Farrow-Gillespie Heath Witter LLP - Health Care Law

Corporate practice of medicine

Texas law generally prohibits the practice of medicine by any corporation, entity, or non-physician individual.  The “corporate practice of medicine” doctrine forbids a physician from entering into an agreement with a non-physician under which the non-physician would in any way control the physician’s medical practice.  Based on this doctrine, non-physician individuals and entities generally cannot employ physicians.

There are, of course, exceptions to this general rule.  For example, a nonprofit certified by the Texas Medical Board under Section 162.001(b) of the Texas Occupations Code (often called a “5.01(a) corporation” after the section of the Texas Medical Practice Act under which such corporations were originally formed) may employ a physician if certain requirements are met.  The directors of such a corporation must all be licensed by the Texas State Board of Medical Examiners and must retain the sole authority to direct all medical, professional, and ethical aspects of the practice of medicine within the corporation.  Additional requirements must be met if the corporation has any non-physician members.  Further, a 5.01(a) corporation, like any Texas non-profit corporation, may not pay dividends to its members, so any profits must be paid through management agreements or as compensation.

In 2011, the Texas Legislature enacted laws designed to allow specific types of hospitals and hospital districts to hire physicians and to allow physicians to form certain ownership-sharing agreements with physician assistants.  Critical access hospitals, sole community hospitals, and hospitals in counties of 50,000 or fewer people may now employ physicians if certain protections are in place.  Physicians may also form corporations, partnerships, professional associations, and professional limited liability companies together with physician assistants, provided that statutory ownership and control requirements are met.

$150,000 Fine for HIPAA Violation

The U.S. Department of Health and Human Services, Office for Civil Rights (HHS-OCR), has recently entered into another HIPAA settlement, emphasizing yet again the government’s focus on the HIPAA Security Rule.  The settlement highlights that health care entities cannot merely adopt HIPAA policies; they must actually implement and follow those policies in practice on an ongoing basis.  In early December 2014, HHS-OCR confirmed that Anchorage Community Mental Health Services (ACMHS), a nonprofit organization providing behavioral health care services, had agreed to pay a $150,000 fine, to adopt a corrective action plan to correct deficiencies in its HIPAA compliance program, and to report to HHS-OCR on the state of its compliance for two years.  The settlement was based on an HHS-OCR investigation regarding ACMHS’s breach of unsecured electronic protected health information (ePHI).  The breach was the result of malware that compromised the security of ACMHS’s information technology (IT) resources and affected 2,743 individuals.

During its investigation, HHS-OCR found that ACMHS had adopted sample HIPAA Security Rule policies and procedures in 2005, but these policies and procedures were not followed and/or updated.  Thus, ACMHS could have avoided the breach (and not been subject to the settlement agreement) if it had followed its own policies and procedures and regularly assessed and updated its IT resources with available patches.

The settlement with ACMHS is just one of several recent settlements arising from an HHS-OCR investigation, either because an organization self-reported a breach of ePHI or because HHS-OCR investigated an organization’s HIPAA compliance program after receiving a complaint or as part of its annual audit protocol.  No matter how the investigation begins, HHS-OCR will expect an organization to have fully implemented and updated its HIPAA compliance program and/or policies and procedures.  Compliance with the HIPAA Security Rule requires organizations (among other things) to assess risks to ePHI on a regular basis, including whenever new software, e.g., a patient portal, is implemented.  Organizations cannot simply adopt HIPAA policies and procedures, conduct training, and then ignore HIPAA.  All organizations subject to HIPAA, both “covered entities” and “business associates” (regardless of size), must devote ongoing resources to protect personal health information from security threats.

Most of the activities that HHS-OCR found lacking in ACMHS are ones that can be efficiently developed, implemented or sustained with timely planning by health care providers.  Please let me know if you, or any of your clients, would like to discuss any of these activities with me.