Archive for Legal Watch

Avoid Fines and Penalties by Timely Responding to Requests for Patient Records


By: Angie Cameron Smith, Burr & Forman LLP

The Office of Civil Rights (“OCR”) routinely makes announcements about enforcement actions taken against healthcare providers. One such enforcement action is a civil money penalty (“CMP”) related to a provider’s failure to timely comply with a request for medical records from a patient. So far in 2024, OCR has fined two providers $100,000 or more for failing to timely respond to a patient’s right to access medical records. Although the penalties OCR may impose range from $100 per violation to $50,000 per violation, in the two recent cases, OCR determined that the violations were due to “reasonable cause” and not willful neglect. “Reasonable cause” means that the provider knew, or by exercising reasonable diligence would have known, that the failure to provide access violated the regulation, but did not act with willful neglect. These two providers received CMPs of $1,000 per day for each day they failed to provide access to the records. In addition to the fines, those providers were required to have a corrective action plan approved by OCR and undergo monitoring by OCR. To avoid similar fines and penalties, it is important that physician practices timely respond to requests from patients for copies of their medical records.

Under the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (“HIPAA”), a covered entity, which includes healthcare providers, must respond within 30 days of receipt of a patient’s request for access to records.[1] Although it seems fairly straightforward, healthcare providers can run afoul of the rule if they or their staff fail to recognize the importance of responding to such requests.

What is a Patient’s Right to Access?
HIPAA “requires HIPAA covered entities to provide individuals, upon request, with access to the protected health information (“PHI”) about them in one or more ‘designated record sets’ maintained by or for the covered entity.”[2] The right to access includes inspecting or obtaining a copy, or both, and it also allows the patient to direct that the healthcare provider give the copy to a designated individual or entity. If the patient directs the provider to send the PHI to another person, the request must be in writing, signed by the patient, and clearly identify the designated person and where to send the PHI.

Patients have a right to access their PHI for as long as the information is maintained by the provider, regardless of the date the information was created; whether the information is maintained in paper or electronic systems onsite, remotely, or is archived; or where the PHI originated (e.g., whether it originated with the provider, another provider, etc.).

What is the “medical record”?
HIPAA defines the “designated record set” as the group of records maintained by or for the healthcare provider that includes medical records and billing records and “other records that are used, in whole or part, by or for the [healthcare provider] to make decisions about patients.”

The rule does not require that a provider create new information or explanatory materials that are not already in the designated record set.

Can you deny a request?
Certain information is excepted from the right to access, including psychotherapy notes and information compiled for civil, criminal or administrative actions. Note that in one of the recent enforcement actions, the provider did not provide the individual with access to the requested information and asserted to OCR that it did so because the provider had filed a lawsuit against the patient for failure to pay. This was not sufficient to justify denying access to the records.

Additionally, if the provider believes access to the information could cause harm to the patient or another person, the provider can refuse to provide the record.

What if it takes longer to compile the records?
Due to the use of electronic medical records, OCR’s guidance states that the 30-day timeframe is the outer limit and that providers should respond as quickly as possible. However, the regulation acknowledges that there may be instances where a provider cannot meet the 30-day turnaround. In those instances, within the initial 30-day period, the provider must send a written statement to the patient providing the reason for the delay and the date by which the records will be provided, which cannot be longer than an additional 30 days. A provider can only have one 30-day extension.

What if the patient is deceased?
Someone other than the patient can request access to the medical records of a patient, even if the patient is deceased. Under the Rule, an individual’s “personal representative” has the right to access PHI about the individual consistent with the scope of that person’s authority as personal representative. Verification of the person’s ability to act as the “personal representative” should always be obtained.

What’s the difference between the right to access and an authorization to release?
Healthcare providers may receive an “authorization” to release medical records or PHI to a third party. This is different from the patient requesting access to his own medical record. A provider is not required to disclose PHI pursuant to an authorization, and there is no required timeframe within which the provider must respond if it chooses to provide the requested information.

Resources to use in developing policies and procedures
OCR has a set of Frequently Asked Questions on its website to address many of the common issues that arise with HIPAA and specifically with the “Right to Access” provisions, which can be a great resource: https://www.hhs.gov/hipaa/for-professionals/faq/index.html.

Every practice should have HIPAA policies and procedures that include how the practice handles requests for records to ensure that those requests are processed timely and correctly.

[1] 45 CFR 164.524
[2] https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html

Angie Smith is a Partner at Burr & Forman LLP practicing exclusively in the Healthcare Practice Group. Angie may be reached at (205) 458-5209 or asmith@burr.com.

Posted in: Legal Watch


FTC’s Non-Compete Ban Blocked by Federal Judge


By: H. Carlton Hilson, Amy Jordan Wilkes, and Gabrielle Jeffreys, Burr & Forman LLP

On August 20, 2024, a federal judge in Texas blocked a Federal Trade Commission (FTC) final rule from taking effect that would effectively ban most employee non-compete agreements. The rule, which was set to take effect on September 4, 2024, would have prevented employers from entering into or enforcing non-compete agreements with the vast majority of employees and required employers to provide written notice to current and former employees that their non-compete agreements are no longer valid.

The court’s 27-page opinion blocking the rule concluded that the “FTC lacks statutory authority to promulgate the Non-Compete Rule and that the Rule is arbitrary and capricious.”
Specifically:
– The FTC exceeded its statutory authority in promulgating the Non-Compete Rule because it lacks substantive rulemaking authority with respect to unfair methods of competition; and
– The rule is arbitrary and capricious because “it is unreasonably overbroad without a reasonable explanation[;]” “is based on inconsistent and flawed empirical evidence, fails to consider the positive benefits of non-compete agreements, and disregards the substantial body of evidence supporting these agreements[;]” and “the FTC failed to sufficiently address alternatives to issuing the rule.”

Ultimately, the court “set aside” the Non-Compete Rule because it determined the FTC’s promulgation of the rule was an unlawful agency action, which means the rule will not be enforced or take effect on September 4, 2024 as anticipated.

Although the Non-Compete Rule has been set aside, the FTC has indicated it is considering a potential appeal and reminded employers that the decision does not prevent the FTC from addressing non-compete agreements through case-by-case enforcement actions. Thus, employee non-compete agreements will still face increased scrutiny. Accordingly, employers should undertake a careful review of their non-compete agreements and other agreements containing restrictive covenants to ensure they are compliant with applicable federal and state law.


H. Carlton Hilson, Amy Jordan Wilkes and Gabrielle Jeffreys are Partners at Burr & Forman LLP.

Posted in: Legal Watch, MVP


The FTC Expands Notification Requirements for Health Breaches on Health Apps


By: Ashton Brock, Burr & Forman LLP

On April 26, 2024, the Federal Trade Commission (FTC) published a final rule aiming to clarify the current Health Breach Notification Rule (HBN Rule), giving greater protections and expanding breach notification requirements for vendors of personal health information who are not regulated by HIPAA. According to the FTC, this final rule is designed to strengthen and modernize the HBN Rule by clarifying its applicability to health apps and other similar technologies and expanding the information that covered entities must provide to consumers when notifying them of a breach of their health data.

To start, the FTC first developed a breach notification rule for consumer-facing entities that are not HIPAA covered entities or business associates in 2009, when the American Recovery and Reinvestment Act of 2009 granted it the rulemaking authority to do so. The FTC’s first version of its HBN Rule was limited. Although limited, its goal was to hold accountable those entities existing in the market that offered personal health record (PHR) services which were not covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This first rule required that PHR related entities notify impacted consumers, the FTC, and, in some cases, the media of a breach of unsecured personally identifiable health information.

Now however, the FTC has clarified and expanded the initial rule to broaden protections and notice requirements to include health apps and similar technologies. As such, physicians should pay particular attention to this updated HBN Rule if they are involved in the development of apps or in any way related to the information that is collected on these apps. Specifically, the updated rule finalized changes that include: 

  • Revising definitions of “PHR identifiable health information” and adding two new definitions for “covered health care provider” and “health care services or supplies;”
  • Clarifying what a “breach of security” is, to state that it includes unauthorized acquisition of identifiable health information that occurs as a result of a data security breach or an unauthorized disclosure;
  • Revising the definition of a PHR related entity. This is two-fold, starting with making clear that the final rule covers entities that offer products and services through online services, including mobile applications, of vendors of PHRs, and then further makes clear that only entities that access or send unsecured identifiable health information to a PHR — rather than entities that access or send any information to a PHR — qualify as PHR related entities; 
  • Clarifying what it means for a PHR to draw PHR identifiable health information from multiple sources;
  • Expanding consumer notice requirements, now stating that the notice must include the name or identity (or, where providing the full name or identity would pose a risk to individuals or the entity providing notice, a description) of any third parties that acquired unsecured PHR identifiable health information as a result of a breach of security; 
  • Changing the time requirement, stating that for breaches involving 500 or more individuals, covered entities must notify the FTC at the same time they send notices to affected individuals, which must occur without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach of security; and 
  • Improving the rule’s readability to promote compliance.

All in all, the final rule seeks to clarify and broaden the reach of the HBN Rule to keep up with the ever-changing innovations in the healthcare industry. This includes health apps or websites that offer products or services solely through online services or mobile applications and that both send and receive identifiable health information, like fitness trackers and wearable blood pressure monitors. Now, these apps or websites are required to alert their vendors of their status as a PHR related entity or vendor of PHR in order to put vendors on notice of the potential implications under the Rule.

The final rule becomes effective 60 days after publication in the Federal Register. With breaches of the HBN Rule subject to civil penalties under Section 18 of the FTC Act, physicians should immediately review the final rule’s requirements if they have not already done so. For the full rule, see https://www.ftc.gov/legal-library/browse/rules/health-breach-notification-rule.

Ashton Brock is an Associate at Burr & Forman LLP. Ashton may be reached at (205) 458-5340 or abrock@burr.com.

Posted in: Legal Watch, Technology


Court Issues Ruling in Abortion Prosecution Lawsuits


In the latest fallout from the US Supreme Court Dobbs decision, on Monday, May 6, 2024, Judge Myron Thompson of the US District Court for the Middle District of Alabama issued an order granting in part and denying in part Alabama Attorney General Steve Marshall’s Motion to Dismiss two federal court actions alleging violations of the constitutional rights of the plaintiffs, their staff, and their clients. The suits were filed after Marshall publicly stated an intent to prosecute under a criminal conspiracy statute enacted in 1896 any individuals or entities who transport or otherwise provide aid to Alabama women seeking to obtain abortions in states where abortion is legal. Three separate plaintiffs brought suit in two cases, collectively alleging violations of the First Amendment, the right to travel between states, the jurisdictional authority of a state, the overbreadth doctrine, and the right to fair notice for due process.

The Attorney General’s Motion to Dismiss was primarily based on the argument that the plaintiffs in all three cases lacked standing to bring the actions themselves, and where applicable, lacked standing to bring actions on behalf of their staff or clients. The Court reserved judgment on whether the constitutional right to travel applied to the one non-individual plaintiff, but otherwise sided with the plaintiffs on the standing issue.

Of the constitutional claims presented, the Court granted the Motion to Dismiss as to two of them. One of the plaintiffs claimed that the interpretation of the state conspiracy statute on which the Attorney General relied for the authority to prosecute is unconstitutionally overbroad, but offered no facts in support of that assertion, and therefore, that claim was dismissed. Similarly, a plaintiff’s fair-warning due process claim was dismissed as premature because there has not yet been a prosecution under the law. For all of the other pending constitutional claims, the Court either denied the Motion to Dismiss or reserved judgment, which served as a denial in effect. Because only two constitutional theories were dismissed, the claims are still pending in federal court, along with a Motion for Summary Judgment filed by the Plaintiffs. Although the cases await final resolution, the Court’s partial denial of the Attorney General’s Motion to Dismiss and accompanying opinion dealt a substantial blow to the constitutionality of prosecuting individuals who aid others in obtaining legal abortions outside of Alabama.

Posted in: Legal Watch


Tracking A Patient’s Every Move: HIPAA Compliance Risk


By: Kelli Fleming with Burr & Forman LLP

The Health and Human Services Office for Civil Rights (“OCR”) recently published a guidance bulletin addressing the use of online tracking technologies by entities covered by HIPAA, including but not limited to physician practices.

A tracking technology is used to collect information about how online users interact with websites or mobile applications. For example, have you ever wondered why, after you search for a product on Google, it automatically appears as an ad in your social media for the next few days? That is the result of a form of tracking technology.

When used by healthcare providers, the information that is collected by way of a tracking technology may be considered protected health information (“PHI”) covered by HIPAA. If a healthcare provider utilizes a tracking technology vendor to gather and analyze information, including information about patients, the provider must ensure that the release of the information to the vendor is compliant with HIPAA and is not an impermissible use or disclosure. 

In the recent bulletin, OCR clarified that individually identifiable information “collected on a regulated entity’s website or mobile app generally is PHI, even if the individual does not have an existing relationship with the regulated entity and even if the [information] does not include specific treatment or billing information like dates and types of healthcare services.” 

Covered entities that operate a user-authenticated webpage (i.e., a website that requires a log-in) should only allow tracking technologies to use and disclose information in compliance with HIPAA, including in a secure manner. In order to comply with HIPAA, the covered entity must either enter into a Business Associate Agreement (“BAA”) with the vendor, or obtain patient authorization for such use and/or disclosure. Disclosing PHI to tracking technology vendors based solely on informing individuals of such use in the website’s privacy policy or terms of use is not sufficient, nor is merely accepting or rejecting cookie use. There must be either a valid, HIPAA compliant patient authorization or a BAA, and the use and/or disclosure must be permissible under HIPAA. For example, a disclosure to a tracking vendor for marketing purposes, without an authorization, would be impermissible.

Covered entities using a website that is not user-authenticated (i.e., does not require a log-in) need to determine if any of the information obtained by the tracking vendor would be individually identifiable and constitute PHI. If so, a BAA and compliance with HIPAA would be required. However, the determination as to whether or not PHI is being collected by the vendor is not always clear and may not necessarily be known by the provider. OCR provides the example that if a student is writing a term paper regarding oncology services and visits a hospital’s oncology services webpage, information tracked in connection with that website visit would not be considered PHI. However, if a patient were looking at the same page regarding oncology services to seek a second opinion on treatment options for a brain tumor, information tracked in connection with that website visit would be considered PHI. It would be difficult, if not impossible, for providers to determine the purpose of the visit.

Thus, based on the recent OCR guidance, if a covered entity is utilizing tracking technologies on its websites, in my opinion, the provider should always act as if PHI is being tracked and enter into a BAA with the vendor and ensure the use/disclosure is appropriate under HIPAA.

Kelli Fleming is a Partner at Burr & Forman LLP practicing exclusively in the Healthcare Practice Group. Kelli may be reached at (205) 458-5429 or kfleming@burr.com.

Posted in: HIPAA, Legal Watch, Technology


What’s Behind the Curtain? Federal Agencies Seek Transparency Regarding Health Provider Ownership


By: Jessie L. Bekker, Burr & Forman LLP

Market analysts reported a decline in mergers & acquisitions in the health care industry in 2023 as compared to pre-pandemic trends—a perhaps unsurprising development amid 7% or higher interest rates. The federal government, however, is now taking notice of who’s behind the ongoing trend toward health care consolidation.

On March 5, three federal departments—the Department of Justice (DOJ), Department of Health and Human Services (HHS), and Federal Trade Commission (FTC)—published a request for information seeking public input into the effects private equity transactions have on patients, payers and providers, a request driven by a concern “that some transactions may generate profits for those firms at the expense of patients’ health, workers’ safety, quality of care, and affordable health care for patients and taxpayers.”

The DOJ/HHS/FTC request for information is just the latest in a line of federal inquiries into the ownership and control of providers and suppliers across the health care industry. The Centers for Medicare & Medicaid Services (CMS) published a request for information in January related to Medicare Advantage data, including data regarding “the impact of mergers and acquisitions” and “the effects of vertical integration.” In December, President Joe Biden announced the publication of ownership information regarding Medicare-enrolled federally qualified health centers and rural health clinics. November brought new requirements regarding nursing home ownership and control reporting through a new final rule published by CMS. And of course, the Corporate Transparency Act, which took effect on January 1, 2024, requires that nearly all business entities within and outside of the health care industry report their ownership and control interests to the Department of Treasury’s Financial Crimes Enforcement Network, a requirement that reflects the agency’s effort to track down fraudulent money laundering activity.

Despite plateauing merger and acquisition activity in 2023, analysts predict 2024 could be the year of physician practice acquisitions and health system consolidation. Reports indicate that physician specialties including dermatology, cardiology, orthopedics and plastic surgery may see an increase in investor interest. Others predict investor interest in behavioral health providers. In any event, it’s unlikely the federal government’s interest in merger & acquisition activity will wane. In its request for information, the DOJ, HHS and FTC request public input related to both direct acquisitions by private equity funds and “transactions structured to facilitate private equity investment, circumventing applicable corporate practice of medicine restrictions.” The agencies’ request also seeks information regarding vertical integration, where a health system buys up health providers across the care continuum, from ambulatory surgery centers to nursing facilities.

The agencies are not just interested in who is behind the transaction, but how it affects patients, payers, providers and employers on a variety of metrics including the cost and quality of care, reimbursement rates, provider compensation models and changes in facility choice.

The DOJ/HHS/FTC request for information is open to public comment until May 6, 2024. Comments can be submitted at https://www.regulations.gov/docket/FTC-2024-0022.

While the requests from CMS and the DOJ, HHS and FTC don’t create affirmative requirements of providers today, both the Corporate Transparency Act and CMS’ latest final rule on nursing home ownership and control reporting generate new reporting obligations.

The Corporate Transparency Act will require most physician practices existing as of January 1, 2024 to report certain information to the federal government by the end of the year, including reporting of a practice’s ownership interests and the individuals who control the entity’s decision-making. Among other required reports, the Financial Crimes Enforcement Network, or FinCEN, seeks information regarding an entity’s beneficial owners—those who own or control at least 25% of ownership interests of a reporting company, and those who exercise “substantial control” over a reporting company. Entities that form in 2024 will be required to make reports to FinCEN within ninety (90) days of formation. Practice managers and administrators are encouraged to seek counsel from their accountants and attorneys regarding the new reporting requirements under the Corporate Transparency Act. FinCEN’s Small Entity Compliance Guidance, which details the reporting requirements, can be found at https://www.fincen.gov/boi/small-entity-compliance-guide.

For nursing facilities, the new ownership and control information will be reported on a revised version of the Form CMS-855A, the Medicare enrollment application for institutional providers, which CMS has yet to publish. The revised form is expected to reflect the final rule’s new mandated reporting requirements. Skilled nursing facilities (SNF) and Medicaid-enrolled nursing facilities should expect to report information regarding their governing bodies, officers, directors and managing employees, including SNF medical directors and administrators. The new rule also requires reporting of “additional disclosable parties,” including, but not limited to, people and entities who: exercise financial control over the facility; lease or sublease real property to the facility; and provide management, administrative, clinical consulting and financial or accounting services to the facility. Facilities should discuss the new requirements, including the timing of the report, with their advisors.

Jessie L. Bekker is an attorney at Burr & Forman LLP practicing exclusively in the firm’s healthcare practice group. Jessie can be reached at jbekker@burr.com or (205) 458-5275.

Posted in: Legal Watch, MVP


Statement by the Medical Association of Alabama on the Recent Alabama Supreme Court Ruling on the Legal Status of Embryos


The Medical Association of the State of Alabama expresses concern over the recent Alabama Supreme Court decision regarding the legal status of embryos, as it relates to In-Vitro Fertilization (IVF) procedures that may result in a woman becoming pregnant. 

The significance of this decision impacts all Alabamians and will likely lead to fewer babies—children, grandchildren, nieces, nephews, and cousins—as fertility options become limited for those who want to have a family.

In addition, the ruling has already forced UAB, the largest healthcare system in the State of Alabama, to stop providing IVF services to Alabama couples. Others will likely do the same, leaving little to no alternatives for reproductive assistance. IVF is oftentimes the only option for couples wanting to conceive.

In closing, we ask that the Alabama Supreme Court stay or revisit their ruling to ensure continued access to IVF care in Alabama.

Posted in: Legal Watch, Official Statement


OCR Issues Guidance on Visitation Discrimination in Hospitals and Long Term Care Facilities


By: Angie C. Smith, Burr & Forman LLP

Visitation in long-term care facilities and hospitals received a lot of attention during COVID because of facility closures that led to limited visitation, and it is now a topic of interest for the Office of Civil Rights (OCR) due to discrimination concerns. On January 25, 2024, OCR issued guidance to hospitals and long-term care facilities to clarify obligations of those providers to ensure religious non-discrimination for patient visitation.

Under federal law, hospitals, long-term care facilities, and critical access hospitals are prohibited from restricting, denying or in any way limiting visitation to patients on the basis of race, color, national origin, religion, sex, gender identity, sexual orientation, or disability. Additionally, provisions of the Affordable Care Act and Section 504 of the Rehabilitation Act prohibit any type of discrimination in certain federally funded programs and activities. In order to be in compliance, providers are required to have policies and procedures to prohibit discrimination. In fact, when becoming a Medicare provider, healthcare providers certify to the federal government that they are in compliance with these non-discrimination laws.

Although the Centers for Medicare and Medicaid Services (CMS) is the agency that oversees compliance with the regulations cited above, CMS has delegated its authority to enforce the regulations pertaining to discrimination in visitation to OCR. Following this delegation, OCR issued a set of frequently asked questions (FAQs) to serve as guidance for hospitals and long-term care facilities. Additionally, OCR held a call with stakeholders on February 6, 2023, to further discuss its guidance. Below are the key topics covered by OCR.

  1. What constitutes visitation?
    The FAQ states that patients and residents have the right to receive visitors of
    their choosing, but it also noted that patients and residents can withdraw or deny
    consent to any visitor. A visitor includes, but is not limited to, a spouse or
    domestic partner, same-sex spouse or domestic partner, another family member or
    friend, and clergy minister or other faith leader.
    The guidance also reminds providers of their obligations to allow individuals with
    disabilities access to support persons, which is separate and apart from an
    individual’s right to visitors.
  2. Which facilities are covered by the visitation requirements?
    The guidance specifically references the regulations pertaining to hospitals,
    including critical access hospitals, and long-term care facilities, but it also
    referenced federal non-discrimination laws that apply to all entities receiving
    federal funding. Those laws prohibit entities receiving federal assistance from
    excluding an individual from participating in, denying an individual the benefits
    of, or otherwise discriminating against an individual in the entity’s programs and
    activities. Therefore, even those providers who may not be covered by the
    visitation requirements should review the guidance.
  3. Which patients are covered by these rights?
    Patients and residents protected by the visitation rights are not limited to Medicare
    and Medicaid beneficiaries. All patients or residents receiving services from
    Medicare and Medicaid-certified facilities are covered by this guidance, and the
    right to visitation and non-discrimination applies to all patients and residents,
    regardless of whether their hospitalization or residency is being paid for by
    Medicare or Medicaid.
  4. What are the notification obligations of the facilities?
    Hospitals and long-term care facilities are required to inform patients and
    residents of their visitation rights, which should include any information related to
    clinical limitations or restrictions on such visitation. These providers must also
    have written policies and procedures related to visitation that include any
    clinically necessary or reasonable restriction or limitation that the provider may
    need to place on the visitation rights of a patient and the reasons that would
    support clinical restrictions or limitations.
    As mentioned above, OCR recognizes that there may be clinical reasons that
    visitation with a patient must be restricted or limited, and OCR’s FAQs make it
    clear that any such restriction or limitation must be “clinically necessary” or
    “otherwise reasonable.” Examples provided were limiting visitation hours or the
    number of visitors at a time. However, it is important that any type of limitation
    or restriction be objective and not based on any stereotype or assumption. It
    should also be clearly outlined in the facility’s policies related to visitation.
    OCR states in the FAQs that a provider has a responsibility to provide auxiliary
    aids and services to individuals with a disability in order to provide equal
    opportunity to participate or benefit from the services provided, which would
    include the ability to have visitation. According to the FAQs, a policy that only
    allows for video remote interpretation instead of in-person interpreter “may
    violate” certain non-discrimination laws, if an in-person interpreter or reader is
    necessary for effective communication.
  5. What might constitute a discriminatory denial of visitation?
    If a policy or procedure subjects certain classes of visitors to additional screening
    or if it prohibits certain classes of visitors and not others on the basis of race,
    color, national origin, religion, sex, gender identity, sexual orientation, or
    disability. Examples given were as follows:
    1. A facility prevented a family member from bringing a patient kosher or
       halal food to meet the patient’s religious dietary restrictions while
       allowing other visitors to bring non-religious food items to patients.
    2. Members of certain religious groups were subjected to more rigorous
       screening or denied visitation.
    3. Policies that would prohibit clergy or religious leaders from meeting with
       the patient.
  6. Does a facility’s chaplain program affect the right to visitation by other faith
    leaders?
    Even if the facility has a chaplaincy program, it must still allow other types of
    religious or faith leaders to visit patients, if the patient requests such visitation.
    Likewise, a facility must abide by a patient’s choice to deny visitation to clergy or
    religious leaders.

Conclusion/Takeaway
Typically, when OCR issues guidance on a particular topic, we see corresponding scrutiny from
regulators and government enforcement agencies. Therefore, providers should take this
opportunity to review their visitation policies for compliance with the guidance and ensure staff
are educated on those policies.

OCR’s FAQs can be found at:
https://www.hhs.gov/civil-rights/for-individuals/special-topics/emergency-preparedness/faqs-patient-visitation/index.html


Angie Smith is a Partner at Burr & Forman LLP practicing exclusively in the Healthcare
Practice Group. Angie may be reached at (205) 458-5209 or acsmith@burr.com.

Posted in: Legal Watch


Cyber-attacks on the Rise (Once Again…)

By: Kelli C. Fleming, Esq., Burr & Forman

Cyber-attacks within the healthcare industry are continuing to rise, despite increased awareness, security measures, and training. The attacks are not only becoming more far-reaching, with each attack impacting more and more patient data, but also more frequent. Threat actors do not discriminate among victims: we are seeing reports of security breaches against physician practices, rural hospitals, and large hospital chains, as well as their business associate vendors and contractors.

At the time of drafting this article, we are only ten days into 2024, and in 2024 thus far, five breach reports have been published by the Office for Civil Rights (“OCR”) for incidents involving more than 500 individuals. The total number of individuals impacted as a result of those five incidents is over 585,000. Of those five reports, four deal with hacking/IT incidents on a network server. Of the entities reporting, one is a health plan, two are healthcare providers (a hospital and a long-term care provider), and two are business associates.

Partly as a result of this rise in cyberattacks against the healthcare industry, the Department of Health and Human Services (“HHS”) recently announced plans to increase federal funding to assist providers with training and implementing cyber-security protections. The plans also include increased fines for facilities that do not have adequate cyber-security measures in place. While the plans are in the early stages, and require additional funding and coordination among government entities, it is encouraging to see the government recognize that additional assistance is needed by the healthcare industry to thwart attacks. Providers are encouraged to monitor any guidance and assistance issued by HHS in this regard. 

In addition, OCR publishes cyber-security guidance as well as a cyber-security quarterly newsletter to help HIPAA-covered entities, including providers, to remain in compliance. The guidance and the quarterly newsletters contain helpful tips on ways to reduce the risk of a security breach. The guidance and newsletters are available at https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity/index.html. Providers are encouraged to review this guidance for helpful information on measures they can implement to reduce the risk of a cyber-attack. 

Kelli Fleming is a Partner at Burr & Forman LLP practicing exclusively in the Healthcare Practice Group. Kelli may be reached at (205) 458-5429 or kfleming@burr.com.

Posted in: Legal Watch


Updated: Remote Patient Monitoring

This article is an update to “Remote Patient Monitoring” published in the Fall 2023 edition
of the Alabama Medicine Magazine. The U.S. Department of Health and Human Services Office
of the Inspector General (“OIG”) issued a Consumer Fraud Alert related to Remote Patient
Monitoring (“RPM”) on November 21, 2023. This alert provided insight into RPM practices
subject to scrutiny by OIG.


OIG indicated that legitimate RPM includes the use of medical devices like scales, glucose
monitors, blood pressure cuffs, cardiac rhythm devices, and similar equipment to continuously
monitor patients with chronic conditions for medical anomalies within the comfort of the patient’s
home. However, there must be a medical necessity for such services for bills submitted
for RPM services to withstand enforcement scrutiny from OIG. Accordingly, to minimize the risk
of enforcement actions, providers should ensure that the need for such services is present before
setting up a patient with an RPM device.


Additionally, OIG indicated that fraudulent use of RPM occurs where billing is submitted
for set-up, patient teaching, and monthly monitoring of data and the RPM equipment does not meet
the statutory standards. For example, fraudulent RPM billing occurs when bills are submitted for
RPM services, but RPM equipment either (i) is not sent to the patient or (ii) is sent, but is not
FDA-approved. Providers should be sure that all equipment provided to their patients meets the
requisite requirements for FDA approval before submitting bills for RPM services. Additionally,
providers should ensure that patients have RPM equipment and appropriately use the equipment to
meet coding requirements before billing for any RPM services provided.


When setting up RPM services, OIG has addressed some suspect characteristics of RPM
that providers should consider. These characteristics include (i) signing patients up for RPM
services through call centers; and (ii) failing to include necessary patient consents for RPM
services in patient files. With these characteristics in mind, there are steps that providers can take
to lessen the risk of scrutiny from OIG. First, providers should be sure to maintain policies and
procedures to ensure that the proper documentation of patient consents is kept in appropriate files.
Additionally, as a best practice, providers should only set up RPM services after establishing a
patient-provider relationship, and avoid, to the extent possible, using call centers to set up RPM
services for patients.

Posted in: Legal Watch
