled substances greater than 90 MME; (2) at least twice each year for controlled substances between 30 and 90 MME; and (3) consistent with “good clinical practice” for controlled substances less than 30 MME. Additionally, physicians are required to document the use of RMS in the patient’s medical record. Physicians should take care to adequately document appropriate RMS without running afoul of the PDMP prohibition on disclosing the PDMP report or the information contained therein. This can be a difficult task to fulfill when you can’t keep a copy of the PDMP report in the patient’s medical record.10 A simple notation in the patient’s medical record that you have checked the PDMP and that there are no contraindicated prescriptions likely would suffice.

The new RMS rule sets forth other RMS, including pill counts, urine drug screenings, patient education, and others, some of which are described below from the CDC. Physicians should note that failure to fulfill their obligations under this rule could lead to adverse licensure actions.11

CDC Guidelines for Prescribing Opioids for Chronic Pain

The Centers for Disease Control and Prevention, after a rigorous period of research, consultation and public comment, has also issued opioid prescribing guidelines for primary care physicians treating patients with chronic pain.12 Below is a brief description of the guidelines:

  • Consider nonpharmacologic therapy; only prescribe opioids if risks outweigh benefits;
  • Establish treatment goals;
  • Discuss known risks and benefits of opioid therapy with patients, as well as clinician responsibilities for managing therapy;
  • Consider prescribing immediate-release, rather than extended-release opioids;
  • Prescribe the lowest-effective dosage;
  • For short-term (acute) pain, prescribe the lowest-effective dose and only in the quantity needed for the expected duration of pain severe enough to require opioids;
  • Evaluate risk factors for opioid-related harms and implement a risk mitigation plan;
  • Review the PDMP for harmful quantities or combinations of controlled substances;
  • Conduct urine drug testing before starting opioid therapy;
  • Avoid prescribing opioids and benzodiazepines concurrently, if possible;
  • Offer evidence-based treatment for patients with opioid-use disorder.

A full report listing methods, clinical evidence, and a full discussion of the above recommendations are available from the CDC (see link in footnote 12 below for reference).

These are just a few tools to help you help your patients and mitigate the opioid epidemic. Let’s not win anymore No. 1s of the kind described above for the State of Alabama.

References

1 Prescribing Data, Centers for Disease Control and Prevention (Dec. 20, 2016), https://www.cdc.gov/drugoverdose/data/prescribing.html; Leonard J. Paulozzi, MD et al., Vital Signs: Variation Among States in Prescribing Opioid Pain Relievers and Benzodiazepines—United States, 2012, CDC: Morbidity and Mortality Weekly Report (July 4, 2014), available at https://www.cdc.gov/mmwr/preview/mmwrhtml/mm6326a2.htm?s_cid=mm6326a2_w.

2 Huntsville Pill Mill Doctor Sentenced to 15 Years in Prison for Illegal Prescribing and Health Care Fraud, Department of Justice: U.S. Attorney’s Office, Northern District of Alabama (February 7, 2017), available at https://www.justice.gov/usao-ndal/pr/huntsville-pill-mill-doctor-sentenced-15-years-prison-illegal-prescribing-and-health.

3 United States v. Shelinder Aggarwal, Information Against Shelinder Aggarwal, Sept. 22, 2016.

4 Id.

5 Alabama Department of Public Health: Prescription Drug Monitoring Program Home (June 23, 2017), http://www.alabamapublichealth.gov/pdmp/index.html.

6 Ala. Code § 20-2-213 (1975); Ala. Admin. Code r. 420-7-2-.12 (Nov. 24, 2014).

7 Ala. Code § 20-2-214(2) (1975); Ala. Admin. Code r. 420-7-2-.13 (Nov. 24, 2014).

8 See Ala. Code §§ 20-2-215 to 20-2-216 (1975) (making records and information in the PDMP privileged and confidential and creating a Class A Misdemeanor for individuals who intentionally make an unauthorized disclosure of information from the PDMP); see also FAQ, Alabama Department of Public Health: Prescription Drug Monitoring Program (May 31, 2017), http://www.alabamapublichealth.gov/pdmp/faq.html.

9 See Ala. Admin. Code r. 540-X-4-.09 (March 9, 2017).

10 See FAQ, Alabama Department of Public Health: Prescription Drug Monitoring Program (May 31, 2017), http://www.alabamapublichealth.gov/pdmp/faq.html.

11 Ala. Admin. Code r. 540-X-4-.09(8) (March 9, 2017).

12 Deborah Dowell, MD et al., CDC Guideline for Prescribing Opioids for Chronic Pain—United States, 2016, CDC: Morbidity and Mortality Weekly Report (March 18, 2016), available at https://www.cdc.gov/mmwr/volumes/65/rr/rr6501e1.htm#suggestedcitation.

 

Article contributed by Christopher L. Richard with Gilpin Givhan, P.C. Gilpin Givhan, P.C., is a Bronze Partner with the Medical Association.

Posted in: Legal Watch

Leave a Comment (0) →
Page 1 of 3 123