Archive for April, 2017

Texting and Emailing in the World of HIPAA

If you experience anxiety every time you consider texting and/or emailing in your health care setting, you are not alone. On one hand, the world that we live in necessitates that information is communicated in a quick and easy manner. The ability to text or email staff and patients has become a high priority for many health care entities. On the other hand, patient privacy and confidentiality are essential to meeting compliance standards. Though emailing and texting are convenient, they certainly do not come without the possibility of pitfalls. It is a complex issue that requires meeting several factors in order to be implemented properly.

But Everybody Is Doing It, Right?

The perception is that many health care entities are already taking advantage of emailing and texting capabilities.  That may be accurate.  But the bigger question is whether they are utilizing those tools in accordance with HIPAA Privacy and Security requirements.  Health care entities should consider the following:

A Risk Analysis is key.  An adequate Risk Analysis is required to be performed at the outset of the practice, prior to developing a HIPAA policy.  This Risk Analysis identifies the type of information that you maintain or access and the areas within your entity where protected health information (PHI) is vulnerable. The Risk Analysis should be reviewed, and amended if necessary, whenever there is a change in your information technology environment.  This includes adopting the use of email and text messaging. The entity will need to consider potential vulnerabilities and threats, then document their plan to ensure that health information stays secure.

Show me the policy.  The HIPAA Privacy and Security policy must document your entity’s use of these services and define how employees are to utilize them.  This includes specifying whether only business owned devices can be used or whether the entity allows employees to utilize their own personal device (BYOD). The policy should also be specific about any differences in procedure for emailing and texting internally, versus outside communication with patients and other health care providers.  The policy requirement should be followed by adequate training.

Encryption, encryption, encryption.  Many entities that utilize PHI in email communications secure the information via encryption.  Within health care entities, the information is often secured by firewalls.  Firewalls make it much easier to implement security measures, oversee procedures and secure information.  Some health care entities choose to transmit PHI via electronic health records and customized patient portals. However, using emails to properly transmit PHI outside the entity is a much more complicated process.  To properly transmit PHI via email, encryption must be utilized.  Encryption software will resolve security issues because the patient receives an email containing a link which requires a unique username and password to access the PHI. Some patients find the process of logging in and remembering required passwords to be cumbersome, but others appreciate knowing that their information is secure.

Less is more. When communicating with individuals outside of your entity about PHI, utilize the Minimum Necessary Rule.  The Minimum Necessary Rule requires health care entities to limit the PHI produced to the amount of information necessary for the recipient to carry out their function.  For example, if another provider requests a patient’s diabetes lab work, only provide the requested lab work and not the patient’s entire medical record.  Also, it is recommended that you not share sensitive information including, but not limited to, a patient’s mental health, communicable disease status, child or elder abuse, and substance abuse issues.  The entity’s policies/procedures should define and describe how sensitive information should be transmitted.

The patient gets their way. HIPAA requires entities to communicate with patients in the manner determined by the patient, so long as it is reasonable. An entity’s Notice of Privacy Practices will generally articulate methods of intended communication by the entity.  However, a patient may choose not to receive communications through a traditional method. An example would be a patient request not to use U.S. mail, but to use email instead.  That entity may find that they do not have encrypted email capabilities that would appropriately safeguard the information. In this scenario, the health care entity must still comply with the patient’s request; however, they should have the patient sign a form that memorializes the patient’s request to use email communication and documents the risks associated with this request.

The guidance above does not apply to patient initiated communications. Patients are not considered to be HIPAA covered entities and therefore, their actions are not HIPAA violations.  Thus, patients are free to initiate emails or text messages with health care providers at their pleasure. Health care entities should have a form on hand for the patient to sign prior to responding to an email or text message from the patient. This form documents that the patient is aware of the inherent risk of email or text message communications, but wishes to receive the communication in that form anyway. This will help to satisfy the patient’s preference while helping to shield the health care entity from liability if communications are intercepted beyond the entity’s control.

Texting Has Added Risks

Text messages are generally available to anyone who utilizes that person’s phone because there is generally not separate password security for access to the text messaging feature.  Additionally, because the text messages do not pass through the entity’s servers, it is difficult, if not impossible, for IT staff and Security Officers to audit the texts.  And if these communications are intended to be a part of the patient’s record to demonstrate communication, the patient loses the right to amend the communication if it is not readily available in the paper or electronic record. There are vendors who offer “secure texting” solutions. If a health care entity is considering a secure texting vendor, have your designated Security Officer review their system carefully and converse extensively with the vendor about whether their product is indeed secure. A BAA with the vendor is also required. Finally, the entity should revisit its written policy and retrain when necessary.

To ensure that your practice is in compliance, and for assistance with determining whether your entity should proceed with implementing text or email communications, please consult a health care compliance professional.

Samarria Dunson, J.D., CHC, CHPC is attorney/principal of Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Alabama.  www.dunsongroup.com

Posted in: Legal Watch, Liability

The Lowdown on Public Wi-Fi

I am writing this from an airplane. Often, when I hop on a plane — particularly for a long flight — I wait for the ascent to 10,000 feet and immediately jump onto public Wi-Fi, just as I do in coffee shops, the dentist’s office, and pretty much anywhere else I can grab a signal. But that was before I spent an hour chatting with Joe Gervais, director of security communications at LifeLock, and part-time hacker (though Gervais points out, he hacks “only for good”). The point of the conversation was to figure out when it’s okay to use public Wi-Fi, when it’s not, and what you can do instead. Here’s what I learned…

What is public Wi-Fi? Any Wi-Fi that’s shared with someone other than yourself and the members of your household. A guest account that’s been set up for visitors to a particular company? Hotel Wi-Fi, free or not? In-flight Wi-Fi? Public, public and public. It doesn’t matter if it’s free or you pay a fee, or if it’s password protected.

Get that? Even if the Wi-Fi network requires a password, that doesn’t mean it’s safe.

What danger does that pose for me? Whenever computers are on a shared network, all the data is flowing over shared “wires.” Every computer on the network can see all the data flowing over that network. The default behavior, Gervais explains, is to ignore data that isn’t meant for your machine. But if you’re technically savvy and so inclined, you can, essentially, flip a switch and see everything. Most of it, he says, is garbage unless you’re a “network geek, a hacker, or attacker.” Then you can learn things that could be used, for example, in targeted phishing attacks.

For example? Say you’re a veteran, and you’re researching PTSD. You go online to search the terms, “PTSD” and “treatment.” Maybe you look up a local treatment center or a Veterans Administration support group. How much information an attacker can glean depends on the kinds of website pages you visit.

If you’re on secure websites (which have “https” in the URL address) vs. insecure ones (which have only “http”), the attacker can see the site itself, but not the page you went to. Visit enough sites, though, and it still might give someone enough information to launch a relevant phishing attack against you.

Even downloading apps on public Wi-Fi is to be avoided. A sophisticated attacker could pose as that app telling you there’s an update and use that via phishing to get you to give up personal information—your financial info, for instance, if you were downloading a bank’s app.

This is getting very scary. You’re telling me. But there are a few things you can do to keep yourself safer.

  1. Limit your behavior on public Wi-Fi. Don’t do anything on your browser that you wouldn’t do if a stranger was sitting next to you staring at your screen, Gervais says. That means no transacting. It also means not sending emails that contain sensitive information. You’re better off picking up the phone or, if that’s not possible, texting.
  2. Use a VPN app. VPNs are virtual private networks and they come in app form for your smartphone and tablet. This creates an encrypted channel, so your online business is protected from prying eyes. Some good ones include WiTopia and F-Secure Freedome. You will find plenty of free ones in the app store, but Gervais cautions: “If you’re not paying for the VPN, you the user, are the product.”
  3. Use your hotspot. If you don’t want to go the VPN route, use cellular data on your phone and, for your computer or tablet, connect using the personal hotspot on your phone. Now that many of the cellular carriers are going to unlimited data, you can feel better about using it freely.

Oh, and while you’re at it, make sure your home Wi-Fi network is protected with a strong password. You don’t want neighbors “borrowing” your bandwidth, slowing your internet connection, or — if they’re so inclined — seeing what you’re doing online.

Contributed by LifeLock, which is a partner with the Medical Association. Medical Association members receive a discount on LifeLock memberships.

Posted in: MVP

A Physician is Leaving Your Practice – “Must Have” Employment Agreement Provisions (Part II)

Editor’s Note: The following is the second installment of a three-part series discussing important provisions in physician employment agreements.

When a physician leaves a medical practice, especially if the physician stays in the area to compete against his/her former employer, the situation can become stressful and acrimonious. During the final weeks of employment, the departing physician can start to focus more on his/her new practice to the detriment of the current employer, and disputes often arise regarding access to medical records, soliciting patients and employees and when to schedule procedures – before or after termination. We have seen both medical practices and departing physicians engage in questionable conduct in order to keep as many patients as possible. Lawyers are often engaged to try and negotiate the terms of separation or, in a worst-case scenario, to file or defend a lawsuit.

Over the years, we have counseled hundreds of physician practices on how to successfully navigate the various issues that arise when a physician departs, regardless of whether the physician is an employee or an owner. Careful planning on the front end through a comprehensive employment agreement is the most important element in an amicable and fair separation. More often than not, we have found that disputes and subsequent litigation can arise when the employment agreement is not properly drafted or does not adequately address the specific terms of separation.

This three-part series provides a summary of the key provisions (with sample language) that can be incorporated into a physician employment agreement to help mitigate problems when a physician leaves your practice. Since each medical practice is unique, please consult with your own attorney before using any of the provided sample provisions in a physician employment agreement.

Protecting Other Practice Employees. When a physician leaves a medical practice he/she may want to encourage other practice employees (i.e., nurses, technicians, receptionists, etc.) to leave and work for the physician. These employees are a valuable asset to the medical practice and oftentimes the medical practice has invested significant time and resources in training its employees. Under Alabama Code Section 8-1-1, which was amended Jan. 1, 2016, a medical practice can protect an employee from being hired by a departing physician; provided, however, that the practice can demonstrate that the employee is “uniquely essential” to the medical practice. The term “uniquely essential” has not been specifically interpreted by the courts, but appears to require that the medical practice demonstrate that the protected employee(s) is not easily replaced due to a unique skill set or training, and the loss of the employee(s) would be detrimental to the medical practice.

Physician agrees that, during the term of this Employment Agreement and for a period of one (1) year following termination of this Employment Agreement, regardless of the cause of such termination, Physician shall not, directly or indirectly, through any individual, person or entity, without the prior written consent of Employer: (a) solicit, induce or attempt to solicit or induce away, or aid, assist, or abet any other party or person in soliciting, inducing or attempting to solicit or induce away from employment or other association with Employer, any employee of Employer, or (b) employ, hire or contract for services with any employee of Employer, or any person who was an employee of Employer during the six (6) month period prior to termination of Physician’s employment with Employer. The Employer and Physician acknowledge that the restrictions contained in this Section are reasonable and necessary to protect the protectable interests of Employer which include, without limitation, Employer’s confidential information, Employer’s commercial relationships with its patients, patient goodwill associated with its business, and the unique training of its employees, which was and is provided by Employer at considerable expense.  Physician acknowledges and agrees that the Employer’s employees hold positions uniquely essential to the management, organization and service of the Employer.

Compensation.  When a physician leaves a medical practice he/she will be compensated through the date of termination. If, however, the employment agreement provides for some form of bonus compensation based on, for example, collections or other measures of productivity, the employment agreement should address whether the physician is eligible for a bonus, pro-rated through the date of termination, or if termination before the end of the bonus measurement period results in the physician forfeiting any bonus. In addition, if the physician is paid based on production (e.g., collections less allocated expenses), then the employment agreement should address whether accounts receivable generated by the physician which are collected after termination for some designated time period will be counted toward the physician’s final paycheck, or if only collections received through the date of termination will be allocated to the physician. With either a bonus or production compensation model, some employment agreements provide that the departing physician will not be eligible for a bonus or the allocation of any post-termination collections if the physician terminates the employment agreement without cause or if the medical practice terminates the employment agreement with cause. Regardless, it is very important to clearly delineate in the employment agreement how compensation will be addressed upon termination.

Continuing Malpractice Insurance.  When a physician leaves a medical practice it is critical that medical malpractice insurance is maintained which provides continuing insurance for the physician’s professional services if a claim arises after the date of termination. Payment of a reporting endorsement (sometimes referred to as “tail insurance”) is typically an item negotiated by the parties. Regardless of how the costs are allocated, it is important that the employment agreement require either the purchase of a reporting endorsement or that the departing physician be obligated to maintain his/her then current malpractice insurance without interruption for a period of at least four years (eight years if minor patients are involved) after termination of employment. The following sample provision obligates the departing physician to pay for tail insurance, but can be modified as appropriate to provide that the medical practice will cover the costs of such insurance.

Immediately upon termination of employment with Employer, Physician shall, at Physician’s sole expense: (a) purchase or obtain a professional liability insurance reporting endorsement (e.g., tail coverage) with the same base and excess coverage limits and annual aggregate as the professional liability policy made available by the Employer for the Physician (the “Professional Liability Insurance Policy”) in order to provide continuing insurance protection for Physician and Employer against claims for malpractice or negligence occasioned by the acts of Physician while he/she was an employee of Employer (hereinafter referred to as the “Reporting Endorsement”), or (b) make arrangements for the continuation of the Professional Liability Insurance Policy with the same professional liability insurance carrier and with the same base and excess coverage limits and annual aggregate as the Professional Liability Insurance Policy, and listing Employer as an additional insured on such policy (hereinafter referred to as the “Continuation Policy”).

To evidence compliance, Physician shall provide to Employer within ten (10) days following the date of termination of this Employment Agreement either: (a) a copy of the Reporting Endorsement, or (b) a copy of the Continuation Policy, a “Certificate of Insurance Holder,” evidencing the existence of the Continuation Policy and written confirmation from the insurance carrier that Employer is listed as an additional insured on the Continuation Policy. If Physician obtains the Continuation Policy, and within ____ (____) years after termination of employment with Employer, should the Continuation Policy lapse, terminate or be modified so as not to satisfy the definition of a “Continuation Policy” in this Employment Agreement, or should Physician ever change professional liability insurance carriers, Physician agrees that he/she shall immediately purchase the Reporting Endorsement and that he/she shall provide Employer with a copy of the Reporting Endorsement at that time. If Physician fails to purchase such coverage and/or provide Employer with a certificate of same in accordance with the above‑stated requirements, Employer shall have the right, as hereby acknowledged by Physician, but not the obligation, to purchase such coverage and notify Physician in writing of the total premium costs thereof. Physician hereby expressly acknowledges and agrees that the total premium cost for such coverage purchased by Employer under this Section (plus a ten percent (10%) administrative fee) shall be immediately due and payable by Physician to Employer upon Physician’s receipt of said notice and Employer shall have the right to offset Physician’s cost of insurance against any amounts due Physician, with Physician reimbursing Employer for any deficiency. The terms of this Section shall survive termination of the Employment Agreement.

While it may take more work on the front-end, having a well-thought-out and comprehensive physician employment agreement will save significant time, effort and potentially money when a physician leaves your medical practice. Stay tuned for Part III of this three-part series which will discuss protecting confidential information and protection from future liabilities.

Read the full series:

A Physician is Leaving Your Practice – “Must Have” Employment Agreement Provisions (Part I)

A Physician is Leaving Your Practice – “Must Have” Employment Agreement Provisions (Part II)

A Physician is Leaving Your Practice – “Must Have” Employment Agreement Provisions (Part III)

Howard Bogard is a Partner with Burr & Forman LLP and serves as the Chair of the firm’s Health Care Industry Group. Kelli Fleming is a Partner with Burr & Forman LLP practicing in the firm’s Health Care Industry Group. Burr & Forman, LLP, is an official Bronze Partner with the Medical Association.

Posted in: Legal Watch, Management, MVP

Medical Licensure Compact Goes Live

The Interstate Medical Licensure Compact, a pathway to expedite the licensing of physicians already licensed to practice in one state, who seek to practice medicine in multiple states, is officially live. Alabama became the seventh state to enact the Interstate Medical Licensure Compact and the final state necessary in order for the expedited pathway to licensure for board-certified physicians who have no history of disciplinary action against them to be made possible through the Compact.

The Compact creates a new pathway to expedite the licensing of physicians already licensed to practice in one state, who seek to practice medicine in multiple states. The Compact is designed to increase access to health care in underserved or rural areas and allow patients to more easily consult physicians through telemedicine technologies. The Compact will make it easier for physicians to obtain licenses to practice in multiple states and will strengthen public protection by facilitating state medical board sharing of investigative and disciplinary information that they cannot share now.

The Interstate Medical Licensure Compact is an agreement between 18 states and the 23 Medical and Osteopathic Boards in those states. Under this agreement licensed physicians can qualify to practice medicine across state lines within the Compact if they meet the agreed upon eligibility requirements. Approximately 80 percent of physicians meet the criteria for licensure through the IMLC.

Physicians can apply for an expedited license at https://imlcc.org/applynow/.

There are a few issues of special note:

  • As of now, seven of the 18 states (AL, ID, IA, KS, WV, WI, WY) in the Compact are ready to issue licenses through the Compact. The remaining 11 are working to clarify/verify that their state medical boards are authorized to conduct background checks as required by the Compact. Bills to clear up this issue appear to be moving quickly.
  • Fees
    1. For states – The Commission decided that there will be no cost to a state to participate in the Compact.
    2. For physicians – The cost to a physician to participate in the Compact is:
      1. Application Cost  = $700
        1. $400 of which will go to the Commission, and
        2. $300 of which will go to the physician’s State of Principal Licensure to cover the cost of verifying the physician’s credentials; PLUS
      2. License Cost – Each state in the Compact has the authority to establish the cost of the license received through the Compact. The costs range from $75-600. See the breakdown here.

The application fee may be changed in the future as licenses start being processed, and the amount of interest in getting a license through the Compact is better known.

Posted in: Advocacy

Research: Physician Shortage Likely to Have Severe Impact on Patient Care

The United States continues to face a projected physician shortage over the next decade, creating a real risk to patient care, according to new data released by the Association of American Medical Colleges. The latest projections continue to align with previous estimates, showing a projected shortage of between 40,800 and 104,900 doctors.

For the third consecutive year, the Life Science division of the global information company, IHS Markit, conducted a study of physician supply and demand on behalf of the AAMC, modeling a wide range of health care and policy scenarios, such as payment and delivery reform, increased use of advanced practice nurses and physician assistants, and delays in physician retirements. This year’s report extended the date of the projections by five years, from 2025 to 2030, to account for the time needed to train a physician who would start medical school in 2017. The report also includes an expanded section modeling the additional demand for physicians that would be generated by health care utilization equity.

“The nation continues to face a significant physician shortage. As our patient population continues to grow and age, we must begin to train more doctors if we wish to meet the health care needs of all Americans,” said AAMC President and CEO Darrell G. Kirch, M.D.

The report aggregates the shortages in four broad categories: primary care, medical specialties, surgical specialties, and other specialties. By 2030, the study estimates a shortfall of between 7,300 and 43,100 primary care physicians. Non-primary care specialties are expected to experience a shortfall of between 33,500 and 61,800 physicians.

These findings are largely consistent with the 2015 and 2016 reports. In particular, the supply of surgical specialists is expected to remain level, while demand increases. The study also finds that the numbers of new primary care physicians and other medical specialists are not keeping pace with the health care demands of a growing and aging population.

“By 2030, the U.S. population of Americans aged 65 and older will grow by 55 percent, which makes the projected shortage especially troubling,” Kirch said. “As patients get older, they need two to three times as many services, mostly in specialty care, which is where the shortages are particularly severe.”

Expanding on last year’s findings, the new report also includes an analysis of the needs and health care utilization of underserved populations. These data show that if the barriers to utilization were removed for these patients, and all Americans accessed health care at the same levels as insured, non-Hispanic white populations, the United States would have needed up to 96,800 doctors in 2015. Nearly three-quarters of those physicians would be needed in metropolitan areas. This figure is in addition to the projected workforce shortage based on current practice patterns.

“Not only do these utilization equity data highlight the need for the nation to train more doctors, they also demonstrate the importance of a diverse health care workforce. Many of those who underutilize health care — despite their need — are from racial and ethnic minority backgrounds,” Kirch said. “A diverse and culturally competent workforce will enable us to provide the care all Americans need and deserve.”

To help alleviate the physician shortage, the AAMC supports a multipronged solution, including expanding medical school class size, innovating in care delivery and team-based care, making better use of technology, and increasing federal support for an additional 3,000 new residency positions per year over the next five years.

“We urge Congress to approve a modest increase in federal support for new doctors,” Kirch said. “Expanded federal support, along with all medical schools and teaching hospitals working to enhance education and improve care delivery, would be a measured approach to solving what could be a dangerous health care crisis.”

The Association of American Medical Colleges is a not-for-profit association dedicated to transforming health care through innovative medical education, cutting-edge patient care, and groundbreaking medical research. Its members comprise all 147 accredited U.S. and 17 accredited Canadian medical schools; nearly 400 major teaching hospitals and health systems, including 51 Department of Veterans Affairs medical centers; and more than 80 academic societies. Through these institutions and organizations, the AAMC serves the leaders of America’s medical schools and teaching hospitals and their nearly 160,000 faculty members, 83,000 medical students, and 115,000 resident physicians. Additional information about the AAMC and its member medical schools and teaching hospitals is available at www.aamc.org.

Posted in: Research

Medical Association Joins Coalition for PA Reform

Responding to unreasonable hurdles for patients seeking care, the Medical Association has joined a coalition including the American Medical Association and 16 other health care organizations urging health plans, benefit managers and others to reform prior authorization requirements imposed on medical tests, procedures, devices and drugs.

The coalition, which represents hospitals, medical groups, patients, pharmacists and physicians, says that requiring pre-approval by insurers before patients can get certain drugs or treatments can delay or interrupt medical services, divert significant resources from patient care and complicate medical decisions. Concerns that aggressive prior authorization programs place cost savings ahead of optimal care have led Delaware, Ohio and Virginia to recently join other states in passing strong patient protection legislation.

Given the potential barriers that prior authorization can pose to patient-centered care, the coalition is urging an industry-wide reassessment of these programs to align with a newly created set of 21 principles. Prior authorization programs could be improved by applying the principles’ common-sense concepts grouped in five broad categories:

  • Clinical validity,
  • Continuity of care,
  • Transparency and fairness,
  • Timely access and administrative efficiency, and
  • Alternatives and exemptions.

“Strict or bureaucratic oversight programs for drug or medical treatments have delayed access to necessary care, wasted limited health care resources and antagonized patients and physicians alike,” said AMA President Andrew W. Gurman, M.D. “The AMA joins the other coalition organizations in urging health insurers and others to apply the reform principles and streamline requirements, lengthy assessments and inconsistent rules in current prior authorization programs.”

The data entry and administrative tasks associated with prior authorization reduce time available for patients. According to a new AMA survey, every week a medical practice completes an average of 37 prior authorization requirements per physician, which takes a physician and their staff an average of 16 hours, or the equivalent of two business days, to process.

The AMA survey illustrates that physician concerns with the undue burdens of pre-authorizing medical care have reached a critical level. Highlights from the AMA survey include:

  • Seventy-five percent of surveyed physicians described prior authorization burdens as high or extremely high.
  • More than a third of surveyed physicians reported having staff who work exclusively on prior authorization.
  • Nearly 60 percent of surveyed physicians reported that their practices wait, on average, at least 1 business day for prior authorization decisions, and more than 25 percent of physicians said they wait 3 business days or longer.
  • Nearly 90 percent of surveyed physicians reported that prior authorization sometimes, often, or always delays access to care.

The AMA survey findings indicate there is a real opportunity to improve the patient experience while significantly reducing administrative burdens for both payers and physicians by reforming prior authorization and utilization management programs.

See also Medical Association Joins Call to CMS to Delay EHR Certification Requirements and Medical Association Urges CMS to Reduce EHR and MU Burden on Physicians

Posted in: Advocacy


Just a Guy with a Ladder with Lee Irvin, M.D.

MOBILE – You probably don’t know Lee Irvin, M.D., of Mobile, and he’s fine with that. He’s the kind of gentleman you’d love to hang out with and have a drink or dinner with…swap stories with. But it’s easy to see that his medical mission over the last couple of years wears heavy on his heart.

Dr. Irvin is a pain physician. Yes, a pain physician. He said he has no problem with introducing himself that way, even though there is a bit of a stigma associated with the treatment of pain, especially in Mobile following the arrest and conviction in February 2017 of Mobile physicians Xiulu Ruan and John Patrick Couch. Couch and Ruan were convicted in federal court for operating their clinics as pill mills, raking in millions of dollars by overprescribing potent, and deadly, narcotic pain medications to patients.

“It was like driving down the road, seeing a house on fire, and you’re the guy with a ladder,” Dr. Irvin said. “I was the guy with the ladder. Of course, I was going to help those patients.”

Dr. Irvin was the first physician in Mobile to treat patients with pain pumps more than 30 years ago, so he was the first physician to step up and render aid to the patients Couch and Ruan left behind who were on pain pumps. Dr. Irvin said he had about 35 of his own patients on pain pumps at that time, but there was an influx of nearly 350 pain pump patients from the now-closed practice in need of immediate care, some exhibiting signs of withdrawal by the time he intervened.

“Unfortunately, there were another reported 7,000 to 8,000 medication-managed patients from that practice that needed assistance,” Dr. Irvin said. “There was no way I could take on all of them, but in that year and a half, I took on another several hundred more. We were on a clock. It took almost a year to get those patients weaned off that medication. So, when you ask whether I had to do this, yeah…I did.”

One huge problem Dr. Irvin noted was the lack of resources, at both the local and state levels, for patients who have addiction issues, a shortage that has left patients in need of specialized care falling through the proverbial cracks.

“We are in dire need of addiction specialists, social workers, mental health professionals – resources these patients need to get better. How can there be this tremendous need, yet we still do not have these resources to help our patients?” Dr. Irvin questioned.

Dr. Irvin continues to work closely with investigators with the Alabama Board of Medical Examiners to ensure the safety and health of the patients. As he puts it, “Doctors are supposed to help,” but he said he feels the reputation of most pain physicians has been tarnished by those who have put money above the welfare of their patients.

“When someone asks me now what my specialty is, I have no trouble saying I’m in pain management. I started in anesthesiology, but for the last 10 years or so, pain physicians have had such a bad reputation because of those bad physicians mistreating this profession and endangering the lives of their patients. We don’t want to write a bunch of narcotics to cover up an underlying disease. I have an old-fashioned idea that as a physician you should sit down with your patient and talk, get a complete history…and listen. It’s amazing how much information you can get from your patients if you just listen. I haven’t done anything amazing. I just listen and take care of my patients,” Dr. Irvin explained.

It may be an old-fashioned idea, according to Dr. Irvin, but his decision to make pain management his life’s work is actually deeply rooted in the illness of a family friend.

“I had a personal reason for specializing in pain,” Dr. Irvin said. “There was a fellow I grew up next door to who was like my second father. He was my hunting and fishing buddy. There were some kids out shooting while he was quail hunting, and he caught a .22 round in the hip. His doctors kept telling him it would do more harm than good to take that round out, but it was really a red herring. There was something else going on causing his pain.”

It was about 18 months later when Dr. Irvin’s old friend was told he had prostate cancer with mets. His pain wasn’t being managed very well, and on one of the last visits Dr. Irvin made to see him, Dr. Irvin had been warned that his friend might not recognize him…but he did.

“I wasn’t expecting that. He was in a lot of pain, sitting on a sack of medicine, and basically not knowing where he was, but he still recognized me. I couldn’t help but think there has got to be a better way. That was my moment. That was my reason for choosing pain medicine,” Dr. Irvin said.

Posted in: Physicians Giving Back


What You Need to Know about the Business of Practicing Medicine

While physicians today learn cutting-edge medical treatments and technologies, most of them don’t receive any instruction on the business side of medicine. That’s an unfortunate omission; practicing medicine requires doctors to enter contracts, to be aware of applicable rules, laws and regulations, to market themselves, to understand proper coding requirements, and to properly collect patient payments.

Today we will focus on one of the first business documents a physician will encounter: a contract with a physician practice. What subjects will it cover? What questions can you ask? Should you get a professional to look at the document?

Compensation is one item that will be addressed in the contract. Be sure you understand how your compensation is determined, whether you have the opportunity to earn a bonus, and exactly what a bonus will be based on. You may be offered a trial period to practice as a salaried physician (perhaps one to three years) before you can join the practice as a partner.

Don’t be afraid to ask questions. If you are required to work as a salaried physician for a time, how does the practice decide whether or not to offer you a partnership? What has happened to physicians who have come before you? Has anyone failed to make partner, and if so, what were the reasons?

If you are fortunate enough to be considering competing offers, don’t look at salaries in a vacuum. A quick online search will reveal the average income of a physician in your specialty in the city you are considering. Similarly, you can search and compare the cost of living in different cities. A slightly lower offer may go farther in a city with a much lower cost of living.

Do not forget to factor in benefits as well. A practice that pays for your CME, malpractice insurance, health and disability insurance, and makes generous contributions to your retirement account is relieving you from paying thousands of dollars per month.

OnBoard Healthcare is a partner of the Medical Association. Visit them online for more information.

Posted in: Management


How Can You Avoid a HIPAA Mega Breach?

A HIPAA breach often occurs when a health care entity wrongfully discloses the protected health information of a patient or client. These incidents can occur by accident, like faxing patient information to the wrong fax number. They can also be the result of willful or intentional acts, like employees who gather patient information for the purpose of filing false tax returns. They occur in many forms and can affect any number of individuals.  Breaches can range in scale from a single individual being compromised to an incident affecting thousands and even millions of people.

The Department of Health and Human Services requires a breaching entity to take specific reporting action based on the number of individuals the breach affects. In the world of HIPAA breaches, 500 is a magic number. Breaches affecting greater than 500 individuals are generally considered a HIPAA “Mega” breach. These mega breaches have more stringent notification requirements that could cause your health care practice to be featured on the evening news. Just as with breaches affecting fewer than 500 people, mega breaches require that you provide individual notice to each patient. This often requires staff time as they work to locate each patient’s last known address and send them a breach notification letter explaining what happened, who was involved, how their data was compromised, and what the entity is doing to avoid similar incidents in the future. Often, entities will offer their patients credit monitoring for a two-year period to mitigate the breach and demonstrate to the patient that the entity is serious about data security.

Mega breaches also require individual notice. However, these large breaches also require simultaneous notice directly to the HHS Office of Civil Rights and local media and news outlets. Entities reporting these large breaches will deal with immediate issues like loss of business and loss of reputation while also responding to patients and clients who are angry that their information has been compromised.

How can you avoid dealing with a HIPAA Mega breach in your practice?

You Must Perform a Competent and Thorough Risk Analysis. Many compliance professionals refer to this as your entity’s “annual exam.”  During this process, you and your team should determine every system that contains electronic protected health information and assess its vulnerability for inappropriate disclosure. This analysis is a requirement of the HIPAA Security Rule and must occur annually or sooner if necessitated by changes to your IT system or turnover in your workforce. Entities must remember to document this process and have it readily available to produce to HHS upon request. Failure to perform, document, and/or produce an adequate Risk Analysis is often a sign to HHS that an entity is non-compliant and may lead to a more extensive audit. This is an opportunity for entities to determine the adequacy of their cybersecurity and how to protect their entity from malware.

Invest in Encryption. HIPAA categorizes patient data in two ways: (1) secured and (2) unsecured. Entities most often find themselves in trouble when they have a breach of unsecured data. The breach notification requirements discussed above, which include notice to patients, HHS and media outlets, ONLY refer to breaches of unsecured data. However, secured data is exempt from notice requirements. Secured or encrypted data is considered to be unusable, unreadable, or indecipherable to unauthorized individuals; thus, a breach of that device cannot occur. Encrypting patient data is the ultimate safety net! For example, a nurse uses a business laptop to store patient information of the 550+ individuals that are treated in her practice. She takes it home for the night and leaves it on the passenger seat of her car. Her vehicle is broken into overnight and the laptop is stolen. If the laptop is unencrypted, she now faces HIPAA breach notification requirements, loss of reputation, and the overwhelming threat of possible fines and lawsuits. However, if the laptop is encrypted, she would simply document the occurrence and have the laptop replaced.

Enforce Privacy and Security Policies and Provide Training. Often, the most effective tool in your health care compliance arsenal is a competent and well-informed workforce. Employees must understand how their actions can affect the security of data along with the consequences of violating policies and procedures. Additionally, having policies and procedures that are customized to your practice demonstrates a serious approach to compliance. Often, being able to produce copies of policies and training that employees were mandated to review and participate in will reflect that the entity itself was aware of its risks and sought to avoid or minimize them. An employee who has documented that they have reviewed the policies and participated in training, but nevertheless participated in negligent or reckless behavior, is more likely to be seen as a “bad actor” and not a reflection of a culture of non-compliance within the entity.

Your entity may also want to reflect on how the following devices are utilized and stored:

  1. Hard Drives
  2. CDs/DVDs
  3. Flash Drives
  4. Back-Up Storage Tapes

To ensure that your practice is complying with federal regulations, and for assistance with avoiding or navigating a mega breach, please consult a health care compliance professional.

Samarria Dunson, J.D., CHC, CHPC is attorney/principal of Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Alabama.  www.dunsongroup.com

Posted in: HIPAA
