Archive for Legal Watch

Is a Physician Leaving Your Practice? Here are Your “Must Have” Employment Agreement Provisions (Part I)

The following is the first installment of a three-part series discussing important provisions in physician employment agreements.

When a physician leaves a medical practice, especially if the physician stays in the area to compete against his/her former employer, the situation can become stressful and acrimonious. During the final weeks of employment, the departing physician can start to focus more on his/her new practice to the detriment of the current employer, and disputes often arise regarding access to medical records, soliciting patients and employees, and when to schedule procedures – before or after termination. We have seen both medical practices and departing physicians engage in questionable conduct in order to keep as many patients as possible. Lawyers are often engaged to negotiate the terms of separation or, in a worst-case scenario, to file or defend a lawsuit.

Over the years, we have counseled hundreds of physician practices on how to successfully navigate the various issues that arise when a physician departs, regardless of whether the physician is an employee or an owner. Careful planning on the front end through a comprehensive employment agreement is the most important element in an amicable and fair separation. More often than not, we have found that disputes and subsequent litigation can arise when the employment agreement is not properly drafted or does not adequately address the specific terms of separation.

This three-part series provides a summary of the key provisions (with sample language) that can be incorporated into a physician employment agreement to help mitigate problems when a physician leaves your practice. Since each medical practice is unique, please consult with your own attorney before using any of the provided sample provisions in a physician employment agreement.

Setting Expectations. Unless there is an immediate termination due to a breach of the employment agreement or other significant event, such as loss of license, oftentimes a physician’s employment is terminated by either party “without cause” upon thirty (30) to ninety (90) days prior written notice. In that situation, the physician continues to work for the medical practice during the notice period. This can be a very stressful time for both the practice and the departing physician, as the practice often feels that the physician’s loyalties have shifted. Even though the physician remains employed (and receives compensation), the physician may not be acting in the best interest of the soon-to-be former employer. As such, it is helpful to set expectations of conduct in the employment agreement during this transition period.

Following any notice of termination of Physician’s employment with the Employer which does not immediately terminate Physician’s employment, Physician shall continue to conduct himself/herself in accordance with the terms of this Employment Agreement, and specifically shall not: (a) copy (or instruct Employer personnel to copy) medical charts of patients for Physician’s use after termination of employment with the Employer, (b) compile (or instruct Employer personnel to compile) lists containing patient data, including patient names, addresses and/or telephone numbers of Employer’s patients for Physician’s use after termination of employment with the Employer, (c) schedule (or instruct Employer personnel to schedule) medical appointments, procedures and/or surgeries between Physician and Employer’s patients subsequent to the termination date of Physician’s employment with the Employer, (d) take vacation or continuing medical education time-off that is inconsistent with Physician’s normal vacation and continuing medical education time-off, or (e) otherwise diminish or lessen Physician’s services for the Employer.

In addition, upon termination of employment the departing physician should be required to complete certain obligations.

Notwithstanding the termination of Physician’s employment with Employer, Physician shall be required to: (a) cooperate with Employer on any malpractice or other actions or suits related to Physician, (b) immediately upon termination complete all medical records and return all property belonging to Employer, including, without limitation, patient and client lists, fee schedules, compensation information, medical records and all confidential information of the Employer, and (c) otherwise fulfill all responsibilities hereunder reasonably determined by Employer to relate to the services rendered by Physician prior to termination.

Patient Notices. One of the most contentious issues surrounding the departure of a physician involves notifying patients the physician is leaving. Under Alabama licensure law, the departing physician is obligated to notify his/her “Active” patients of the date the physician is leaving and his/her new contact information. The purpose behind the notification is to provide patients the freedom of choice to remain with the practice or follow the departing physician, and to minimize potential patient abandonment issues. The term “Active” patients is not defined under licensure law, but in our experience notice should be sent to those patients treated by the departing physician within the last twelve (12) months immediately prior to termination. Physicians who practice in a specialty that might require longer follow-up care, such as oncology or cardiology, would likely need to notify patients treated in the eighteen (18) to twenty-four (24) months immediately prior to termination.

Sometimes, the medical practice will provide the departing physician a list of his/her patients with addresses so the physician can send the required notice. Oftentimes, however, the medical practice does not want to provide a patient list and arguments arise over the proper way to notify patients and the timing of such notice. Specifying in the employment agreement the form of such notice, how costs are to be allocated and the timing of the notice will help avoid arguments.

Upon termination of this Employment Agreement, Physician shall not have any right to receive a list of patients treated by Physician while an employee of Employer. Any notice required by law to be sent to Physician’s patients upon Physician’s departure from the Employer shall be sent by the Employer on behalf of Physician and the parties hereby agree that such notice shall only be sent to those patients for whom the Physician served as the primary physician within _________ (_____) months immediately preceding the date of termination of this Employment Agreement (e.g., Active Patients). The Physician and Employer shall each pay one-half of the costs associated with the notice, to include applicable postage. The form of notice shall reference both Employer (and its physicians) and the Physician and shall be agreed upon by the parties in good faith. The Physician and Employer will work together in good faith to send out the notice at least thirty (30) days prior to the Physician’s last day of employment, if feasible.

Medical Records. The patient medical records, whether paper or electronic, belong to the medical practice. However, certain situations may arise when the practice should make medical records available to the departing physician after termination, including, for example, to address medical malpractice claims or government investigations. Further, patients have the right of access to their records and can direct that the practice make copies of their records available to the departing physician. Oftentimes, we will include in the patient notice a HIPAA Authorization form for the patient to sign if he/she intends to continue under the care of the departing physician and wants the medical practice to send copies of records to the physician.

Physician shall prepare in a timely and complete manner medical records relating to his/her provision of professional services in such form and containing such information as customarily maintained by Physician and as required by applicable federal and state law, third-party payer agreements and Employer. All patient records, case histories, films, and personal and regular files concerning the patients consulted, interviewed, treated or cared for by Physician pursuant to this Employment Agreement shall belong to and remain the property of Employer. Upon termination of this Employment Agreement, Physician shall have the right, in accordance with state and federal law, including the Health Insurance Portability and Accountability Act of 1996, and its corresponding regulations, as may be amended from time to time, to obtain copies at Physician’s sole cost and expense of any patient record of Employer; provided, however, that Physician was involved in the applicable patient’s care and further that Physician’s right to copy such patient records shall be subject to: (a) Employer receiving a written authorization signed by the patient authorizing Employer to release such copies to Physician, (b) Physician requiring access to certain patient records to defend or prepare to defend any alleged or threatened professional liability claims relating to such patient records, or (c) Physician requiring access to certain patient records with respect to governmental or third party payer audits or reviews of claims for reimbursement relating to such patient records.

While it may take more work on the front end, having a well-thought-out and comprehensive physician employment agreement will save significant time, effort and potentially money when a physician leaves your medical practice. Stay tuned for Part II of this three-part series, which will discuss protecting other employees, compensation, and continuing malpractice insurance.

Read the full series:

A Physician is Leaving Your Practice – “Must Have” Employment Agreement Provisions (Part II)

A Physician is Leaving Your Practice – “Must Have” Employment Agreement Provisions (Part III)

Howard Bogard is a Partner with Burr & Forman LLP and serves as the Chair of the firm’s Health Care Industry Group. Kelli Fleming is a Partner with Burr & Forman LLP practicing in the firm’s Health Care Industry Group. Burr & Forman, LLP, is an official Bronze Partner with the Medical Association.


IRS: Watch Out for Dangerous W-2 Phishing Scam

WASHINGTON – The Internal Revenue Service, state tax agencies and the tax industry issued an urgent alert today to all employers that the Form W-2 email phishing scam has evolved beyond the corporate world and is spreading to other sectors, including school districts, tribal organizations and nonprofits.

In a related development, the W-2 scammers are coupling their efforts to steal employee W-2 information with an older scheme on wire transfers that is victimizing some organizations twice.

“This is one of the most dangerous email phishing scams we’ve seen in a long time. It can result in the large-scale theft of sensitive data that criminals can use to commit various crimes, including filing fraudulent tax returns. We need everyone’s help to turn the tide against this scheme,” said IRS Commissioner John Koskinen.

When employers report W-2 thefts immediately to the IRS, the agency can take steps to help protect employees from tax-related identity theft. The IRS, state tax agencies and the tax industry, working together as the Security Summit, have enacted numerous safeguards in 2016 and 2017 to identify fraudulent returns filed through scams like this. As the Summit partners make progress, cybercriminals need more data to mimic real tax returns.

Here’s how the scam works: Cybercriminals use various spoofing techniques to disguise an email to make it appear as if it is from an organization executive. The email is sent to an employee in the payroll or human resources departments, requesting a list of all employees and their Forms W-2. This scam is sometimes referred to as business email compromise (BEC) or business email spoofing (BES).

The Security Summit partners urge all employers to be vigilant. The W-2 scam, which first appeared last year, is circulating earlier in the tax season and to a broader cross-section of organizations, including school districts, tribal casinos, chain restaurants, temporary staffing agencies, healthcare and shipping and freight. Those businesses that received the scam email last year also are reportedly receiving it again this year.

Security Summit partners warned of this scam’s reappearance last week but have seen an upswing in reports in recent days.

New Twist to W-2 Scam: Companies Also Being Asked to Wire Money

In the latest twist, the cybercriminal follows up with an “executive” email to the payroll or comptroller and asks that a wire transfer also be made to a certain account. Although not tax related, the wire transfer scam is being coupled with the W-2 scam email, and some companies have lost both employees’ W-2s and thousands of dollars due to wire transfers.
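The two messages the alert describes (an executive’s name on an email that did not come from the executive, asking payroll for all employees’ W-2s, then a follow-up asking for a wire transfer) share signals a payroll or finance mailbox can screen for before anyone acts on them. The script below is an added illustration written for this page, not IRS or Security Summit material; the organization domain, the executive roster and the four sample messages are constructed, and the thresholds are assumptions a practice would tune to its own mail.

```python
"""Screen payroll / finance mail for the W-2 and wire-transfer BEC pattern.

Added illustration for this page (not IRS or Security Summit material).
ORG_DOMAIN, EXECUTIVES and SAMPLES are constructed assumptions.
"""
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example-hospital.org"  # constructed: the practice's real mail domain
EXECUTIVES = {                       # constructed roster: display name -> real mailbox
    "jane doe": "jdoe@example-hospital.org",
    "sam roe": "sroe@example-hospital.org",
}

# Request language from the alert: lists of employees and their W-2s, wire transfers.
REQUEST_PATTERNS = [
    re.compile(r"\bw-?2s?\b", re.I),
    re.compile(r"\bwire\s+(transfer|payment)\b", re.I),
    re.compile(r"\b(list|report|records?)\s+of\s+(all|every)\s+employees?\b", re.I),
]


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze(raw_message: str) -> dict:
    """Return spoofing indicators, request indicators and a verdict for one message."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    payload = msg.get_payload(decode=True)
    body = payload.decode("utf-8", errors="replace") if payload else ""
    text = msg.get("Subject", "") + "\n" + body

    spoofing = []
    real_mailbox = EXECUTIVES.get(display.strip().lower())
    if real_mailbox and addr.lower() != real_mailbox:
        # An executive's name on a mailbox we do not know: the display-name trick.
        spoofing.append("executive display name on unknown address")
    sender_domain = _domain(addr)
    label, org_label = sender_domain.split(".")[0], ORG_DOMAIN.split(".")[0]
    if sender_domain != ORG_DOMAIN and _edit_distance(label, org_label) <= 2:
        # A domain one or two characters off the real one (assumed threshold).
        spoofing.append("look-alike sender domain")
    if reply_addr and _domain(reply_addr) != sender_domain:
        # Replies, and any attached W-2s, would go somewhere other than the apparent sender.
        spoofing.append("reply-to domain differs from sender domain")

    requests = [p.pattern for p in REQUEST_PATTERNS if p.search(text)]
    if spoofing and requests:
        verdict = "quarantine"  # impersonation plus a sensitive ask: hold it, phone the executive
    elif spoofing or requests:
        verdict = "review"      # one signal alone: a person checks before anything is sent
    else:
        verdict = "deliver"
    return {"from": addr, "spoofing": spoofing, "requests": requests, "verdict": verdict}


# Constructed sample traffic: two scam messages, one ordinary vendor mail, one internal mail.
SAMPLES = {
    "w2_request": """From: "Jane Doe" <jane.doe.ceo@gmail.example>
To: payroll@example-hospital.org
Subject: Urgent request

Kindly send me a list of all employees and their 2016 W-2s as PDF today.
""",
    "wire_followup": """From: "Jane Doe" <jdoe@example-hospitai.org>
Reply-To: <jdoe@secure-mail.example>
To: comptroller@example-hospital.org
Subject: Re: Urgent request

Thanks. Also process a wire transfer of $48,000 to the account below before noon.
""",
    "vendor": """From: "Accounts Payable" <ap@vendor.example>
To: comptroller@example-hospital.org
Subject: Invoice 1234

Please confirm the wire transfer details for invoice 1234.
""",
    "agenda": """From: "Jane Doe" <jdoe@example-hospital.org>
To: payroll@example-hospital.org
Subject: Board meeting

Attached is Thursday's agenda.
""",
}


def triage_all() -> dict:
    return {name: analyze(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in triage_all().items():
        print(f"{name:14s} {result['verdict']:10s} {result['spoofing'] + result['requests']}")
```

Both scam samples land in quarantine because an impersonation signal coincides with a request for W-2s or a wire; the vendor mail that merely mentions a wire transfer goes to review, and the genuine internal message is delivered. The verdict is only a gate: the step that actually stops the loss is the out-of-band call to the executive that the quarantine triggers, which is what the internal policy the alert recommends should require.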

The IRS, states and tax industry urge all employers to share information with their payroll, finance and human resources employees about this W-2 and wire transfer scam. Employers should consider creating an internal policy, if one is lacking, on the distribution of employee W-2 information and conducting wire transfers.

Steps Employers Can Take If They See the W-2 Scam

Organizations receiving a W-2 scam email should forward it to phishing@irs.gov and place “W2 Scam” in the subject line. Organizations that receive the scams or fall victim to them should file a complaint with the Internet Crime Complaint Center (IC3) operated by the Federal Bureau of Investigation. Employees whose Forms W-2 have been stolen should review the recommended actions by the Federal Trade Commission at www.identitytheft.gov or the IRS at www.irs.gov/identitytheft. Employees should file a Form 14039, Identity Theft Affidavit, if the employee’s own tax return rejects because of a duplicate Social Security number or if instructed to do so by the IRS.

The W-2 scam is just one of several new variations that have appeared in the past year that focus on the large-scale thefts of sensitive tax information from tax preparers, businesses and payroll companies. Individual taxpayers also can be targets of phishing scams, but cybercriminals seem to have evolved their tactics to focus on mass data thefts.

Be Safe Online

In addition to avoiding email scams during the tax season, taxpayers and tax preparers should be leery of using search engines to find technical help with taxes or tax software. Selecting the wrong “tech support” link could lead to a loss of data or an infected computer. Also, software “tech support” will not call users randomly. This is a scam.

Taxpayers searching for a paid tax professional for tax help can use the IRS Choosing a Tax Professional lookup tool, or, if they need free help, can review the Free Tax Return Preparation Programs. Taxpayers searching for tax software can use Free File, which offers 12 brand-name products for free, at www.irs.gov/freefile. Taxpayers or tax preparers looking for tech support for their software products should go directly to the provider’s web page.

Tax professionals also should beware of ongoing scams related to IRS e-Services. Thieves are trying to use IRS efforts to make e-Services more secure to send emails asking e-Services users to update their accounts. Their objective is to steal e-Services users’ credentials to access these important services.


Fraud and Abuse Investigations Should Be Taken Very Seriously

Editor’s Note: Burr & Forman LLP is sharing this information as a partner with the Medical Association and would like physicians to understand that the federal government is being vigilant with all health care fraud and abuse investigations. If you have questions concerning the content of this article, please contact Jim Hoover of Burr & Forman LLP at (205) 458-5111 or jhoover@burr.com.

For the United States Government, fraud and abuse recovery has an excellent return for each investment dollar spent. According to the Health Care Fraud and Abuse Control (HCFAC) Program Report, released by the Department of Health and Human Services and the Department of Justice on Jan. 18, 2017, the federal government recovered more than $3.3 billion in fraudulent health care claims in Fiscal Year 2016. That means that over the last three years, every dollar invested in the program generated a $5 return.

Established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the HCFAC Program was designed to identify and prosecute health care fraud and abuse through the coordination of federal, state, and local law enforcement activities. Since its inception in 1997, the program has returned close to $31 billion to the Medicare Trust Funds.

According to the program report, during FY 2016 the Federal Government won or negotiated over $2.5 billion in health care fraud judgments and settlements. Of the $3.3 billion, the Medicare Trust Funds received transfers of approximately $1.7 billion, and $235.2 million in Federal Medicaid money was similarly transferred to the Medicaid program. Over $17.9 billion has been returned by the program to the Medicare Trust Funds for years 2009 through 2016 alone.

Other notable results of the program include the disclosure that, for FY 2016 alone, the DOJ opened 975 new criminal health care fraud investigations that led Federal prosecutors to file criminal charges in 480 cases involving 802 defendants. A total of 658 defendants were convicted of health care fraud-related crimes during the year. On the civil front, in FY 2016 the DOJ opened 930 new civil health care fraud investigations and had 1,422 civil health care fraud matters pending at the end of the fiscal year.

HHS’ Office of Inspector General (HHS-OIG) investigations conducted in 2016 resulted in 765 criminal actions against individuals or entities that allegedly engaged in crimes related to Medicare and Medicaid. There were 690 civil actions, which include false claims and unjust-enrichment lawsuits, civil monetary penalties (CMP) settlements, and administrative recoveries related to provider self-disclosures. HHS-OIG also excluded 3,635 individuals and entities from participation in Medicare, Medicaid, and other federal health care programs. Among these exclusions, some were based on criminal convictions for crimes related to Medicare and Medicaid (1,362) or to other health care programs (262), for patient abuse or neglect (299), or as a result of licensure revocations (1,448).

There were multiple highlighted cases involving physicians. In April 2016, a doctor in Maryland specializing in interventional pain management was sentenced to nine years and three months in prison, followed by three years of supervised release, for one count of health care fraud, two counts of making a false statement related to a health care program, one count of obstruction of justice, four counts of wire fraud, and one count of aggravated identity theft. The convictions were based on allegations that the doctor submitted claims for nerve block injections when in fact the doctor did not own or use the imaging guidance that was necessary to administer nerve block injections. The doctor also falsely documented patient files to indicate that imaging guidance was used. Finally, when Medicare contractors visited the pain clinic and inquired about the imaging guidance machine, the doctor created a false lease document indicating that he had leased the machine.

In April 2016, a licensed physician pleaded guilty to health care fraud, admitting that he submitted false claims to Medicare for purported visits with Medicare beneficiaries, including on dates when he was out of the country, for beneficiaries who were deceased on the dates he purportedly treated them, and for services totaling more than 24 hours in one day. He agreed that he submitted approximately $2.4 million in fraudulent claims to Medicare for which he was paid approximately $1.2 million.

In July 2016, following a three-week trial in the Eastern District of New York, a physician was convicted of one count of health care fraud, three counts of making false statements in connection with health care matters, and two counts of money laundering. The evidence at trial showed the defendant, a general surgeon, billed the Medicare program for thousands of wound-debridement and incision-and-drainage surgical procedures that he did not in fact perform. The defendant billed Medicare over $7 million and was paid over $3 million in reimbursement by Medicare.

It is a safe bet, based on the above returns, that government investigations and qui tam/false claims lawsuits are here to stay no matter who is President. To read more about the 2016 results and upcoming initiatives, see the program reports on the HHS-OIG website.

Jim Hoover is a member of Burr & Forman LLP’s Health Care Industry Group and represents health care providers in healthcare regulatory and litigation matters.


What You Need to Know About Section 1557: The ACA Nondiscrimination Provisions

The Affordable Care Act prohibits discrimination on the basis of race, color, national origin, sex, age, or disability in certain health programs or activities. Section 1557 builds on long-standing Federal civil rights laws: Title VI of the Civil Rights Act of 1964, Title IX of the Education Amendments of 1972, Section 504 of the Rehabilitation Act of 1973 and the Age Discrimination Act of 1975. Individuals may file a complaint with the Office of Civil Rights (OCR), and the law also creates a private cause of action.

Who must comply?

Physicians receiving financial assistance from HHS (except solely Medicare Part B).

When?

By October 16, 2016

What must be done?

Post notices, taglines, and take steps to provide meaningful access to individuals with limited English proficiency. This may mean you need to enter into a contract with a call center.

What does Section 1557 require?

By October 16, 2016, all covered entities must post notice and taglines in the top 15 languages, in a conspicuously visible font size, for individuals with limited English proficiency (LEP). The rules require language assistance for persons with LEP. A provider may not require an individual with LEP to provide his or her own interpreter. The Office of Civil Rights website contains sample notices, statements and taglines in multiple languages (see link below). The rules require using a “qualified translator” when translating written content. The rule itself is lengthy and specific. Any physicians, hospitals or entities receiving any financial assistance from HHS, including Medicare Parts A, C & D; Medicaid grants; loans; subsidies; meaningful use payments; payments for research offered through NIH; payments for any health program administered by HHS; etc., must comply. If a physician’s only financial assistance from HHS is to receive Part B, he or she is not covered. If a physician or entity is principally engaged in health care, then all of its operations are covered, minus certain limited exceptions.

Covered entities must offer a qualified interpreter to an individual with LEP when oral interpretation is a reasonable step to provide meaningful access. The interpreter need not be licensed under state law, but must have relevant proficiency. Simply having above-average familiarity with speaking or understanding the relevant foreign language does not necessarily qualify him or her as an interpreter. HHS has regulations that apply to covered entities choosing to provide interpreters through remote video. See 45 C.F.R. § 92.201(f).

What are the basics?

  1. Do not discriminate on the basis of race, color, national origin, sex, age, or disability. Treat men and women equally in healthcare and treat individuals consistent with gender identity. Provide language assistance. Provide auxiliary aids to those with disabilities. Make newly constructed or altered facilities accessible to those with disabilities.
  2. Sign a form with HHS that you will comply – HHS-690 Form.
  3. Entities with 15 or more employees must appoint a compliance coordinator and establish a grievance coordinator.
  4. “Taglines” and statements must be included on “significant” documents and communications. HHS is working on guidance as to what is a “significant” publication. Information on services or treatment, or the administration of drugs, is considered significant.
  5. Post notices of nondiscrimination. A sample notice is available from the link set forth below.
  6. The entity must take reasonable steps to provide meaningful access to LEP persons.

What is a tagline?

All covered entities must post short statements written in non-English languages informing individuals that language assistance services are available free of charge. These taglines should be posted in the top 15 languages spoken by LEP persons in that state (see list below). The entity should post the taglines in physical locations with interaction with the public, on websites and in other significant communications. The top two languages should be posted in small-sized publications.

Is there guidance?

OCR has translated a sample notice of nondiscrimination and the taglines for use by covered entities into 64 languages: www.hhs.gov/civil-rights/for-individuals/section-1557/translated-resources/index.html

HHS has provided a training guide (http://www.hhs.gov/sites/default/files/section1557-presenters-guide.pdf and http://www.hhs.gov/sites/default/files/section1557-training-slides.pdf).

What are the current top 15 languages for Alabama?

  • Spanish — 75,000
  • Chinese — 5,405
  • Korean — 4,554
  • Vietnamese — 3,708
  • Arabic — 1,440
  • German — 1,411
  • French — 1,278
  • Gujarati — 888
  • Tagalog — 856
  • Hindi — 818
  • Laotian — 681
  • Russian — 586
  • Portuguese — 516
  • Turkish — 505
  • Japanese — 484

http://www.hhs.gov/sites/default/files/resources-for-covered-entities-top-15-languages-list.pdf


So, How Do I Comply with HIPAA?

Editor’s Note: This article was originally published in the 2016 Spring Issue of Alabama Medicine magazine

A physician client recently asked me a seemingly simple, straightforward question: “So, how do I comply with HIPAA?” The answer, unfortunately, is not as simple and straightforward as the question.

HIPAA (i.e., the Health Insurance Portability and Accountability Act) and its various regulations include numerous, often confusing requirements, and little in the way of practical guidance. With this in mind, this article provides the author’s attempt to give, in simple terms, an overview of HIPAA’s requirements, and a short list of practical steps physician practices may take to establish a baseline of compliance.

Overview

In the simplest terms, to comply with HIPAA, a physician practice needs to address and satisfy the obligations of a “covered entity” under the regulations set forth in the HIPAA security regulations, 45 CFR § 164.300 et seq. (the “Security Rule”); the HIPAA breach notification regulations, 45 CFR § 164.400 et seq. (the “Breach Notification Rule”); and the HIPAA privacy regulations, 45 CFR § 164.500 et seq. (the “Privacy Rule”), with respect to “protected health information” (“PHI”) received and maintained by the practice on behalf of its patients. HIPAA compliance has garnered significant attention recently, due to increasing public awareness of data breaches and privacy and information security matters generally, as well as increased enforcement efforts by the U.S. Department of Health and Human Services Office of Civil Rights (“HHS” and “OCR”)1 and other government agencies,2 not to mention the looming specter of potential class action and other litigation involving affected patients.3 In addition, OCR recently commenced a new, expanded HIPAA audit program that will select physician practices and other HIPAA-covered entities and business associates for random compliance audits.4

Privacy Rule

To comply with the Privacy Rule, a physician practice must not access, use or disclose PHI, in paper or electronic form, other than as required or permitted by the Rule. For example, the Privacy Rule requires that a physician practice not disclose a patient’s PHI to a third party without an appropriate written authorization from the patient, except in certain circumstances, such as in connection with the patient’s treatment, or payment for such treatment, or the practice’s health care operations. The Privacy Rule also specifies that, in general, even if a particular disclosure is required or permitted, the practice must ensure that the disclosure is limited to the minimum necessary information. In addition to these foundational issues, the Privacy Rule requires that physician practices take certain administrative steps to facilitate compliance, including identifying a privacy officer, implementing written policies and procedures to formalize privacy practices, and entering into business associate agreements (that include specific provisions outlined in the Rule) with vendors and other third parties that create, receive, transmit or maintain PHI on behalf of the practice (“business associates,” in HIPAA terms). Physician practices must also regularly evaluate and update their privacy policies and practices, provide regular privacy training to their workforce members, and impose appropriate sanctions when workforce members fail to comply with established privacy practices.

Security Rule

Under the Security Rule, physician practices must implement reasonable and appropriate administrative, physical and technical safeguards to protect electronic PHI (“ePHI”). Technical safeguards include, for example, encryption, access controls, audit logs, authentication controls, and other safeguards directed toward securing ePHI. Physical safeguards include locking doors, screening computers, and other safeguards to protect access to workstations and other physical facilities where workforce members access ePHI and protocols to safeguard ePHI during disposal. Administrative safeguards include security risk analysis (discussed further below) and risk management plans, contingency/disaster recovery plans, and security incident reporting procedures, as well as written policies and procedures addressing security practices, regular evaluation of security safeguards, and workforce training and sanctions, similar to the Privacy Rule.

Breach Notification Rule

The Breach Notification Rule requires that, in the event a physician practice discovers an unauthorized access, use or disclosure of unsecured PHI (for example, a breach of unencrypted ePHI), in paper or electronic form, the practice must notify each patient affected by the breach, as well as OCR,5 unless the practice can demonstrate, based on a risk assessment conducted in accordance with the Rule,6 that there is not more than a low probability that PHI was compromised. Like the Privacy Rule and the Security Rule, the Breach Notification Rule also requires that physician practices implement written policies and procedures to document their breach notification responsibilities and practices, train workforce members regarding their responsibilities in the event of a breach, and hold workforce members accountable for non-compliance.

Practical Steps

In view of the various rules and requirements discussed above, physician practices may take the following steps toward establishing a baseline of compliance with HIPAA.

Perform a security risk analysis in compliance with the Security Rule. It is essential that every physician practice perform (and regularly update, as appropriate) a security risk analysis, in compliance with the Security Rule, as noted above. Done properly, the security risk analysis highlights specific risks and vulnerabilities in the practice’s security practices and recommends specific steps to address them – thereby providing a road map, of sorts, to compliance with the Security Rule. From an enforcement standpoint, OCR has repeatedly zeroed in on covered entities that fail to perform an appropriate risk analysis. As a practical matter, most physician practices utilize third-party consultants, with appropriate information technology expertise and resources, to conduct the risk analysis. In any case, the risk analysis should be coordinated through legal counsel to, among other things, ensure applicable HIPAA requirements are addressed and preserve attorney-client privilege, to the extent possible, as to communications with the consultant (i.e., in regard to security risks and vulnerabilities identified in the analysis). Physician practices should be sure, also, to routinely update their risk analysis, to ensure that new and evolving legal requirements and risks are timely addressed.

Implement appropriate written policies and procedures for compliance with the Privacy Rule, Security Rule and Breach Notification Rule. It is also essential that every physician practice implement written policies and procedures to facilitate compliance with the Privacy Rule, the Security Rule and the Breach Notification Rule. “Template” policies and procedures may be obtained from various sources, and may be sufficient for compliance, at least temporarily; ultimately, however, practices should tailor their policies and procedures to their particular circumstances – including, for example, the specific risks and vulnerabilities identified, from time to time, in the practice’s (ongoing) security risk analysis, as well as the practice’s history and experience with (actual) privacy, security and breach matters. As noted above, it is also critical that the practice regularly review and update its policies and procedures to ensure compliance with applicable laws and regulations, and to take into account, again, any recent privacy, security or breach related matters at the practice.

Address encryption. Technically, encryption is not required to comply with the Security Rule. Like risk analysis, however, encryption (specifically, lack of encryption) is a favorite target of OCR, in its enforcement efforts, especially in regard to (unencrypted) mobile devices, such as laptops and tablet computers, smartphones, and the like.7 Moreover, encrypted ePHI (i.e., “secure” ePHI)8 is not subject to the Breach Notification Rule; that is, even if the information is somehow breached, the practice need not notify patients or OCR regarding the incident.

Vet vendors and vendor contracts. Physician practices should routinely vet any vendors (i.e., business associates) that have access to PHI, in paper or electronic form, to ensure the vendor has appropriate safeguards in place, similar to those required of the practice. In addition, as noted above, physician practices should ensure that they have written, HIPAA compliant, business associate agreements in place with such vendors. Practices should also confirm that business associate agreements and/or related vendor service contracts include adequate protections (in the form of indemnification, and other remedies) for the practice, in the event of a data breach or similar incident. Moreover, due to the significant risk management and legal implications now associated with ePHI, practices are advised to coordinate review of their vendor arrangements and contracts with appropriate legal counsel.

Implement appropriate back-up and contingency plans. The Security Rule requires that physician practices have in place secure procedures for backing up PHI and safeguards to protect PHI and to recover lost PHI, in the event of a natural disaster or other, similar contingency. Some practices utilize their own servers or resources to back up data; others utilize “cloud” or similar third-party services. As a practical matter, similar to risk analysis, contingency plans are often developed and implemented in coordination with a third-party consultant with appropriate expertise.

Confirm appropriate insurance coverage is in place. Many insurance carriers now offer some form of “cyber” insurance coverage to protect against losses related to data breaches and other information security matters. Cyber insurance typically addresses the insured’s overall information technology security practices; it may or may not address specific HIPAA compliance issues. In lieu of (or in addition to) cyber coverage, physician practices may look to other insurance (directors and officers, errors and omissions, professional liability, general liability, etc.) for coverage. In any case, particularly in view of the significant enforcement and litigation risks now associated with HIPAA and related privacy and security matters, physician practices must be sure they have adequate insurance coverage in place in the event of a data breach or similar privacy or security incident – and, in the event coverage is available from multiple sources, that they understand the interplay between the various policies.

Sources

  1. OCR enforcement efforts include a number of high dollar settlements (known as “resolution agreements”) entered into between OCR and HIPAA covered entities, including physician practices. For additional information pertaining to OCR resolution agreements and other enforcement efforts, please see the HHS website, at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/index.html. (To view OCR resolution agreements involving physician practices, visit the above link, and select “Private Practices.”)
  2. Besides OCR, data breaches (whether or not HIPAA is implicated) may trigger enforcement efforts by state attorneys general, the Federal Trade Commission and other state or federal agencies.
  3. See, e.g., Class Action Lawsuit for Flowers Hospital Data Breach Moves to Discovery Phase, HIPAA Journal (Oct. 5. 2015), accessible at http://www.hipaajournal.com/flowers-hospital-class-action-data-breach-lawsuit-moves-to-discovery-8133/ (last visited March 24, 2016).
  4. See OCR Launches Phase 2 of HIPAA Audit Program, available at http://www.hhs.gov/hipaa/forprofessionals/compliance-enforcement/audit/phase2announcement/index.html.
  5. Notification to OCR is delivered using an online portal on the HHS website, accessible at https://ocrportal.hhs.gov/ocr/breach/wizard_breach.jsf?faces-redirect=true.
  6. The Breach Notification Rule includes specific factors the physician practice must take into account in conducting the risk assessment. These factors are set forth at 45 CFR §164.402.
  7. OCR data indicates that a significant portion of reported breaches of unsecured PHI, perhaps more than half, involve theft or loss of an unencrypted mobile device.
  8. To avoid the notification requirements of the Breach Notification Rule, ePHI must be encrypted according to specific, National Institute of Standards and Technology (“NIST”) protocols. For information regarding specific encryption protocols, see Guidance to Render Unsecured Protected Health Information Unusable, Unreadable or Indecipherable to Unauthorized Individuals, on the HHS website, at http://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html.

The information in this article reflects the thoughts and opinions of the author, and does not, and is not intended to, constitute legal advice. If you have specific questions pertaining to HIPAA or other legal matters addressed herein, please consult appropriate legal counsel.

Contributed by D. Brent Wills, Esq., a partner at Gilpin Givhan P.C., a Bronze Partner with the Association.

Posted in: Legal Watch


Physicians: Be Cautious When Responding to a Subpoena or Request for Medical Records


Editor’s Note: This article was originally published in the 2016 Summer Issue of Alabama Medicine magazine

Doctors must educate themselves and particularly their staff on the legal obligations to protect the confidentiality of medical records and how to properly respond to subpoenas and requests for patients’ health information. It is a huge mistake for physicians to automatically assume that a subpoena or request is properly executed. Improperly releasing a patient’s medical records can result in a civil suit by the patient, an administrative fine by the federal government, or disciplinary action by the state medical board.

Civil and criminal courts in the State of Alabama have the right to summon witnesses into court and require them to testify under oath. Subpoenas are issued to non-parties to a lawsuit, and the health care provider is typically not a party to the pending litigation. Consequently, the method for securing the attendance of witnesses and the production of records is the issuance of a subpoena or a subpoena duces tecum, respectively.

A subpoena is a written order compelling a person to appear and give testimony at a trial or other proceeding. The subpoena duces tecum is a subpoena compelling a person to appear, give testimony, and bring all books, documents, papers, or records described in the notice. A failure to respond could subject the health care provider to contempt of court. A patient’s medical records are generally secured by a subpoena duces tecum, which is served on the person having actual custody or possession of the records, and typically requests a patient’s chart, x-rays and billing documents. In most cases, the party seeking the information is not requesting the physician or his staff to physically appear in court to produce the records.

A subpoena is generally issued by an attorney or the clerk of court, which means that you will often receive a subpoena without an accompanying court order or any documents signed by the judge. A properly issued subpoena for patient records is generally as valid as any other properly issued subpoena with one important exception. That exception relates to subpoenas requesting health care information that is afforded special protection under state or federal law, such as records relating to the testing for or treatment of HIV, AIDS, STDs; and mental health, behavioral health, or treatment records of substance abuse programs. A subpoena requesting such information without a court order or patient authorization is generally not proper.

Typically, the subpoena must be accompanied by an authorization signed by the patient authorizing release of that specific protected information or an order signed by the judge authorizing release of that information. Stated another way, if the medical record contains information that relates to the testing or treatment of HIV, AIDS, STDs or psychiatric records, such as mental health or behavioral health, then the physician will need either:

  1. a court order signed by a judge specifically ordering the records related to these specially protected areas, or
  2. an authorization signed by the patient specifically authorizing the doctor to release that portion of the record.

The HIPAA Privacy Rules also require additional steps before a physician can release records containing protected health information (“PHI”) pursuant to a subpoena. A physician may disclose PHI in the course of any judicial or administrative proceeding by either obtaining an order of a court or in response to a subpoena if the physician obtains satisfactory assurances from the party issuing the subpoena.

For the purposes of obtaining “satisfactory assurances” from a party seeking PHI, the physician must receive documentation demonstrating that:

  1. the party requesting the information has made a good faith attempt to provide written notice to the individual,
  2. the notice to the individual includes sufficient information about the litigation to permit the individual to raise an objection to the court, and
  3. the time for the individual to raise objections has lapsed and no objections were filed, or all objections that were filed by the individual had been resolved by the Court.

Physicians or their offices may receive subpoenas from out-of-state courts in matters involving mass tort claims such as asbestos. A subpoena from another state’s court does not have the authority to compel production in Alabama. Thus, a physician who receives a subpoena in Alabama by another state’s court should not respond to the subpoena unless the subpoena is domesticated by (accompanied by an order from) a circuit court in Alabama.

Physicians and physician practices may also receive requests for medical records prior to a lawsuit being filed. These requests may come from the patient or a law firm. HIPAA governs the release of these records and whether the request is authorized. Records should only be released to authorized individuals. If the patient is living, authorized individuals include the patient or his Personal Representative.

Pursuant to HIPAA, “Personal Representative” is defined by state law and would include someone who has a Power of Attorney for the patient. If the patient is deceased, the Personal Representative of the patient’s estate may obtain the records. In 2013, HIPAA expanded authorized individuals of deceased patients to include family or individuals involved in the patient’s care, if the request is relevant to their involvement in the patient’s care, unless releasing the records is inconsistent with the prior expressed preference of the individual. Therefore, a deceased patient’s family member may request the records even if she is not appointed as the personal representative of the patient’s estate, and a physician may release the records if he or she determines the individual is authorized under this provision.

The problem for physicians and their staff is that they often do not know the requirements necessary to make a subpoena or request valid or lawfully enforceable. Therefore, it is prudent for the physician to educate his/her staff about subpoenas and requests for records and when not to respond or release the records. In certain circumstances, it may be wise for the physician to consider having a subpoena or request reviewed by legal counsel to determine the appropriate response.

The relatively small expense can save a tremendous amount of trouble later on.

Contributed by Jim Hoover and Angie Cameron Smith, members of Burr & Forman, LLP’s Health Care Industry Group, who represent health care providers in regulatory and litigation matters. Burr & Forman, LLP, is an official Bronze Partner with the Medical Association.

Posted in: Legal Watch


Recent Changes to the Federal Stark Law


Editor’s Note: This article was originally published in the 2016 Winter Issue of Alabama Medicine magazine

Most physicians are aware of the Federal Stark Law and the limitations it places on a physician’s ability to enter into financial relationships with potential referral sources. Can I refer patients to the physical therapy practice I own? Can I lease space and/or equipment from the hospital? Can I share my front desk personnel with another provider? These are questions we commonly hear from physicians who are navigating the complicated web of health care compliance under the Stark Law. Recent changes to the Stark Law enacted through the 2016 Medicare Physician Fee Schedule Final Rule (“Final Rule”) may provide added flexibility to physicians contemplating some of these types of arrangements.

The issuance of the Final Rule on Nov. 16, 2015, was the first time the industry has seen such broad changes to the physician self-referral law in several years. According to the Centers for Medicare and Medicaid Services (CMS), the changes are designed to “accommodate delivery and payment system reform, to reduce burden, and to facilitate compliance.” The majority of the changes took effect Jan. 1, 2016.

The Stark Law prohibits a physician from referring Medicare or Medicaid patients for certain “designated health services” to entities with which the physician (or an immediate family member of the physician) has a financial relationship, unless an exception applies. Any relationship in which remuneration (i.e., something of value) flows between the parties is considered a financial relationship under the Stark Law.

Designated health services (“DHS”) covered by the Stark Law include the following:

  1. clinical laboratory services;
  2. physical therapy, occupational therapy, and outpatient speech language pathology services;
  3. radiology and certain other imaging services;
  4. radiation therapy services and supplies;
  5. durable medical equipment and supplies;
  6. parenteral and enteral nutrients, equipment and supplies;
  7. prosthetics, orthotics and prosthetic devices and supplies;
  8. home health services;
  9. outpatient prescription drugs; and
  10. inpatient and outpatient hospital services.

The majority of the Final Rule changes address the exceptions to the Stark Law — in other words, the instances in which CMS has stated that a financial relationship is permitted between referring parties. While a summary of all the recent changes is beyond the scope of this article, I did want to highlight some of the more significant changes.

In the Final Rule, CMS established two new Stark Law exceptions. The first exception permits hospitals, federally qualified health centers (FQHC), or rural health clinics (RHC), to provide assistance to physicians to recruit and compensate non-physician practitioners (i.e., nurse practitioners, clinical nurse specialists, physician assistants, certified nurse midwives, clinical social workers, and clinical psychologists) under certain conditions. In other words, physicians can now receive recruitment incentives to attract non-physician practitioners to their practice.

In order to take advantage of the exception, among other things, at least 75 percent of the patient care services provided by the recruited non-physician practitioner must be primary care or mental health services. Further, the payment to the physician by the hospital, FQHC, or RHC cannot exceed 50 percent of the aggregate compensation, signing bonus, and benefits paid to the non-physician practitioner and must be consistent with fair market value. This new exception may only be utilized once every three years for a particular physician (unless the non-physician practitioner leaves prior to the expiration of one year) and there is a two-year limit on the assistance provided by the hospital, FQHC, or RHC.

The second new Stark Law exception permits time-share arrangements for the use of office space, equipment, personnel, items, supplies and services. The exception applies to arrangements that grant a right of permission to use the premises, equipment, personnel, items, supplies, or services, but not to arrangements that transfer control over such items. While these types of arrangements have been in place for years and have been analyzed under other Stark Law exceptions, the new exception provides clarification and flexibility. There are some limitations, however, to the use of the new exception. For example, advanced imaging equipment (e.g., MRI and CT) and clinical or pathology laboratory equipment may not be used within the shared space. Further, compensation formulas based on revenue percentage or per-unit fees are prohibited.

In the Final Rule, CMS also clarified several existing Stark Law exceptions. While a discussion of all of the clarifications is beyond the scope of this article, I wanted to highlight a few:

  • Many Stark Law exceptions contain a requirement that the arrangement be “in writing.” However, sometimes physicians fail to enter into or sign a formal written contract prior to the initiation of the arrangement. In the Final Rule, CMS clarified that the “writing” does not necessarily need to be a single written formal contract, but rather can be a collection of contemporaneous writings that relate to each other and that document the relationship (e.g., e-mails, invoices, check requests, board meeting minutes, time sheets, etc.). A document produced after a referral is made, however, cannot be used to demonstrate compliance with respect to prior referrals. Nonetheless, despite the clarification, a single written contract remains the recommended method of documentation when possible.
  • Under the previous provisions, if a signature to an arrangement was missing, the parties had 30 days to obtain the missing signature if the omission was not inadvertent and 90 if the omission was inadvertent. Under the Final Rule, parties now have 90 days to obtain a missing signature regardless of whether the omission was inadvertent.
  • For exceptions requiring a one-year arrangement, CMS clarified that the one-year term does not have to be directly expressed in the writing, provided the parties can show factual compliance with the one-year requirement through other documentation.
  • Previously, under the exception for leases and personal services agreements, a holdover period at the expiration of the agreement was limited to six months. In other words, if the agreement expired and the parties failed to enter into a new agreement, the old agreement could govern the relationship but only for a period of six months. The Final Rule allows for an indefinite holdover period on the same terms as the original agreement as long as the arrangement remains compliant with the applicable exception. However, amendments during the holdover period are prohibited. In light of this change, it is highly recommended that the parties review holdover agreements periodically to confirm that the arrangement remains compliant (e.g., that the payment remains consistent with fair market value).
  • CMS clarified that when parties split-bill for services (e.g., hospital bills technical component and physician bills professional component), this alone does not create a financial relationship triggering the Stark Law between the parties.
  • The Final Rule clarifies the definition of remuneration under the Stark Law does not include the provision of items, devices, or supplies that are used solely to collect, transport, process or store specimens or to order or communicate the results of tests or procedures.

Physicians contemplating arrangements that may fall under a Stark Law exception are encouraged to review these latest developments. Depending on the circumstances, some of the most recent changes may provide added flexibility and additional options for physicians.

Contributed by Kelli Fleming, a partner at Burr & Forman, LLP, who works exclusively within the firm’s Health Care Practice Group. Burr & Forman, LLP, is an official Bronze Partner with the Medical Association.

Posted in: Legal Watch


The New Capitated System: How Do Physicians Respond?


Editor’s Note: This article was originally published in the 2015 Winter Issue of Alabama Medicine magazine

On May 17, 2013, Gov. Robert Bentley signed into law Act 2013-261, Ala. Code Sections 22-6-150 et seq., which changes the Alabama Medicaid System from a fee-for-service to a managed care program (the “Act”). This will dramatically change the way nearly 1 million Alabama Medicaid beneficiaries receive their care, and change the way providers are paid. The Alabama Medicaid Agency will allocate a fixed, capitated per-member per-month payment to newly formed regional care organizations (“RCOs”) in return for the RCOs providing health care services to the Medicaid beneficiaries assigned to the RCO. The RCOs will provide the health care services through physicians and other health care providers who enter into provider agreements with the RCOs.

Each RCO is required to establish a network of health care providers in order to deliver care to its enrollees. The network can include physicians, hospitals, pharmacies, podiatrists, chiropractors, psychologists, dentists, therapists, social workers, rural health clinics and other health care providers. RCOs do not have to directly contract with providers, but can also contract with a managed care organization that will contract with providers. Under the law, RCOs are required to contract with any willing physician, hospital or other provider to offer services to beneficiaries in the RCO region if the provider is willing to accept the same payment and contract terms offered by the RCO to other comparable providers.

RCOs can pay providers either on a fee-for-service basis or on a capitated basis. In addition, RCOs can implement value, performance and other payment methodologies. If an RCO decides not to credential a provider in its network, the RCO must give the provider written notice of the reason for its decision, and follow credentialing requirements set out in federal regulations.

There are now 11 organizations across the State of Alabama that have been granted probationary certification as Medicaid Regional Care Organizations, or “RCOs.” Physicians have begun receiving notices from some of these RCOs asking them to return a letter of intent to participate in the RCO network of providers. RCOs must be able to demonstrate to the Medicaid Agency that they have an adequate provider network in place by April 1, 2015. The RCOs are now on a fast track to put together the Primary Care Networks, and will be sending provider contracts out later this year. This will be the time physicians and other providers will be negotiating with the RCOs for the best agreement they can get.

The letters of intent being sent out are non-binding on physicians, and merely acknowledge the physician is willing to negotiate with the RCO. However, the issuance of the letters of intent by the RCOs may trigger discussions among physicians that may have antitrust implications. While a physician who simply sends in a letter of intent is acting individually, and without antitrust issues, if that physician begins discussing with other physicians whether or not the physicians should send letters of intent, the physicians involved in the discussions may be deemed to be acting collectively, and antitrust issues arise.

Under antitrust laws, physicians are considered horizontal competitors who compete with each other for patients just as car dealers are horizontal competitors who compete for customers. Any distinction in the law for professions has long been abandoned. Violations of the antitrust laws carry very severe penalties including potential criminal prosecution, trebled damages and an award of the plaintiff’s attorney fees. The enormous legal fees involved in defending an antitrust investigation by the Department of Justice or the Federal Trade Commission alone can be devastating to a physician practice.

To protect physicians who negotiate with RCOs, the Act provides immunity from liability under the antitrust laws by putting these negotiations under an exemption to antitrust known as the “State Action Doctrine.” This doctrine is set forth by the U.S. Supreme Court and exempts actions of a state from application of the antitrust laws. To qualify for the exemption, the state must clearly articulate and express a state policy to exempt the anticompetitive conduct and then actively supervise the anticompetitive conduct. The most difficult prong of the two-part test to meet is the requirement of active state supervision. The Medical Association of the State of Alabama has worked with the officials and attorneys for the Medicaid Agency to give physicians the maximum protection possible from the potential violation of the antitrust laws. It will be up to individual physicians and other providers, however, to assure they understand and follow to the letter the Medicaid Regulations designed to allow the Medicaid Agency to supervise the collective negotiations. Failure to do so can remove the antitrust immunity provided by the Act and leave the physicians and other providers vulnerable to the sanctions of the antitrust laws.

If carefully followed, the Act and the Medicaid Regulations provide the necessary elements to exempt collective negotiations from antitrust liability. Before talking with other physicians about the pros and cons of contracting with a Medicaid RCO, physicians should apply through an online process to the Medicaid Agency for a Certificate to Collaborate (the “Certificate”). The electronic application is available at https://rcoportal.medicaid.alabama.gov. Once the application is approved, a Certificate will be issued which will allow for collective negotiation, bargaining, and cooperation regarding payment and health care delivery. Careful attention must be paid to the Medicaid Regulations to assure the Certificate to Collaborate continues in force. To satisfy the State Action Doctrine, it is required the active state supervision be continuous, so just getting the Certificate alone is not sufficient. The Medicaid Regulations provide for continual monitoring and supervision of the negotiation process. Physicians and other providers must have someone in their offices knowledgeable of the requirements, and carefully assuring that they are followed.

In addition, the State Action Doctrine immunity only applies to collective negotiations with regard to Medicaid. It does not immunize any collective actions regarding private insurance companies or health maintenance organizations. Care must be taken to assure that the negotiations are limited to Medicaid beneficiaries.

The Certificate is not necessary for physicians to attend informational sessions on the new system, but is necessary for physicians to discuss among themselves whether or not to participate or on what terms to participate.

Now is the time for physicians to get their Certificates, as the provider contracts will be next on the agenda for the RCOs. In all likelihood, physicians in the different regions who jointly negotiate with the RCOs either solely as physicians or in collaboration with one or more hospitals will be in position to get better contracts than those who individually negotiate. The antitrust immunities in the Act give physicians and other providers greater ability to join together in new organizations to negotiate with RCOs and provide care to their enrollees.

Independent Practice Associations (“IPAs”), Preferred Provider Organizations (“PPOs”) and Physician Hospital Organizations (“PHOs”) are examples of the types of entities that will regain popularity in the development of the new provider networks. With the antitrust immunities furnished by the Act, IPAs, PPOs and PHOs, as well as other entities, will be effective means for physicians and other providers to join together collectively and negotiate with RCOs. IPAs are entities in which physicians can integrate their practices, either partially or fully, into a separate entity that will negotiate with the RCOs and actually provide the care to enrollees of the RCO. PPOs are entities physicians can form to negotiate with RCOs for fees to be paid to the physicians, but they do not provide the care to enrollees; care is provided through the individual medical practices. PHOs are separate entities formed by hospitals and members of their medical staffs to negotiate and provide both hospital and physician services to enrollees.

The Act is changing the landscape for the provision of health care services for Medicaid beneficiaries. Other articles will deal with topics to help physicians negotiate the changes, including terms to carefully consider in signing provider contracts. Needless to say, as the time grows closer, physicians and other providers will be discussing options and strategies for responding to the changes.

Article contributed by John T. Mooresmith, Esq., Burr Forman, LLP. Burr Forman, LLP, is an official Bronze Partner of the Medical Association.


Posted in: Legal Watch
