Archive for Legal Watch

So, How Do I Comply with HIPAA?

Posted by on

hipaa_banner

Editor’s Note: This article was originally published in the 2016 Spring Issue of Alabama Medicine magazine

A physician client recently asked me a seemingly simple, straightforward question: “So, how do I comply with HIPAA?” The answer, unfortunately, is not as simple and straightforward as the question.

HIPAA (i.e., the Health Insurance Portability and Accountability Act) and its various regulations include numerous, often confusing requirements, and little in the way of practical guidance. With this in mind, this article provides the author’s attempt to give, in simple terms, an overview of HIPAA’s requirements, and a short list of practical steps physician practices may take to establish a baseline of compliance.

Overview

In the most simple terms, to comply with HIPAA, a physician practice needs to address and satisfy the obligations of a “covered entity” under the regulations set forth in the HIPAA security regulations, 45 CFR § 164.300 et seq. (the “Security Rule”); the HIPAA breach notification regulations, 45 CFR § 164.400 et seq. (the “Breach Notification Rule”); and the HIPAA privacy regulations, 45 CFR § 164.500 et seq. (the “Privacy Rule”), in respect to “protected health information” (“PHI”) received and maintained by the practice on behalf of its patients. HIPAA compliance has garnered significant attention recently, due to increasing public awareness in regard to data breaches and privacy and information security matters, generally, as well as increased enforcement efforts by the U.S. Department of Health and Human Services Office of Civil Rights (“HHS,” and “OCR”)1 and other government agencies,2 not to mention the looming specter of potential class action and other litigation involving affected patients.3 In addition, OCR recently commenced a new, expanded HIPAA audit program that will select physician practices and other HIPAA-covered entities and business associates for random compliance audits.4

Privacy Rule

To comply with the Privacy Rule, a physician practice must not access, use or disclose PHI, in paper or electronic form, other than as required or permitted by the Rule. For example, the Privacy Rule requires that a physician practice not disclose a patient’s PHI to a third party without an appropriate written authorization from the patient, except in certain circumstances, such as in connection with the patient’s treatment, or payment for such treatment, or the practice’s health care operations. The Privacy Rule also specifies that, in general, even if a particular disclosure is required or permitted, the practice must ensure that the disclosure is limited to the minimum necessary information. In addition to these foundational issues, the Privacy Rule requires that physician practices take certain administrative steps to facilitate compliance, including identifying a privacy officer, implementing written policies and procedures to formalize privacy practices, and entering into business associate agreements (that include specific provisions outlined in the Rule) with vendors and other third parties that create, receive, transmit or maintain PHI on behalf of the practice (“business associates,” in HIPAA terms). Physician practices must also regularly evaluate and update their privacy policies and practices, provide regular privacy training to their workforce members, and impose appropriate sanctions when workforce members fail to comply with established privacy practices.

Security Rule

Under the Security Rule, physician practices must implement reasonable and appropriate administrative, physical and technical safeguards to protect electronic PHI (“ePHI”). Technical safeguards include, for example, encryption, access controls, audit logs, authentication controls, and other safeguards directed toward securing ePHI. Physical safeguards include locking doors, screening computers, and other safeguards to protect access to workstations and other physical facilities where workforce members access ePHI and protocols to safeguard ePHI during disposal. Administrative safeguards include security risk analysis (discussed further below) and risk management plans, contingency/disaster recovery plans, and security incident reporting procedures, as well as written policies and procedures addressing security practices, regular evaluation of security safeguards, and workforce training and sanctions, similar to the Privacy Rule.

Breach Notification Rule

The Breach Notification Rule requires that, in the event a physician practice discovers an unauthorized access, use or disclosure of unsecured PHI (for example, a breach of unencrypted ePHI), in paper or electronic form, the practice must notify each patient affected by the breach, as well as OCR,5 unless the practice can demonstrate, based on a risk assessment conducted in accordance with the Rule,6 that there is not more than a low probability that PHI was compromised. Like the Privacy Rule and the Security Rule, the Breach Notification Rule also requires physician practices implement written policies and procedures to document their breach notification responsibilities and practices, train workforce members regarding their responsibilities in the event of a breach, and hold workforce members accountable for non-compliance.

Practical Steps

In view of the various rules and requirements discussed above, physician practices may take the following steps toward establishing a baseline of compliance with HIPAA.

Perform a security risk analysis in compliance with the Security Rule. It is essential that every physician practice perform (and regularly update, as appropriate) a security risk analysis, in compliance with the Security Rule, as noted above. Done properly, the security risk analysis highlights specific risks and vulnerabilities in the practice’s security practices and recommends specific steps to address them – thereby providing a road map, of sorts, to compliance with the Security Rule. From an enforcement standpoint, OCR has repeatedly zeroed in on covered entities that fail to perform an appropriate risk analysis. As a practical matter, most physician practices utilize third-party consultants, with appropriate information technology expertise and resources, to conduct the risk analysis. In any case, the risk analysis should be coordinated through legal counsel to, among other things, ensure applicable HIPAA requirements are addressed and preserve attorney-client privilege, to the extent possible, as to communications with the consultant (i.e., in regard to security risks and vulnerabilities identified in the analysis). Physician practices should be sure, also, to routinely update their risk analysis, to ensure that new and evolving legal requirements and risks are timely addressed.

Implement appropriate written policies and procedures for compliance with the Privacy Rule, Security Rule and Breach Notification Rule. It is also essential that every physician practice implemented, written policies and procedures to facilitate compliance with the Privacy Rule, the Security Rule and the Breach Notification Rule. “Template” policies and procedures may be obtained from various sources, and may be sufficient for compliance, at least temporarily; ultimately, however, practices should tailor their policies and procedures to their particular circumstances – including, for example, the specific risks and vulnerabilities identified, from time to time, in the practice’s (ongoing) security risk analysis, as well as the practice’s history and experience with (actual) privacy, security and breach matters. As noted above, it is also critical that the practice regularly review and update its policies procedures to ensure compliance with applicable laws and regulations, and to take into account, again, any recent privacy, security or breach related matters at the practice.

Address encryption. Technically, encryption is not required to comply with the Security Rule. Like risk analysis, however, encryption (specifically, lack of encryption) is a favorite target of OCR, in its enforcement efforts, especially in regard to (unencrypted) mobile devices, such as laptops and tablet computers, smartphones, and the like.7 Moreover, encrypted ePHI (i.e., “secure” ePHI)8 is not subject to the Breach Notification Rule; that is, even if the information is somehow breached, the practice need not notify patients or OCR regarding the incident.

Vet vendors and vendor contracts. Physician practices should routinely vet any vendors (i.e., business associates) that have access to PHI, in paper or electronic form, to ensure the vendor has appropriate safeguards in place, similar to those required of the practice. In addition, as noted above, physician practices should ensure that they have written, HIPAA compliant, business associate agreements in place with such vendors. Practices should also confirm that business associate agreements and/or related vendor service contracts include adequate protections (in the form of indemnification, and other remedies) for the practice, in the event of a data breach or similar incident. Moreover, due to the significant risk
management and legal implications now associated with ePHI, practices are advised to coordinate review of their vendor arrangements and contracts with appropriate legal counsel.

Implement appropriate back-up and contingency plans. The Security Rule requires that physician practices have in place secure procedures for backing up PHI and safeguards to protect PHI and to recover lost PHI, in the event of a natural disaster or other, similar contingency. Some practices utilize their own servers or resources to back up data; others utilize “cloud” or similar third-party services. As a practical matter, similar to risk analysis, contingency plans are often developed and implemented in coordination with a third-party consultant with appropriate expertise.

Confirm appropriate insurance coverage is in place. Many insurance carriers now offer some form of “cyber” insurance coverage to protect against losses related to data breaches and other information security matters. Cyber insurance typically addresses the insured’s overall information technology security practices; it may or may not address specific HIPAA compliance issues. In lieu of (or in addition to) cyber coverage, physician practices may look to other insurance (directors and officers, errors and omissions, professional liability, general liability, etc.) for coverage. In any case, particularly in view of the significant enforcement and litigation risks now associated with HIPAA and related privacy and security matters, physician practices must be sure they have adequate insurance coverage in place in the event of a data breach or similar privacy or security incident – and, in the event coverage is available from multiple sources, that they understand the interplay between the various policies.

Sources

  1. OCR enforcement efforts include a number of high dollar settlements (known as “resolution agreements”) entered into between OCR and HIPAA covered entities, including physician practices. For additional information pertaining to OCR resolution agreements and other enforcement efforts, please see the HHS website, at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/index.html. (To view OCR resolution agreements involving physician practices, visit the above link, and select “Private Practices.”)
  2. Besides OCR, data breaches (whether or not HIPAA is implicated) may trigger enforcement efforts by state attorneys general, the Federal Trade Commission and other state or federal agencies.
  3. See, e.g., Class Action Lawsuit for Flowers Hospital Data Breach Moves to Discovery Phase, HIPAA Journal (Oct. 5. 2015), accessible at http://www.hipaajournal.com/flowers-hospital-class-action-data-breach-lawsuit-moves-to-discovery-8133/ (last visited March 24, 2016).
  4. See OCR Launches Phase 2 of HIPAA Audit Program, available at http://www.hhs.gov/hipaa/forprofessionals/compliance-enforcement/audit/phase2announcement/index.html.
  5. Notification to OCR is delivered using an online portal on the HHS website, accessible at https://ocrportal.hhs.gov/ocr/breach/wizard_breach.jsf?faces-redirect=true.
  6. The Breach Notification Rule includes specific factors the physician practice must take into account in conducting the risk assessment. These factors are set forth at 45 CFR §164.402.
  7. OCR data indicates that a significant portion of reported breaches of unsecured PHI, perhaps more than half, involve theft or loss of an unencrypted mobile device.
  8. To avoid the notification requirements of the Breach Notification Rule, ePHI must be encrypted according to specific, National Institute of Standards and Technology (“NIST”) protocols. For information regarding specific encryption protocols, see Guidance to Render Unsecured Protected Health Information Unusable, Unreadable or Indecipherable to Unauthorized Individuals, on the HHS website, at http://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html.

The information in this article reflects the thoughts and opinions of the author, and does not, and is not intended to, constitute legal advice. If you have specific questions pertaining to HIPAA or other legal matters addressed herein, please consult appropriate legal counsel.

Contributed by D. Brent Wills, Esq., a partner at Gilpin Givhan P.C., a Bronze Partner with the Association.

Pin It

Tags: ,

Posted in: Legal Watch

Leave a Comment (0) →

Physicians: Be Cautious When Responding to a Subpoena or Request for Medical Records

Posted by on

medicalfile_banner

Editor’s Note: This article was originally published in the 2016 Summer Issue of Alabama Medicine magazine

Doctors must educate themselves and particularly their staff on the legal obligations to protect the confidentiality of medical records and how to properly respond to subpoenas and requests for patients’ health information. It is a huge mistake for physicians to automatically assume that a subpoena or request is properly executed. Improperly releasing a patient’s medical records can result in a civil suit by the patient, an administrative fine by the federal government, or disciplinary action by the state medical board.

Civil and criminal courts in the State of Alabama have the right to summon witnesses into court and require them to testify under oath. Subpoenas are issued to non-parties to a lawsuit; therefore, the health care provider is not a party to the pending litigation. Consequently, the method for securing the attendance of witnesses and records is by the issuance of a subpoena or a subpoena duces tecum, respectively.

A subpoena is a written order compelling a person to appear and give testimony at a trial or other proceeding. The subpoena duces tecum is a subpoena compelling a person to appear, give testimony, and bring all books, documents, papers, or records described in the notice. A failure to respond could subject the health care provider to contempt of court. A patient’s medical records are generally secured by a subpoena duces tecum, which is served on the person having actual custody or possession of the records, and typically request a patient’s chart, x-rays and billing documents. In most cases, the party seeking the information is not requesting the physician or his staff to physically appear in court to produce the records.

A subpoena is generally issued by an attorney or the clerk of court, which means that you will often receive a subpoena without an accompanying court order or any documents signed by the judge. A properly issued subpoena for patient records is generally as valid as any other properly issued subpoena with one important exception. That exception relates to subpoenas requesting health care information that is afforded special protection under state or federal law, such as records relating to the testing for or treatment of HIV, AIDS, STDs; and mental health, behavioral health, or treatment records of substance abuse programs. A subpoena requesting such information without a court order or patient authorization is generally not proper.

Typically, the subpoena must be accompanied by an authorization signed by the patient authorizing release of that specific protected information or an order signed by the judge authorizing release of that information. Stated another way, if the medical record contains information that relates to the testing or treatment of HIV, AIDS, STDs or psychiatric records, such as mental health or behavioral health, then the physician will need either:a court order signed by a judge specifically ordering the records related to these specially protected areas, or an authorization signed by the patient specifically authorizing the doctor to release that portion of the record.

  1. a court order signed by a judge specifically ordering the records related to these specially protected areas, or
  2. an authorization signed by the patient specifically authorizing the doctor to release that portion of the record.

The HIPAA Privacy Rules also require additional steps before a physician can release records containing protected health information (“PHI”) pursuant to a subpoena. A physician may disclose PHI in the course of any judicial or administrative proceeding by either obtaining an order of a court or in response to a subpoena if the physician obtains satisfactory assurances from the party issuing the subpoena.

For the purposes of obtaining “satisfactory assurances” from a party seeking PHI, the physician must receive documentation demonstrating that:the party requesting the information has made a good faith attempt to provide written notice to the individual, the notice to the individual includes sufficient information about the litigation to permit the individual to raise an objection to the court, and the time for the individual to raise objections has lapsed and no objections were filed, or all objections that were filed by the individual had been resolved by the Court.

  1. the party requesting the information has made a good faith attempt to provide written notice to the individual,
  2. the notice to the individual includes sufficient information about the litigation to permit the individual to raise an objection to the court, and
  3. the time for the individual to raise objections has lapsed and no objections were filed, or all objections that were filed by the individual had been resolved by the Court.

Physicians or their offices may receive subpoenas from out-of-state courts in matters involving mass tort claims such as asbestos. A subpoena from another state’s court does not have the authority to compel production in Alabama. Thus, a physician who receives a subpoena in Alabama by another state’s court should not respond to the subpoena unless the subpoena is domesticated by (accompanied by an order from) a circuit court in Alabama.

Physician and physician practices may also receive requests for medical records prior to a lawsuit being filed. These requests may come from the patient or a law firm. HIPAA governs the release of these records and whether the request is authorized. Records should only be released to authorized individuals. If the patient is living, authorized individuals include the patient or his Personal Representative.

Pursuant to HIPAA, “Personal Representative” is defined by state law and would include someone who has a Power of Attorney for the patient. If the patient is deceased, the Personal Representative of the patient’s estate may obtain the records. In 2013, HIPAA expanded authorized individuals of deceased patients to include family or individuals involved in the patient’s care, if the request is relevant to their involvement in the patient’s care, unless releasing the records is inconsistent with prior expressed preference of the individual. Therefore, a deceased patient’s family member may request the records even if she is not appointed as the personal representative of the patient’s estate, and a physician may release the records if it determines the individual is authorized under this provision.

The problem for physicians and their staff is that they often do not know the requirements necessary to make a subpoena or request valid or lawfully enforceable. Therefore, it is prudent for the physician to educate his/her staff about subpoenas and requests for records and when not to respond or release the records. In certain circumstances, it may be wise for the physician to consider having a subpoena or request reviewed by legal counsel to determine the appropriate response.

The relatively small expense can save a tremendous amount of trouble later on.

bronzemvpContributed by Jim Hoover and Angie Cameron Smith, members of Burr & Forman, LLP’s Health Care Industry Group and represent health care providers in regulatory and litigation matters. Burr & Forman, LLP, is an official Bronze Partner with the Medical Association.

Pin It

Tags: ,

Posted in: Legal Watch

Leave a Comment (0) →

Recent Changes to the Federal Stark Law

Posted by on

advocacylaw_banner

Editor’s Note: This article was originally published in the 2016 Winter Issue of Alabama Medicine magazine

Most physicians are aware of the Federal Stark Law and the limitations it places on a physicians’ ability to enter into financial relationships with potential referral sources. Can I refer patients to the physical therapy practice I own? Can I lease space and/or equipment from the hospital? Can I share my front desk personnel with another provider? These are questions we commonly hear from physicians who are navigating the complicated web of health care compliance under the Stark Law. Recent changes to the Stark Law enacted through the 2016 Medicare Physician Fee Schedule Final Rule (“Final Rule”) may provide added flexibility to physicians contemplating some of these types of arrangements.

The issuance of the Final Rule on Nov. 16, 2015, was the first time the industry has seen such broad changes to the physician self-referral law in several years. According to the Centers for Medicare and Medicaid Services (CMS), the changes are designed to “accommodate delivery and payment system reform, to reduce burden, and to facilitate compliance.” The majority of the changes took effect Jan. 1, 2016.

The Stark Law prohibits a physician from referring Medicare or Medicaid patients for certain “designated health services” to entities with which the physician (or an immediate family member of the physician) has a financial relationship, unless an exception applies. Any relationship in which remuneration (i.e., something of value) flows between the parties is considered a financial relationship under the Stark Law.

Designated health services (“DHS”) covered by the Stark Law include the following:

  1. clinical laboratory services;
  2. physical therapy, occupational therapy, and outpatient speech language pathology services;
  3. radiology and certain other imaging services;
  4. radiation therapy services and supplies;
  5. durable medical equipment and supplies;
  6. parenteral and enteral nutrients, equipment and supplies;
  7. prosthetics, orthotics and prosthetic devices and supplies;
  8. home health services;
  9. outpatient prescription drugs; and
  10. inpatient and outpatient hospital services.

The majority of the Final Rule changes address the exceptions to the Stark Law — in other words, the instances in which CMS has stated that a financial relationship is permitted between referring parties. While a summary of all the recent changes is beyond the scope of this article, I did want to highlight some of the more significant changes.

In the Final Rule, CMS established two new Stark Law exceptions. The first exception permits hospitals, federally qualified health centers (FQHC), or rural health clinics (RHC), to provide assistance to physicians to recruit and compensate non-physician practitioners (i.e., nurse practitioners, clinical nurse specialists, physician assistants, certified nurse midwives, clinical social workers, and clinical psychologists) under certain conditions. In other words, physicians can now receive recruitment incentives to attract non-physician practitioners to their practice.

In order to take advantage of the exception, among other things, at least 75 percent of the patient care services provided by the recruited non-physician practitioner must be primary care or mental health services. Further, the payment to the physician by the hospital, FQHC, or RHC cannot exceed 50 percent of the aggregate compensation, signing bonus, and benefits paid to the non-physician practitioner and must be consistent with fair market value. This new exception may only be utilized once every three years for a particular physician (unless the non-physician practitioner leaves prior to the expiration of one year) and there is a two-year limit on the assistance provided by the hospital, FQHC, or RHC.

The second new Stark Law exception permits time-share arrangements for the use of office space, equipment, personnel, items, supplies and services. The exception applies to arrangements that grant a right of permission to use the premises, equipment, personnel, items, supplies, or services, but not to arrangements that transfer control over such items. While these types of arrangements have been in place for years and have been analyzed under other Stark Law exceptions, the new exception provides clarification and flexibility. There are some limitations, however, to the use of the new exception. For example, advance imaging equipment (e.g., MRI and CT) and clinical or pathology laboratory equipment may not be used within the shared space. Further, compensation formulas based on revenue percentage or per-unit fees are prohibited.

In the Final Rule, CMS also clarified several existing Stark Law exceptions. While a discussion of all of the clarifications is beyond the scope of this article, I wanted to highlight a few:

  • Many Stark Law exceptions contain a requirement that the arrangement be “in writing.” However, sometimes physicians fail to enter into or sign a formal written contract prior to the initiation of the arrangement. In the Final Rule, CMS clarified that the “writing” does not necessarily need to be a single written formal contract, but rather can be a collection of contemporaneous writings that relate to each other and that document the relationship (e.g., e-mails, invoices, check requests, board meeting minutes, time sheets, etc.). A document produced after a referral is made, however, cannot be used to demonstrate compliance with respect to prior referrals. Nonetheless, despite the clarification, a single written contract remains the recommended method of documentation when possible.
  • Under the previous provisions, if a signature to an arrangement was missing, the parties had 30 days to obtain the missing signature if the omission was not inadvertent and 90 if the omission was inadvertent. Under the Final Rule, parties now have 90 days to obtain a missing signature regardless of whether the omission was inadvertent.
  • For exceptions requiring a one-year arrangement, CMS clarified that the one-year term does not have to be directly expressed in the writing, provided the parties can show factual compliance with the one-year requirement through other documentation.
  • Previously, under the exception for leases and personal services agreements, a holdover period at the expiration of the agreement was limited to six months. In other words, if the agreement expired and the parties failed to enter into a new agreement, the old agreement could govern the relationship but only for a period of six months. The Final Rule allows for an indefinite holdover period on the same terms as the original agreement as long as the arrangement remains compliant with the applicable exception. However, amendments during the holdover period are prohibited. In light of this change, it is highly recommended that the parties review holdover agreements periodically to confirm that the arrangement remains compliant (e.g., that the payment remains consistent with fair market value).
  • CMS clarified that when parties split-bill for services (e.g., hospital bills technical component and physician bills professional component), this alone does not create a financial relationship triggering the Stark Law between the parties.
  • The Final Rule clarifies the definition of remuneration under the Stark Law does not include the provision of items, devices, or supplies that are used solely to collect, transport, process or store specimens or to order or communicate the results of tests or procedures.

Physicians contemplating arrangements that may fall under a Stark Law exception are encouraged to review these latest developments. Depending on the circumstances, some of the most recent changes may provide added flexibility and additional options for physicians.

bronzemvpContributed by Kelli Fleming, a partner at Burr & Forman, LLP, who works exclusively within the firm’s Health Care Practice Group. Burr & Forman, LLP, is an official Bronze Partner with the Medical Association.

Pin It

Tags: ,

Posted in: Legal Watch

Leave a Comment (0) →

The New Capitated System: How Do Physicians Respond?

Posted by on

Doctor with female patient

Editor’s Note: This article was originally published in the 2015 Winter Issue of Alabama Medicine magazine

On May 17, 2013, Gov. Robert Bentley signed into law Act 2013-261, Ala. Code Sections 22-6-150 et seq., which changes the Alabama Medicaid System from a fee-for-service to a managed care program (the “Act”). This will dramatically change the way nearly 1 million Alabama Medicaid beneficiaries receive their care, and change the way providers are paid. The Alabama Medicaid Agency will allocate a fixed, capitated per-member per-month payment to newly formed regional care organizations (“RCOs”) in return for the RCOs providing health care services to the Medicaid beneficiaries assigned to the RCO. The RCOs will provide the health care services through physicians and other health care providers who enter into provider agreements with the RCOs.

Each RCO is required to establish a network of health care providers in order to deliver care to its enrollees. The network can include physicians, hospitals, pharmacies, podiatrists, chiropractors, psychologists, dentists, therapists, social workers, rural health clinics and other health care providers. RCOs do not have to directly contract with providers, but can also contract with a managed care organization that will contract with providers. Under the law, RCOs are required to contract with any willing physician, hospital or other provider to offer services to beneficiaries in the RCO region if the provider is willing to accept the same payment and contract terms offered by the RCO to other comparable providers.

RCOs can pay providers either on a fee-for-service basis or on a capitated basis. In addition, RCOs can implement value, performance and other payment methodologies. If a RCO decides to not credential a provider in its network, the RCO must give the provider written notice of the reason for its decision, and follow credentialing requirements set out in federal regulations.

There are now 11 organizations across the State of Alabama that have been granted probationary certification as Medicaid Regional Care Organizations or “RCO”s. Physicians have begun receiving notices from some of these RCOs asking them to return a letter of intent to participate in the RCO network of providers. RCOs must be able to demonstrate to the Medicaid Agency that they have an adequate provider network in place by April 1, 2015. The RCOs are now on a fast track to put together the Primary Care Networks, and will be sending provider contracts out later this year. This will be the time physicians and other providers will be negotiating with the RCOs for the best agreement they can get.

The letters of intent being sent out are non-binding on physicians, and merely acknowledge the physician is willing to negotiate with the RCO. However, the issuance of the letters of intent by the RCOs may trigger discussions among physicians that may have antitrust implications. While a physician who simply sends in a letter of intent is acting individually, and without antitrust issues, if that physician begins discussing with other physicians whether or not the physicians should send letters of intent, the physicians involved in the discussions may be deemed to be acting collectively, and antitrust issues arise.

Under antitrust laws, physicians are considered horizontal competitors who compete with each other for patients just as car dealers are horizontal competitors who compete for customers. Any distinction in the law for professions has long been abandoned. Violations of the antitrust laws carry very severe penalties including potential criminal prosecution, trebled damages and an award of the plaintiff’s attorney fees. The enormous legal fees involved in defending an antitrust investigation by the Department of Justice or the Federal Trade Commission alone can be devastating to a physician practice.

To protect physicians who negotiate with RCOs, the Act provides immunity from liability under the antitrust laws by putting these negotiations under an exemption to antitrust known as the “State Action Doctrine.” This doctrine is set forth by the U.S. Supreme Court and exempts actions of a state from application of the antitrust laws. To qualify for the exemption, the state must clearly articulate and express a state policy to exempt the anticompetitive conduct and then actively supervise the anticompetitive conduct. The most difficult prong of the two-part test to meet is the requirement of active state supervision. The Medical Association of the State of Alabama has worked with the officials and attorneys for the Medicaid Agency to give physicians the maximum protection possible from the potential violation of the antitrust laws. It will be up to individual physicians and other providers, however, to assure they understand and follow to the letter the Medicaid Regulations designed to allow the Medicaid Agency to supervise the collective negotiations. Failure to do so can remove the antitrust immunity provided by the Act and leave the physicians and other providers vulnerable to the sanctions of the antitrust laws.

If carefully followed, the Act and the Medicaid Regulations provide the necessary elements to exempt collective negotiations from antitrust liability. Before talking with other physicians about the pros and cons of contracting with a Medicaid RCO, physicians should apply through an online process to the Medicaid Agency for a Certificate to Collaborate (the “Certificate”). The electronic application is available at https://rcoportal.medicaid.alabama.gov. Once the application is approved, a Certificate will be issued which will allow for collective negotiation, bargaining, and cooperation regarding payment and health care delivery. Careful attention must be paid to the Medicaid Regulations to assure the Certificate to Collaborate continues in force. To satisfy the State Action Doctrine, it is required the active state supervision be continuous, so just getting the Certificate alone is not sufficient. The Medicaid Regulations provide for continual monitoring and supervision of the negotiation process. Physicians and other providers must have someone in their offices knowledgeable of the requirements, and carefully assuring that they are followed.

In addition, the State Action Doctrine immunity only applies to collective negotiations with regard to Medicaid. It does not immunize any collective actions regarding private insurance companies or health maintenance organizations. Care must be taken to assure that the negotiations are limited to Medicaid beneficiaries.

The Certificate is not necessary for physicians to attend informational sessions on the new system, but is necessary for physicians to discuss among themselves whether or not to participate or on what terms to participate.Now is the time for physicians to get their Certificates, as the provider contracts will be next on the agenda for the RCOs. In all likelihood, physicians in the different regions who jointly negotiate with the RCOs either solely as physicians or in collaboration with one or more hospitals will be in

Now is the time for physicians to get their Certificates, as the provider contracts will be next on the agenda for the RCOs. In all likelihood, physicians in the different regions who jointly negotiate with the RCOs either solely as physicians or in collaboration with one or more hospitals will be in position to get better contracts than those who individually negotiate. The antitrust immunities in the Act give physicians and other providers greater ability to join together in new organizations to negotiate with RCOs and provide care to their enrollees.

Independent Practice Associations (“IPAs”), Preferred Provider Organizations (“PPOs”) and Physician Hospital Organizations (“PHOs”) are examples of the types of entities that will regain popularity in the development of the new provider networks. With the antitrust immunities furnished by the Act IPAs, PPOs and PHOs, as well as other entities, will be effective means for physicians and other providers to join together collectively and negotiate with RCOs. IPAs are entities in which physicians can integrate either partially or fully their practices into a separate entity that will negotiate with the RCOs and actually provide the care to enrollees of the RCO. PPOs are entities physicians can form to negotiate with RCOs for fees to be paid to the physicians but do not provide the care to enrollees. Care is provided through the individual medical practices. PHOs separate entities formed by hospitals and members of their medical staffs to negotiate and provide both hospital and physician services to enrollees.

The Act is changing the landscape for the provision of health care services for Medicaid beneficiaries. Other articles will deal with topics to help physicians negotiate the changes, including terms to carefully consider in signing provider contracts. Needless to say, as the time grows closer, physicians and other providers will be discussing options and strategies for responding to the changes.

bronzemvpArticle contributed by John T. Mooresmith, Esq., Burr Forman, LLP. Burr Forman, LLP, is an official Bronze Partner of the Medical Association.

 

Pin It

Tags: , ,

Posted in: Legal Watch

Leave a Comment (0) →
Page 9 of 9 «...56789