Archive for Legal Watch

A Physician is Leaving Your Practice – “Must Have” Employment Agreement Provisions (Part III)

Editor’s Note: The following is the final installment of a three-part series discussing important provisions in physician employment agreements.

When a physician leaves a medical practice, especially if the physician stays in the area to compete against his/her former employer, the situation can become stressful and acrimonious. During the final weeks of employment, the departing physician can start to focus more on his/her new practice to the detriment of the current employer, and disputes often arise regarding access to medical records, soliciting patients and employees and when to schedule procedures – before or after termination. We have seen both medical practices and departing physicians engage in questionable conduct in order to keep as many patients as possible. Lawyers are often engaged in negotiating the terms of separation or, in a worst-case scenario, filing or defending a lawsuit.

Over the years, we have counseled hundreds of physician practices on how to successfully navigate the various issues that arise when a physician departs, regardless of whether the physician is an employee or an owner. Careful planning on the front end through a comprehensive employment agreement is the most important element in an amicable and fair separation. More often than not, we have found that disputes and subsequent litigation can arise when the employment agreement is not properly drafted or does not adequately address the specific terms of separation.

This three-part series provides a summary of the key provisions (with sample language) that can be incorporated into a physician employment agreement to help mitigate problems when a physician leaves your practice. Since each medical practice is unique, please consult with your own attorney before using any of the provided sample provisions in a physician employment agreement.

Protecting the Practice’s Confidential Information. Especially if the departing physician will continue to practice in the same service area as the medical practice, it is very important that the practice protects its sensitive and confidential information, including medical records, charge masters and policies and procedures. As such, the employment agreement should address the confidentiality of such items. Failure to do so will make it more difficult for the medical practice to protect its sensitive information.

Physician agrees that all data and information which he/she receives from Employer, whether directly or indirectly, in connection with this Employment Agreement or Physician’s employment with Employer shall be considered confidential and proprietary information belonging solely to Employer (the “Confidential Information”). Without limiting the foregoing, “Confidential Information” shall mean any written or oral information of Employer, including, without limitation, all business or management studies, patient lists and records, financial information, Employer documents, forms, business or management methods, marketing data, fee schedules, employee and operating manuals, trade secrets as defined by the Alabama Trade Secret Act, as amended from time to time, accounting information, and any other information treated by Employer as being confidential or labeled “Confidential” by Employer. Physician shall hold such Confidential Information in strictest confidence and shall not make use of such Confidential Information except in the performance of his/her services for Employer. Physician shall not disclose, distribute or otherwise divulge such Confidential Information to any other third-party without the prior written consent of Employer, except in the performance of his/her services for Employer. Notwithstanding anything contained in this Section to the contrary, the obligations of Physician under this Section shall not apply to information or property which Physician can demonstrate is: (a) now in the public domain or later publicly available through no fault of Physician, (b) has been or is in the future rightfully obtained without restriction by Physician from other sources not subject to a confidentiality agreement, or (c) independently developed without use of Employer’s Confidential Information. 
Upon request of Employer and upon termination of this Employment Agreement, Physician shall immediately return to Employer all Confidential Information which Physician received from Employer or any Confidential Information within Physician’s possession. The terms of this Section shall survive termination of the Employment Agreement.

Protecting the Practice from Future Liabilities. When a physician leaves a medical practice, it is still possible for the practice to face liability stemming from the physician’s past conduct. For example, federal payers, such as Medicare and Medicaid, as well as commercial payers, can audit medical practices for professional services rendered several years prior to the date of the audit. Further, HIPAA violations, malpractice issues and other misconduct may not surface until after a physician leaves a medical practice. Unless the employment agreement continues to hold the departing physician responsible after termination for his/her conduct during employment, the medical practice may have insufficient remedies in the event a problem arises.

Physician shall hold harmless, indemnify and defend Employer, and its members, partners, officers, directors, employees, successors, representatives and assigns, from and against any and all liabilities, costs, damages, suits, judgments, fines, losses, demands or expenses of any kind whatsoever (including, but not limited to, court costs, arbitration fees, if applicable, and attorneys’ fees and expenses actually and reasonably incurred) from or attributable to: (a) any breach by Physician of this Employment Agreement, (b) any and all negligent or intentional acts and/or omissions of Physician, and/or (c) any overpayment, refunds, offsets or recoupments related to claims for medical services provided or ordered by the Physician, but only to the extent the Physician received compensation from the claims subject to the refund, offset or recoupment.  The terms of this Section shall survive termination of the Employment Agreement.

While it may take more work on the front end, having a well-thought-out and comprehensive physician employment agreement will save significant time, effort and potentially money when a physician leaves your medical practice.

Read the full series:

A Physician is Leaving Your Practice – “Must Have” Employment Agreement Provisions (Part I)

A Physician is Leaving Your Practice – “Must Have” Employment Agreement Provisions (Part II)

Howard Bogard is a Partner with Burr & Forman LLP and serves as the Chair of the firm’s Health Care Industry Group. Kelli Fleming is a Partner with Burr & Forman LLP practicing in the firm’s Health Care Industry Group.

Posted in: Legal Watch, Management, MVP

Texting and Emailing in the World of HIPAA

If you experience anxiety every time you consider texting and/or emailing in your health care setting, you are not alone. On one hand, the world that we live in necessitates that information is communicated in a quick and easy manner. The ability to text or email staff and patients has become a high priority for many health care entities. On the other hand, patient privacy and confidentiality are essential to meeting compliance standards. Though emailing and texting are convenient, they certainly do not come without the possibility of pitfalls. It is a complex issue that requires meeting several factors in order to be implemented properly.

But Everybody Is Doing It, Right?

The perception is that many health care entities are already taking advantage of emailing and texting capabilities.  That may be accurate.  But the bigger question is whether they are utilizing those tools in accordance with HIPAA Privacy and Security requirements.  Health care entities should consider the following:

A Risk Analysis is key.  An adequate Risk Analysis is required to be performed at the outset of the practice, prior to developing a HIPAA policy.  This Risk Analysis identifies the type of information that you maintain or access and the areas within your entity where protected health information (PHI) is vulnerable. The Risk Analysis should be reviewed, and amended if necessary, whenever there is a change in your information technology environment.  This includes adopting the use of email and text messaging. The entity will need to consider potential vulnerabilities and threats, then document their plan to ensure that health information stays secure.

Show me the policy. The HIPAA Privacy and Security policy must document your entity’s use of these services and define how employees are to utilize them. This includes specifying whether only business-owned devices can be used or whether the entity allows employees to utilize their own personal devices (BYOD). The policy should also be specific about any differences in procedure for emailing and texting internally, versus outside communication with patients and other health care providers. The policy requirement should be followed by adequate training.

Encryption, encryption, encryption.  Many entities that utilize PHI in email communications secure the information via encryption.  Within health care entities, the information is often secured by firewalls.  Firewalls make it much easier to implement security measures, oversee procedures and secure information.  Some health care entities choose to transmit PHI via electronic health records and customized patient portals. However, using emails to properly transmit PHI outside the entity is a much more complicated process.  To properly transmit PHI via email, encryption must be utilized.  Encryption software will resolve security issues because the patient receives an email containing a link which requires a unique username and password to access the PHI. Some patients find the process of logging in and remembering required passwords to be cumbersome, but others appreciate knowing that their information is secure.

Less is more. When communicating with individuals outside of your entity about PHI, utilize the Minimum Necessary Rule. The Minimum Necessary Rule requires health care entities to limit the PHI produced to the amount of information necessary for the recipient to carry out their function. For example, if another provider requests a patient’s diabetes lab work, only provide the requested lab work and not the patient’s entire medical record. Also, it is recommended that you not share sensitive information including, but not limited to, a patient’s mental health, communicable disease status, child or elder abuse, and substance abuse issues. The entity’s policies/procedures should define and describe how sensitive information should be transmitted.

The patient gets their way. HIPAA requires entities to communicate with patients in the manner determined by the patient, so long as it is reasonable. An entity’s Notice of Privacy Practices will generally articulate methods of intended communication by the entity.  However, a patient may choose not to receive communications through a traditional method. An example would be a patient request not to use U.S. mail, but to use email instead.  That entity may find that they do not have encrypted email capabilities that would appropriately safeguard the information. In this scenario, the health care entity must still comply with the patient’s request; however, they should have the patient sign a form that memorializes the patient’s request to use email communication and documents the risks associated with this request.

The guidance above does not apply to patient-initiated communications. Patients are not considered to be HIPAA covered entities and, therefore, their actions are not HIPAA violations. Thus, patients are free to initiate emails or text messages with health care providers at their pleasure. Health care entities should have a form on hand for the patient to sign prior to responding to an email or text message from the patient. This form documents that the patient is aware of the inherent risk of email or text message communications, but wishes to receive the communication in that form anyway. This will help to satisfy the patient’s preference while helping to shield the health care entity from liability if communications are intercepted beyond the entity’s control.

Texting Has Added Risks

Text messages are generally available to anyone who utilizes that person’s phone because there is generally not separate password security for access to the text messaging feature.  Additionally, because the text messages do not pass through the entity’s servers, it is difficult, if not impossible, for IT staff and Security Officers to audit the texts.  And if these communications are intended to be a part of the patient’s record to demonstrate communication, the patient loses the right to amend the communication if it is not readily available in the paper or electronic record. There are vendors who offer “secure texting” solutions. If a health care entity is considering a secure texting vendor, have your designated Security Officer review their system carefully and converse extensively with the vendor about whether their product is indeed secure. A BAA with the vendor is also required. Finally, the entity should revisit its written policy and retrain when necessary.

To ensure that your practice is in compliance, and for assistance with determining whether your entity should proceed with implementing text or email communications, please consult a health care compliance professional.

Samarria Dunson, J.D., CHC, CHPC is attorney/principal of Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Alabama.  www.dunsongroup.com

Posted in: Legal Watch, Liability

A Physician is Leaving Your Practice – “Must Have” Employment Agreement Provisions (Part II)

Editor’s Note: The following is the second installment of a three-part series discussing important provisions in physician employment agreements.

When a physician leaves a medical practice, especially if the physician stays in the area to compete against his/her former employer, the situation can become stressful and acrimonious. During the final weeks of employment, the departing physician can start to focus more on his/her new practice to the detriment of the current employer, and disputes often arise regarding access to medical records, soliciting patients and employees and when to schedule procedures – before or after termination. We have seen both medical practices and departing physicians engage in questionable conduct in order to keep as many patients as possible. Lawyers are often engaged to try to negotiate the terms of separation or, in a worst-case scenario, to file or defend a lawsuit.

Over the years, we have counseled hundreds of physician practices on how to successfully navigate the various issues that arise when a physician departs, regardless of whether the physician is an employee or an owner. Careful planning on the front end through a comprehensive employment agreement is the most important element in an amicable and fair separation. More often than not, we have found that disputes and subsequent litigation can arise when the employment agreement is not properly drafted or does not adequately address the specific terms of separation.

This three-part series provides a summary of the key provisions (with sample language) that can be incorporated into a physician employment agreement to help mitigate problems when a physician leaves your practice. Since each medical practice is unique, please consult with your own attorney before using any of the provided sample provisions in a physician employment agreement.

Protecting Other Practice Employees. When a physician leaves a medical practice he/she may want to encourage other practice employees (i.e., nurses, technicians, receptionists, etc.) to leave and work for the physician. These employees are a valuable asset to the medical practice and oftentimes the medical practice has invested significant time and resources in training its employees. Under Alabama Code Section 8-1-1, which was amended Jan. 1, 2016, a medical practice can protect an employee from being hired by a departing physician; provided, however, that the practice can demonstrate that the employee is “uniquely essential” to the medical practice. The term “uniquely essential” has not been specifically interpreted by the courts, but appears to require that the medical practice demonstrate that the protected employee(s) is not easily replaced due to a unique skill set or training, and the loss of the employee(s) would be detrimental to the medical practice.

Physician agrees that, during the term of this Employment Agreement and for a period of one (1) year following termination of this Employment Agreement, regardless of the cause of such termination, Physician shall not, directly or indirectly, through any individual, person or entity, without the prior written consent of Employer: (a) solicit, induce or attempt to solicit or induce away, or aid, assist, or abet any other party or person in soliciting, inducing or attempting to solicit or induce away from employment or other association with Employer, any employee of Employer, or (b) employ, hire or contract for services with any employee of Employer, or any person who was an employee of Employer during the six (6) month period prior to termination of Physician’s employment with Employer. The Employer and Physician acknowledge that the restrictions contained in this Section are reasonable and necessary to protect the protectable interests of Employer which include, without limitation, Employer’s confidential information, Employer’s commercial relationships with its patients, patient goodwill associated with its business, and the unique training of its employees, which was and is provided by Employer at considerable expense.  Physician acknowledges and agrees that the Employer’s employees hold positions uniquely essential to the management, organization and service of the Employer.

Compensation.  When a physician leaves a medical practice he/she will be compensated through the date of termination. If, however, the employment agreement provides for some form of bonus compensation based on, for example, collections or other measures of productivity, the employment agreement should address whether the physician is eligible for a bonus, pro-rated through the date of termination, or if termination before the end of the bonus measurement period results in the physician forfeiting any bonus. In addition, if the physician is paid based on production (e.g., collections less allocated expenses), then the employment agreement should address whether accounts receivable generated by the physician which are collected after termination for some designated time period will be counted toward the physician’s final paycheck, or if only collections received through the date of termination will be allocated to the physician. With either a bonus or production compensation model, some employment agreements provide that the departing physician will not be eligible for a bonus or the allocation of any post-termination collections if the physician terminates the employment agreement without cause or if the medical practice terminates the employment agreement with cause. Regardless, it is very important to clearly delineate in the employment agreement how compensation will be addressed upon termination.

Continuing Malpractice Insurance.  When a physician leaves a medical practice it is critical that medical malpractice insurance is maintained which provides continuing insurance for the physician’s professional services if a claim arises after the date of termination. Payment of a reporting endorsement (sometimes referred to as “tail insurance”) is typically an item negotiated by the parties. Regardless of how the costs are allocated, it is important that the employment agreement require either the purchase of a reporting endorsement or that the departing physician be obligated to maintain his/her then current malpractice insurance without interruption for a period of at least four years (eight years if minor patients are involved) after termination of employment. The following sample provision obligates the departing physician to pay for tail insurance, but can be modified as appropriate to provide that the medical practice will cover the costs of such insurance.

Immediately upon termination of employment with Employer, Physician shall, at Physician’s sole expense: (a) purchase or obtain a professional liability insurance reporting endorsement (e.g., tail coverage) with the same base and excess coverage limits and annual aggregate as the professional liability policy made available by the Employer for the Physician (the “Professional Liability Insurance Policy”) in order to provide continuing insurance protection for Physician and Employer against claims for malpractice or negligence occasioned by the acts of Physician while he/she was an employee of Employer (hereinafter referred to as the “Reporting Endorsement”), or (b) make arrangements for the continuation of the Professional Liability Insurance Policy with the same professional liability insurance carrier and with the same base and excess coverage limits and annual aggregate as the Professional Liability Insurance Policy, and listing Employer as an additional insured on such policy (hereinafter referred to as the “Continuation Policy”).

To evidence compliance, Physician shall provide to Employer within ten (10) days following the date of termination of this Employment Agreement either: (a) a copy of the Reporting Endorsement, or (b) a copy of the Continuation Policy, a “Certificate of Insurance Holder,” evidencing the existence of the Continuation Policy and written confirmation from the insurance carrier that Employer is listed as an additional insured on the Continuation Policy. If Physician obtains the Continuation Policy, and within ____ (____) years after termination of employment with Employer, should the Continuation Policy lapse, terminate or be modified so as not to satisfy the definition of a “Continuation Policy” in this Employment Agreement, or should Physician ever change professional liability insurance carriers, Physician agrees that he/she shall immediately purchase the Reporting Endorsement and that he/she shall provide Employer with a copy of the Reporting Endorsement at that time. If Physician fails to purchase such coverage and/or provide Employer with a certificate of same in accordance with the above‑stated requirements, Employer shall have the right, as hereby acknowledged by Physician, but not the obligation, to purchase such coverage and notify Physician in writing of the total premium costs thereof. Physician hereby expressly acknowledges and agrees that the total premium cost for such coverage purchased by Employer under this Section (plus a ten percent (10%) administrative fee) shall be immediately due and payable by Physician to Employer upon Physician’s receipt of said notice and Employer shall have the right to offset Physician’s cost of insurance against any amounts due Physician, with Physician reimbursing Employer for any deficiency. The terms of this Section shall survive termination of the Employment Agreement.

While it may take more work on the front end, having a well-thought-out and comprehensive physician employment agreement will save significant time, effort and potentially money when a physician leaves your medical practice. Stay tuned for Part III of this three-part series, which will discuss protecting confidential information and protection from future liabilities.

Read the full series:

A Physician is Leaving Your Practice – “Must Have” Employment Agreement Provisions (Part I)

A Physician is Leaving Your Practice – “Must Have” Employment Agreement Provisions (Part II)

A Physician is Leaving Your Practice – “Must Have” Employment Agreement Provisions (Part III)

Howard Bogard is a Partner with Burr & Forman LLP and serves as the Chair of the firm’s Health Care Industry Group. Kelli Fleming is a Partner with Burr & Forman LLP practicing in the firm’s Health Care Industry Group. Burr & Forman, LLP, is an official Bronze Partner with the Medical Association.

Posted in: Legal Watch, Management, MVP

Is a Physician Leaving Your Practice? Here are Your “Must Have” Employment Agreement Provisions (Part I)

The following is the first installment of a three-part series discussing important provisions in physician employment agreements.

When a physician leaves a medical practice, especially if the physician stays in the area to compete against his/her former employer, the situation can become stressful and acrimonious. During the final weeks of employment, the departing physician can start to focus more on his/her new practice to the detriment of the current employer, and disputes often arise regarding access to medical records, soliciting patients and employees and when to schedule procedures – before or after termination. We have seen both medical practices and departing physicians engage in questionable conduct in order to keep as many patients as possible. Lawyers are often engaged to negotiate the terms of separation or, in a worst-case scenario, to file or defend a lawsuit.

Over the years, we have counseled hundreds of physician practices on how to successfully navigate the various issues that arise when a physician departs, regardless of whether the physician is an employee or an owner. Careful planning on the front end through a comprehensive employment agreement is the most important element in an amicable and fair separation. More often than not, we have found that disputes and subsequent litigation can arise when the employment agreement is not properly drafted or does not adequately address the specific terms of separation.

This three-part series provides a summary of the key provisions (with sample language) that can be incorporated into a physician employment agreement to help mitigate problems when a physician leaves your practice. Since each medical practice is unique, please consult with your own attorney before using any of the provided sample provisions in a physician employment agreement.

Setting Expectations. Unless there is an immediate termination due to a breach of the employment agreement or other significant event, such as loss of license, oftentimes a physician’s employment is terminated by either party “without cause” upon thirty (30) to ninety (90) days prior written notice. In that situation, the physician continues to work for the medical practice during the notice period. This can be a very stressful time for both the practice and the departing physician, as the practice often feels that the physician’s loyalties have shifted. Even though the physician remains employed (and receives compensation), the physician may not be acting in the best interest of the soon-to-be former employer. As such, it is helpful to set expectations of conduct in the employment agreement during this transition period.

Following any notice of termination of Physician’s employment with the Employer which does not immediately terminate Physician’s employment, Physician shall continue to conduct himself/herself in accordance with the terms of this Employment Agreement, and specifically shall not: (a) copy (or instruct Employer personnel to copy) medical charts of patients for Physician’s use after termination of employment with the Employer, (b) compile (or instruct Employer personnel to compile) lists containing patient data, including patient names, addresses and/or telephone numbers of Employer’s patients for Physician’s use after termination of employment with the Employer, (c) schedule (or instruct Employer personnel to schedule) medical appointments, procedures and/or surgeries between Physician and Employer’s patients subsequent to the termination date of Physician’s employment with the Employer, (d) take vacation or continuing medical education time-off that is inconsistent with Physician’s normal vacation and continuing medical education time-off, or (e) otherwise diminish or lessen Physician’s services for the Employer.

In addition, upon termination of employment the departing physician should be required to complete certain obligations.

Notwithstanding the termination of Physician’s employment with Employer, Physician shall be required to: (a) cooperate with Employer on any malpractice or other actions or suits related to Physician, (b) immediately upon termination complete all medical records and return all property belonging to Employer, including, without limitation, patient and client lists, fee schedules, compensation information, medical records and all confidential information of the Employer, and (c) otherwise fulfill all responsibilities hereunder reasonably determined by Employer to relate to the services rendered by Physician prior to termination.

Patient Notices. One of the most contentious issues surrounding the departure of a physician involves notifying patients the physician is leaving. Under Alabama licensure law, the departing physician is obligated to notify his/her “Active” patients of the date the physician is leaving and his/her new contact information. The purpose behind the notification is to provide patients the freedom of choice to remain with the practice or follow the departing physician, and to minimize potential patient abandonment issues. The term “Active” patients is not defined under licensure law, but in our experience notice should be sent to those patients treated by the departing physician within the last twelve (12) months immediately prior to termination. Physicians who practice in a specialty that might require longer follow-up care, such as oncology or cardiology, would likely need to notify patients treated in the eighteen (18) to twenty-four (24) months immediately prior to termination.

Sometimes, the medical practice will provide the departing physician a list of his/her patients with addresses so the physician can send the required notice. Oftentimes, however, the medical practice does not want to provide a patient list and arguments arise over the proper way to notify patients and the timing of such notice. Specifying in the employment agreement the form of such notice, how costs are to be allocated and the timing of the notice will help avoid arguments.

Upon termination of this Employment Agreement, Physician shall not have any right to receive a list of patients treated by Physician while an employee of Employer. Any notice required by law to be sent to Physician’s patients upon Physician’s departure from the Employer shall be sent by the Employer on behalf of Physician and the parties hereby agree that such notice shall only be sent to those patients for whom the Physician served as the primary physician within _________ (_____) months immediately preceding the date of termination of this Employment Agreement (e.g., Active Patients). The Physician and Employer shall each pay one-half of the costs associated with the notice, to include applicable postage. The form of notice shall reference both Employer (and its physicians) and the Physician and shall be agreed upon by the parties in good faith.  The Physician and Employer will work together in good faith to send out the notice at least thirty (30) days prior to the Physician’s last day of employment, if feasible.

Medical Records. The patient medical records, whether paper or electronic, belong to the medical practice. However, certain situations may arise when the practice should make medical records available to the departing physician after termination, including, for example, to address medical malpractice claims or government investigations. Further, patients have the right of access to their records and can direct that the practice make copies of their records available to the departing physician. Oftentimes, we will include in the patient notice a HIPAA Authorization form for the patient to sign if he/she intends to continue under the care of the departing physician and wants the medical practice to send copies of records to the physician.

Physician shall prepare in a timely and complete manner medical records relating to his/her provision of professional services in such form and containing such information as customarily maintained by Physician and as required by applicable federal and state law, third-party payer agreements and Employer. All patient records, case histories, films, and personal and regular files concerning the patients consulted, interviewed, treated or cared for by Physician pursuant to this Employment Agreement shall belong to and remain the property of Employer. Upon termination of this Employment Agreement, Physician shall have the right, in accordance with state and federal law, including the Health Insurance Portability and Accountability Act of 1996, and its corresponding regulations, as may be amended from time to time, to obtain copies at Physician’s sole cost and expense of any patient record of Employer; provided, however, that Physician was involved in the applicable patient’s care and further that Physician’s right to copy such patient records shall be subject to: (a) Employer receiving a written authorization signed by the patient authorizing Employer to release such copies to Physician, (b) Physician requiring access to certain patient records to defend or prepare to defend any alleged or threatened professional liability claims relating to such patient records, or (c) Physician requiring access to certain patient records with respect to governmental or third party payer audits or reviews of claims for reimbursement relating to such patient records.

While it may take more work on the front end, having a well-thought-out and comprehensive physician employment agreement will save significant time, effort and potentially money when a physician leaves your medical practice. Stay tuned for Part II of this three-part series, which will discuss protecting other employees, compensation, and continuing malpractice insurance.

Read the full series:

A Physician is Leaving Your Practice – “Must Have” Employment Agreement Provisions (Part II)

A Physician is Leaving Your Practice – “Must Have” Employment Agreement Provisions (Part III)

Howard Bogard is a Partner with Burr & Forman LLP and serves as the Chair of the firm’s Health Care Industry Group. Kelli Fleming is a Partner with Burr & Forman LLP practicing in the firm’s Health Care Industry Group. Burr & Forman, LLP, is an official Bronze Partner with the Medical Association.

Posted in: Legal Watch


IRS: Watch Out for Dangerous W-2 Phishing Scam


WASHINGTON - The Internal Revenue Service, state tax agencies and the tax industry issued an urgent alert today to all employers that the Form W-2 email phishing scam has evolved beyond the corporate world and is spreading to other sectors, including school districts, tribal organizations and nonprofits.

In a related development, the W-2 scammers are coupling their efforts to steal employee W-2 information with an older scheme on wire transfers that is victimizing some organizations twice.

“This is one of the most dangerous email phishing scams we’ve seen in a long time. It can result in the large-scale theft of sensitive data that criminals can use to commit various crimes, including filing fraudulent tax returns. We need everyone’s help to turn the tide against this scheme,” said IRS Commissioner John Koskinen.

When employers report W-2 thefts immediately to the IRS, the agency can take steps to help protect employees from tax-related identity theft. The IRS, state tax agencies and the tax industry, working together as the Security Summit, have enacted numerous safeguards in 2016 and 2017 to identify fraudulent returns filed through scams like this. As the Summit partners make progress, cybercriminals need more data to mimic real tax returns.

Here’s how the scam works: Cybercriminals use various spoofing techniques to disguise an email to make it appear as if it is from an organization executive. The email is sent to an employee in the payroll or human resources departments, requesting a list of all employees and their Forms W-2.  This scam is sometimes referred to as business email compromise (BEC) or business email spoofing (BES).

The Security Summit partners urge all employers to be vigilant. The W-2 scam, which first appeared last year, is circulating earlier in the tax season and to a broader cross-section of organizations, including school districts, tribal casinos, chain restaurants, temporary staffing agencies, healthcare and shipping and freight. Those businesses that received the scam email last year also are reportedly receiving it again this year.

Security Summit partners warned of this scam’s reappearance last week but have seen an upswing in reports in recent days.

New Twist to W-2 Scam: Companies Also Being Asked to Wire Money

In the latest twist, the cybercriminal follows up with an “executive” email to the payroll or comptroller and asks that a wire transfer also be made to a certain account. Although not tax related, the wire transfer scam is being coupled with the W-2 scam email, and some companies have lost both employees’ W-2s and thousands of dollars due to wire transfers.
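The pattern described above (an email dressed up as an executive asking payroll or HR for W-2s, sometimes followed by a wire request) can be screened for when mail arrives. The following Python is an added example, not part of the IRS alert; the organization domain, executive names, keyword patterns, verdict names and sample messages are all constructed assumptions.

```python
"""Triage heuristics for the W-2 / wire-transfer "executive" email scam.

Added example. ORG_DOMAIN, EXECUTIVES, the keyword patterns, the verdict
names and the sample messages are constructed assumptions.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

ORG_DOMAIN = "example-clinic.test"             # assumed: the employer's mail domain
EXECUTIVES = {"dana whitfield", "lee moreno"}  # assumed: names worth impersonating

W2_REQUEST = re.compile(r"\bw-?\s?2s?\b|wage and tax statement", re.I)
WIRE_REQUEST = re.compile(r"\bwire (?:transfer|payment)\b|\brouting number\b", re.I)
# Authentication-Results is stamped by the receiving mail server (RFC 8601).
AUTH_FAILED = re.compile(r"\b(?:spf|dkim|dmarc)=(?:fail|softfail)\b", re.I)


def _domain(address):
    return address.rpartition("@")[2].lower()


def _is_org(domain):
    return domain == ORG_DOMAIN or domain.endswith("." + ORG_DOMAIN)


def triage(raw_message):
    """Return {'verdict': ..., 'flags': [...]} for one raw RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    text = f"{msg.get('Subject', '')}\n{body}"

    flags = []
    # 1. Executive's name in the display field, but the address is outside the org.
    name = " ".join(display_name.lower().split())
    if name in EXECUTIVES and not _is_org(_domain(from_addr)):
        flags.append("exec_name_external_sender")
    # 2. Replies would go to a different domain than the visible sender.
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        flags.append("reply_to_mismatch")
    # 3. The receiving server recorded an SPF/DKIM/DMARC failure.
    if AUTH_FAILED.search(str(msg.get("Authentication-Results", ""))):
        flags.append("auth_failed")
    identity_doubt = bool(flags)

    # 4. The message asks for the data or action the scam is after.
    if W2_REQUEST.search(text):
        flags.append("w2_request")
    if WIRE_REQUEST.search(text):
        flags.append("wire_request")
    sensitive = "w2_request" in flags or "wire_request" in flags

    if identity_doubt and sensitive:
        verdict = "hold"                # quarantine and alert security staff
    elif sensitive:
        verdict = "verify_out_of_band"  # confirm by phone before acting
    elif identity_doubt:
        verdict = "review"
    else:
        verdict = "deliver"
    return {"verdict": verdict, "flags": flags}


# Constructed sample messages (not real traffic).
SAMPLE_W2_SPOOF = """\
From: "Dana Whitfield" <dana.whitfield@mail-example.test>
To: payroll@example-clinic.test
Subject: Request
Authentication-Results: mx.example-clinic.test; spf=pass; dmarc=pass

Kindly send me the 2016 W-2 (PDF) of all employees for a quick review.
"""

SAMPLE_WIRE_FOLLOWUP = """\
From: "Lee Moreno" <lee.moreno@example-clinic.test>
Reply-To: lee.moreno@mail-example.test
To: comptroller@example-clinic.test
Subject: Payment today
Authentication-Results: mx.example-clinic.test; spf=fail; dmarc=fail

I need a wire transfer sent out this morning. Reply for the account details.
"""

SAMPLE_INTERNAL_W2 = """\
From: "Dana Whitfield" <dana.whitfield@example-clinic.test>
To: payroll@example-clinic.test
Subject: Audit prep
Authentication-Results: mx.example-clinic.test; spf=pass; dmarc=pass

Please have the W-2s ready for the auditors on Friday.
"""

SAMPLE_ROUTINE = """\
From: "Front Desk" <frontdesk@example-clinic.test>
To: staff@example-clinic.test
Subject: Break room schedule

The updated schedule is posted by the door.
"""

if __name__ == "__main__":
    for label, raw in [("w2 spoof", SAMPLE_W2_SPOOF), ("wire follow-up", SAMPLE_WIRE_FOLLOWUP),
                       ("internal w2", SAMPLE_INTERNAL_W2), ("routine", SAMPLE_ROUTINE)]:
        print(label, triage(raw))
```

Even a W-2 or wire request that passes every identity check is routed to out-of-band verification here, which mirrors the internal-policy recommendation rather than trusting the headers alone.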

The IRS, states and tax industry urge all employers to share information with their payroll, finance and human resources employees about this W-2 and wire transfer scam. Employers should consider creating an internal policy, if one is lacking, on the distribution of employee W-2 information and conducting wire transfers.

Steps Employers Can Take If They See the W-2 Scam

Organizations receiving a W-2 scam email should forward it to phishing@irs.gov and place “W2 Scam” in the subject line. Organizations that receive the scams or fall victim to them should file a complaint with the Internet Crime Complaint Center (IC3) operated by the Federal Bureau of Investigation. Employees whose Forms W-2 have been stolen should review the recommended actions by the Federal Trade Commission at www.identitytheft.gov or the IRS at www.irs.gov/identitytheft. Employees should file a Form 14039, Identity Theft Affidavit, if the employee’s own tax return rejects because of a duplicate Social Security number or if instructed to do so by the IRS.

The W-2 scam is just one of several new variations that have appeared in the past year that focus on the large-scale thefts of sensitive tax information from tax preparers, businesses and payroll companies. Individual taxpayers also can be targets of phishing scams, but cybercriminals seem to have evolved their tactics to focus on mass data thefts.

Be Safe Online

In addition to avoiding email scams during the tax season, taxpayers and tax preparers should be leery of using search engines to find technical help with taxes or tax software. Selecting the wrong “tech support” link could lead to a loss of data or an infected computer. Also, software “tech support” will not call users randomly. This is a scam.

Taxpayers searching for a paid tax professional for tax help can use the IRS Choosing a Tax Professional lookup tool, and taxpayers who need free help can review the Free Tax Return Preparation Programs. Taxpayers searching for tax software can use Free File, which offers 12 brand-name products for free, at www.irs.gov/freefile. Taxpayers or tax preparers looking for tech support for their software products should go directly to the provider’s web page.

Tax professionals also should beware of ongoing scams related to IRS e-Services. Thieves are trying to use IRS efforts to make e-Services more secure to send emails asking e-Services users to update their accounts. Their objective is to steal e-Services users’ credentials to access these important services.


Fraud and Abuse Investigations Should Be Taken Very Seriously


Editor’s Note: Burr & Forman LLP is sharing this information as a partner with the Medical Association and would like physicians to understand that the federal government is being vigilant with all health care fraud and abuse investigations. If you have questions concerning the content of this article, please contact Jim Hoover of Burr & Forman LLP at (205) 458-5111 or jhoover@burr.com.

For the United States Government, fraud and abuse recovery has an excellent return for each investment dollar spent. According to the Health Care Fraud and Abuse Control (HCFAC) Program Report, released by the Department of Health and Human Services and the Department of Justice on Jan. 18, 2017, the federal government recovered more than $3.3 billion in fraudulent health care claims in Fiscal Year 2016. That means that, for the last three years, every dollar invested in the program generated a $5 return.

Established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the HCFAC Program was designed to identify and prosecute health care fraud and abuse through the coordination of federal, state, and local law enforcement activities. Since its inception in 1997, the program has returned close to $31 billion to the Medicare Trust Funds.

According to the program report, during FY 2016 the Federal Government won or negotiated over $2.5 billion in health care fraud judgments and settlements. Of the $3.3 billion, the Medicare Trust Funds received transfers of approximately $1.7 billion, and $235.2 million in Federal Medicaid money was similarly transferred to the Medicaid program. Over $17.9 billion has been returned by the program to the Medicare Trust Funds for years 2009 through 2016 alone.

Other notable results of the program include the disclosure that, for FY 2016 alone, the DOJ opened 975 new criminal health care fraud investigations that led Federal prosecutors to file criminal charges in 480 cases involving 802 defendants. A total of 658 defendants were convicted of health care fraud-related crimes during the year. On the civil front, in FY 2016 the DOJ opened 930 new civil health care fraud investigations and had 1,422 civil health care fraud matters pending at the end of the fiscal year.

HHS’ Office of Inspector General (HHS-OIG) investigations conducted in 2016 resulted in 765 criminal actions against individuals or entities that allegedly engaged in crimes related to Medicare and Medicaid. There were 690 civil actions, which include false claims and unjust-enrichment lawsuits, civil monetary penalties (CMP) settlements, and administrative recoveries related to provider self-disclosures. HHS-OIG also excluded 3,635 individuals and entities from participation in Medicare, Medicaid, and other federal health care programs. Among these exclusions, some were based on criminal convictions for crimes related to Medicare and Medicaid (1,362) or to other health care programs (262), for patient abuse or neglect (299), or as a result of licensure revocations (1,448).

There were multiple highlighted cases involving physicians. In April 2016, a doctor in Maryland specializing in interventional pain management was sentenced to nine years and three months in prison, followed by three years of supervised release, for one count of health care fraud, two counts of making a false statement related to a health care program, one count of obstruction of justice, four counts of wire fraud, and one count of aggravated identity theft. The convictions were based on allegations that the doctor submitted claims for nerve block injections when in fact the doctor neither owned nor used the imaging guidance that was necessary to administer nerve block injections. The doctor also falsely documented patient files to indicate that imaging guidance was used. Finally, when Medicare contractors visited the pain clinic and inquired about the imaging guidance machine, the doctor created a false lease document purporting to show that he had leased the machine.

In April 2016, a licensed physician pleaded guilty to health care fraud, admitting that he submitted false claims to Medicare for purported visits with Medicare beneficiaries, including on dates when he was out of the country, for beneficiaries who were deceased on the dates he purportedly treated them, and for services totaling more than 24 hours in one day. He agreed that he submitted approximately $2.4 million in fraudulent claims to Medicare for which he was paid approximately $1.2 million.

In July 2016, following a three-week trial in the Eastern District of New York, a physician was convicted of one count of health care fraud, three counts of making false statements in connection with health care matters, and two counts of money laundering. The evidence at trial showed the defendant, a general surgeon, billed the Medicare program for thousands of wound-debridement and incision-and-drainage surgical procedures that he did not in fact perform. The defendant billed Medicare over $7 million and was paid over $3 million in reimbursement by Medicare.

Based on the above returns, it is a safe bet to assume that government investigations and qui tam/false claims lawsuits are here to stay, no matter who is President. To read more about the 2016 results and upcoming initiatives, the program reports are located on the HHS-OIG website.

Jim Hoover is a member of Burr & Forman LLP’s Health Care Industry Group and represents health care providers in healthcare regulatory and litigation matters.


What You Need to Know About Section 1557: The ACA Nondiscrimination Provisions


The Affordable Care Act prohibits discrimination on the basis of race, color, national origin, sex, age, or disability in certain health programs or activities. Section 1557 builds on long-standing Federal civil rights laws: Title VI of the Civil Rights Act of 1964, Title IX of the Education Amendments of 1972, Section 504 of the Rehabilitation Act of 1973 and the Age Discrimination Act of 1975. Individuals may either file a complaint with the Office of Civil Rights (OCR) or pursue the private cause of action that the law creates.

Who must comply?

Physicians receiving financial assistance from HHS (except solely Medicare Part B).

When?

By October 16, 2016

What must be done?

Post notices and taglines, and take steps to provide meaningful access to individuals with limited English proficiency. This may mean you need to enter into a contract with a call center.

What does Section 1557 require?

By October 16, 2016, all covered entities must post notice and taglines in the top 15 languages in conspicuously visible font size for individuals with limited English proficiency (LEP). The rules require language assistance for persons with LEP. A provider may not require an individual with LEP to provide his or her own interpreter. The Office of Civil Rights website contains sample notices, statements and taglines in multiple languages (see link below). The rules require using a “qualified translator” when translating written content. The rule itself is lengthy and specific. Any physicians, hospitals or entities receiving any financial assistance from HHS, including Medicare Parts A, C & D; Medicaid grants; loans; subsidies; meaningful use payments; payments for research offered through NIH; payments for any health program administered by HHS; etc., must comply. If a physician’s only financial assistance from HHS is Part B, he or she is not covered. If a physician or entity is principally engaged in health care, then all of its operations are covered, minus certain limited exceptions.

Covered entities must offer a qualified interpreter to an individual with LEP when oral interpretation is a reasonable step to provide meaningful access. The interpreter need not be licensed under state law, but must have relevant proficiency. Simply having above-average familiarity with speaking or understanding the relevant foreign language does not necessarily qualify a person as an interpreter. HHS has regulations that apply to covered entities choosing to provide interpreters through remote video. See 45 C.F.R. § 92.201(f).

What are the basics?

  1. Do not discriminate on the basis of race, color, national origin, sex, age, or disability. Treat men and women equally in healthcare and treat individuals consistent with gender identity. Provide language assistance. Provide auxiliary aids to those with disabilities. Make newly constructed or altered facilities accessible to those with disabilities.
  2. Sign a form with HHS that you will comply – HHS-690 Form.
  3. Entities with 15 or more employees must appoint a compliance coordinator and establish a grievance coordinator.
  4. “Taglines” and statements must be included on “significant” documents and communications. HHS is working on guidance as to what is a “significant” publication. Information on services or treatment, or the administration of drugs, is considered significant.
  5. Post notices of nondiscrimination. A sample notice is available from the link set forth below.
  6. The entity must take reasonable steps to provide meaningful access to LEP persons.

What is a tagline?

All covered entities must post short statements, written in languages other than English, informing individuals that language assistance services are available free of charge. These taglines should be posted in the top 15 languages spoken by LEP persons in that state (see list below). The entity should post the taglines in physical locations where it interacts with the public, on websites and in other significant communications. The top two languages should be posted in small-sized publications.

Is there guidance?

OCR has translated a sample notice of nondiscrimination and the taglines for use by covered entities into 64 languages: www.hhs.gov/civil-rights/for-individuals/section-1557/translated-resources/index.html

HHS has provided a training guide (http://www.hhs.gov/sites/default/files/section1557-presenters-guide.pdf and http://www.hhs.gov/sites/default/files/section1557-training-slides.pdf).

What are the current top 15 languages for Alabama?

  • Spanish — 75,000
  • Chinese — 5,405
  • Korean — 4,554
  • Vietnamese — 3,708
  • Arabic — 1,440
  • German — 1,411
  • French — 1,278
  • Gujarati — 888
  • Tagalog — 856
  • Hindi — 818
  • Laotian — 681
  • Russian — 586
  • Portuguese — 516
  • Turkish — 505
  • Japanese — 484

http://www.hhs.gov/sites/default/files/resources-for-covered-entities-top-15-languages-list.pdf


So, How Do I Comply with HIPAA?


Editor’s Note: This article was originally published in the 2016 Spring Issue of Alabama Medicine magazine

A physician client recently asked me a seemingly simple, straightforward question: “So, how do I comply with HIPAA?” The answer, unfortunately, is not as simple and straightforward as the question.

HIPAA (i.e., the Health Insurance Portability and Accountability Act) and its various regulations include numerous, often confusing requirements, and little in the way of practical guidance. With this in mind, this article provides the author’s attempt to give, in simple terms, an overview of HIPAA’s requirements, and a short list of practical steps physician practices may take to establish a baseline of compliance.

Overview

In the simplest terms, to comply with HIPAA, a physician practice needs to address and satisfy the obligations of a “covered entity” under the regulations set forth in the HIPAA security regulations, 45 CFR § 164.300 et seq. (the “Security Rule”); the HIPAA breach notification regulations, 45 CFR § 164.400 et seq. (the “Breach Notification Rule”); and the HIPAA privacy regulations, 45 CFR § 164.500 et seq. (the “Privacy Rule”), in respect to “protected health information” (“PHI”) received and maintained by the practice on behalf of its patients. HIPAA compliance has garnered significant attention recently, due to increasing public awareness in regard to data breaches and privacy and information security matters, generally, as well as increased enforcement efforts by the U.S. Department of Health and Human Services Office of Civil Rights (“HHS,” and “OCR”) [1] and other government agencies, [2] not to mention the looming specter of potential class action and other litigation involving affected patients. [3] In addition, OCR recently commenced a new, expanded HIPAA audit program that will select physician practices and other HIPAA-covered entities and business associates for random compliance audits. [4]

Privacy Rule

To comply with the Privacy Rule, a physician practice must not access, use or disclose PHI, in paper or electronic form, other than as required or permitted by the Rule. For example, the Privacy Rule requires that a physician practice not disclose a patient’s PHI to a third party without an appropriate written authorization from the patient, except in certain circumstances, such as in connection with the patient’s treatment, or payment for such treatment, or the practice’s health care operations. The Privacy Rule also specifies that, in general, even if a particular disclosure is required or permitted, the practice must ensure that the disclosure is limited to the minimum necessary information. In addition to these foundational issues, the Privacy Rule requires that physician practices take certain administrative steps to facilitate compliance, including identifying a privacy officer, implementing written policies and procedures to formalize privacy practices, and entering into business associate agreements (that include specific provisions outlined in the Rule) with vendors and other third parties that create, receive, transmit or maintain PHI on behalf of the practice (“business associates,” in HIPAA terms). Physician practices must also regularly evaluate and update their privacy policies and practices, provide regular privacy training to their workforce members, and impose appropriate sanctions when workforce members fail to comply with established privacy practices.

Security Rule

Under the Security Rule, physician practices must implement reasonable and appropriate administrative, physical and technical safeguards to protect electronic PHI (“ePHI”). Technical safeguards include, for example, encryption, access controls, audit logs, authentication controls, and other safeguards directed toward securing ePHI. Physical safeguards include locking doors, screening computers, and other safeguards to protect access to workstations and other physical facilities where workforce members access ePHI and protocols to safeguard ePHI during disposal. Administrative safeguards include security risk analysis (discussed further below) and risk management plans, contingency/disaster recovery plans, and security incident reporting procedures, as well as written policies and procedures addressing security practices, regular evaluation of security safeguards, and workforce training and sanctions, similar to the Privacy Rule.

Breach Notification Rule

The Breach Notification Rule requires that, in the event a physician practice discovers an unauthorized access, use or disclosure of unsecured PHI (for example, a breach of unencrypted ePHI), in paper or electronic form, the practice must notify each patient affected by the breach, as well as OCR, [5] unless the practice can demonstrate, based on a risk assessment conducted in accordance with the Rule, [6] that there is not more than a low probability that PHI was compromised. Like the Privacy Rule and the Security Rule, the Breach Notification Rule also requires that physician practices implement written policies and procedures to document their breach notification responsibilities and practices, train workforce members regarding their responsibilities in the event of a breach, and hold workforce members accountable for non-compliance.

Practical Steps

In view of the various rules and requirements discussed above, physician practices may take the following steps toward establishing a baseline of compliance with HIPAA.

Perform a security risk analysis in compliance with the Security Rule. It is essential that every physician practice perform (and regularly update, as appropriate) a security risk analysis, in compliance with the Security Rule, as noted above. Done properly, the security risk analysis highlights specific risks and vulnerabilities in the practice’s security practices and recommends specific steps to address them – thereby providing a road map, of sorts, to compliance with the Security Rule. From an enforcement standpoint, OCR has repeatedly zeroed in on covered entities that fail to perform an appropriate risk analysis. As a practical matter, most physician practices utilize third-party consultants, with appropriate information technology expertise and resources, to conduct the risk analysis. In any case, the risk analysis should be coordinated through legal counsel to, among other things, ensure applicable HIPAA requirements are addressed and preserve attorney-client privilege, to the extent possible, as to communications with the consultant (i.e., in regard to security risks and vulnerabilities identified in the analysis). Physician practices should be sure, also, to routinely update their risk analysis, to ensure that new and evolving legal requirements and risks are timely addressed.

Implement appropriate written policies and procedures for compliance with the Privacy Rule, Security Rule and Breach Notification Rule. It is also essential that every physician practice implement written policies and procedures to facilitate compliance with the Privacy Rule, the Security Rule and the Breach Notification Rule. “Template” policies and procedures may be obtained from various sources, and may be sufficient for compliance, at least temporarily; ultimately, however, practices should tailor their policies and procedures to their particular circumstances – including, for example, the specific risks and vulnerabilities identified, from time to time, in the practice’s (ongoing) security risk analysis, as well as the practice’s history and experience with (actual) privacy, security and breach matters. As noted above, it is also critical that the practice regularly review and update its policies and procedures to ensure compliance with applicable laws and regulations, and to take into account, again, any recent privacy, security or breach related matters at the practice.

Address encryption. Technically, encryption is not required to comply with the Security Rule. Like risk analysis, however, encryption (specifically, lack of encryption) is a favorite target of OCR, in its enforcement efforts, especially in regard to (unencrypted) mobile devices, such as laptops and tablet computers, smartphones, and the like. [7] Moreover, encrypted ePHI (i.e., “secure” ePHI) [8] is not subject to the Breach Notification Rule; that is, even if the information is somehow breached, the practice need not notify patients or OCR regarding the incident.

Vet vendors and vendor contracts. Physician practices should routinely vet any vendors (i.e., business associates) that have access to PHI, in paper or electronic form, to ensure the vendor has appropriate safeguards in place, similar to those required of the practice. In addition, as noted above, physician practices should ensure that they have written, HIPAA compliant, business associate agreements in place with such vendors. Practices should also confirm that business associate agreements and/or related vendor service contracts include adequate protections (in the form of indemnification, and other remedies) for the practice, in the event of a data breach or similar incident. Moreover, due to the significant risk management and legal implications now associated with ePHI, practices are advised to coordinate review of their vendor arrangements and contracts with appropriate legal counsel.

Implement appropriate back-up and contingency plans. The Security Rule requires that physician practices have in place secure procedures for backing up PHI and safeguards to protect PHI and to recover lost PHI, in the event of a natural disaster or other, similar contingency. Some practices utilize their own servers or resources to back up data; others utilize “cloud” or similar third-party services. As a practical matter, similar to risk analysis, contingency plans are often developed and implemented in coordination with a third-party consultant with appropriate expertise.

Confirm appropriate insurance coverage is in place. Many insurance carriers now offer some form of “cyber” insurance coverage to protect against losses related to data breaches and other information security matters. Cyber insurance typically addresses the insured’s overall information technology security practices; it may or may not address specific HIPAA compliance issues. In lieu of (or in addition to) cyber coverage, physician practices may look to other insurance (directors and officers, errors and omissions, professional liability, general liability, etc.) for coverage. In any case, particularly in view of the significant enforcement and litigation risks now associated with HIPAA and related privacy and security matters, physician practices must be sure they have adequate insurance coverage in place in the event of a data breach or similar privacy or security incident – and, in the event coverage is available from multiple sources, that they understand the interplay between the various policies.

Sources

  1. OCR enforcement efforts include a number of high dollar settlements (known as “resolution agreements”) entered into between OCR and HIPAA covered entities, including physician practices. For additional information pertaining to OCR resolution agreements and other enforcement efforts, please see the HHS website, at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/index.html. (To view OCR resolution agreements involving physician practices, visit the above link, and select “Private Practices.”)
  2. Besides OCR, data breaches (whether or not HIPAA is implicated) may trigger enforcement efforts by state attorneys general, the Federal Trade Commission and other state or federal agencies.
  3. See, e.g., Class Action Lawsuit for Flowers Hospital Data Breach Moves to Discovery Phase, HIPAA Journal (Oct. 5, 2015), accessible at http://www.hipaajournal.com/flowers-hospital-class-action-data-breach-lawsuit-moves-to-discovery-8133/ (last visited March 24, 2016).
  4. See OCR Launches Phase 2 of HIPAA Audit Program, available at http://www.hhs.gov/hipaa/forprofessionals/compliance-enforcement/audit/phase2announcement/index.html.
  5. Notification to OCR is delivered using an online portal on the HHS website, accessible at https://ocrportal.hhs.gov/ocr/breach/wizard_breach.jsf?faces-redirect=true.
  6. The Breach Notification Rule includes specific factors the physician practice must take into account in conducting the risk assessment. These factors are set forth at 45 CFR §164.402.
  7. OCR data indicates that a significant portion of reported breaches of unsecured PHI, perhaps more than half, involve theft or loss of an unencrypted mobile device.
  8. To avoid the notification requirements of the Breach Notification Rule, ePHI must be encrypted according to specific, National Institute of Standards and Technology (“NIST”) protocols. For information regarding specific encryption protocols, see Guidance to Render Unsecured Protected Health Information Unusable, Unreadable or Indecipherable to Unauthorized Individuals, on the HHS website, at http://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html.

The information in this article reflects the thoughts and opinions of the author, and does not, and is not intended to, constitute legal advice. If you have specific questions pertaining to HIPAA or other legal matters addressed herein, please consult appropriate legal counsel.

Contributed by D. Brent Wills, Esq., a partner at Gilpin Givhan P.C., a Bronze Partner with the Association.

Posted in: Legal Watch

Physicians: Be Cautious When Responding to a Subpoena or Request for Medical Records

Editor’s Note: This article was originally published in the 2016 Summer Issue of Alabama Medicine magazine

Doctors must educate themselves and particularly their staff on the legal obligations to protect the confidentiality of medical records and how to properly respond to subpoenas and requests for patients’ health information. It is a huge mistake for physicians to automatically assume that a subpoena or request is properly executed. Improperly releasing a patient’s medical records can result in a civil suit by the patient, an administrative fine by the federal government, or disciplinary action by the state medical board.

Civil and criminal courts in the State of Alabama have the right to summon witnesses into court and require them to testify under oath. Subpoenas are issued to non-parties to a lawsuit; therefore, the health care provider is not a party to the pending litigation. Consequently, the method for securing the attendance of witnesses and records is by the issuance of a subpoena or a subpoena duces tecum, respectively.

A subpoena is a written order compelling a person to appear and give testimony at a trial or other proceeding. The subpoena duces tecum is a subpoena compelling a person to appear, give testimony, and bring all books, documents, papers, or records described in the notice. A failure to respond could subject the health care provider to contempt of court. A patient’s medical records are generally secured by a subpoena duces tecum, which is served on the person having actual custody or possession of the records and typically requests a patient’s chart, x-rays and billing documents. In most cases, the party seeking the information is not requesting the physician or his staff to physically appear in court to produce the records.

A subpoena is generally issued by an attorney or the clerk of court, which means that you will often receive a subpoena without an accompanying court order or any documents signed by the judge. A properly issued subpoena for patient records is generally as valid as any other properly issued subpoena with one important exception. That exception relates to subpoenas requesting health care information that is afforded special protection under state or federal law, such as records relating to the testing for or treatment of HIV, AIDS, STDs; and mental health, behavioral health, or treatment records of substance abuse programs. A subpoena requesting such information without a court order or patient authorization is generally not proper.

Typically, the subpoena must be accompanied by an authorization signed by the patient authorizing release of that specific protected information or an order signed by the judge authorizing release of that information. Stated another way, if the medical record contains information that relates to the testing or treatment of HIV, AIDS, STDs or psychiatric records, such as mental health or behavioral health, then the physician will need either:

  1. a court order signed by a judge specifically ordering the records related to these specially protected areas, or
  2. an authorization signed by the patient specifically authorizing the doctor to release that portion of the record.

The HIPAA Privacy Rules also require additional steps before a physician can release records containing protected health information (“PHI”) pursuant to a subpoena. A physician may disclose PHI in the course of any judicial or administrative proceeding by either obtaining an order of a court or in response to a subpoena if the physician obtains satisfactory assurances from the party issuing the subpoena.

For the purposes of obtaining “satisfactory assurances” from a party seeking PHI, the physician must receive documentation demonstrating that:

  1. the party requesting the information has made a good faith attempt to provide written notice to the individual,
  2. the notice to the individual includes sufficient information about the litigation to permit the individual to raise an objection to the court, and
  3. the time for the individual to raise objections has lapsed and no objections were filed, or all objections that were filed by the individual had been resolved by the Court.

Physicians or their offices may receive subpoenas from out-of-state courts in matters involving mass tort claims such as asbestos. A subpoena from another state’s court does not have the authority to compel production in Alabama. Thus, a physician who receives a subpoena in Alabama from another state’s court should not respond to the subpoena unless the subpoena is domesticated by (accompanied by an order from) a circuit court in Alabama.

Physicians and physician practices may also receive requests for medical records prior to a lawsuit being filed. These requests may come from the patient or a law firm. HIPAA governs the release of these records and whether the request is authorized. Records should only be released to authorized individuals. If the patient is living, authorized individuals include the patient or his Personal Representative.

Pursuant to HIPAA, “Personal Representative” is defined by state law and would include someone who has a Power of Attorney for the patient. If the patient is deceased, the Personal Representative of the patient’s estate may obtain the records. In 2013, HIPAA expanded authorized individuals of deceased patients to include family or individuals involved in the patient’s care, if the request is relevant to their involvement in the patient’s care, unless releasing the records is inconsistent with prior expressed preference of the individual. Therefore, a deceased patient’s family member may request the records even if she is not appointed as the personal representative of the patient’s estate, and a physician may release the records if it determines the individual is authorized under this provision.

The problem for physicians and their staff is that they often do not know the requirements necessary to make a subpoena or request valid or lawfully enforceable. Therefore, it is prudent for the physician to educate his/her staff about subpoenas and requests for records and when not to respond or release the records. In certain circumstances, it may be wise for the physician to consider having a subpoena or request reviewed by legal counsel to determine the appropriate response.

The relatively small expense can save a tremendous amount of trouble later on.

Contributed by Jim Hoover and Angie Cameron Smith, members of Burr & Forman, LLP’s Health Care Industry Group, who represent health care providers in regulatory and litigation matters. Burr & Forman, LLP, is an official Bronze Partner with the Medical Association.

Posted in: Legal Watch

Recent Changes to the Federal Stark Law

Editor’s Note: This article was originally published in the 2016 Winter Issue of Alabama Medicine magazine

Most physicians are aware of the Federal Stark Law and the limitations it places on a physician’s ability to enter into financial relationships with potential referral sources. Can I refer patients to the physical therapy practice I own? Can I lease space and/or equipment from the hospital? Can I share my front desk personnel with another provider? These are questions we commonly hear from physicians who are navigating the complicated web of health care compliance under the Stark Law. Recent changes to the Stark Law enacted through the 2016 Medicare Physician Fee Schedule Final Rule (“Final Rule”) may provide added flexibility to physicians contemplating some of these types of arrangements.

The issuance of the Final Rule on Nov. 16, 2015, was the first time the industry has seen such broad changes to the physician self-referral law in several years. According to the Centers for Medicare and Medicaid Services (CMS), the changes are designed to “accommodate delivery and payment system reform, to reduce burden, and to facilitate compliance.” The majority of the changes took effect Jan. 1, 2016.

The Stark Law prohibits a physician from referring Medicare or Medicaid patients for certain “designated health services” to entities with which the physician (or an immediate family member of the physician) has a financial relationship, unless an exception applies. Any relationship in which remuneration (i.e., something of value) flows between the parties is considered a financial relationship under the Stark Law.

Designated health services (“DHS”) covered by the Stark Law include the following:

  1. clinical laboratory services;
  2. physical therapy, occupational therapy, and outpatient speech language pathology services;
  3. radiology and certain other imaging services;
  4. radiation therapy services and supplies;
  5. durable medical equipment and supplies;
  6. parenteral and enteral nutrients, equipment and supplies;
  7. prosthetics, orthotics and prosthetic devices and supplies;
  8. home health services;
  9. outpatient prescription drugs; and
  10. inpatient and outpatient hospital services.

The majority of the Final Rule changes address the exceptions to the Stark Law — in other words, the instances in which CMS has stated that a financial relationship is permitted between referring parties. While a summary of all the recent changes is beyond the scope of this article, I did want to highlight some of the more significant changes.

In the Final Rule, CMS established two new Stark Law exceptions. The first exception permits hospitals, federally qualified health centers (FQHC), or rural health clinics (RHC), to provide assistance to physicians to recruit and compensate non-physician practitioners (i.e., nurse practitioners, clinical nurse specialists, physician assistants, certified nurse midwives, clinical social workers, and clinical psychologists) under certain conditions. In other words, physicians can now receive recruitment incentives to attract non-physician practitioners to their practice.

In order to take advantage of the exception, among other things, at least 75 percent of the patient care services provided by the recruited non-physician practitioner must be primary care or mental health services. Further, the payment to the physician by the hospital, FQHC, or RHC cannot exceed 50 percent of the aggregate compensation, signing bonus, and benefits paid to the non-physician practitioner and must be consistent with fair market value. This new exception may only be utilized once every three years for a particular physician (unless the non-physician practitioner leaves prior to the expiration of one year) and there is a two-year limit on the assistance provided by the hospital, FQHC, or RHC.

The second new Stark Law exception permits time-share arrangements for the use of office space, equipment, personnel, items, supplies and services. The exception applies to arrangements that grant a right of permission to use the premises, equipment, personnel, items, supplies, or services, but not to arrangements that transfer control over such items. While these types of arrangements have been in place for years and have been analyzed under other Stark Law exceptions, the new exception provides clarification and flexibility. There are some limitations, however, to the use of the new exception. For example, advanced imaging equipment (e.g., MRI and CT) and clinical or pathology laboratory equipment may not be used within the shared space. Further, compensation formulas based on revenue percentage or per-unit fees are prohibited.

In the Final Rule, CMS also clarified several existing Stark Law exceptions. While a discussion of all of the clarifications is beyond the scope of this article, I wanted to highlight a few:

  • Many Stark Law exceptions contain a requirement that the arrangement be “in writing.” However, sometimes physicians fail to enter into or sign a formal written contract prior to the initiation of the arrangement. In the Final Rule, CMS clarified that the “writing” does not necessarily need to be a single written formal contract, but rather can be a collection of contemporaneous writings that relate to each other and that document the relationship (e.g., e-mails, invoices, check requests, board meeting minutes, time sheets, etc.). A document produced after a referral is made, however, cannot be used to demonstrate compliance with respect to prior referrals. Nonetheless, despite the clarification, a single written contract remains the recommended method of documentation when possible.
  • Under the previous provisions, if a signature to an arrangement was missing, the parties had 30 days to obtain the missing signature if the omission was not inadvertent and 90 if the omission was inadvertent. Under the Final Rule, parties now have 90 days to obtain a missing signature regardless of whether the omission was inadvertent.
  • For exceptions requiring a one-year arrangement, CMS clarified that the one-year term does not have to be directly expressed in the writing, provided the parties can show factual compliance with the one-year requirement through other documentation.
  • Previously, under the exception for leases and personal services agreements, a holdover period at the expiration of the agreement was limited to six months. In other words, if the agreement expired and the parties failed to enter into a new agreement, the old agreement could govern the relationship but only for a period of six months. The Final Rule allows for an indefinite holdover period on the same terms as the original agreement as long as the arrangement remains compliant with the applicable exception. However, amendments during the holdover period are prohibited. In light of this change, it is highly recommended that the parties review holdover agreements periodically to confirm that the arrangement remains compliant (e.g., that the payment remains consistent with fair market value).
  • CMS clarified that when parties split-bill for services (e.g., hospital bills technical component and physician bills professional component), this alone does not create a financial relationship triggering the Stark Law between the parties.
  • The Final Rule clarifies that the definition of remuneration under the Stark Law does not include the provision of items, devices, or supplies that are used solely to collect, transport, process or store specimens or to order or communicate the results of tests or procedures.

Physicians contemplating arrangements that may fall under a Stark Law exception are encouraged to review these latest developments. Depending on the circumstances, some of the most recent changes may provide added flexibility and additional options for physicians.

Contributed by Kelli Fleming, a partner at Burr & Forman, LLP, who works exclusively within the firm’s Health Care Practice Group. Burr & Forman, LLP, is an official Bronze Partner with the Medical Association.

Posted in: Legal Watch
