Archive for MVP

What’s Behind the Curtain? Federal Agencies Seek Transparency Regarding Health Provider Ownership

What’s Behind the Curtain? Federal Agencies Seek Transparency Regarding Health Provider Ownership

By: Jessie L. Bekker, Burr & Forman LLP

Market analysts reported a decline in mergers & acquisitions in the health care industry in
2023 as compared to pre-pandemic trends—a perhaps unsurprising development amid 7% or
higher interest rates. The federal government, however, is now taking notice of who’s behind the
ongoing trend toward health care consolidation.

On March 5, three federal departments—the Department of Justice (DOJ), Department of
Health and Human Services (HHS), and Federal Trade Commission (FTC)—published a request
for information seeking public input into the effects private equity transactions have on patients,
payers and providers, a request driven by a concern “that some transactions may generate profits
for those firms at the expense of patients’ health, workers’ safety, quality of care, and affordable
health care for patients and taxpayers.”

The DOJ/HHS/FTC request for information is just the latest in a line of federal inquiries
into the ownership and control of providers and suppliers across the health care industry. The
Centers for Medicare & Medicaid Services (CMS) published a request for information in January
related to Medicare Advantage data, including data regarding “the impact of mergers and
acquisitions” and “the effects of vertical integration.” In December, President Joe Biden
announced the publication of ownership information regarding Medicare-enrolled federally
qualified health centers and rural health clinics. November brought new requirements regarding
nursing home ownership and control reporting through a new final rule published by CMS.
And of course, the Corporate Transparency Act, which took effect on January 1, 2024,
requires that nearly all business entities within and outside of the health care industry report their
ownership and control interests to the Department of Treasury’s Financial Crimes Enforcement
Network, a requirement that reflects the agency’s effort to track down fraudulent money
laundering activity.

Despite plateauing merger and acquisition activity in 2023, analysts predict 2024 could
be the year of physician practice acquisitions and health system consolidation. Reports indicate
that physician specialties including dermatology, cardiology, orthopedics and plastic surgery
may see an increase in investor interest. Others predict investor interest in behavioral health
providers. In any event, it’s unlikely the federal government’s interest in merger & acquisition
activity will wane. In its request for information, the DOJ, HHS and FTC requests public input
related to both direct acquisitions by private equity funds and “transactions structured to
facilitate private equity investment, circumventing applicable corporate practice of medicine
restrictions.” The agencies’ request also seeks information regarding vertical integration, where a
health system buys up health providers across the care continuum, from ambulatory surgery
centers, to nursing facilities.

The agencies are not just interested in who is behind the transaction, but how it affects
patients, payers, providers and employers on a variety of metrics including the cost and quality
of care, reimbursement rates, provider compensation models and changes in facility choice.

The DOJ/HHS/FTC request for information is open to public comment until May 6, 2024. Comments can be submitted at

While the requests from CMS and the DOJ, HHS and FTC don’t create affirmative
requirements of providers today, both the Corporate Transparency Act and CMS’ latest final rule
on nursing home ownership and control reporting generate new reporting obligations.

The Corporate Transparency Act will require most physician practices existing as of
January 1, 2024 to report certain information to the federal government by the end of the year,
including reporting of a practice’s ownership interests and the individuals who control the
entity’s decision-making. Among other required reports, the Financial Crimes Enforcement
Network, or FinCEN, seeks information regarding an entity’s beneficial owners—those who own
or control at least 25% of ownership interests of a reporting company, and those who exercise
“substantial control” over a reporting company. Entities that form in 2024 will be required to
make reports to FinCEN within ninety (90) days of formation. Practice managers and administers
are encouraged to seek counsel from their accountants and attorneys regarding the new reporting
requirements under the Corporate Transparency Act. FinCEN’s Small Entity Compliance
Guidance, which details the reporting requirements, can be found at

For nursing facilities, new ownership and control reporting requirements will be reported
on a revised version of the Form CMS-855A, the Medicare enrollment application for
institutional providers, which CMS has yet to publish. The revised form is expected to reflect the
final rule’s new mandated reporting requirements. Skilled nursing facilities (SNF) and Medicaid-
enrolled nursing facilities should expect to report information regarding their governing bodies,
officers, directors and managing employees, including SNF medical directors and administrators.
The new rule also requires reporting of “additional disclosable parties,” including, but not
limited to, people and entities who: exercise financial control over the facility; lease or sublease
real property to the facility; and provide management, administrative, clinical consulting and
financial or accounting services to the facility. Facilities should discuss the new requirements,
including the timing of the report, with their advisors.

Jessie L. Bekker is an attorney at Burr & Forman LLP practicing exclusively in the firm’s
healthcare practice group. Jessie can be reached at or (205) 458-5275.

Posted in: Legal Watch, MVP

Leave a Comment (0) →

New OIG Advisory Opinion Reinforces OIG’s Stance Against Turnkey Contractual Joint Ventures

New OIG Advisory Opinion Reinforces OIG’s Stance Against Turnkey Contractual Joint Ventures

By: Jessie Bekker, Burr & Forman LLP

The Office of Inspector General (“OIG”) has issued a new opinion with a familiar message cautioning providers against entering into suspect contractual joint ventures.

The OIG’s latest Advisory Opinion examined the Anti-Kickback Statute’s application to an arrangement related to the provision of intraoperative neuromonitoring (“IONM”) services (the “Proposed Arrangement”). As of the date of the Opinion, the requesting entity, an IONM provider, contracted with hospitals and surgery centers to provide the technical component of IONM services, which consisted of one of its neurophysiologists assisting during a surgery with the placement and operation of the IONM equipment. The IONM provider would arrange with a physician practice (“Practice”) to perform the personal component: remote monitoring by a neurologist of the IONM test results. The IONM provider billed its technical component services to the hospital or surgery center; the Practice billed the professional component to patients and their insurers. However, as competition grew fiercer, the IONM provider found itself at risk of falling behind its competitors who offered surgeons more lucrative opportunities, precipitating the Proposed Arrangement.

The Proposed Arrangement

Under the Proposed Arrangement, the IONM provider would assist a group of surgeons working for the hospitals and surgery centers with which the IONM provider contracted in creating a new IONM company (“NewCo”). The surgeon owners would own all of the interests in NewCo, which would contract with the existing IONM provider to provide all billing and collection services. NewCo would then contract with the Practice to provide the professional component of IONM services to NewCo’s clients. Under an agreement with the existing IONM provider, the IONM provider would supply NewCo with all of the day-to-day services, such that NewCo likely would not need to hire any of its own employees. NewCo – not the IONM provider – would contract with hospitals and surgery centers, receiving referrals for services from the surgeon owners, and would bill both the professional and technical components of the services. NewCo would compensate the IONM provider and Practice for their services through a fee, but the IONM provider anticipated NewCo’s profits would be substantial. In essence, NewCo would act as a competitor to the IONM provider with which it contracted, disrupting the IONM provider’s anticipated profits.


Generally speaking, the Anti-Kickback Statute (the “AKS”) prohibits the knowing and willful offering, payment or receipt of remuneration to induce, or in return for, the referral of an individual to a person for any item or service reimbursable by a federal health care program, like Medicare or Medicaid. The statute is intent-based and prosecutes a violation criminally. Violations constitute felonies punishable by fines and imprisonment.

OIG has long expressed its disfavor toward contractual joint ventures that exhibit certain factors pointing to their suspect nature. A contractual joint venture exists where a health care provider in one line of business (e.g., Practice) expands into a related line of business (e.g., IONM) by contracting with an existing provider of the related line of business (e.g., IONM provider) in order to provide the new related line of business to the health care provider’s patients without any substantial risk to the health care provider. The Proposed Arrangement, according to OIG, would “present a host of risks of fraud and abuse under the [AKS], including patient steering, unfair competition, inappropriate utilization, and increased costs to Federal healthcare programs.” OIG pointed to several risks raised by the Proposed Arrangement, specifically, that it could result in inappropriate steering of referrals from the surgeon owners to NewCo, the IONM provider, and the Practice of federal health care program business. Certain specific factors led OIG to its conclusion, including that the surgeon owners, as a result of contracting out its day-to-day operations to the IOMN provider, would have no real financial risk while reaping the benefits of the IOMN services provided. Additionally, both the Practice and IOMN provider are established entities that would effectively be forced to compete with themselves as a result of the Proposed Arrangement. Moreover, because the surgeon owners would have a vested interest in NewCo’s success, the OIG concluded that there would be a risk that the surgeon owners would only refer business to NewCo, the IOMN provider and the Practice in order to benefit from the billing opportunity for those services. Accordingly, OIG concluded that the Proposed Arrangement would risk violating the AKS.


The OIG Advisory Opinion highlights its longstanding concern with suspect contractual joint ventures and acts as a reminder to physicians venturing into new business lines of the risk factors that may implicate the AKS. The Advisory Opinion, just like all Advisory Opinions, is applicable only to its specific facts and should not be relied upon as definitive authority in determining the risk under the AKS of any other arrangement.

Posted in: Legal Watch, MVP

Leave a Comment (0) →



By Angie Cameron Smith with Burr & Forman, LLP

On July 6, 2021 Governor Kay Ivey allowed the State of Emergency in Alabama to expire.  She had previously proclaimed a State of Emergency due to the COVID-19 Pandemic effective March 13, 2020.  Along with that proclamation, came the invocation of Alabama’s Emergency Management Act.  When the state of emergency ended, so did the waivers or suspension of state regulatory requirements that were afforded to healthcare providers operating during the pandemic.  Due to the spike in COVID-19 cases, which appear to be related to the Delta variant, Governor Ivey proclaimed a new State of Emergency effective August 13, 2021.  Why does this matter?  Because many of the expired waivers that allowed for flexibilities for healthcare providers have now been renewed under the new State of Emergency.

Under Governor Ivey’s August 13 proclamation and pursuant to the authority granted to her under the Emergency Management Act, she cut “red tape for health care providers.”  The emergency proclamation removes barriers to allow additional healthcare providers and resources to address the surge in cases and is focused primarily on staffing at acute care hospitals.  The following apply to general acute care hospitals, critical access hospitals or specialized hospitals licensed by the Alabama Department of Public Health:  

  • A hospital’s chief of the medical staff or medical director may collaborate with or supervise an unlimited number of certified registered nurse practitioners (CRNP), certified nurse midwives (CNM); physician assistants (PA) and anesthesiology assistants (AA), and provide direction to an unlimited number of certified registered nurse anesthetists (CRNA);
  • CRNPs, CNMs, PAs and AAs working under the supervision of the chief of the medical staff at a hospital may implement the standard protocol and formulary approved by the Alabama Board of Medical Examiners;
  • CRNAs under direction of, and AAs under registration with, a hospital’s chief of the medical staff or medical director or his/her physician designee, are authorized to determine, prepare, monitor or administer legend and controlled medications for performance of anesthesia-related services, airway management (related or unrelated to anesthesia), and other acute care services within their scope of practice.
  • CRNPs, CNMs and CRNAs who possess an active, unencumbered nurse license or equivalent advanced practice approval issued by an appropriate licensing board of another state, the District of Columbia, or Canada, are authorized to practice in covered hospitals as if licensed in Alabama; and
  • Alabama’s Board of Pharmacy, Board of Nursing, Medical Licensure Commission, and State Board of Medical Examiners are authorized to adopt emergency rules to allow for expedited licensure and/or temporary permits for individuals possessing unencumbered licenses in other states.  At this time, this is limited to those practitioners providing care in inpatient units, emergency departments or other acute care units within acute care hospitals, critical access hospitals or specialized hospitals.

Another flexibility afforded under the Governor’s new proclamation is the authorization granted to the State Health Planning and Development Agency (SHPDA) to invoke the emergency rule passed last legislative session to allow for the issuance of emergency Certificates of Need.  This waiver was effective during the last Public Health Emergency to permit facilities to create alternate care sites.  Alternate care sites allow for a healthcare facility to convert parts of or entire facilities to provide care for which is not originally authorized.  For example, while hospitals struggle for placement of patients and surge capacities, these waivers would allow hospitals to create or use space not normally used for patient care or acute patient care.  Other healthcare providers may also seek waivers under the SHPDA Emergency Rule.  Under the previous health emergency skilled nursing facilities were able to transfer patients who did not require acute care but were in need of isolation and observation due to COVID to areas in a hospital not being used.  More information about alternate care sites can be found at and   

Another important aspect of the State of Emergency proclamation is the application of an alternative standard of care.  When evaluating whether a healthcare provider has breached the standard of care in a medical malpractice case, the analysis involves what a reasonable person would do in like or similar circumstances.  Under the alternative standards of care, if a provider has invoked its emergency operation plan in response to the public health emergency, it can implement alternative standards of care and those standards are “declared to be state-approved standard of care in healthcare facilities.” 

You may also recall that during the last legislative session there was an immunity statute passed to provide liability protections to healthcare providers and businesses during the COVID-19 pandemic.  This immunity statute should be unaffected by the gap between the last state of emergency ending on July 6, 2021, and the new state of emergency invoked on August 13, 2021.

The federal public health emergency (PHE) and the waivers under the U.S. Secretary of Health and Human Services Section 1135 declaration is also unaffected by the state of emergency.  The current federal PHE is set to last through October 18, 2021, with some indication from the federal administration that it will continue through the end of the year.

Angie Smith is a partner at Burr & Forman LLP and practices in the Healthcare Industry Group. Angie may be reached at (205) 458-5209 or

Posted in: Coronavirus, Legal Watch, MVP

Leave a Comment (0) →

Training, Training, Training—The First Line of Defense When it Comes to HIPAA Compliance

Training, Training, Training—The First Line of Defense When it Comes to HIPAA Compliance

By: Kelli Carpenter Fleming with Burr Forman

When it comes to HIPAA compliance efforts, the first line of defense in ensuring that protected health information is secured appropriately and compliantly is training your practice’s employees. More often than not, when an inappropriate use or disclosure of protected health information occurs, it is because an employee made a mistake. For example, the employee may have faxed the information to the wrong patient, or released records before confirming that an authorization was on file, or clicked a link in an e-mail opening the door for bad actors to gain access to the system. One way to prevent these mistakes is to train your employees on HIPAA compliance efforts, as well as easy, practical steps they can take to prevent such mistakes. However, a lot of physician practices, especially smaller ones, do not routinely train their employees on HIPAA compliance efforts. 

HIPAA training should not occur in a silo. While employees should always be trained upon hire, they should also be trained periodically thereafter. I recommend that clients conduct routine, formal HIPAA training at least once a year. I also recommend implementing less formal monthly HIPAA reminders to ensure that HIPAA remains on the forefront of everyone’s minds. In addition, if an unauthorized use or disclosure occurs, the practice should conduct training related to that incident, at a minimum for the employees involved. If a policy or procedure is changed, training should also be conducted on the revised policy or procedure. 

Whenever training is conducted, whether internally or externally, the training must be documented. The documentation should include the date the training was conducted, the employees that were trained, the topics discussed, and a copy of any training materials that were utilized. This documentation becomes extremely important if there is a breach incident or an investigation by OCR.

All physician practices should strengthen their first line of defense when it comes to HIPAA compliance by ensuring that their employees are properly and periodically trained. 

Kelli Fleming is a Partner at Burr & Forman LLP and practices exclusively in the firm’s Healthcare Practice Group. Kelli may be reached at (205) 458-5429 or

Posted in: HIPAA, Legal Watch, MVP

Leave a Comment (0) →

OSHA Issues COVID-19 Emergency Temporary Standard (ETS) for the Healthcare Industry

OSHA Issues COVID-19 Emergency Temporary Standard (ETS) for the Healthcare Industry

The Occupational Safety and Health Administration (OSHA) issued an Emergency Temporary Standard (ETS) for the healthcare industry on June 21, 2021.[1]

The Occupational Safety and Health Act (“the Act”) passed in 1970 and created OSHA to administer the Act. It has been thirty-eight years since OSHA issued its last ETS. That ETS was issued in 1983, covered asbestos, and was eventually struck down by a federal court.

The Act generally covers most employers, with some specific employers, such as “State(s) and political subdivision of a state,” being specifically excluded from OSHA’s jurisdiction.[2]  OSHA determined that COVID-19 causes health care industry employers and their employees to be in “grave danger,” which is the legal requirement allowing OSHA to issue an ETS.  Along with the ETS, OSHA issued General COVID-19 Guidance to most other workplaces, which followed the CDC’s guidance on COVID-19 in the workplace.  

The ETS generally applies to any workplace where employees provide healthcare services or healthcare support services, except for some specific exclusions such as retail pharmacies; home health care settings where all non-employees are screened prior to entry; healthcare support services not performed in a healthcare setting (e.g., off-site laundry); and telehealth services performed outside of a direct patient care setting.  Other exemptions include allowing employees to work from home and exemptions for those employees who cannot be vaccinated because of medical or religious reasons. One exemption could possibly apply to some physicians’ offices.  This exemption reads in full, “Non-hospital ambulatory care settings where all non-employees are screened prior to entry and people with suspected or confirmed COVID-19 are not permitted to enter those settings.”[3] More on this later.

It is clear that the ETS generally applies to physicians’ offices, as physician’s offices are used as examples in various parts of the ETS.[4]  However, employers with 10 or fewer employees have fewer requirements under the ETS.  For example, employers with more than 10 employees must have a written COVID-19 plan for each workplace. Employers with 10 or fewer employees must have COVID-19 plans, but the plan is not required to be in writing. OSHA’s plan is to include updates to the ETS as needed.  

The ETS covers the following subjects, as they relate to employment activities of health care workers in the health care industry:

COVID-19 Plan

Patient screening and management

Respiratory protection


Ventilation of rooms and buildings

Health screening and medical management

Physical barriers

Physical distancing

Hand hygiene and cleaning

Record keeping


Following is a brief discussion of each of the ETS requirements.

COVID-19 Plan.

Employers must have a plan to minimize the transmission of COVID-19 in the health care workspace.  Employers with more than 10 employees must have a written COVID-19 Plan.

Patient Screening and Management.

In settings where direct patient care is provided, employers must limit and monitor points of entry, screen and triage all non-employees entering the setting, and implement other patient management as necessary, including developing and implementing procedures regarding standard transmission-based precautions.

Respiratory Protections.

Employers must provide the personal protective equipment (PPE) necessary to protect employees, at no cost to the employees.


Employers must ensure and document that each employee receives training on the ETS, in a language and at a literacy level the employee understands.  Training should include various topics pertinent to COVID-19 safety measures, such as COVID-19 transmission and employer policies and procedures regarding COVID-19 transmission.

Ventilation of Rooms and Building.

HVAC systems should be operating at maximum efficiency, per the manufacturer’s recommendations.  Air filters that remove particles and aerosols that can transport the COVID-19 virus should be used where the HVAC system can accommodate the filters.

Health Screenings and Management.

All employees must be screened every day they work in a health care setting.  This can be accomplished by the employees answering questions before entering the workplace, or by the employee self-evaluating prior to entering the workplace. Where appropriate, employees must be kept from the workplace or removed from work (e.g., an employee develops a fever, cough and loss of the sense of taste while at work and is asked to leave). Employees must be informed of possible COVID-19 exposures (e.g., told of an employee (without giving their name) who has developed fever, cough and loss of the sense of taste at work, and is sent home). There are mandatory paid leave provisions for employees who develop COVID-19, or who must stay out of work because of a COVID-19 exposure, which are in addition to other employee paid leave provisions already in place for employers. Employees must be paid for the time they take while at work to be vaccinated against COVID-19, and for the day after receiving a vaccination, where there is a physical reaction to the vaccine.  

Physical barriers.

These include Plexiglas barriers when patients initially check in the office and between workers who must work at specific locations (e.g. computer billing) most of their workday.

Physical Distancing.

This is also referred to as “social distancing.”  Where there is room, employees should maintain at least six feet of distance between themselves and other employees (e.g., employee break rooms).

Hand Hygiene and Cleaning.

Hand hygiene and cleaning work together to reduce the spread of the COVID-19 virus. Offices and clinical spaces should be cleaned at least daily, and handwashing should occur between patient encounters.

Record Keeping and Reporting.

For employers covered by OSHA standards, there are already record-keeping requirements in place. Additional record-keeping and reporting are added by the ETS for employees who test positive for COVID-19 and employees who die because of a COVID-19 infection. Employers with more than 10 employees must keep a log of any employee diagnosed with COVID-19, whether or not the infection arose because of an occurrence at work.

This article began with an introduction to one of the exemptions that could possibly keep a physician’s office from having to comply with the ETS. That exemption reads “Non-hospital ambulatory care settings where all non-employees are screened prior to entry and people with suspected or confirmed COVID-19 are not permitted to enter those settings.”[5] Those physician’s offices that could operate under this provision — no suspected or confirmed COVID-19 patients or employers are allowed to enter the office — would be able to operate as they have in the past in regard to OSHA requirements. However, there are legal pitfalls with using this exemption to avoid compliance with the ETS.  For example, many surgeries require office follow-up. If a surgeon refused to see a patient who developed COVID-19 after surgery, but before the office follow-up, the patient could make a claim of abandonment.  There are other risks with this course of action, and many physicians could ill afford to refuse to see patients “suspected” of having COVID-19.  There may be ways to stay within the exemption; however, careful thought will need to be given for each patient in a similar situation. For instance, perhaps the post-surgery patient could be seen in a hospital ER, or evaluated/examined through a telehealth appointment, rather than in the surgeon’s office.  


As is often the case, the ETS has been issued almost beyond the point of usefulness. Physician offices, health care facilities, and other health care providers are going on two years of their response to the COVID-19 pandemic. To mandate changes to their well-established COVID-19 precautions at this time is disruptive, to say the least; and it places additional administrative burdens on employers subject to OSHA, without adding much, if any, additional value. Nevertheless, physician’s offices and others are well-advised to take the ETS seriously because it will likely be the subject of complaints, investigations, and audits by OSHA. OSHA investigates complaints of violations of federal law based upon anonymous employee complaints and random “audits” of employer compliance and has indicated it will enforce the ETS using both of these methods.

[1] Occupational Exposure to COVID-19; Emergency Temporary Standard, 86 Fed. Reg. 32376, available at

[2] 29 U.S.C. § 652(5). 

[3] 29 C.F.R. § 1910.502(a) (2) (iii).

[4] 29 C.F.R. § 1910.502(a), n. 2.

[5] 29 CFR Section 1910.502(a) (2) (iii).

Posted in: Legal Watch, MVP

Leave a Comment (0) →

Payor Auditing Activities

Payor Auditing Activities

By: Kelli Carpenter Fleming

During the height of the COVID-19 pandemic, the Centers for Medicare & Medicaid Services (“CMS”) suspended certain payor audit and oversight activities. However, now that communities are beginning to reopen, so are the audit activities. CMS and other third-party payors are increasing their audit activities, including claims filed during the public health emergency. 

Providers who are the subject of a billing audit must take such investigations seriously. Providers should identify one person in the organization to handle audit responses, calendar deadlines, and track findings and appeals. This avoids missing a deadline and helps ensure effective use of personnel resources. 

Providers should respond to any records request in connection with an audit in a timely manner, which may be more burdensome these days due to staffing shortages. The failure to timely provide requested records will, in most instances, automatically result in the denial of the claims. Providers should retain a copy of any records and information submitted in response to the document request, and, if sending by mail, obtain confirmation of delivery. 

In responding to any records request, it is wise to conduct an “internal self-audit” to determine if there are any areas of risk. This not only helps determine if there is a repayment obligation to the payor, but also helps gather information and arguments for appeal if necessary.

Lastly, depending on the scope of the audit or the type of the audit, providers may want to consider putting both their insurance carrier and their legal counsel on notice of the audit. There are some steps that can be taken upfront, as well as some traps to avoid, in connection with the audit response process, and the insurance carrier and legal counsel may be able to assist in that regard.

Kelli Fleming is a partner at Burr & Forman LLP and works exclusively in the Healthcare Industry Group. Kelli may be reached at 205-458-5429 or

Posted in: Management, Members, MVP

Leave a Comment (0) →

No Honor Among Thieves

No Honor Among Thieves

Most Americans will likely never forget where they were in March of 2020 when the world seemingly shut down.  While many used that time to reflect, enjoyed down time with family or even binge watched streaming services, health care workers geared up to save the lives of people impacted by COVID-19.  The novelty of this coronavirus posed exceptional challenges, placed unparalleled strain on the health care industry and exposed vulnerabilities.

One vulnerability in particular has, does and will continue to be a significant risk.  That threat is cybercrime.  It is as relentless as it is lucrative, and it has taken the health care industry by storm during a time when resources are low, and distractions are high.


In an almost unbelievable twist, some major cybercrime groups promised a “ceasefire” on cybersecurity attacks of the health care industry at the beginning of the pandemic.  DoppelPaymer Ransomware stated that they “always try to avoid hospitals…nursing homes” but if they happened to be responsible for a ransomware attack of a health care provider during the pandemic, they would provide a decryptor key free of charge. Likewise, Nefilim Ransomware took the same approach.  However, groups like Netwalker Ransomware and Maze promised not to intentionally target health care facilities, but would not commit to decryption if a health care entity was inadvertently impacted. 

While the alleged truce made by some of the larger cybercriminal groups may have appeared to be altruistic, the motivation may have been totally self-serving. During a global crisis, these groups likely decided that staying below the radar of law enforcement and military agencies was more about self-preservation than kindness to their fellow man.


While hopes were high that a global pandemic would cause bad actors to have mercy on mankind, data reflects that cybercrimes escalated during the pandemic.  On October 28, 2020, the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS) issued a joint advisory warning of an “increased and imminent cybercrime threat to U.S. hospitals and health care providers.”  It further stated that these bad actors were producing attacks which caused “data theft and disruption of healthcare services.”

As the global threat of cybercriminal activity proliferates within the health care sector, the industry must find ways to fight back.  One way that the health care industry can stand up against these persistent threats is more investments in their information security infrastructure, similar to that of the financial sector. These investments should include stronger password requirements, endpoint protection, and multi-factor authentication. 


Every effort must be made to determine and mitigate risk to protected health information.  There are several proactive measures that health care entities can take to decrease their risk of inappropriate disclosures of patient data.  Those measures include, but are not limited to, the following:

  • Invest in Anti-Virus Protection Software – Anti-virus protection software is a tool that can help entities detect and neutralize threats.  Most entities prefer efficiency.  This software will assist by filtering out malware which often slows down information system processes.  It has the added benefit of protecting your investment and allowing you to avoid the expense of purchasing new operating systems should your existing system become damaged due to malware.
  • On-Site and Off-Site System Backup – Federal regulations require covered entities to ensure on-site and off-site backup.  Should an entity become a victim of a ransomware attack or be forced to pivot to emergency operations, it is necessary to have backup systems that allow the entity to access and utilize reliable data.
  • Workforce Training – There is no greater defense to cyber threats than a well-trained workforce.  Entities should ensure that cybersecurity threats are emphasized to workforce members in refresher training so that employees are able to appropriately identify and report suspicious activity.
  • Segregation of Data – Entities should ensure that they are complying with the Minimum Necessary Rule for access to their information systems.

The COVID-19 pandemic has produced significant uncertainty in the health care environment and highlighted the need for renewed emphasis on protecting patient data.  HIPAA covered entities should use this time to assess whether they are operating in compliance with the Privacy Rule, Security Rule and Breach Notification Rule.  Likewise, they should reassess their Risk Analysis to ensure that it is HIPAA-compliant and take necessary action to avoid unauthorized disclosures. 

Samarria Dunson ( is attorney/principal of Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Alabama.  She is also Of Counsel with the law firm of Balch & Bingham, LLP.

Posted in: Members, MVP, Technology

Leave a Comment (0) →

Potential HIPAA Changes That Would Allow Healthcare Providers to Disclose Phi and Better Protect Patients

Potential HIPAA Changes That Would Allow Healthcare Providers to Disclose Phi and Better Protect Patients

by Lindsey Phillips, Burr & Forman

On December 10, 2020, the Office for Civil Rights (“OCR”) at the United States Department of Health and Human Services (“HHS”) announced proposed changes to the regulations implementing the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The proposed changes, which are set out in the Notice of Proposed Rulemaking (“NPRM”), are a part of the broader initiative to promote value-based care, enable better coordination among healthcare providers, and facilitate patient autonomy and engagement. 

One key theme found in the NPRM that will likely enable better coordination among healthcare providers and potentially increase patient safety is expanded permission to disclose protected health information (“PHI”) to third parties in emergency situations. For example, under the proposed changes, covered entities would be allowed more flexibility to disclose PHI in emergencies like a mental illness and substance abuse crisis. The current standard for disclosure of PHI in an emergency or health crisis is based on the covered entity’s “professional judgment.” This standard has often left covered entities unsure as to when a disclosure is permitted. The proposed modification relaxes this standard slightly in that it would allow a covered entity to disclose PHI in an emergency situation or health crisis when the covered entity has a good faith belief that the disclosure is in the best interest of the individual. A good faith belief could be based either on direct knowledge of relevant facts or representations by a person who can reasonably be expected to know relevant facts. For example, OCR has provided the following scenarios:

Good faith would permit a licensed health care professional to draw on experience to make a determination that it is in the best interests of a young adult patient, who has overdosed on opioids, to disclose relevant information to a parent who is involved in the patient’s treatment and who the young adult would expect, based on their relationship, to participate in or be involved with the patient’s recovery from the overdose. Likewise, front desk staff at a physician’s office who have regularly seen a family member or other caregiver accompany an adult patient to appointments could disclose relevant information to the family member or caregiver as a way of checking on the welfare of the patient, when a patient misses an appointment, based on the staff’s knowledge of the person’s involvement and a good faith belief about the patient’s best interest.

But not only would covered entities be allowed more flexibility to disclose PHI when individuals are experiencing emergencies or health crises, they would also be allowed more leniency to disclose PHI to avert a threat to safety. While covered entities are currently allowed to disclose PHI to prevent threats to health and safety, the current standard is considerably more stringent in that it allows the disclosure of PHI to avert a threat to health or safety only when the threat is “serious and imminent.” Under the changes proposed in the NPRM, covered entities could make a disclosure when the threat is “serious and reasonably foreseeable.” OCR has stated that “[a]dopting a ‘serious and reasonably foreseeable’ standard can enable a health care provider to timely notify a family member that an individual is at risk of suicide, even if the provider cannot predict that a suicide attempt is ‘imminent.'” In addition, “[a]n emergency room doctor who sees an elderly patient with COVID-19 could contact the patient’s nursing home to alert them of the potential exposure of other residents and staff based on the serious and reasonably foreseeable threat of infection with COVID-19 without delay caused by the need to assess whether the threat is sufficiently ‘imminent’ to permit the disclosure.” 

These proposed modifications provide additional clarity regarding PHI disclosures that would assist in the Department’s initiatives to increase coordination among healthcare providers and ultimately improve patient safety. Both of these proposed changes would hopefully empower covered entities to disclose PHI in situations where there is a genuine belief that harm is likely without being fearful of HIPAA penalties because the harm was not imminent.

Lindsey Phillips is an associate at Burr & Forman LLP practicing exclusively in the firm’s Healthcare Industry Group. 

Posted in: HIPAA, Legal Watch, MVP

Leave a Comment (0) →

Physician Recruitment Agreements – What You Need to Know

Physician Recruitment Agreements – What You Need to Know

by Howard E. Bogard

Both the federal Anti-kickback Statute and the Stark Law allow a hospital to provide certain financial assistance to aid a medical practice in its efforts to recruit and hire a new physician. Financial assistance can take many forms, including a collection guarantee, net income guarantee and/or payments with respect to a physician’s moving expenses, school debt and marketing.  A recruitment agreement reflecting financial assistance is typically signed by the medical practice, physician and hospital and is structured as a loan that is forgivable as long as the physician practices medicine in the hospital’s service area for a defined time period. The amount of financial assistance cannot take into account past or future referrals from the recruited physician (or medical practice) to the hospital.

In order for a hospital to provide a medical practice financial assistance to recruit and hire a new physician, the hospital must first determine that there is a documented need in the community for the physician’s specialty.  Once confirmed, the arrangement must be in writing and the physician must “relocate his or her medical practice” to the “geographic area served by the hospital” to become a member of the hospital’s medical staff. With some exceptions for hospitals located in rural areas, the geographic area served by a hospital is the area composed of the lowest number of contiguous zip codes from which the hospital draws at least 75 percent of its inpatients.  A physician will be considered to have relocated his or her medical practice if the physician moves his or her practice at least 25 miles and into the geographic area served by the hospital or the physician moves his or her practice into the geographic area served by the hospital and the physician derives at least 75 percent of revenues from patients not seen or treated by the physician at his or her prior medical practice site. There are also exceptions for residents or physicians who have been in practice one year or less or for physicians who meet other requirements.  The main point is that it is not permissible for a hospital to provide recruitment assistance with respect to a physician who is already working in the hospital’s service area.  

A common form of recruitment assistance is a collection or net income guarantee that runs for one or two years after the physician is first employed by the medical practice.   In either case, the recruitment agreement “guarantees” that the physician will generate a certain amount of revenue to satisfy a collection “target” or a net income “target”.  If the physician’s collections are not high enough in a particular month to meet the target amount, the hospital pays the difference.  With respect to a net income guarantee, the target is based on the physician’s collections after certain “direct expenses” are subtracted.  By law, direct expenses can only consist of new, incremental expenses incurred by the medical practice by virtue of the physician’s employment. Examples of new, direct expenses include the cost of the physician’s compensation and benefits, license fees and dues, malpractice insurance and other costs incurred by the medical practice to the extent that such expenses increase directly as a result of the physician’s employment.  Existing expenses, such as office rent and personnel costs, cannot be included as a direct expense. 

When reviewing a physician recruitment agreement, it is important to not only review the financial terms of the assistance but also to consider the following:

 Commitment Period – What is the length of time the recruited physician must practice in the hospital’s geographic service area for the recruitment assistance loan to be forgiven? The typical time period is one to three years after the financial assistance period ends.

   Repayment Obligations – It is important to review whether the medical practice, physician or both are obligated to repay the loan upon a default of the recruitment agreement.  Oftentimes, if the physician is the direct recipient of the loan proceeds, such as moving expense reimbursement and payments for student loans, the physician will be solely responsible. However, a collection or net income guarantee will often obligate both the physician and medical practice to repayment in the event of a default. A promissory note is often signed by the physician and sometimes the medical practice to secure the repayment of the loan.

Physician Obligations – While the physician will need to remain on the medical staff of the hospital during the term of the recruitment agreement, it is important to determine if other obligations are imposed on the physician.  Often, during the term of the recruitment agreement the physician will be obligated to certain hospital call obligations and restricted from having an ownership interest in a provider that competes with the hospital. 

Security Interest – To secure the recruitment agreement loan sometimes the hospital will want a security interest in the medical practice’s accounts receivable generated by the recruited physician. These provisions must be carefully reviewed since medical practices often pledge their accounts receivable as collateral to a bank or other financial institution.

A physician recruitment agreement can provide a medical practice significant financial assistance with the recruitment and hiring of a new physician. However, the agreement may also impose significant financial restrictions and penalties on both the medical practice and physician if the terms of the agreement are breached.  Any recruitment agreement should be carefully reviewed and negotiated.

Howard Bogard is a Partner at Burr & Forman LLP and chairs the firm’s Health Care Practice Group. He can be reached at 205-458-5416 or at

Posted in: Legal Watch, Management, Members, MVP

Leave a Comment (0) →

Are You Ready for Your PPP Loan Audit?

Are You Ready for Your PPP Loan Audit?

By: Jim Hoover, Burr & Forman

PPP loans received by individuals and businesses under the CARES Act will be audited (“reviewed”) by the SBA.  PPP loans of $2 million or more will automatically be audited by the SBA.  Many PPP loans of less than $2 million will also be audited.

Borrowers will often receive notification of the audit through their lending bank, but the SBA is directly notifying PPP borrowers as well.  The SBA is receiving support from the Internal Revenue Service and other federal agencies in these audits such as the Department of Justice.  There have been several criminal investigations resulting from these audits.

PPP loan audits request documents and information from the borrower, including income and employment tax returns, payroll records, financial statements, and bank account statements including deposit and payment information in order to verify information reported by the borrower on its PPP loan application.  However, the SBA PPP loan audits focus on much more.

SBA audits of PPP loans have thus far focused on whether the individual or business was eligible to receive a PPP loan, and whether the borrower correctly calculated its PPP loan amount.  Specific issues being reviewed by the SBA in these audits include “economic necessity” for a PPP loan, and “head-count” related issues including affiliation with other businesses, the appropriate “NAICS” code for the business, and whether the business counted all employees – full-time, part-time, and even temporary – in filing the loan application.  The SBA is also looking at other “business-specific” issues of the borrower.

The PPP loan application contains a borrower certification that “[c]urrent economic uncertainty makes this loan request necessary to support the ongoing operations of the Applicant“.  This same certification is also required in new PPP loan applications under the “Economic Aid Act”.  For borrowers that received PPP loans of less than $2 million, the borrower is deemed by the SBA to have made this “economic necessity” certification in “good faith.” As a result, the SBA may not be looking specifically at this issue for borrowers that received loans of less than $2 million.  However, for PPP loans of $2 million or more, borrowers are not eligible for this “good faith economic necessity presumption”, and the SBA is auditing this certification issue.

Without being an alarmist, false certifications is the keystone issue for most False Claims Act prosecutions.  Accordingly, it is important for borrowers to carefully review and gather the documentation that supports the certification.  

The SBA is beginning many audits by sending out a “Loan Necessity Questionnaire” (SBA Form 3509), which the SBA first sends to the lending bank and then the bank sends the questionnaire to the borrower.  The borrower has a limited amount of time, 10 days, to complete and return the questionnaire to the bank, and the bank then provides the completed questionnaire to the SBA.

If a borrower applies for forgiveness of a PPP loan, the forgiveness application may be separately reviewed by the SBA and, as a practical matter, if a borrower files for forgiveness this will likely trigger or at least accelerate a full SBA audit of the PPP loan.

Once an SBA PPP loan audit is completed, and where an adverse audit determination is made by SBA, including that the borrower may not qualify for the loan, the borrower then has administrative appeal rights within the SBA to have the audit determination reviewed, which can lead to a hearing before a federal administrative law judge. Those appeal rights are the subject of a future article.  


Jim Hoover is a partner at Burr & Forman LLP and works exclusively within the firm’s Health Care Practice Group and predominantly handles healthcare litigation. Burr & Forman has a dedicated team to counsel individuals and businesses in government audits, investigations and defense-related to the PPP under the CARES Act, and also new PPP loans under the Economic Aid Act. The PPP and CARES Act Audit, Investigations and Defense Team represents and advises clients in audits and investigations involving PPP loans and tax benefits that may have been claimed under the CARES Act. This multidisciplinary team combines more than 230 years of legal experience and attorneys with previous government positions, including attorneys with IRS Chief Counsel, the United States Department of Justice, and United States Attorneys’ Offices.  More information can be found at

Posted in: Coronavirus, Legal Watch, Management, MVP

Leave a Comment (0) →
Page 1 of 4 1234