Archive for Legal Watch

Tracking A Patient’s Every Move: HIPAA Compliance Risk

Posted by on
Tracking A Patient’s Every Move: HIPAA Compliance Risk

By: Kelli Fleming with Burr & Forman LLP

The Health and Human Services Office for Civil Rights (”OCR”) recently published a guidance bulletin addressing the use of online tracking technologies by entities covered by HIPAA, including but not limited physician practices. 

A tracking technology is used to collect information about how online users interact with websites or mobile applications. For example, have you ever wondered why after you search for a product on google, it automatically appears as an ad in your social media for the next few days? That is the result of a form of tracking technology. 

When used by healthcare providers, the information that is collected by way of a tracking technology may be considered protected health information (“PHI”) covered by HIPAA. If a healthcare provider utilizes a tracking technology vendor to gather and analyze information, including information about patients, the provider must ensure that the release of the information to the vendor is compliant with HIPAA and is not an impermissible use or disclosure. 

In the recent bulletin, OCR clarified that individually identifiable information “collected on a regulated entity’s website or mobile app generally is PHI, even if the individual does not have an existing relationship with the regulated entity and even if the [information] does not include specific treatment or billing information like dates and types of healthcare services.” 

Covered entities that engage a user-authenticated webpage (i.e., a website that requires a log-in) should only allow tracking technologies to use and disclose information in compliance with HIPAA, including in a secure manner. In order to comply with HIPAA, the covered entity must either enter in a Business Associate Agreement (“BAA”) with the vendor, or obtain patient authorization for such use and/or disclosure. Disclosing PHI to tracking technology vendors based solely on informing individuals of such use in the website’s privacy policy or terms of use is not sufficient, nor is merely accepting or rejecting cookie use. There must be either a valid, HIPAA compliant patient authorization or a BAA, and the use and/or disclosure must be permissible under HIPAA. For example, a disclosure to a tracking vendor for marketing purposes, without an authorization, would be impermissible. 

Covered entities using a website that is not user-authenticated (i.e., does not require a log-in) need to determine if any of the information obtained by the tracking vendor would be individually identifiable and constitute PHI. If so, a BAA and compliance with HIPAA would be required. However, the determination as to whether or not PHI is being collected by the vendor is not always clear and may not necessarily be known by the provider. OCR provides the example that if a student is writing a term paper regarding oncology services and visits a hospital’s oncology services webpage, information tracked in connection with that website visit would not be considered PHI. However, if a patient were looking at the same page regarding oncology services to see a second opinion on treatment options for a brain tumor, information tracked in connection with that website visit would be considered PHI. It would be difficult, if not impossible, for providers to determine the purpose of the visit.

Thus, based on the recent OCR guidance, if a covered entity is utilizing tracking technologies on its websites, in my opinion, the provider should always act as if PHI is being tracked and enter into a BAA with the vendor and ensure the use/disclosure is appropriate under HIPAA.

Kelli Fleming is a Partner at Burr & Forman LLP practicing exclusively in the Healthcare Practice Group. Kelli may be reached at (205) 458-5429 or kfleming@burr.com.

Pin It

Tags: , , ,

Posted in: HIPAA, Legal Watch, Technology

Leave a Comment (0) →

What’s Behind the Curtain? Federal Agencies Seek Transparency Regarding Health Provider Ownership

Posted by on
What’s Behind the Curtain? Federal Agencies Seek Transparency Regarding Health Provider Ownership

By: Jessie L. Bekker, Burr & Forman LLP

Market analysts reported a decline in mergers & acquisitions in the health care industry in
2023 as compared to pre-pandemic trends—a perhaps unsurprising development amid 7% or
higher interest rates. The federal government, however, is now taking notice of who’s behind the
ongoing trend toward health care consolidation.

On March 5, three federal departments—the Department of Justice (DOJ), Department of
Health and Human Services (HHS), and Federal Trade Commission (FTC)—published a request
for information seeking public input into the effects private equity transactions have on patients,
payers and providers, a request driven by a concern “that some transactions may generate profits
for those firms at the expense of patients’ health, workers’ safety, quality of care, and affordable
health care for patients and taxpayers.”

The DOJ/HHS/FTC request for information is just the latest in a line of federal inquiries
into the ownership and control of providers and suppliers across the health care industry. The
Centers for Medicare & Medicaid Services (CMS) published a request for information in January
related to Medicare Advantage data, including data regarding “the impact of mergers and
acquisitions” and “the effects of vertical integration.” In December, President Joe Biden
announced the publication of ownership information regarding Medicare-enrolled federally
qualified health centers and rural health clinics. November brought new requirements regarding
nursing home ownership and control reporting through a new final rule published by CMS.
And of course, the Corporate Transparency Act, which took effect on January 1, 2024,
requires that nearly all business entities within and outside of the health care industry report their
ownership and control interests to the Department of Treasury’s Financial Crimes Enforcement
Network, a requirement that reflects the agency’s effort to track down fraudulent money
laundering activity.

Despite plateauing merger and acquisition activity in 2023, analysts predict 2024 could
be the year of physician practice acquisitions and health system consolidation. Reports indicate
that physician specialties including dermatology, cardiology, orthopedics and plastic surgery
may see an increase in investor interest. Others predict investor interest in behavioral health
providers. In any event, it’s unlikely the federal government’s interest in merger & acquisition
activity will wane. In its request for information, the DOJ, HHS and FTC requests public input
related to both direct acquisitions by private equity funds and “transactions structured to
facilitate private equity investment, circumventing applicable corporate practice of medicine
restrictions.” The agencies’ request also seeks information regarding vertical integration, where a
health system buys up health providers across the care continuum, from ambulatory surgery
centers, to nursing facilities.

The agencies are not just interested in who is behind the transaction, but how it affects
patients, payers, providers and employers on a variety of metrics including the cost and quality
of care, reimbursement rates, provider compensation models and changes in facility choice.

The DOJ/HHS/FTC request for information is open to public comment until May 6, 2024. Comments can be submitted at https://www.regulations.gov/docket/FTC-2024-0022.

While the requests from CMS and the DOJ, HHS and FTC don’t create affirmative
requirements of providers today, both the Corporate Transparency Act and CMS’ latest final rule
on nursing home ownership and control reporting generate new reporting obligations.

The Corporate Transparency Act will require most physician practices existing as of
January 1, 2024 to report certain information to the federal government by the end of the year,
including reporting of a practice’s ownership interests and the individuals who control the
entity’s decision-making. Among other required reports, the Financial Crimes Enforcement
Network, or FinCEN, seeks information regarding an entity’s beneficial owners—those who own
or control at least 25% of ownership interests of a reporting company, and those who exercise
“substantial control” over a reporting company. Entities that form in 2024 will be required to
make reports to FinCEN within ninety (90) days of formation. Practice managers and administers
are encouraged to seek counsel from their accountants and attorneys regarding the new reporting
requirements under the Corporate Transparency Act. FinCEN’s Small Entity Compliance
Guidance, which details the reporting requirements, can be found at
https://www.fincen.gov/boi/small-entity-compliance-guide.

For nursing facilities, new ownership and control reporting requirements will be reported
on a revised version of the Form CMS-855A, the Medicare enrollment application for
institutional providers, which CMS has yet to publish. The revised form is expected to reflect the
final rule’s new mandated reporting requirements. Skilled nursing facilities (SNF) and Medicaid-
enrolled nursing facilities should expect to report information regarding their governing bodies,
officers, directors and managing employees, including SNF medical directors and administrators.
The new rule also requires reporting of “additional disclosable parties,” including, but not
limited to, people and entities who: exercise financial control over the facility; lease or sublease
real property to the facility; and provide management, administrative, clinical consulting and
financial or accounting services to the facility. Facilities should discuss the new requirements,
including the timing of the report, with their advisors.

Jessie L. Bekker is an attorney at Burr & Forman LLP practicing exclusively in the firm’s
healthcare practice group. Jessie can be reached at jbekker@burr.com or (205) 458-5275.

Pin It

Tags: , , ,

Posted in: Legal Watch, MVP

Leave a Comment (0) →

Statement by the Medical Association of Alabama on the Recent Alabama Supreme Court Ruling on the Legal Status of Embryos

Posted by on
Statement by the Medical Association of Alabama on the Recent Alabama Supreme Court Ruling on the Legal Status of Embryos

The Medical Association of the State of Alabama expresses concern over the recent Alabama Supreme Court decision regarding the legal status of embryos, as it relates to In-Vitro Fertilization (IVF) procedures that may result in a woman becoming pregnant. 

The significance of this decision impacts all Alabamians and will likely lead to fewer babies—children, grandchildren, nieces, nephews, and cousins—as fertility options become limited for those who want to have a family.

In addition, the ruling has already forced UAB, the largest healthcare system in the State of Alabama, to stop providing IVF services to Alabama couples. Others will likely do the same, leaving little to no alternatives for reproductive assistance. IVF is oftentimes the only option for couples wanting to conceive.

In closing, we ask that the Alabama Supreme Court stay or revisit their ruling to ensure continued access to IVF care in Alabama.

Pin It

Tags: , , ,

Posted in: Legal Watch, Official Statement

Leave a Comment (0) →

OCR Issues Guidance on Visitation Discrimination
in Hospitals and Long Term Care Facilities

Posted by on
OCR Issues Guidance on Visitation Discrimination<br>in Hospitals and Long Term Care Facilities

By: Angie C. Smith, Burr & Forman LLP

Visitation in long-term care facilities and hospitals received a lot of attention during COVID
because of facility closures that led to limited visitation, and it is now a topic of interest for the
Office of Civil Rights (OCR) due to discrimination concerns. On January 25, 2024, OCR issued
guidance to hospitals and long-term care facilities to clarify obligations of those providers to
ensure religious non-discrimination for patient visitation.

Under federal law, hospitals, long-term care facilities, and critical access hospitals are prohibited
from restricting, denying or in any way limiting visitation to patients on the basis of race, color,
national origin, religion, sex, gender identity, sexual orientation, or disability. Additionally,
provisions of the Affordable Care Act and Section 504 of the Rehabilitation Act prohibit any
type of discrimination in certain federally funded programs and activities. In order to be in
compliance, providers are required to have policies and procedures to prohibit discrimination. In
fact, when becoming a Medicare provider, healthcare providers certify to the federal
government that they are in compliance with these non-discrimination laws.
Although the Centers for Medicare and Medicaid Services (CMS) is the agency that oversees
compliance with the regulations cited above, CMS has delegated its authority to enforce the
regulations pertaining to discrimination in visitation to OCR. Following this delegation, OCR
issued a set of frequently asked questions (FAQs) to serve as guidance for hospitals and long-term care facilities. Additionally, OCR held a call with stakeholders on February 6, 2023, to
further discuss its guidance. Below are the key topics covered by OCR.

  1. What constitutes visitation?
    The FAQ states that patients and residents have the right to receive visitors of
    their choosing, but it also noted that patients and residents can withdraw or deny
    consent to any visitor. A visitor includes, but is not limited to, a spouse or
    domestic partner, same-sex spouse or domestic partner, another family member or
    friend, and clergy minister or other faith leader.
    The guidance also reminds providers of their obligations to allow individuals with
    disabilities access to support persons, which is separate and apart from an
    individual’s right to visitors.
  2. Which facilities are covered by the visitation requirements?
    The guidance specifically references the regulations pertaining to hospitals,
    including critical access hospitals, and long-term care facilities, but it also
    referenced federal non-discrimination laws that apply to all entities receiving
    federal funding. Those laws prohibit entities receiving federal assistance from
    excluding an individual from participating in, denying an individual the benefits
    of, or otherwise discriminating against an individual in the entity’s programs and
    activities. Therefore, even those providers who may not be covered by the
    visitation requirements should review the guidance.
  3. Which patients are covered by these rights?
    Patients and residents protected by the visitation rights are not limited to Medicare
    and Medicaid beneficiaries. All patients or residents receiving services from
    Medicare and Medicaid-certified facilities are covered by this guidance, and the
    right to visitation and non-discrimination applies to all patients and residents,
    regardless of whether their hospitalization or residency is being paid for by
    Medicare or Medicaid.
  4. What are the notification obligations of the facilities?
    Hospitals and long-term care facilities are required to inform patients and
    residents of their visitation rights, which should include any information related to
    clinical limitations or restrictions on such visitation. These providers must also
    have written policies and procedures related to visitation that include any
    clinically necessary or reasonable restriction or limitation that the provider may
    need to place on the visitation rights of a patient and the reasons that would
    support clinical restrictions or limitations.
    As mentioned above, OCR recognizes that there may be clinical reasons that
    visitation with a patient must be restricted or limited, and OCR’s FAQs make it
    clear that any such restriction or limitation must be “clinically necessary” or
    “otherwise reasonable.” Examples provided were limiting visitation hours or the
    number of visitors at a time. However, it is important that any type of limitation
    or restriction be objective and not based on any stereotype or assumption. It
    should also be clearly outlined in the facility’s policies related to visitation.
    OCR states in the FAQs that a provider has a responsibility to provide auxiliary
    aids and services to individuals with a disability in order to provide equal
    opportunity to participate or benefit from the services provided, which would
    include the ability to have visitation. According to the FAQs, a policy that only
    allows for video remote interpretation instead of in-person interpreter “may
    violate” certain non-discrimination laws, if an in-person interpreter or reader is
    necessary for effective communication.
  5. What might constitute a discriminatory denial of visitation?
    If a policy or procedure subjects certain classes of visitors to additional screening
    or if it prohibits certain classes of visitors and not others on the basis of race,
    color, national origin, religion, sex, gender identity, sexual orientation, or
    disability. Examples given were as follows:
    1. Facility prevented family member from bringing patients kosher food or
      halal food to meet the patient’s religious dietary restrictions while
      allowing other visitors to bring non-religious food items to patients.
    2. Members of certain religious groups subjected to more rigorous screening
      or denied visitation.
    3. Policies that would prohibit clergy or religious leaders from meeting with the patient.
  1. Does a facility’s chaplain program affect the right to visitation by other faith
    leaders?     Even if the facility has a chaplaincy program, it must still allow other types of religious or faith leaders to visit patients, if the patient requests such visitation. Likewise, a facility must abide by a patient’s choice to deny visitation to clergy or religious leaders.

Conclusion/Takeway
Typically, when OCR issues guidance on a particular topic, we see corresponding scrutiny from
regulators and government enforcement agencies. Therefore, providers should take this
opportunity to review its visitation policies for compliance with the guidance and ensure staff are
educated on those policies.

OCR’s FAQs can be found here.
https://www.hhs.gov/civil-rights/for-individuals/special-topics/emergency-preparedness/faqs- patient-visitation/index.html?cm_ven=ExactTarget&cm_cat=HHS+Office+for+Civil+Rights+Releases+ Visitation+Guidance+Resources&cm_pla=Mark%27s+Memos+2024+Marketing+List&cm_ite= FAQ+on+Patient+Visitation+at+Certain+Federally+Funded+Entities+and+Facilities%e2%80%8 b&cm_lm=1612414245&cm_ainfo=&&&&&


Angie Smith is a Partner at Burr & Forman LLP practicing exclusively in the Healthcare
Practice Group. Kelli may be reached at (205) 458-5209 or acsmith@burr.com.

Pin It

Posted in: Legal Watch

Leave a Comment (0) →

Cyber-attacks on the Rise (Once Again…)

Posted by on
Cyber-attacks on the Rise (Once Again…)

By: Kelli C. Fleming, Esq., Burr & Forman

Cyber-attacks within the healthcare industry are continuing to rise, despite increased awareness, security measures, and training. The attacks are not only becoming more far-reaching, with each attack impacting more and more patient data, but are also more prevalent as well. Threat actors do not discriminate against victims, as we are seeing reports of security breaches against physician practices, rural hospitals, large hospital chains, as well as their business associate vendors and contractors.

At the time of drafting this article, we are only ten days into 2024, and in 2024 thus far, five breach reports have been published by the Office for Civil Rights (“OCR”) for incidents involving more than 500 individuals. The total number of individuals impacted as a result of those five instances is over 585,000. Of those five reports, four of them deal with hacking/IT incidents on a network server. Of the entities reporting, one is a health plan, two are healthcare providers (hospital and long-term care provider), and two are business associates. 

Partly as a result of this rise in cyberattacks against the healthcare industry, the Department of Health and Human Services (“HHS”) recently announced plans to increase federal funding to assist providers with training and implementing cyber-security protections. The plans also include increased fines for facilities that do not have adequate cyber-security measures in place. While the plans are in the early stages, and require additional funding and coordination among government entities, it is encouraging to see the government recognize that additional assistance is needed by the healthcare industry to thwart attacks. Providers are encouraged to monitor any guidance and assistance issued by HHS in this regard. 

In addition, OCR publishes cyber-security guidance as well as a cyber-security quarterly newsletter to help HIPAA-covered entities, including providers, to remain in compliance. The guidance and the quarterly newsletters contain helpful tips on ways to reduce the risk of a security breach. The guidance and newsletters are available at https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity/index.html. Providers are encouraged to review this guidance for helpful information on measures they can implement to reduce the risk of a cyber-attack. 

Kelli Fleming is a Partner at Burr & Forman LLP practicing exclusively in the Healthcare Practice Group. Kelli may be reached at (205) 458-5429 or kfleming@burr.com.

Pin It

Posted in: Legal Watch

Leave a Comment (0) →

Updated: Remote Patient Monitoring

Posted by on
Updated: Remote Patient Monitoring

This article is an update to “Remote Patient Monitoring” published in the Fall 2023 edition
of the Alabama Medicine Magazine. The U.S. Department of Health and Human Services Office
of the Inspector General (“OIG”) issued a Consumer Fraud Alert related to Remote Patient
Monitoring (“RPM”) on November 21, 2023. This alert provided insight into RPM practices
subject to scrutiny by OIG.


OIG indicated that legitimate RPM includes the use of medical devices like scales, glucose
monitors, blood pressure cuffs, cardiac rhythm devices, and other like equipment to continuously
monitor patients with chronic conditions for medical anomalies within the comfort of the patient’s
home. However, there must be a medical necessity for such services for bills submitted
for RPM services to withstand enforcement scrutiny from OIG. Accordingly, to minimize the risk
of enforcement actions, providers should ensure that the need for such services is present before
setting up a patient with an RPM device.


Additionally, OIG indicated that fraudulent use of RPM occurs where billing is submitted
for set-up, patient teaching, and monthly monitoring of data and the RPM equipment does not meet
the statutory standards. For example, fraudulent RPM billing occurs when bills are submitted for
RPM services, but RPM equipment either (i) is not sent to the patient or (ii) is sent, but is not FDA-approved. Providers should be sure that all equipment provided to their patients meets the requisite
requirements for FDA approval before submitting bills for RPM services. Additionally, providers
should ensure that patients have RPM equipment and appropriately use the equipment to meet
coding requirements before billing for any RPM services provided.


When setting up RPM services, OIG has addressed some suspect characteristics of RPM
that providers should consider. These characteristics include (i) signing patients up for RPM
services through call centers; and (ii) failing to include necessary patient consents for RPM
services in patient files. With these characteristics in mind, there are steps that providers can take
to lessen the risk of scrutiny from OIG. First, providers should be sure to maintain policies and
procedures to ensure that the proper documentation of patient consents is kept in appropriate files.
Additionally, as a best practice, providers should only set up RPM services after establishing a
patient-provider relationship, and avoid, to the extent possible, using call centers to set up RPM
services for patients.

Pin It

Posted in: Legal Watch

Leave a Comment (0) →

Proposed Penalties for Information Blocking Violations

Posted by on
Proposed Penalties for Information Blocking Violations

By: Kelli C. Fleming, Esq. with Burr & Forman LLP

On October 30, 2023, the Department of Health and Human Services (“HHS”) released a proposed rule establishing penalties against healthcare providers who violate the information-blocking rules implemented under the 21st Century Cures Act. The information blocking rules prohibit a healthcare provider, among other “actors” as defined in the rules, from taking any action that is likely to interfere with the access, exchange, or use of electronic health information contained in a designated record set (“EHI”), unless the action is required by law or an applicable legal exception is met. The information blocking rules apply to any request for EHI from any requestor, not just a request to access information from patients.

Currently, there are no penalties against healthcare providers for violating the information-blocking rules. The latest information-blocking proposed rule aims to change that by allowing for payment disincentives for healthcare providers who violate the information-blocking rules. For eligible hospitals and critical access hospitals, the disincentives include not being able to be deemed a meaningful EHR user in the applicable EHR reporting period. For eligible individual providers, the disincentives include not being able to be deemed a meaningful user of certified EHR technology in a performance period and therefore receiving a zero score in the Promoting Interoperability performance category of MIPS. For accountable care organizations and their participants, the disincentives include not being able to participate as an ACO for at least a year. 

“HHS is committed to developing and implementing policies that discourage information blocking to help people and the health providers they allow to have access to their electronic health information,” said HHS Secretary Xavier Becerra. “We are confident the disincentives included in the proposed rule, if finalized, will further increase the appropriate sharing of electronic health information and establish a framework for potential additional disincentives in the future.”

The proposed rule regarding the information blocking disincentives is currently available for public comment. Written or electronic comments must be received on or before January 2, 2024.

Kelli Fleming is a Partner at Burr & Forman LLP practicing exclusively in the firm’s Health Care Practice Group. Kelli may be reached at (205) 458-5429 or kfleming@burr.com.

Pin It

Posted in: Legal Watch, Technology

Leave a Comment (0) →

New OIG Advisory Opinion Reinforces OIG’s Stance Against Turnkey Contractual Joint Ventures

Posted by on
New OIG Advisory Opinion Reinforces OIG’s Stance Against Turnkey Contractual Joint Ventures

By: Jessie Bekker, Burr & Forman LLP

The Office of Inspector General (“OIG”) has issued a new opinion with a familiar message cautioning providers against entering into suspect contractual joint ventures.

The OIG’s latest Advisory Opinion examined the Anti-Kickback Statute’s application to an arrangement related to the provision of intraoperative neuromonitoring (“IONM”) services (the “Proposed Arrangement”). As of the date of the Opinion, the requesting entity, an IONM provider, contracted with hospitals and surgery centers to provide the technical component of IONM services, which consisted of one of its neurophysiologists assisting during a surgery with the placement and operation of the IONM equipment. The IONM provider would arrange with a physician practice (“Practice”) to perform the personal component: remote monitoring by a neurologist of the IONM test results. The IONM provider billed its technical component services to the hospital or surgery center; the Practice billed the professional component to patients and their insurers. However, as competition grew fiercer, the IONM provider found itself at risk of falling behind its competitors who offered surgeons more lucrative opportunities, precipitating the Proposed Arrangement.

The Proposed Arrangement

Under the Proposed Arrangement, the IONM provider would assist a group of surgeons working for the hospitals and surgery centers with which the IONM provider contracted in creating a new IONM company (“NewCo”). The surgeon owners would own all of the interests in NewCo, which would contract with the existing IONM provider to provide all billing and collection services. NewCo would then contract with the Practice to provide the professional component of IONM services to NewCo’s clients. Under an agreement with the existing IONM provider, the IONM provider would supply NewCo with all of the day-to-day services, such that NewCo likely would not need to hire any of its own employees. NewCo – not the IONM provider – would contract with hospitals and surgery centers, receiving referrals for services from the surgeon owners, and would bill both the professional and technical components of the services. NewCo would compensate the IONM provider and Practice for their services through a fee, but the IONM provider anticipated NewCo’s profits would be substantial. In essence, NewCo would act as a competitor to the IONM provider with which it contracted, disrupting the IONM provider’s anticipated profits.

Analysis

Generally speaking, the Anti-Kickback Statute (the “AKS”) prohibits the knowing and willful offering, payment or receipt of remuneration to induce, or in return for, the referral of an individual to a person for any item or service reimbursable by a federal health care program, like Medicare or Medicaid. The statute is intent-based and prosecutes a violation criminally. Violations constitute felonies punishable by fines and imprisonment.

OIG has long expressed its disfavor toward contractual joint ventures that exhibit certain factors pointing to their suspect nature. A contractual joint venture exists where a health care provider in one line of business (e.g., Practice) expands into a related line of business (e.g., IONM) by contracting with an existing provider of the related line of business (e.g., IONM provider) in order to provide the new related line of business to the health care provider’s patients without any substantial risk to the health care provider. The Proposed Arrangement, according to OIG, would “present a host of risks of fraud and abuse under the [AKS], including patient steering, unfair competition, inappropriate utilization, and increased costs to Federal healthcare programs.” OIG pointed to several risks raised by the Proposed Arrangement, specifically, that it could result in inappropriate steering of referrals from the surgeon owners to NewCo, the IONM provider, and the Practice of federal health care program business. Certain specific factors led OIG to its conclusion, including that the surgeon owners, as a result of contracting out its day-to-day operations to the IOMN provider, would have no real financial risk while reaping the benefits of the IOMN services provided. Additionally, both the Practice and IOMN provider are established entities that would effectively be forced to compete with themselves as a result of the Proposed Arrangement. Moreover, because the surgeon owners would have a vested interest in NewCo’s success, the OIG concluded that there would be a risk that the surgeon owners would only refer business to NewCo, the IOMN provider and the Practice in order to benefit from the billing opportunity for those services. Accordingly, OIG concluded that the Proposed Arrangement would risk violating the AKS.

Takeaways

The OIG Advisory Opinion highlights its longstanding concern with suspect contractual joint ventures and acts as a reminder to physicians venturing into new business lines of the risk factors that may implicate the AKS. The Advisory Opinion, just like all Advisory Opinions, is applicable only to its specific facts and should not be relied upon as definitive authority in determining the risk under the AKS of any other arrangement.

Pin It

Posted in: Legal Watch, MVP

Leave a Comment (0) →

Online Tracking Tools—Be Cautious.

Posted by on
Online Tracking Tools—Be Cautious.

By: Kelli C. Fleming, Esq., Burr & Forman LLP

The Office for Civil Rights (“OCR”) and the Federal Trade Commission (“FTC”) recently teamed up to warn several healthcare providers about the privacy and security risks affiliated with online tracking technologies. According to the warning, these online tracking technologies may, under certain circumstances, be improperly disclosing protected health information (“PHI”) to third-parties or using such information for impermissible purposes.

Third-party tracking technologies, for example, Google Analytics, collect information about how users, oftentimes patients, interact with a provider’s website. Once collected, such information may be sent to the third-party who developed such technologies or used for marketing purposes without patient authorization. The unauthorized disclosure of this information to third-parties and the use of this information for marketing purposes could violate both HIPAA and the FTC Act. Providers who use a third-party website developer are unfortunately sometimes unaware that such technologies are even being used on their websites.

Indicating that online tracking is an area of priority, OCR issued guidance regarding online tracking technologies in December 2022. This guidance provides a general overview of how HIPAA applies to a provider’s use of online tracking technologies by addressing the following: (1) what is a tracking technology; (2) how does HIPAA apply to regulated entities’ use of tracking technologies; (3) tracking on user-authenticated webpages; (4) tracking on unauthenticated webpages; (5) tracking within mobile apps; and (6) HIPAA compliance obligations for regulated entities when using tracking technologies. This guidance is available at https://www.hhs.gov/about/news/2022/12/01/hhs-office-for-civil-rights-issues-bulletin-on-requirements-under-hipaa-for-online-tracking-technologies.html. 

In addition to agency enforcement, lawsuits are starting to be filed for violations of privacy and confidentiality due to improper uses and disclosures stemming from online tracking technologies. Thus, providers utilizing online tracking tools or allowing website developers to use such tools should closely review the relevant guidance to ensure that any disclosures and uses are appropriate. 

Kelli Fleming is a Partner at Burr & Forman LLP practicing exclusively in the firm’s Health Care Practice Group. Kelli may be reached at (205) 458-5429 or kfleming@burr.com.

Pin It

Posted in: Legal Watch, Technology

Leave a Comment (0) →

Ethical and Legal Considerations for Caring for Patients Under the Influence of Medical Marijuana

Posted by on
Ethical and Legal Considerations for Caring for Patients Under the Influence of Medical Marijuana

By: Jessie Bekker, Burr & Forman, LLP

In 2021, Alabama became one of thirty-eight states to legalize the medicinal use of cannabis. Though Alabama has yet to license any providers to prescribe it, an interesting question is how the consumption of medical cannabis by a patient before an appointment could impact the ability to obtain informed consent for scheduled procedures and treatments. For example, is a person who takes some form of marijuana before a procedure considered impaired for the purposes of determining their ability to consent? Does the determination change if that person is under the influence of prescribed versus recreational marijuana (or any other substance, for that matter)?

Here are a few considerations to keep in mind when determining whether a patient who has consumed cannabis prior to showing up for his/her doctor’s appointment can be treated as scheduled—or should perhaps come back another day:

  1. Determine whether the patient can coherently and meaningfully participate in their care. Fundamentally, determining whether a patient can provide informed consent to treatment comes down to whether that person understands their condition, the benefits of the proposed care plan, and the risks of obtaining and foregoing treatment. If a patient presents for care under the influence of medical cannabis or some other prescribed drug, consider whether that patient can play an active role in their care. Consuming drugs may impact informed consent if consumption results in impaired cognitive function. Therefore, if a patient’s condition leads to a negative answer to the above questions, consider postponing care or obtaining consent from a surrogate.
  2. Consider whether a delay in care put’s the patient’s health at risk. Sometimes, patients present under the influence of drugs or alcohol, but their health requires urgent attention. If a delay in treatment has the potential to cause the patient’s condition to worsen, act on your best medical judgment. Per the American Medical Association, ask the patient’s surrogate, when available, to provide consent. Where neither the patient nor a surrogate can provide consent, initiate treatment and obtain consent from the patient or surrogate as soon as the opportunity arises. 
  3. Reschedule non-emergent appointments. If a patient is impaired after consuming medical cannabis and presents to a scheduled appointment for non-urgent treatment, consider rescheduling the appointment. Additionally, consider speaking with the patient’s prescriber to determine at which amount the patient can safely consume medical cannabis without reaching impairment, and reschedule the appointment for a date when the patient, his/her prescriber, and the treating physician all agree that the patient can receive appropriate care.

Treating a person who is impaired presents issues regarding informed consent. Still, not all consumption of drugs, like medical cannabis, will implicate the patient’s ability to meaningfully participate in their care. As Alabama’s medical cannabis industry takes shape, these questions may arise more frequently. When making delicate determinations about a person’s ability to consent to care, work with that patient and their surrogate and/or other providers, where appropriate, to best meet the patient’s needs.

Jessie Bekker is an Associate at Burr & Forman LLP and practices exclusively in the firm’s Healthcare Practice Group. Jessie may be reached at (205) 458-5275 or jbekker@burr.com.

Pin It

Tags:

Posted in: Legal Watch, Medical Cannabis

Leave a Comment (0) →
Page 1 of 9 12345...»