Archive for Legal Watch

Federal Cures Act “Information Blocking” Compliance Date Approaching

Federal Cures Act “Information Blocking” Compliance Date Approaching

The 21st Century Cures Act (Cures Act), passed by Congress in 2016, included a provision in Title IV, Section 4004 against “information blocking,” defined in the Act as a practice or practices, “likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information.”  The Act further required the Office of National Coordinator for Health Information Technology (ONC) and the Department of Health and Human Services (HHS) to promulgate rules (the rules) for enforcement on information blocking.  

The rules, which have been in effect since April 2021, apply the information blocking provisions of the Cures Act to “actors,” defined to include health care providers like physicians and hospitals, as well as health information exchanges and health information technology (HIT) developers or vendors.  They currently require physicians to make the following electronic health information, otherwise known as the United States Core Data for Operability, version 1 (USCDIv1) accessible to patients in the electronic health record with no delay:  Consultation notes, discharge summary notes, history and physical, imaging narratives, laboratory report narratives, pathology report narratives, procedure notes, and progress notes.  

On October 6, 2022, physicians and other actors will be required to provide patient access to all electronically maintained health records, with the exception of psychotherapy notes and information compiled in anticipation of litigation, to avoid charges of information blocking.  The rules further provide that by December 31, 2022, electronic health record systems must have updated technology to allow easier patient access to electronic health information.

Because HIT vendors are also considered actors and must comply with information blocking rules, physicians who are not yet in compliance or preparing for upcoming compliance dates should work with their HIT vendors to develop a compliance plan for this section of the Cures Act. They should also become familiar with exceptions provided in the rules where delays or denials of access are not considered information blocking.  Finally, physicians should be on the alert for notice from ONC and HHS on the penalties for health care providers for information blocking.  Potential penalties for HIT vendors and health information exchanges found to be participating in information blocking have already been determined by rule to include fines up to $1 million per violation. To date the potential penalties for health care providers found to be information blocking are “disincentives” to be determined by HHS using a formula and criteria not yet developed.

Resources for Physicians on Information Blocking:

Posted in: Legal Watch

Leave a Comment (0) →

Prepare Your Practice for Expanded Information Blocking Requirements

Prepare Your Practice for Expanded Information Blocking Requirements

By: Catherine (Cat) Kirkland, Burr & Forman LLP

Is your practice ready? Starting October 6, 2022, physicians and group practices will be required to make full electronic health information available for access, exchange, and use to patients (among others) in a reasonable manner. This deadline marks the end of a multi-year phase-in from the U.S. Department of Health and Human Services (HHS) of “information blocking” rules set forth in the 21st Century Cures Act Interoperability and Information Blocking Regulations.

The Cures Act defines information blocking as “a practice by an actor that is likely to interfere with the access, exchange, or use of electronic health information (EHI), except as required by law or specified in an information blocking exception.” Physicians, hospitals, and group practices, among many other provider types, are all specifically defined as “actors” under the Act and are therefore subject to the regulations. The Act defines EHI as information contained within a designated record set, which for a physician or group practice would include medical records, billing records, and other documents used by the physician or practice in conjunction with patient care (ex: scans received, emergency department records, etc.).

Examples of prohibited information blocking might include:

  • Implementing a blanket (and not individualized) approach of withholding laboratory or other test results from a patient portal until a physician can evaluate the results;
  • Charging a fee for physical copies of a patient’s EHI, when the fee does not meet HHS’ fee exception criteria; or
  • Purposefully limiting what EHI is shared in a patient portal if the portal technology would allow for full EHI access.

A practice is not considered information blocking if it meets one of eight exceptions. Five of these exceptions relate to why a provider might not fulfill a request for access, exchange, or use of EHI, including: 1) prevention of harm (a very limited exception requiring a patient-by-patient analysis); 2) privacy protection (ex: if state or federal law require a patient consent to set-up a portal and the patient has not consented); 3) safeguarding security of the EHI; 4) infeasibility (ex: hurricanes or uncontrollable events); and 5) if the provider’s IT is temporarily unavailable. Each of these exceptions contain key conditions that must all be demonstrated by the provider before the exception can be claimed.

The Cures Act authorizes the HHS Office of Inspector General to investigate any claim of information blocking and in 2021, HHS established an online portal for complaints. Any complaint submitted through HHS’s portal could result in an OIG investigation and potentially penalties or disincentives.

The overall industry response to the expanded rules has been one of concern and confusion with a major push for HHS to release more guidance before the October 6 deadline. However, waiting on additional HHS guidance is not a defense to the information blocking rules. Physicians and group practices should be proactive in their compliance by reviewing the rules and exceptions carefully. Physicians should ensure that all policies, procedures, and/or compliance programs comply with the rules, address rule exceptions, and require documentation of when an exception is used and why.

Catherine (Cat) Kirkland is a partner at Burr & Forman LLP and practices exclusively in the firm’s Health Care Practice Group. Cat may be reached at (251) 340-7271 or by email at

Posted in: Legal Watch

Leave a Comment (0) →

I Have to Correct What?

I Have to Correct What?

By Kelli C. Fleming, Burr & Forman, LLP

A client recently informed me that their practice was experiencing a large increase in the number of medical record amendment requests it was receiving from patients. My perception is that this is the result of two things: (1) the widespread transition to electronic medical records, and (2) increased portal usage by patients to access medical information. Thus, I thought it might be a good time for a little refresher on a patient’s right to amend their health information.

Under HIPAA, a patient has the right to request an amendment of their health information for as long as the information is maintained in a “Designated Record Set.” Not only must the patient be notified of this right in the Notice of Privacy Practices, but a practice has certain obligations when a patient exercises this right.

When receiving a request from a patient to amend their health information, I recommend requiring that the request be in writing and include the reason for the requested amendment. 

Once a request is made, the request for an amendment must be acted upon no later than sixty (60) days after receipt of such request.  If, however, the practice is unable to act on the amendment within sixty (60) days, the time may be extended by no more than an additional thirty (30) days, provided that the practice provides the patient, no later than sixty (60) days after receipt of such request, with a written statement of the reasons for the delay and the date by which it will complete the request. Only one such extension is permitted.

If the request for amendment is accepted by the practice, the practice must properly amend the information and inform the patient that the information has been amended. The documentation in the record should reflect that the change is an amendment or an update and be dated as of the date of the amendment. The practice shall also obtain the patient’s permission to notify certain persons of the amendment.

However, providers are not required to abide by every amendment request. The request for amendment may be denied if the information (1) was not created by the practice, unless the patient provides a reasonable basis to believe that the originator of the information is no longer available to act on the requested amendment; (2) is not part of the Designated Record Set; (3) would not be available for access under the patient’s right to access; or (4) is accurate and complete.

If the requested amendment is denied, in whole or in part, the practice must provide the patient with a timely, written denial containing specific information. The practice must permit the patient to submit a written statement disagreeing with the denial and the basis of such disagreement. The practice may prepare a written rebuttal to the patient’s statement of disagreement.  If a written rebuttal is prepared, among other things, a copy must be given to the patient who submitted the statement of disagreement.

Kelli C. Fleming is a partner at Burr & Forman LLP and practices exclusively in the firm’s Health Care Practice Group. Kelli may be reached at (205) 458-5429 or

Posted in: Legal Watch, Uncategorized

Leave a Comment (0) →



By Angie Cameron Smith, Burr & Forman, LLP

Good documentation is important for many reasons: continuity of care, compliance, and risk management to name a few.  Documentation supports payment for services but can also form the basis of medical malpractice cases, whether it be lack of documentation, improper documentation or poor documentation.  Therefore, it is important to revisit best practices on a regular basis to protect providers from documentation pitfalls. 

  1. Timely documentation and signatures

It seems elementary that a provider should timely document in a patient’s medical record, but one of the first issues that comes up in compliance audits (Medicare, Medicaid etc.), is whether there is timely documentation in the medical record.  In some instances, being timely may require a signature before a service is rendered; in other cases, the documentation should be done at the time of the encounter. It is important to document timely because it is a contemporaneous recording of the provider’s assessment.    

Signatures on medical documentation or orders can create significant liability because it is an essential element for payment and compliance.  For instance, Medicare has specific signature requirements, including:  (1) must be for a service ordered or provided by the provider signing; (2) must be handwritten or electronic, and (3) must be legible but can be confirmed through a signature log or attestation.  Neither Medicare nor Medicaid accepts stamped signatures unless the provider can establish an inability to sign due to disability.  We have often used signature logs and attestations in audits to establish the provider rendered the service, but it is preferable that the signature meet the requirements without the need for additional support.  Medicare also states that you cannot “add late signatures…beyond the short delay that happens during the transcription process.”  If a signature is missing from medical documentation (not orders) an attestation from the provider may render it valid.  

  1. Follow your documentation policies  

Although there may be documentation requirements dictated by certain payors, a provider should also be mindful of any policies that a particular facility, practice or group may have regarding documentation.  Review your facility or practice policies with regard to documentation.  It is surprising how often there is a policy in place that addresses an aspect of documentation, and no one is following it, usually because the provider was unaware of it.  This can be very difficult to overcome when defending lack of documentation if a policy says the documentation should exist.

  1. Need to make a change – use an addendum rather than editing an existing record

There may be times when a provider has created a timely entry on a patient, but sometime later, the provider recalls that he/she did not include a detail about the evaluation or treatment or encounter.  It is important in the age of electronic medical records that when editing, adding or updating an entry, that it be done as an addendum to the original entry rather than changing an existing record.  Editing could be problematic for many reasons.  For instance, when defending a medical malpractice case, there is often a request for a HIPAA audit trail that shows who viewed the record, made entries in the record or edited the record.  If something was changed as opposed to an addendum, this creates the appearance of an attempt to improperly alter a medical record.  Therefore, it is best to create an addendum to an entry previously made with an explanation as to the purpose of the addendum.  Where you are have a paper record or chart, it is less of an issue because the original note should be available but it is still important to initial any edits and not alter the original documentation.  

  1. Copying and pasting, “cloning” 

For the most part, electronic medical records have made documenting medical evaluations and treatment more efficient, not to mention easier to read.  However, there are some efficiencies that should be avoided.  In some EMR systems, a provider has the ability to see information from a prior visit (see next tip).  As mentioned below, this can be great for continuity of care; however, if a provider copies the entry for review of systems or history and physical, and fails to edit it for the actual evaluation performed at the time of service, it can lead to problems.  From a compliance standpoint, such repeat/verbatim documentation can call into question whether the provider actually conducted the evaluation.  The same would be true from a liability standpoint.  It is unlikely that the exact same information would be gleaned from the patient on separate visits.  Therefore, a provider should not “clone” entries to create a new entry in the chart.   

  1. Reviewing prior history or last visit 

Although not necessarily specific to documentation, it is important for continuity for care for a provider to consider or review information from any prior visit.  This often comes up in a failure to diagnose case where a provider failed to review a prior visit and on a subsequent visit, the symptoms complained of are exacerbated.  The patient’s attorney often argues that had the provider reviewed the prior visit, the diagnosis may have been different or the outcome may have been different.  A failure to review prior history does not necessarily lead to liability on the part of the provider, but it provides a narrative for a jury or arbitrator that a simple review of prior history could have led to a different outcome.  


Be mindful of documentation requirements necessary for payment/compliance, consider conducting self-audits of charts on a periodic basis to ensure compliance and ensure policies are up to date and reflect how providers are documenting.  

Angie Smith is a Partner at Burr & Forman practicing exclusively in the firm’s healthcare practice group. Angie may be reached at (205) 458-5209 or

Posted in: Legal Watch

Leave a Comment (0) →

Federal District Court Issues First Court Opinion Regarding EKRA’s Commission Based Payments

By James A. Hoover, Esq., Burr & Forman, LLP

A Federal District Judge in the United States District Court, District of Hawaii issued the first court opinion interpreting the prohibition of the payment of commissions by clinical laboratories to employees or independent contractors that was implemented by the Eliminating Kickback in Recovery Act of 2018 (“EKRA”).  Judge Kodayashi entered her decision on October 18, 2021 in the case S&G Labs Hawaii, LLC v Graves.  

In S&G Labs, the court ruled that the commission payments made to an employee of a clinical laboratory were legitimate compensation payments and did not violate EKRA notwithstanding the fact the payments were made to a salesman who introduced S&G Labs to physicians, counseling centers and other entities that referred patients to the lab. In so ruling, the Court emphasized the salesman had no contact with any individual whose own specimens were tested.  

As a refresher, the Substance Use-Disorder Prevention that Promotes Opioid Recovery and Treatment for Patients and Communities Act (the “SUPPORT Act) seeks to prohibit “patient brokering” practices by some recovery homes and treatment facilities. Section 1822 of the SUPPORT Act, signed into law and effective as of October 24, 2018, contains EKRA, now codified at 18 U.S.C. § 220. Although EKRA was created to address “patient brokering,” EKRA arguably prohibits a much broader scope of conduct by stating:

“whoever, with respect to services covered by a health benefit program… knowingly and willfully (1) solicits or receives any remuneration… directly or indirectly, overtly or covertly, in cash or in-kind, in return for referring a patient or patronage to… a laboratory, or (2) pays or offers any remuneration… directly or indirectly, overtly or covertly, in cash or in-kind (A) to induce a referral of an individual to a… laboratory or (B) in exchange for an individual using the services of that … laboratory, shall be fined not more than $200,000, imprisoned not more than 10 years, or both, for each occurrence”)

18 U.S.C. 220(a) (emphasis added).

EKRA also contains an exception to the prohibition set out above.  The exception states that “a payment made by an employer to an employee or independent contractor…if the employee’s payment is not determined by or does not vary by–(A) the number of individuals referred to a particular… laboratory; (B) the number of tests or procedures performed; or (C) the amount billed to or received from, in part or in whole, the health care benefit program from the individuals referred to a particular… laboratory.” 18 U.S.C. 220(b)(2).

EKRA on its face implicates any financial relationship between a clinical laboratory and an individual or legal entity that generates business for the lab. Although EKRA’s text is similar to the federal healthcare program anti-kickback statute, 42 U.S.C. 1320-7b(b) (the “AKS”), it is arguably much broader in scope for a number of reasons.  First, EKRA defines “laboratory” to include any CLIA-certified laboratory.  Second, the statute defines “health benefit program” to mean “any public or private plan or contract… under which any medical benefit, item, or service is provided to any individual.” Thus, EKRA applies to payments by any payor, such as commercial insurance and even self-pay, not just by government-funded plans.   

Relating to EKRA, the question before the Court in S&G Labs dealt directly with compensation paid by S&G Labs to an employee.  The compensation arrangement involved a compensation arrangement that included a base salary of $50,000.00 and a percentage of monthly net profits generated by the employee’s client accounts and by the client accounts handled by S&G employees whom the relevant employee managed.  The employee’s commission-based compensation resulted in him receiving more than $1.8 million in 2018 alone.

S&G Labs is a medical testing facility that performs urinalysis screening for legal substances, as well as for controlled substances for physicians, substance abuse treatment facilities and other types of entities.  The Court analyzed the definition of “laboratory” and “clinical laboratory” and concluded that S&G Labs was a laboratory for EKRA purposes.  

Next, the Court compared EKRA’s statutory language of “remuneration” and “individual” with the AKS’ statutory language for those terms.  The Court ruled, in light of the statutory construction of EKRA and the AKS, that the employee’s compensation from S&G constituted remuneration under EKRA.  

The Court also analyzed whether the remuneration paid to the employee was paid to “induce a referral of an individual to” S&G labs.  The Court opined that undoubtedly the employee’s “…commission-based compensation structure induced him to try to bring more business to S&G, either directly through the accounts he serviced himself, or through the accounts of the personnel under his management. However, the ‘client’ accounts they serviced were not individuals whose samples were tested at S&G. Their ‘clients’ were ‘the physicians, substance abuse counseling centers, or other organizations in need of having persons tested.’”  Thus, the Court concluded the compensation arrangement did not violate § 220(a) and the exception in § 220(b) was not applicable.  

Although the commission-based sales compensation arrangement in the employment agreement was upheld in this instance, this opinion is extremely narrow in its implications.  As a result, notwithstanding this opinion, EKRA remains a thorny problem for all laboratories and those who refer to them and requires much thought and consideration before using such commission-based compensation arrangements for clinical laboratories.  

Jim Hoover is a Partner at Burr & Forman LLP and practices exclusively in the firm’s Healthcare Practice Group. Jim may be reached at (205) 458-5111 or

Posted in: Legal Watch, Uncategorized

Leave a Comment (0) →

Supreme Court Rules on Vaccine Mandates

Supreme Court Rules on Vaccine Mandates

By: Brandy A. Boone, General Counsel of the Medical Association of the State of Alabama

The US Supreme Court (“the Court”) recently released differing opinions on the two-part Biden administration vaccine mandate.  In Biden v. Missouri1, the Court lifted a US District Court’s stay on enforcement of the Department of Health and Human Services’ (HHS) rule amending CMS Conditions of Participation to require covered staff to be vaccinated for COVID-19.  The Court took the opposite approach in National Federation of Independent Business v. Department of Labor2, by enjoining the enforcement of an OSHA standard requiring employers with at least 100 employees to require covered workers to be vaccinated.

The CMS rule, more commonly known as the healthcare worker vaccine mandate, was issued as an interim final rule for facilities regulated by CMS Conditions of Participation, including hospitals and long-term care facilities.   The rule requires covered facilities to have a plan for vaccinating all staff, a plan for the provision of medical and religious exemptions, and a plan for tracking and monitoring vaccinations and exemptions.  Because physician offices are not facilities regulated by CMS Conditions of Participation, this rule does not apply to physician offices or healthcare workers who work in physician offices, unless they are also on staff at a covered facility.

A number of states, including Alabama, filed lawsuits seeking injunctions to the enforcement of the healthcare worker vaccine mandate.  Those lawsuits were consolidated into two federal court actions, and in both, the federal district courts issued stays to enforcement.  The federal government petitioned the corresponding federal circuit courts for relief from the stays, and relief was denied in both courts. Following the circuit court denials, the government petitioned the US Supreme Court for the same relief, and the Court agreed to hear the specific issue of whether to lift the preliminary injunction.  

The Court issued a per curiam opinion on January 13, 2022, granting the government’s petition and lifting the US District Court’s stay on enforcement of the vaccine mandate. The Court noted in a 5-4 decision that the Department of Health and Human Services (HHS) is the administering agency for Medicare and Medicaid programs, and thus the HHS Secretary is charged by federal law to develop regulations to aid in efficient administration of those programs and to protect the health and safety of individuals served by them.  The Court also agreed that that the HHS Secretary was within his authority in issuing the vaccine mandate in an interim final rule, rather than through a usual notice and comment period, because of the highly infectious nature of COVID-19, and the particular vulnerability of populations served by Medicare and Medicaid. 

Although the Court lifted the preliminary injunction on enforcement of the healthcare worker vaccine mandate, it only ruled on that specific issue, so the state lawsuits to stop enforcement are back in the federal circuit courts, pending the federal government’s appeal, and a possible writ of certiorari.  However, the rule will remain in effect and enforceable pending the appeal and possible writ.  The Court’s opinion did not address or affect the available religious and medical exemptions to the rule, and it did not expand the scope of the rule beyond healthcare facilities with conditions of participation for Medicare and Medicaid Services, so it still does not apply to physician clinics or offices.

The other vaccine mandate, not specific to healthcare, came through the Occupational Safety and Healthcare Administration (“OSHA”), under the auspices of the Department of Labor.  OSHA enacted a temporary emergency standard covering employers with at least 100 employees.  The standard requires worker vaccinations, with no exceptions, other than daily masking and weekly testing at the employee’s expense.  

This new standard was challenged by states and business organizations in several federal courts, and one federal circuit court entered a stay on enforcement.  When all of the cases were consolidated under another federal circuit court, that court lifted the stay so the rule could go into effect.  The Supreme Court accepted an emergency petition from the states and business leaders on whether to impose a preliminary injunction on enforcement of the rule, pending the resolution of lawsuits consolidated with the Sixth Circuit Court of Appeals.

On the same day the Court lifted the stay on the healthcare worker vaccine mandate, the Court granted a stay of enforcement of the OSHA worker vaccine mandate.  In another per curiam opinion, this time a 6-3 decision, the Court reasoned that federal law authorizes OSHA to regulate workplace safety, but that Congress has not given OSHA specific authority to regulate “broad public health measures.”  Finding that while there is COVID-19 infection risk in the workplace, those risks are not relegated just to the workplace, and therefore, OSHA exceeded Congressional authority in enacting its temporary emergency standard requiring worker vaccinations.

As with the healthcare worker vaccine mandate, the Court’s ruling does not end the rule or the challenge to the rule.  The Court has stayed enforcement of this OSHA standard until the disposition of the legal challenges in the Sixth Circuit Court of Appeals and any potential writ of certiorari. 

  1.  Biden v. Missouri, Nos 21A240 and 21A241 (2022);

National Federation of Independent Business v. Department of Labor, Nos 21A244 and 21A247 (2022);

Posted in: Coronavirus, Legal Watch

Leave a Comment (0) →



By Angie Cameron Smith with Burr & Forman, LLP

On July 6, 2021 Governor Kay Ivey allowed the State of Emergency in Alabama to expire.  She had previously proclaimed a State of Emergency due to the COVID-19 Pandemic effective March 13, 2020.  Along with that proclamation, came the invocation of Alabama’s Emergency Management Act.  When the state of emergency ended, so did the waivers or suspension of state regulatory requirements that were afforded to healthcare providers operating during the pandemic.  Due to the spike in COVID-19 cases, which appear to be related to the Delta variant, Governor Ivey proclaimed a new State of Emergency effective August 13, 2021.  Why does this matter?  Because many of the expired waivers that allowed for flexibilities for healthcare providers have now been renewed under the new State of Emergency.

Under Governor Ivey’s August 13 proclamation and pursuant to the authority granted to her under the Emergency Management Act, she cut “red tape for health care providers.”  The emergency proclamation removes barriers to allow additional healthcare providers and resources to address the surge in cases and is focused primarily on staffing at acute care hospitals.  The following apply to general acute care hospitals, critical access hospitals or specialized hospitals licensed by the Alabama Department of Public Health:  

  • A hospital’s chief of the medical staff or medical director may collaborate with or supervise an unlimited number of certified registered nurse practitioners (CRNP), certified nurse midwives (CNM); physician assistants (PA) and anesthesiology assistants (AA), and provide direction to an unlimited number of certified registered nurse anesthetists (CRNA);
  • CRNPs, CNMs, PAs and AAs working under the supervision of the chief of the medical staff at a hospital may implement the standard protocol and formulary approved by the Alabama Board of Medical Examiners;
  • CRNAs under direction of, and AAs under registration with, a hospital’s chief of the medical staff or medical director or his/her physician designee, are authorized to determine, prepare, monitor or administer legend and controlled medications for performance of anesthesia-related services, airway management (related or unrelated to anesthesia), and other acute care services within their scope of practice.
  • CRNPs, CNMs and CRNAs who possess an active, unencumbered nurse license or equivalent advanced practice approval issued by an appropriate licensing board of another state, the District of Columbia, or Canada, are authorized to practice in covered hospitals as if licensed in Alabama; and
  • Alabama’s Board of Pharmacy, Board of Nursing, Medical Licensure Commission, and State Board of Medical Examiners are authorized to adopt emergency rules to allow for expedited licensure and/or temporary permits for individuals possessing unencumbered licenses in other states.  At this time, this is limited to those practitioners providing care in inpatient units, emergency departments or other acute care units within acute care hospitals, critical access hospitals or specialized hospitals.

Another flexibility afforded under the Governor’s new proclamation is the authorization granted to the State Health Planning and Development Agency (SHPDA) to invoke the emergency rule passed last legislative session to allow for the issuance of emergency Certificates of Need.  This waiver was effective during the last Public Health Emergency to permit facilities to create alternate care sites.  Alternate care sites allow for a healthcare facility to convert parts of or entire facilities to provide care for which is not originally authorized.  For example, while hospitals struggle for placement of patients and surge capacities, these waivers would allow hospitals to create or use space not normally used for patient care or acute patient care.  Other healthcare providers may also seek waivers under the SHPDA Emergency Rule.  Under the previous health emergency skilled nursing facilities were able to transfer patients who did not require acute care but were in need of isolation and observation due to COVID to areas in a hospital not being used.  More information about alternate care sites can be found at and   

Another important aspect of the State of Emergency proclamation is the application of an alternative standard of care.  When evaluating whether a healthcare provider has breached the standard of care in a medical malpractice case, the analysis involves what a reasonable person would do in like or similar circumstances.  Under the alternative standards of care, if a provider has invoked its emergency operation plan in response to the public health emergency, it can implement alternative standards of care and those standards are “declared to be state-approved standard of care in healthcare facilities.” 

You may also recall that during the last legislative session there was an immunity statute passed to provide liability protections to healthcare providers and businesses during the COVID-19 pandemic.  This immunity statute should be unaffected by the gap between the last state of emergency ending on July 6, 2021, and the new state of emergency invoked on August 13, 2021.

The federal public health emergency (PHE) and the waivers under the U.S. Secretary of Health and Human Services Section 1135 declaration is also unaffected by the state of emergency.  The current federal PHE is set to last through October 18, 2021, with some indication from the federal administration that it will continue through the end of the year.

Angie Smith is a partner at Burr & Forman LLP and practices in the Healthcare Industry Group. Angie may be reached at (205) 458-5209 or

Posted in: Coronavirus, Legal Watch, MVP

Leave a Comment (0) →

Training, Training, Training—The First Line of Defense When it Comes to HIPAA Compliance

Training, Training, Training—The First Line of Defense When it Comes to HIPAA Compliance

By: Kelli Carpenter Fleming with Burr Forman

When it comes to HIPAA compliance efforts, the first line of defense in ensuring that protected health information is secured appropriately and compliantly is training your practice’s employees. More often than not, when an inappropriate use or disclosure of protected health information occurs, it is because an employee made a mistake. For example, the employee may have faxed the information to the wrong patient, or released records before confirming that an authorization was on file, or clicked a link in an e-mail opening the door for bad actors to gain access to the system. One way to prevent these mistakes is to train your employees on HIPAA compliance efforts, as well as easy, practical steps they can take to prevent such mistakes. However, a lot of physician practices, especially smaller ones, do not routinely train their employees on HIPAA compliance efforts. 

HIPAA training should not occur in a silo. While employees should always be trained upon hire, they should also be trained periodically thereafter. I recommend that clients conduct routine, formal HIPAA training at least once a year. I also recommend implementing less formal monthly HIPAA reminders to ensure that HIPAA remains on the forefront of everyone’s minds. In addition, if an unauthorized use or disclosure occurs, the practice should conduct training related to that incident, at a minimum for the employees involved. If a policy or procedure is changed, training should also be conducted on the revised policy or procedure. 

Whenever training is conducted, whether internally or externally, the training must be documented. The documentation should include the date the training was conducted, the employees that were trained, the topics discussed, and a copy of any training materials that were utilized. This documentation becomes extremely important if there is a breach incident or an investigation by OCR.

All physician practices should strengthen their first line of defense when it comes to HIPAA compliance by ensuring that their employees are properly and periodically trained. 

Kelli Fleming is a Partner at Burr & Forman LLP and practices exclusively in the firm’s Healthcare Practice Group. Kelli may be reached at (205) 458-5429 or

Posted in: HIPAA, Legal Watch, MVP

Leave a Comment (0) →

OSHA Issues COVID-19 Emergency Temporary Standard (ETS) for the Healthcare Industry

OSHA Issues COVID-19 Emergency Temporary Standard (ETS) for the Healthcare Industry

The Occupational Safety and Health Administration (OSHA) issued an Emergency Temporary Standard (ETS) for the healthcare industry on June 21, 2021.[1]

The Occupational Safety and Health Act (“the Act”) passed in 1970 and created OSHA to administer the Act. It has been thirty-eight years since OSHA issued its last ETS. That ETS was issued in 1983, covered asbestos, and was eventually struck down by a federal court.

The Act generally covers most employers, with some specific employers, such as “State(s) and political subdivision of a state,” being specifically excluded from OSHA’s jurisdiction.[2]  OSHA determined that COVID-19 causes health care industry employers and their employees to be in “grave danger,” which is the legal requirement allowing OSHA to issue an ETS.  Along with the ETS, OSHA issued General COVID-19 Guidance to most other workplaces, which followed the CDC’s guidance on COVID-19 in the workplace.  

The ETS generally applies to any workplace where employees provide healthcare services or healthcare support services, except for some specific exclusions such as retail pharmacies; home health care settings where all non-employees are screened prior to entry; healthcare support services not performed in a healthcare setting (e.g., off-site laundry); and telehealth services performed outside of a direct patient care setting.  Other exemptions include allowing employees to work from home and exemptions for those employees who cannot be vaccinated because of medical or religious reasons. One exemption could possibly apply to some physicians’ offices.  This exemption reads in full, “Non-hospital ambulatory care settings where all non-employees are screened prior to entry and people with suspected or confirmed COVID-19 are not permitted to enter those settings.”[3] More on this later.

It is clear that the ETS generally applies to physicians’ offices, as physician’s offices are used as examples in various parts of the ETS.[4]  However, employers with 10 or fewer employees have fewer requirements under the ETS.  For example, employers with more than 10 employees must have a written COVID-19 plan for each workplace. Employers with 10 or fewer employees must have COVID-19 plans, but the plan is not required to be in writing. OSHA’s plan is to include updates to the ETS as needed.  

The ETS covers the following subjects, as they relate to employment activities of health care workers in the health care industry:

COVID-19 Plan

Patient screening and management

Respiratory protection


Ventilation of rooms and buildings

Health screening and medical management

Physical barriers

Physical distancing

Hand hygiene and cleaning

Record keeping


Following is a brief discussion of each of the ETS requirements.

COVID-19 Plan.

Employers must have a plan to minimize the transmission of COVID-19 in the health care workspace.  Employers with more than 10 employees must have a written COVID-19 Plan.

Patient Screening and Management.

In settings where direct patient care is provided, employers must limit and monitor points of entry, screen and triage all non-employees entering the setting, and implement other patient management as necessary, including developing and implementing procedures regarding standard transmission-based precautions.

Respiratory Protections.

Employers must provide the personal protective equipment (PPE) necessary to protect employees, at no cost to the employees.


Employers must ensure and document that each employee receives training on the ETS, in a language and at a literacy level the employee understands.  Training should include various topics pertinent to COVID-19 safety measures, such as COVID-19 transmission and employer policies and procedures regarding COVID-19 transmission.

Ventilation of Rooms and Building.

HVAC systems should be operating at maximum efficiency, per the manufacturer’s recommendations.  Air filters that remove particles and aerosols that can transport the COVID-19 virus should be used where the HVAC system can accommodate the filters.

Health Screenings and Management.

All employees must be screened every day they work in a health care setting.  This can be accomplished by the employees answering questions before entering the workplace, or by the employee self-evaluating prior to entering the workplace. Where appropriate, employees must be kept from the workplace or removed from work (e.g., an employee develops a fever, cough and loss of the sense of taste while at work and is asked to leave). Employees must be informed of possible COVID-19 exposures (e.g., told of an employee (without giving their name) who has developed fever, cough and loss of the sense of taste at work, and is sent home). There are mandatory paid leave provisions for employees who develop COVID-19, or who must stay out of work because of a COVID-19 exposure, which are in addition to other employee paid leave provisions already in place for employers. Employees must be paid for the time they take while at work to be vaccinated against COVID-19, and for the day after receiving a vaccination, where there is a physical reaction to the vaccine.  

Physical barriers.

These include Plexiglas barriers when patients initially check in the office and between workers who must work at specific locations (e.g. computer billing) most of their workday.

Physical Distancing.

This is also referred to as “social distancing.”  Where there is room, employees should maintain at least six feet of distance between themselves and other employees (e.g., employee break rooms).

Hand Hygiene and Cleaning.

Hand hygiene and cleaning work together to reduce the spread of the COVID-19 virus. Offices and clinical spaces should be cleaned at least daily, and handwashing should occur between patient encounters.

Record Keeping and Reporting.

For employers covered by OSHA standards, there are already record-keeping requirements in place. Additional record-keeping and reporting are added by the ETS for employees who test positive for COVID-19 and employees who die because of a COVID-19 infection. Employers with more than 10 employees must keep a log of any employee diagnosed with COVID-19, whether or not the infection arose because of an occurrence at work.

This article began with an introduction to one of the exemptions that could possibly keep a physician’s office from having to comply with the ETS. That exemption reads “Non-hospital ambulatory care settings where all non-employees are screened prior to entry and people with suspected or confirmed COVID-19 are not permitted to enter those settings.”[5] Those physician’s offices that could operate under this provision — no suspected or confirmed COVID-19 patients or employers are allowed to enter the office — would be able to operate as they have in the past in regard to OSHA requirements. However, there are legal pitfalls with using this exemption to avoid compliance with the ETS.  For example, many surgeries require office follow-up. If a surgeon refused to see a patient who developed COVID-19 after surgery, but before the office follow-up, the patient could make a claim of abandonment.  There are other risks with this course of action, and many physicians could ill afford to refuse to see patients “suspected” of having COVID-19.  There may be ways to stay within the exemption; however, careful thought will need to be given for each patient in a similar situation. For instance, perhaps the post-surgery patient could be seen in a hospital ER, or evaluated/examined through a telehealth appointment, rather than in the surgeon’s office.  


As is often the case, the ETS has been issued almost beyond the point of usefulness. Physician offices, health care facilities, and other health care providers are going on two years of their response to the COVID-19 pandemic. To mandate changes to their well-established COVID-19 precautions at this time is disruptive, to say the least; and it places additional administrative burdens on employers subject to OSHA, without adding much, if any, additional value. Nevertheless, physician’s offices and others are well-advised to take the ETS seriously because it will likely be the subject of complaints, investigations, and audits by OSHA. OSHA investigates complaints of violations of federal law based upon anonymous employee complaints and random “audits” of employer compliance and has indicated it will enforce the ETS using both of these methods.

[1] Occupational Exposure to COVID-19; Emergency Temporary Standard, 86 Fed. Reg. 32376, available at

[2] 29 U.S.C. § 652(5). 

[3] 29 C.F.R. § 1910.502(a) (2) (iii).

[4] 29 C.F.R. § 1910.502(a), n. 2.

[5] 29 CFR Section 1910.502(a) (2) (iii).

Posted in: Legal Watch, MVP

Leave a Comment (0) →

Potential HIPAA Changes That Would Allow Healthcare Providers to Disclose Phi and Better Protect Patients

Potential HIPAA Changes That Would Allow Healthcare Providers to Disclose Phi and Better Protect Patients

by Lindsey Phillips, Burr & Forman

On December 10, 2020, the Office for Civil Rights (“OCR”) at the United States Department of Health and Human Services (“HHS”) announced proposed changes to the regulations implementing the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The proposed changes, which are set out in the Notice of Proposed Rulemaking (“NPRM”), are a part of the broader initiative to promote value-based care, enable better coordination among healthcare providers, and facilitate patient autonomy and engagement. 

One key theme found in the NPRM that will likely enable better coordination among healthcare providers and potentially increase patient safety is expanded permission to disclose protected health information (“PHI”) to third parties in emergency situations. For example, under the proposed changes, covered entities would be allowed more flexibility to disclose PHI in emergencies like a mental illness and substance abuse crisis. The current standard for disclosure of PHI in an emergency or health crisis is based on the covered entity’s “professional judgment.” This standard has often left covered entities unsure as to when a disclosure is permitted. The proposed modification relaxes this standard slightly in that it would allow a covered entity to disclose PHI in an emergency situation or health crisis when the covered entity has a good faith belief that the disclosure is in the best interest of the individual. A good faith belief could be based either on direct knowledge of relevant facts or representations by a person who can reasonably be expected to know relevant facts. For example, OCR has provided the following scenarios:

Good faith would permit a licensed health care professional to draw on experience to make a determination that it is in the best interests of a young adult patient, who has overdosed on opioids, to disclose relevant information to a parent who is involved in the patient’s treatment and who the young adult would expect, based on their relationship, to participate in or be involved with the patient’s recovery from the overdose. Likewise, front desk staff at a physician’s office who have regularly seen a family member or other caregiver accompany an adult patient to appointments could disclose relevant information to the family member or caregiver as a way of checking on the welfare of the patient, when a patient misses an appointment, based on the staff’s knowledge of the person’s involvement and a good faith belief about the patient’s best interest.

But not only would covered entities be allowed more flexibility to disclose PHI when individuals are experiencing emergencies or health crises, they would also be allowed more leniency to disclose PHI to avert a threat to safety. While covered entities are currently allowed to disclose PHI to prevent threats to health and safety, the current standard is considerably more stringent in that it allows the disclosure of PHI to avert a threat to health or safety only when the threat is “serious and imminent.” Under the changes proposed in the NPRM, covered entities could make a disclosure when the threat is “serious and reasonably foreseeable.” OCR has stated that “[a]dopting a ‘serious and reasonably foreseeable’ standard can enable a health care provider to timely notify a family member that an individual is at risk of suicide, even if the provider cannot predict that a suicide attempt is ‘imminent.'” In addition, “[a]n emergency room doctor who sees an elderly patient with COVID-19 could contact the patient’s nursing home to alert them of the potential exposure of other residents and staff based on the serious and reasonably foreseeable threat of infection with COVID-19 without delay caused by the need to assess whether the threat is sufficiently ‘imminent’ to permit the disclosure.” 

These proposed modifications provide additional clarity regarding PHI disclosures that would assist in the Department’s initiatives to increase coordination among healthcare providers and ultimately improve patient safety. Both of these proposed changes would hopefully empower covered entities to disclose PHI in situations where there is a genuine belief that harm is likely without being fearful of HIPAA penalties because the harm was not imminent.

Lindsey Phillips is an associate at Burr & Forman LLP practicing exclusively in the firm’s Healthcare Industry Group. 

Posted in: HIPAA, Legal Watch, MVP

Leave a Comment (0) →
Page 1 of 7 12345...»