April 25, 2017

HIPAA: Should You Ask Patients for Consent to Disclose Information?

by Kim Stanger

Healthcare providers often limit unnecessarily their ability to use or disclose protected health information without the patient’s consent, thereby increasing their potential liability for unauthorized disclosures. For example, providers often:

  • Tell the patient that the provider will only disclose the patient’s information to those persons identified by the patient, thereby precluding disclosures to others who are not identified.
  • Ask the patient to list those to whom the provider may disclose information, thereby expressly or impliedly suggesting that they will not disclose information to others.
  • Ask that the patient authorize disclosures to payers and/or other providers, thereby expressly or impliedly agreeing that they will not disclose information to payers or providers if not authorized by the patient.

They do so under the mistaken belief that HIPAA requires such. In reality, such practices may actually increase potential HIPAA liability. Continue reading

April 17, 2017

Group Compensation Arrangements: Stark Requirements

by Kim Stanger

Physician practices must ensure that their group compensation structures comply with the federal Ethics in Patient Referrals Act (“Stark”) if they intend to bill Medicare or Medicaid for services rendered or referred by the group physicians. Under Stark, if a physician1 (or a member of the physician’s family) has a financial relationship with an entity, the physician may not refer patients to the entity for certain designated health services (“DHS”)2 payable by Medicare and Medicaid unless the financial relationship is structured to fit within a regulatory safe harbor. (42 CFR § 411.353). Stark applies to DHS referrals within the group, so the physician’s compensation arrangement must be structured to comply with Stark; otherwise, the group may not bill Medicare and Medicaid for DHS that were referred improperly, and, if they were improperly billed, the entity must repay amounts improperly received. Failure to report and repay within 60 days may result in additional civil penalties of $15,000 per claim as well as False Claims Act liability. Repayments may easily run into hundreds of thousands of dollars. Given the potential liability, it is critical that physician group compensation arrangements be structured to fit within one of the following regulatory safe harbors if they intend to participate in Medicare or Medicaid. Continue reading

April 10, 2017

Withdrawing Care for Developmentally Disabled Persons: New Idaho Standards

by Kim Stanger

Recent amendments will allow guardians and those treating developmentally disabled persons greater discretion in withholding or withdrawing artificial life-sustaining treatment, thereby avoiding situations in which developmentally disabled persons were forced to suffer painful, extended procedures which may be considered inhumane.

The Former Standard. Under Idaho law, the guardian or personal representative of an incompetent person may generally authorize the medically appropriate withdrawal of treatment for the patient. (I.C. §§ 39-4504(1) and 39-4514(3)). In the case of developmentally disabled persons, however, the former law prohibited guardians and physicians of developmentally disabled persons from withholding or withdrawing artificial life-sustaining treatment unless the treating physician and one other physician certified that the person had a terminal condition such that the application of artificial life-sustaining treatment would only serve to prolong death for a period of hours, days or weeks, and that death was imminent regardless of the life-sustaining procedures. (I.C. § 66-405(7)-(8)). Unfortunately, this standard looked only at the length of the patient’s life without considering the pain that the patient may be forced to endure in the meantime. Because of advances in medicine, healthcare providers are often able to keep persons alive for months or years, but at a terrible cost in suffering to the patient and their loved ones. Application of the former standard sometimes resulted in heartbreaking situations in which developmentally disabled persons—often with little or no cognition—were relegated to an existence that offered nothing more than perpetual pain or discomfort instead of allowing the medically appropriate withdrawal treatment. By so doing, the standard deprived developmentally disabled persons of rights that were offered to others. Continue reading

January 19, 2017

Report HIPAA Breaches Without Delay

by Kim Stanger

If you experience a HIPAA breach, make sure you investigate and report the breach “without unreasonable delay and in no case later than 60 calendar days after discovery of the breach” or you may be subject to HIPAA fines. (45 CFR 164.404(b)). The Office for Civil Rights just settled for $475,000 its first case against a covered entity for unreasonable delay in reporting a HIPAA breach.

On October 22, 2013, Presence St. Joseph Medical Center (“Presence Health”) discovered that its paper-based operating schedules were missing from its surgery center. The schedules contained protected health information of 836 persons, including names, birthdates, procedure information, and medical record information. Because the breach involved more than 500 persons, Presence Health was required to report the breach to HHS and local media at the time it notified affected individuals. However, due to a miscommunication between its workforce members, Presence Health did not report breach to HHS until January 31, 2014 (101 days after the breach was discovered); did not notify affected individuals until February 3, 2014 (104 days after the breach was discovered); and did not notify the media until February 5, 2014 (105 days after the breach was discovered). The HIPAA Breach Notification Rule requires that covered entities notify individuals and, if the breach involves more than 500 persons, report breaches to HHS and local media without unreasonable delay and in no event later than 60 calendar days after discovery of the breach. (45 CFR 164.404-.410). A separate HIPAA violation occurs for each day the covered entity fails to report the breach beyond the deadline. Presence Health settled the alleged violations for $475,000. A copy of the OCR’s press release is available here. Continue reading

December 28, 2016

Idaho Peer Review Privilege

by Kim Stanger

Idaho has enacted a broad privilege that protects the confidentiality of credentialing, quality improvement, and similar peer review activities by Idaho hospitals and other health care entities. The statute encourages participation and protects the integrity of such peer review activities by ensuring that peer review communications and proceedings remain confidential, and that participants are immune from liability.

Application. The privilege applies to “peer review” activities conducted by “healthcare organizations”. (I.C. § 39-1392).

“Health care organization” means a hospital, in-hospital medical staff committee,1 medical society, managed care organization, licensed emergency medical service, group medical practice, or skilled nursing facility.

(I.C. § 39-1392a(3)).

“Peer review” means the collection, interpretation and analysis of data by a health care organization for the purpose of bettering the system of delivery of health care or to improve the provision of health care or to otherwise reduce patient morbidity and mortality and improve the quality of patient care. Peer review activities by a health care organization include, without limitation:
(a) Credentialing, privileging or affiliating of health care providers as members of, or providers for, a health care organization;
(b) Quality assurance and improvement, patient safety investigations and analysis, patient adverse outcome reviews, and root-cause analysis and investigation activities by a health care organization; and
(c) Professional review action, meaning an action or recommendation of a health care organization which is taken or made in the conduct of peer review, that is based on the competence or professional conduct of an individual physician or emergency medical services personnel where such conduct adversely affects or could adversely affect the health or welfare of a patient or the physician’s privileges, employment or membership in the health care organization or in the case of emergency medical services personnel, the emergency medical services personnel’s scope of practice, employment or membership in the health care organization.

(I.C. § 39-1392a(11)). Continue reading

December 19, 2016

Requiring Referrals from Employees and Contractors

by Kim Stanger

Many providers mistakenly believe that the federal Stark law prohibits hospitals and other employers from requiring employed or contracted physicians to refer healthcare services to the employer. Stark actually allows a hospital or other employer to require contracted physicians to refer items or services to the hospital if the items or services relate to the physician’s services under the contract and certain additional conditions are satisfied.

Stark Regulations. Stark’s “special rules on compensation” state:

A physician’s compensation from a bona fide employer … or other arrangement for personal services may be conditioned on the physician’s referrals to a particular provider, practitioner, or supplier, provided that the compensation arrangement meets all of the following conditions. The compensation arrangement:
(i) Is set in advance for the term of the arrangement.
(ii) Is consistent with fair market value for services performed (that is, the payment does not take into account the volume or value of anticipated or required referrals).
(iii) Otherwise complies with an applicable exception under [42 CFR] §411.355 or §411.357.
(iv) Complies with both of the following conditions:

(A) The requirement to make referrals to a particular provider, practitioner, or supplier is set out in writing and signed by the parties.
(B) The requirement to make referrals to a particular provider, practitioner, or supplier does not apply if the patient expresses a preference for a different provider, practitioner, or supplier; the patient’s insurer determines the provider, practitioner, or supplier; or the referral is not in the patient’s best medical interests in the physician’s judgment.

(v) The required referrals relate solely to the physician’s services covered by the scope of the employment, the arrangement for personal services, or the contract, and the referral requirement is reasonably necessary to effectuate the legitimate business purposes of the compensation arrangement. In no event may the physician be required to make referrals that relate to services that are not provided by the physician under the scope of his or her employment, arrangement for personal services, or contract.

Continue reading

December 6, 2016

Liability for Non-Employees: Beware Apparent Authority

by Kim Stanger

As a general rule, hospitals and other healthcare providers are not liable for the acts of non-employed medical staff members, independent contractors or vendors; instead, each party is responsible for its own actions or those of its employees or agents who are acting within the scope of their employment or agency. However, courts are sometimes willing to hold a hospital or provider vicariously liable for the acts of non-employees under the doctrine of “apparent authority”.

Apparent Authority. In Jones v. Healthsouth Treasure Valley, for example, the Idaho Supreme Court held that a hospital might be liable for the acts of an independent contractor if: (1) the hospital’s conduct would lead a plaintiff to reasonably believe that another person acts on the hospital’s behalf (i.e., the hospital held out that other person as the hospital’s agent); and (2) the plaintiff reasonably believes that the putative agent’s services are rendered on behalf of the hospital (i.e., the plaintiff is justified in believing that the actor is acting as the agent of the hospital). (147 Idaho 109, 206 P.3d 473 (2009)). The Idaho Supreme Court recently reaffirmed the apparent authority theory in Navo v. Bingham Memorial Hospital, 160 Idaho 363, 373 P.3d 681 (2016). Continue reading

November 29, 2016

Beware Gifts to Providers, Patients or Other Referral Sources

By Kim Stanger, Holland & Hart LLP

At this time of year, healthcare providers may want to give gifts to referring providers, patients or other sources of business; however, such gifts may violate federal and state fraud and abuse laws and result in fines—or worse—to both the giver and recipient. Here are some guidelines to ensure your gift giving does not get you in trouble with the government.

1. Gifts To Referral Sources. The federal Anti-Kickback Statute (“AKS”) prohibits soliciting, offering, giving, or receiving remuneration in exchange for referrals for items or services covered by federal healthcare programs (e.g., Medicare and Medicaid) unless the arrangement fits within a regulatory exception. (42 USC 1320a-7b(b)). AKS violations are felonies, and may result in criminal and civil penalties, False Claims Act liability, and exclusion from Medicare and Medicaid programs. The AKS is violated if “one purpose” of the remuneration is to induce federal program referrals, including gifts to referring practitioners or program beneficiaries to encourage or reward their business. (OIG Adv. Op. 12-14). Significantly, the AKS applies to both the giver and recipient; thus, soliciting or receiving gifts from vendors or other providers may expose the recipient to liability. The OIG has suggested that “nominal” gifts would not create much AKS risk, but offers no guidance as to what is “nominal”. (65 FR 59441). The AKS does not expressly apply to referrals for private pay business, but the OIG has warned that offering remuneration to obtain private pay referrals may also induce federal program business and thereby violate the AKS. (OIG Adv. Op. 12-06). In addition, offering gifts to induce or reward private pay business may violate state laws, including state laws prohibiting kickbacks, rebates, or fee splitting. (See, e.g., Idaho Code 41-348 and 54-1814). In short, you should not give or accept gifts to or from referral sources (especially those referring federal program business) unless the gift is truly nominal, is clearly and completely unrelated to past or future referrals, or is very unlikely to influence referrals. Continue reading

November 23, 2016

Responding to Negative Internet Reviews: Beware HIPAA

By Kim Stanger, Holland & Hart LLP

As a healthcare provider, you may log onto the internet one day only to discover a negative review from a disgruntled patient or family member. Undoubtedly, the review contains inaccurate, incomplete, or downright defamatory information. Your first impulse may be to post a response online, but doing so may subject you to HIPAA fines, adverse licensure action, or privacy lawsuits.

HIPAA generally prohibits healthcare providers from using or disclosing a patient’s protected health information without the patient’s authorization. (45 CFR 164.502). “Protected health information” includes information that “[r]elates to the past, present, or future physical or mental health or condition of an individual [or] the provision of health care to an individual, and … that [i]dentifies the individual, or [w]ith respect to which there is a reasonable basis to believe the information can be used to identify the individual.” (45 CFR 160.103). Thus, posting any information that identifies the individual as a patient likely violates HIPAA even if specific medical information is not disclosed; a patient does not waive their HIPAA rights by posting his or her own information, and there is no HIPAA exception that allows a healthcare provider to disclose information in response to a negative review. In 2013, Shasta Regional Medical Center paid $275,000 to settle claims that it violated HIPAA when it disclosed a patient’s health information to the media in response to a negative newspaper article. (See Press Release). ProPublica recently published a report identifying numerous HIPAA violations resulting from providers’ ill-considered responses to negative internet reviews. (See article).

Continue reading

October 31, 2016

Settlement Expands Developmental Disabilities Benefits in Idaho

By Rob Low, Holland & Hart LLP

On October 24, 2016 a federal judge approved a preliminary settlement between the Idaho Department of Health and Welfare and developmentally disabled Idaho residents. The settlement, if finalized, will end a class action lawsuit brought against the Department in 2012 by the Idaho American Civil Liberties Union (ACLU) of Idaho on behalf of 12 Idaho residents with severe disabilities.

The lawsuit alleged that the Department cut the residents’ benefits provided through Idaho’s developmentally disabled Medicaid waiver program by as much as 40 percent, and refused to disclose how it calculated such reduction in benefits (claiming the calculation formula was a state “trade secret”), which made it nearly impossible for the residents to appeal the benefit cuts. Judge B. Lynn Winmill, enjoined the cuts, which resulted in the restoration of approximately $30 million in Medicaid assistance annually. The Department appealed, but the injunction was upheld by the federal Ninth Circuit Court of Appeals. According to the ACLU of Idaho website, the settlement will impact about 4,000 people across Idaho, plus all future program participants. Continue reading