
$2.5M settlement shows that not understanding HIPAA requirements creates financial risk

The U.S. Department of Health and Human Services, Office for Civil Rights (OCR), recently announced a Health Insurance Portability and Accountability Act (HIPAA) settlement based on the impermissible disclosure of unsecured electronic protected health information (ePHI).  In 2012, CardioNet, a company that remotely monitors patients at risk for cardiac arrhythmias, reported to the HHS Office for Civil Rights (OCR) that a workforce member’s laptop was stolen from a parked vehicle outside of the employee’s home.  The laptop contained the ePHI of 1,391 individuals.  The settlement was not reached until 2017, indicating the length of time that some HIPAA investigations can take, with its attendant costs.

CardioNet has agreed to settle potential noncompliance with the HIPAA Privacy and Security Rules by paying $2.5 million and implementing a corrective action plan.  This settlement is the first involving a wireless health services provider, based, in part, on CardioNet’s failure to comply with basic HIPAA rules that are applicable to all “covered entities” and “business associates”. Thus, the compliance steps outlined below for mobile devices are applicable to any device used to store PHI or ePHI.

OCR’s investigation into the impermissible disclosure revealed that CardioNet had insufficient risk analysis and risk management processes in place at the time of the theft.  Additionally, CardioNet’s policies and procedures implementing the standards of the HIPAA Security Rule were in draft form and had not been implemented.  Further, the organization was unable to produce any final policies or procedures regarding the implementation of safeguards for ePHI, including those for mobile devices.

HHS and OCR have published a very helpful 5-step guideline for establishing compliance with HIPAA.  While the following actions relate specifically to mobile devices, these five steps are applicable to all PHI.

Decide

Decide whether mobile devices will be used to access, receive, transmit, or store patients’ health information or used as part of your organization’s internal networks or systems (e.g., your EHR system).

Understand the risks to your organization before you decide to allow the use of mobile devices. Risks (threats and vulnerabilities) can vary based on the mobile device and its use. Some risks may be:

  1. A lost or stolen mobile device
  2. Inadvertent downloading of viruses or other malware
  3. Unintentional disclosure to unauthorized users when sharing mobile devices with friends, family and/or coworkers
  4. Use of an unsecured Wi-Fi network.

Assess

Assess how mobile devices affect the risks (threats and vulnerabilities) to the PHI your organization holds.

Conduct a risk analysis to identify the risks to your organization. If you are a solo provider, you may conduct this risk analysis yourself. If you work in a larger organization, the organization may conduct the risk analysis.

A risk analysis will help determine the safeguards, policies, and procedures your organization needs. It should include reviewing risks created by all mobile devices used to communicate with your internal networks or systems, regardless whether the devices are personally owned or provided by the organization.

Perform a risk analysis periodically and whenever there is a new mobile device, a lost or stolen device, or suspected compromised health information.

After conducting a risk analysis, document, in writing:

  1. Which mobile devices are being used to communicate with your organization’s internal networks or systems (e.g., the EHR system or Health Information Exchange (HIE)), and
  2. What information is accessed, received, stored, and transmitted by or with the mobile device.

Identify

Identify your organization’s mobile device risk management strategy, including privacy and security safeguards.

The purpose of a mobile device risk management strategy is to develop and implement mobile device safeguards to reduce risks (threats and vulnerabilities) identified in the risk analysis. The risk management strategy should include evaluation and maintenance of the mobile device safeguards you put in place.

Develop, Document, and Implement

Develop, document, and implement the organization’s mobile device policies and procedures to safeguard health information.

Organizations should develop and implement reasonable and appropriate policies and procedures to safeguard health information, including those specific to mobile devices. Here are some topics and questions to consider when developing mobile device policies and procedures:

  1. Has the organization identified all the mobile devices that are being used in the organization? How is the organization keeping track of them?
  2. Should the organization let providers and professionals use their personally owned mobile devices within the organization?
  3. Should providers and professionals be able to connect to the organization’s internal network or system with their personally owned mobile devices, either remotely or on site?
  4. Does the organization restrict how providers and professionals can use mobile devices?
  5. Will the organization institute standard configuration and technical controls on all mobile devices used to access internal networks or systems, such as an EHR?
  6. Are there restrictions on the type of information providers and professionals can store on mobile devices?
  7. Does the organization have written procedures for addressing misuse of mobile devices?
  8. Does the organization have procedures to wipe or disable a mobile device that is lost or stolen or when providers and professionals end their employment or association with the organization?
  9. How is the organization training its workforce (management, doctors, nurses, and staff) on policies and procedures and holding them accountable?

Train

Train and conduct mobile device privacy and security awareness and training for providers and professionals.

Providers and professionals who use mobile devices must have privacy and security awareness and training, on an annual basis, to avoid costly mistakes that can result in loss of patient trust.

Privacy and security awareness and training should include a discussion of the following topics:

  1. How to assess risks (threats and vulnerabilities) when using mobile devices for work;
  2. How to secure mobile devices;
  3. How to protect and secure health information;
  4. How to avoid mistakes when using mobile devices.

Finally, the organization should train its workforce so that they understand the organization’s mobile device policies and procedures and how to follow them.


Jennifer Snow | Farrow-Gillespie & Heath LLP | Dallas, TX

Jennifer Snow practices in the areas of health care law and business litigation. She is the author of numerous articles on health care law. Jennifer represents physicians and physician groups in health law matters, and she represents companies and executives in business litigation.

Ms. Snow has been named to the list of “Rising Stars” by Texas Monthly Magazine and Texas Super Lawyers (a Thomson Reuters service) in every year since 2014.


Scott Chase | Farrow-Gillespie & Heath LLP

Scott Chase has practiced health law, corporate law, and intellectual property law for over 35 years.  Mr. Chase is Board Certified in Health Law by the Texas Board of Legal Specialization.

Scott’s primary practice focus is business transactions for physicians and healthcare facilities, as well as healthcare regulatory issues such as the Affordable Care Act, HIPAA and peer review.  Mr. Chase handles general corporate matters and trademark/copyright issues for physicians and also for a variety of non-healthcare clients.


What is the status of ObamaCare, and why should I care?

Regardless of your position on the Affordable Care Act, otherwise known as ObamaCare (“ACA”), you should neither panic nor rejoice just yet over the actions and inactions of the United States government regarding this healthcare insurance law.  You have probably read about the various options, i.e., “repeal and replace,” “repeal and delay,” or simply “repeal” the ACA.  What Congress is figuring out is that it is difficult to keep “good” provisions, e.g., the one related to “pre-existing conditions” (which over 70% of Americans like) but to do away with “bad” provisions, e.g., the individual mandate (which 70% of Americans do not like) and still keep an actuarial pool that doesn’t adversely affect insurance premiums in a substantial way.  Conventional wisdom is that, without the individual mandate, premiums would increase, probably at a faster rate than is current under the ACA.

All other countries that provide universal access to healthcare for their citizens figured out a long time ago that everyone needs to be covered in order to spread the cost of insurance over the total population.  As someone who has studied the ways in which Western countries have instituted universal access to healthcare (e.g., Germany in the 1870’s) and who has lectured extensively on the ACA, I am not surprised at Congress’s inability to come up with a plan that would cover everyone, not require everyone to carry insurance, and keep insurance premiums down.  Add in the fact that any new Congressional plan will affect over 20 million citizens who have already obtained health insurance through the ACA and you can see the possibility of throwing insurance markets into chaos.

Of course, there are lots of other ideas, e.g., more incentives for health savings accounts (“HSA’s”), altering the “minimum essential benefits” list, use of high risk pools, etc., and each of these has a different effect, both on the economics of healthcare and on the hotly-debated issue of universal access to healthcare.

But something is likely to happen in the next 3 months and my recommendations for the immediate future are as follows:

  1. If you have insurance, don’t drop it or let it lapse.
  2. If you lose employer-based insurance, be sure to review your COBRA options.
  3. If you lose your job and COBRA is not attractive, you have the option of utilizing the ACA marketplace because losing your job is a “qualifying life event” that allows you to access the marketplace outside of the annual “open enrollment period.”

Please feel free to contact Scott Chase or Jennifer Snow at our firm if you have any questions about the ACA.


Physician non-competition agreements

Many people erroneously believe that non-competes are not enforceable against physicians in Texas.  To the contrary, non-competes that are ancillary to or part of otherwise enforceable contracts generally are enforceable, provided that they meet certain statutory requirements.  For example, these covenants must contain reasonable limitations as to time, geographical area, and scope of activity to be restrained.  They also must not deny a doctor access to his patient list, must provide access to medical records upon patient authorization, and must provide for a buy-out of the covenant at a reasonable price.  A physician may not be prohibited by a non-compete provision from providing continuing care to a patient during the course of an acute illness.

In addition to imposing an undesirable non-competition clause, a poorly reviewed employment contract can expose a doctor to many other unanticipated risks as well, including call coverage and payback obligations.

For more information on review and negotiation of physician employment contracts, please contact board-certified health care law attorney Scott Chase.


Corporate practice of medicine

Texas law generally prohibits the practice of medicine by any corporation, entity, or non-physician individual.  The “corporate practice of medicine” doctrine forbids a physician from entering into an agreement with a non-physician under which the non-physician would in any way control the physician’s medical practice.  Based on this doctrine, non-physician individuals and entities generally cannot employ physicians.

There are, of course, exceptions to this general rule.  For example, a nonprofit certified by the Texas Medical Board under Section 162.001(b) of the Texas Occupations Code — often called a “5.01(a) corporation” after the section of the Texas Medical Practice Act under which they were originally formed—may employ a physician if certain requirements are met.  The directors of such a corporation must all be licensed by the Texas State Board of Medical Examiners and must retain the sole authority to direct all medical, professional, and ethical aspects of the practice of medicine within the corporation.  Additional requirements must be met in case of any non-physician members of the corporation.  Further, a 5.01(a) corporation, like any Texas non-profit corporation, may not pay dividends to its members, so any profits must be paid through management agreements or as compensation.

In 2011, the Texas Legislature enacted laws designed to allow specific types of hospitals and hospital districts to hire physicians and to allow physicians to form certain ownership-sharing agreements with physician assistants.  Critical access hospitals, sole community hospitals, and hospitals in counties of 50,000 or fewer people may now employ physicians if certain protections are in place.  Physicians may also form corporations, partnerships, professional associations, and professional limited liability companies together with physician assistants, provided that statutory ownership and control requirements are met.


HIPAA and business associates

HIPAA-covered entities and their business associates are facing increased obligations to securely maintain and handle protected health information. A health care entity subject to HIPAA rules must ensure that its contracts with a business associate that may receive protected health information include statutorily required assurances that the business associate will appropriately safeguard the information. That is, in a vendor contract, staffing contract, or services contract in which data provided to a party includes protected health information of any person, the contract that governs that transaction or relationship must include language of HIPAA compliance.

For assistance in assessing security risks, updating policies, and training employees, please contact board-certified healthcare attorney Scott Chase.


What is HIPAA?

HIPAA, HITECH, and state laws all impact the responsibilities of health care providers and their business associates regarding the treatment and disclosure of confidential medical and health records. The HIPAA Security Rule, in particular, requires that covered entities must keep electronically-stored protected health information in a manner that maintains the records’ confidentiality, integrity, and availability. Covered health care providers must carefully identify potential risks and vulnerabilities and protect against reasonably-anticipated threats or hazards to the security of confidential information. They must protect against reasonably anticipated impermissible uses or disclosures and ensure compliance by their employees. The Security Rule requires covered entities to provide access to usable electronically-stored protected health information to authorized persons on demand. Business associates of HIPAA-covered entities, who are not covered entities themselves, also face increased responsibility under the HITECH Act of 2009 to securely maintain and handle protected health information. To avoid steep fines and the growing possibility of civil liability, covered entities and their business associates should be informed and proactive regarding their evolving responsibilities with respect to protected health information.

The Security Rule does not dictate specific protection measures, but instead allows each covered entity to develop its own measures considering its size, complexity, and capabilities; its technical infrastructure; costs; and the likelihood and possible impact of inadvertent disclosures of protected health information. Entities must properly document their chosen safety measure. Importantly, however, it is not enough for an entity to adopt security standards; instead, those standards must actually be assessed, implemented, and followed. The Security Rule requires that security measures be updated and documented “as needed.” While the Rule does not state how frequently risk analysis must be performed, regular review and modification of security measures is undoubtedly key in ensuring HIPAA compliance. Security assessments and training should take place on an ongoing basis, and legal audits in compliance are advisable on a periodic basis or when an entity has experienced a security incident, a change in ownership, or a turnover in key staff, or when the entity is planning to incorporate new technology.

For more information, contact board-certified health care attorney Scott Chase.


Affordable Care Act employer information

The Affordable Care Act is a federal statute that creates new responsibilities for employers.  Employers who have fewer than 25 “full-time equivalent” employees can qualify for a small business health care tax credit if they pay at least 50% of the employees’ health insurance premium costs and offer coverage through the Small Business Health Options Program (“SHOP”) Marketplace.  Larger employers face new requirements to insure their employees—and steep penalties, should they fail to comply with the requirements.  In 2015, employers with 100 or more full-time equivalent (“FTE”) employees must offer coverage to 70% of those employees and their dependents.  And beginning in 2016, all employers with 50 or more FTE employees must offer coverage to 95% of those employees and their dependents.

For an employer to determine whether it comes within these new requirements, the employer must first calculate its number of full-time equivalent (“FTE”) employees.  Each employee who works 30 hours or more per week, over at least 120 days per year, is a full-time employee.  But hours worked by part-time employees also add to the FTE number; if, for example, five part-time employees work a total of 60 hours per week, their employer would need to add two FTE employees to its total.  Notably, affiliated companies may be treated as a single employer under the Act.  As a result, three companies each having 20 FTE employees could either: 1) qualify for small business health care tax credits, if they are treated as three separate employers; or 2) be subject to the employer coverage mandate, if they are sufficiently connected to be treated as a single employer.  It is therefore particularly important that companies who share ownership or control, or who otherwise coordinate their business activities, consult with counsel to determine their employer status under the ACA.

Once an employer confirms that it is subject to the employer mandate, it has more decisions to make.  For each year that the employer does not offer any insurance coverage to its employees, it will face a $2,000 penalty per FTE, minus the first 30 employees (or, in 2015, minus the first 80 employees).  To avoid such penalties, the employer should offer its employees an “affordable” plan that provides “minimum value” under the ACA.  These calculations are complex.  Generally, “minimum value” requires that the employer pays at least 60% of the plan’s costs, and “affordable” requires that an employee’s premiums cost no more than 9.5% of his or her household income.  If the employer’s plan is deemed to not provide minimum value, or to not be affordable, the employer will be fined $3,000 for any full-time employees who receive federal premium subsidies for marketplace coverage.  Some employers may, nevertheless, opt for “skinny plans” that may not meet the required minimum essential coverage under the Act, but which will avoid the $2,000-per-employee penalty and reduce coverage costs.

For more information about how the Affordable Care Act may affect your business, please contact board-certified health care attorney Scott Chase.


What Is the Stark Law?

Federal Stark law applies alongside anti-kickback law to create strict civil penalties for any physician who makes a “self-referral.”  Specifically, the law bars a physician from referring a Medicare or Medicaid patient to receive any designated health care service from any person or entity with which the physician has a financial relationship.  This relationship could be an ownership interest, an investment interest, or a structured compensation agreement.

Unlike anti-kickback laws, Stark is a strict-liability statute, meaning that any violation, whether intentional or not, leads to liability.

The parameters of the Stark law include specific carve-outs that allow medical providers to enter mutually-beneficial transactions with impunity.  These carve-outs are known as “safe harbors” and are detailed and complex. To avoid potential violations, health care providers should review all transactions carefully with the aid of experienced counsel.


What Is the “Anti-Kickback” Statute?

Physicians and other health care providers face numerous prohibitions against self-referrals and against making referrals in exchange for remuneration.  The federal Anti-Kickback Statute is a criminal law that prohibits the knowing and willful payment of remuneration in exchange for referrals of services payable by federal health programs, which include health care services for Medicare or Medicaid patients.  The law prohibits any person from offering, paying, soliciting, or receiving anything of value—whether it is money or something less obvious, such as free product, tickets, hotel vouchers, speaking fees, or lowered rent payments.  This law creates restrictions on virtually all business dealings involving physicians, including dealings with landlords, drug companies, device manufacturers, physical therapy clinics, hospitals, or other physicians.

Anti-kickback violations must be knowing and willful for criminal liability to attach; successful prosecution can lead to fines of up to $25,000 per violation and prison time.  Further, any doctor who submits false Medicare or Medicaid claims, whether knowingly or with reckless disregard for their truth or falsity, also faces civil liability under the False Claims Act.

The parameters of anti-kickback law include specific carve-outs that allow medical providers to enter mutually-beneficial transactions with impunity.  These carve-outs are known as “safe harbors” and are detailed and complex. To avoid potential violations, health care providers should review all transactions carefully with the aid of experienced counsel.