Posts

FGHW Anti-Kickback Laws 2

What Is the “Anti-Kickback” Statute?

Physicians and health care other providers face numerous prohibitions against self-referrals and against making referrals in exchange for remuneration.  The federal Anti-Kickback Statute is a criminal law that prohibits the knowing and willful payment of remuneration in exchange for referrals of services payable by federal health programs, which include health care services for Medicare or Medicaid patients.  The law prohibits any person from offering, paying, soliciting, or receiving anything of value—whether it is money or something less obvious, such as free product, tickets, hotel vouchers, speaking fees, or lowered rent payments.  This law creates restrictions on virtually all business dealings involving physicians, including dealings with landlords, drug companies, device manufacturers, physical therapy clinics, hospitals, or other physicians.

Anti-kickback violations must be knowing and willful for criminal liability to attach; successful prosecution can lead to fines of up to $25,000 per violation and prison time.  Further, any doctor who submits false Medicare or Medicaid claims, whether knowingly or with reckless disregard for their truth or falsity, also faces civil liability under the False Claims Act.

The parameters of anti-kickback law include specific carve-outs that allow medical providers to enter mutually-beneficial transactions with impunity.  These carve-outs are known as “safe harbors” and are detailed and complex. To avoid potential violations, health care providers should review all transactions carefully with the aid of experienced counsel.

Farrow-Gillespie Heath Witter LLP - Health Care Law

$150,000 Fine for HIPAA Violation

The U.S. Department of Health and Human Services, Office for Civil Rights (HHS-OCR), has recently entered into another HIPAA settlement, emphasizing yet again the government’s focus on the HIPAA Security Rule.  The settlement highlights that health care entities cannot merely adopt HIPAA policies but that they must actually implement and follow those policies in practice on an ongoing basis.  In early December 2014, HHS-OCR confirmed that Anchorage Community Mental Health Services (ACMHS), a nonprofit organization providing behavioral health care services, had agreed to pay a $150,000 fine and adopt a corrective action plan to correct deficiencies in its HIPAA compliance program and to report to HHS-OCR on the state of its compliance for two years.  The settlement was based on a HHS-OCR investigation regarding ACMHS’s breach of unsecured electronic protected health information (ePHI).  The breach was the result of a malware that compromised the security of ACMHS’ information technology (IT) resources and affected 2,743 individuals.

During its investigation, OCR-HHS found that ACMHS had adopted sample HIPAA Security Rule policies and procedures in 2005, but these policies and procedures were not followed and/or updated.  Thus, ACMHS could have avoided the breach (and not be subject to the settlement agreement), if it had followed its own policies and procedures and regularly assessed and updated its IT resources with available patches. The settlement with ACMHS is just one of several recent settlements arising from an HHS-OCR investigation, either because an organization self-reported a breach of ePHI or because HHS-OCR investigated an organization’s HIPAA compliance program after receiving a complaint or as part of its annual audit protocol.  No matter how the investigation begins, HHS-OCR will expect an organization to have fully implemented and updated its HIPAA compliance program and/or policies and procedures.  Compliance with the HIPAA Security Rule requires organizations (among other things) to assess risks to ePHI on a regular basis, including whenever new software, e.g., a patient portal, is implemented.  Organizations cannot simply adopt HIPAA policies and procedures, conduct training and then ignore HIPAA.  All organizations subject to HIPAA, both “covered entities” and “business associates” (regardless of size), must devote ongoing resources to protect personal health information from security threats.

Most of the activities that HHS-OCR found lacking in ACMHS are ones that can be efficiently developed, implemented or sustained with timely planning by health care providers.  Please let me know if you, or any of your clients, would like to discuss any of these activities with me.