December 6, 2016

Liability for Non-Employees: Beware Apparent Authority

by Kim Stanger

As a general rule, hospitals and other healthcare providers are not liable for the acts of non-employed medical staff members, independent contractors or vendors; instead, each party is responsible for its own actions or those of its employees or agents who are acting within the scope of their employment or agency. However, courts are sometimes willing to hold a hospital or provider vicariously liable for the acts of non-employees under the doctrine of “apparent authority”.

Apparent Authority. In Jones v. Healthsouth Treasure Valley, for example, the Idaho Supreme Court held that a hospital might be liable for the acts of an independent contractor if: (1) the hospital’s conduct would lead a plaintiff to reasonably believe that another person acts on the hospital’s behalf (i.e., the hospital held out that other person as the hospital’s agent); and (2) the plaintiff reasonably believes that the putative agent’s services are rendered on behalf of the hospital (i.e., the plaintiff is justified in believing that the actor is acting as the agent of the hospital). (147 Idaho 109, 206 P.3d 473 (2009)). The Idaho Supreme Court recently reaffirmed the apparent authority theory in Navo v. Bingham Memorial Hospital, 160 Idaho 363, 373 P.3d 681 (2016). Continue reading

November 29, 2016

Beware Gifts to Providers, Patients or Other Referral Sources

By Kim Stanger, Holland & Hart LLP

At this time of year, healthcare providers may want to give gifts to referring providers, patients or other sources of business; however, such gifts may violate federal and state fraud and abuse laws and result in fines—or worse—to both the giver and recipient. Here are some guidelines to ensure your gift giving does not get you in trouble with the government.

1. Gifts To Referral Sources. The federal Anti-Kickback Statute (“AKS”) prohibits soliciting, offering, giving, or receiving remuneration in exchange for referrals for items or services covered by federal healthcare programs (e.g., Medicare and Medicaid) unless the arrangement fits within a regulatory exception. (42 USC 1320a-7b(b)). AKS violations are felonies, and may result in criminal and civil penalties, False Claims Act liability, and exclusion from Medicare and Medicaid programs. The AKS is violated if “one purpose” of the remuneration is to induce federal program referrals, including gifts to referring practitioners or program beneficiaries to encourage or reward their business. (OIG Adv. Op. 12-14). Significantly, the AKS applies to both the giver and recipient; thus, soliciting or receiving gifts from vendors or other providers may expose the recipient to liability. The OIG has suggested that “nominal” gifts would not create much AKS risk, but offers no guidance as to what is “nominal”. (65 FR 59441). The AKS does not expressly apply to referrals for private pay business, but the OIG has warned that offering remuneration to obtain private pay referrals may also induce federal program business and thereby violate the AKS. (OIG Adv. Op. 12-06). In addition, offering gifts to induce or reward private pay business may violate state laws, including state laws prohibiting kickbacks, rebates, or fee splitting. (See, e.g., Idaho Code 41-348 and 54-1814). In short, you should not give or accept gifts to or from referral sources (especially those referring federal program business) unless the gift is truly nominal, is clearly and completely unrelated to past or future referrals, or is very unlikely to influence referrals. Continue reading

November 23, 2016

Responding to Negative Internet Reviews: Beware HIPAA

By Kim Stanger, Holland & Hart LLP

As a healthcare provider, you may log onto the internet one day only to discover a negative review from a disgruntled patient or family member. Undoubtedly, the review contains inaccurate, incomplete, or downright defamatory information. Your first impulse may be to post a response online, but doing so may subject you to HIPAA fines, adverse licensure action, or privacy lawsuits.

HIPAA generally prohibits healthcare providers from using or disclosing a patient’s protected health information without the patient’s authorization. (45 CFR 164.502). “Protected health information” includes information that “[r]elates to the past, present, or future physical or mental health or condition of an individual [or] the provision of health care to an individual, and … that [i]dentifies the individual, or [w]ith respect to which there is a reasonable basis to believe the information can be used to identify the individual.” (45 CFR 160.103). Thus, posting any information that identifies the individual as a patient likely violates HIPAA even if specific medical information is not disclosed; a patient does not waive their HIPAA rights by posting his or her own information, and there is no HIPAA exception that allows a healthcare provider to disclose information in response to a negative review. In 2013, Shasta Regional Medical Center paid $275,000 to settle claims that it violated HIPAA when it disclosed a patient’s health information to the media in response to a negative newspaper article. (See Press Release). ProPublica recently published a report identifying numerous HIPAA violations resulting from providers’ ill-considered responses to negative internet reviews. (See article).

Continue reading

October 31, 2016

Settlement Expands Developmental Disabilities Benefits in Idaho

By Rob Low, Holland & Hart LLP

On October 24, 2016 a federal judge approved a preliminary settlement between the Idaho Department of Health and Welfare and developmentally disabled Idaho residents. The settlement, if finalized, will end a class action lawsuit brought against the Department in 2012 by the Idaho American Civil Liberties Union (ACLU) of Idaho on behalf of 12 Idaho residents with severe disabilities.

The lawsuit alleged that the Department cut the residents’ benefits provided through Idaho’s developmentally disabled Medicaid waiver program by as much as 40 percent, and refused to disclose how it calculated such reduction in benefits (claiming the calculation formula was a state “trade secret”), which made it nearly impossible for the residents to appeal the benefit cuts. Judge B. Lynn Winmill, enjoined the cuts, which resulted in the restoration of approximately $30 million in Medicaid assistance annually. The Department appealed, but the injunction was upheld by the federal Ninth Circuit Court of Appeals. According to the ACLU of Idaho website, the settlement will impact about 4,000 people across Idaho, plus all future program participants. Continue reading

October 26, 2016

Conduct a Thorough HIPAA Risk Analysis or Pay Big Fines

by Kim Stanger, Romaine Marshall, and C. Matt Sorensen, Holland & Hart LLP

St. Joseph Health recently agreed to pay $2.14 million to settle allegations by the Department of Health and Human Services Office for Civil Rights Office (“OCR”) that its data security was inadequate.

In its investigation of St. Joseph’s handling of a 2012 data breach that exposed 31,800 patient medical records, OCR claimed St. Joseph did not change the default settings on a new server, which allowed members of the public to access via search engines the personal health information of 31,800 patients for a full year. By failing to switch off its servers’ default setting, St. Joseph potentially violated the HIPAA Security Rule’s requirement to conduct a technical and nontechnical evaluation of any operational changes that might affect the security of ePHI.

In addition to paying $2.14 million, St. Joseph Health agreed to implement a corrective action plan that requires it to conduct an enterprise-wide risk analysis, develop and implement a risk management plan, revise its policies and procedures, and train its staff on these policies and procedures. St. Joseph had conducted an enterprise-wide risk analysis in 2010, but the OCR deemed that to be inadequate because the analysis did not include an evaluation of the technical specifications of St. Joseph’s servers. Continue reading

October 10, 2016

Office of the National Coordinator for Health Information Technology Issues Formal Guidance for Selecting and Negotiating Contracts with Electronic Health Record Vendors

by Teresa Locke, Holland & Hart LLP

On September 26, 2016, the U.S. Department of Health and Human Services’ (HHS) Office of the National Coordinator for Health Information Technology (ONC) released a practical and straightforward tool to assist health care providers as they select and negotiate the acquisition of an electronic health record system (EHR). The document’s title accurately encapsulates the content of the 53-page guide: “EHR Contracts Untangled: Selecting Wisely, Negotiating Terms, and Understanding the Fine Print.” The guide can be found at https://www.healthit.gov/sites/default/files/EHR_Contracts_Untangled.pdf. The new contract guide explains important concepts in EHR contracts and includes example contract language to help providers and health administrators in planning to acquire an EHR system and negotiating contract terms with vendors. Continue reading

October 4, 2016

Check Your Business Associate Agreements: OCR Tags Health System for Outdated BAA

By Kim Stanger, Holland & Hart LLP

The Office for Civil Rights (“OCR”) continues to emphasize the need for covered entities and business associates to have compliant business associate agreements (“BAAs”). Last week, the OCR announced a $400,000 settlement with a hospital system for failing to update its BAAs to include terms required by the 2013 HIPAA Omnibus Rule. In a press release, OCR Director Jocelyn Samuels stated,

This case illustrates the vital importance of reviewing and updating, as necessary, business associate agreements, especially in light of required revisions under the Omnibus Final Rule …. The Omnibus Final Rule outlined necessary changes to established business associate agreements and new requirements which include provisions for reporting.”

See Press Release here. Earlier this year, the OCR entered settlement agreements of $1,550,000 and $750,000 based on the covered entity’s failure to execute BAAs where the business associate had experienced a data breach. See reported settlements at https://www.hhs.gov/hipaa/newsroom/index.html. The lesson is clear: covered entities must have BAAs, and those BAAs must contain the required terms; failure to do so may subject the covered entity to liability for the business associate’s breach. Continue reading

September 13, 2016

Idaho Board of Medicine Disavows the Corporate Practice of Medicine Doctrine

By Kim Stanger, Holland & Hart LLP

For decades, the Idaho Board of Medicine took the position that, with limited exceptions, the Idaho Medical Practice Act “prohibits unlicensed corporations and entities from hiring physicians as employees to provide medical services to patients.” Memo from J. Uranga to Idaho State Bd. of Medicine dated 2/26/07. This “corporate practice of medicine doctrine” had its Idaho foundation in a 1952 Idaho Supreme Court case which held that:

[n]o unlicensed person or entity may engage in the practice of the medical profession though licensed employees; nor may a licensed physician practice as an employee of an unlicensed person or entity. Such practices are contrary to public policy.

Worlton v. Davis, 73 Idaho 217, 221 (1952). The Board of Medicine warned that violations of the doctrine may result in disciplinary action against physicians and, more recently, physician assistants. Entities that improperly employed physicians or physician assistants risked the possibility of criminal action for the unauthorized practice of medicine.

Over the years, the corporate practice of medicine doctrine has been criticized as anachronistic and inconsistent with recent legislative action. See, e.g., M. Gustavson and N. Taylor, At Death’s Door—Idaho’s Corporate Practice of Medicine Doctrine, 47 Idaho L. Rev. 480 (2011). Continue reading

July 6, 2016

Providers Must Post New Nondiscrimination Notices

By Kim Stanger, Holland & Hart LLP

Under the new ACA Nondiscrimination Rules, covered entities (including most healthcare providers) must post and publish new mandatory nondiscrimination statements and taglines by October 16, 2016.

1. Notice of Nondiscrimination + Taglines: Facility, Website, and Significant Publications. The new mandatory “Notice of Nondiscrimination” must inform persons that:

  1. the covered entity does not discriminate on the basis of race, color, national origin, sex, age, or disability in its health programs and activities;
  2. the covered entity provides appropriate auxiliary aids and services, including qualified interpreters for individuals with disabilities and information in alternate formats, free of charge and in a timely manner, when such aids and services are necessary to ensure an equal opportunity to participate to individuals with disabilities;
  3. the covered entity provides language assistance services, including translated documents and oral interpretation, free of charge and in a timely manner, when such services are necessary to provide meaningful access to individuals with limited English proficiency;
  4. how to obtain the aids and services described above;
  5. if the covered entity has fifteen or more employees, identification of, and contact information for, the employee responsible for coordinating the covered entity’s compliance as required by the regulations;
  6. if the covered entity has fifteen or more employees, the availability of the grievance procedure required by the regulations and how to file a grievance; and
  7. how to file a discrimination complaint with the Office for Civil Rights (“OCR”).

(45 C.F.R. § 92.8(a) and (b)(1)). HHS has published a sample Notice of Nondiscrimination, which is available here. Although HHS encourages entities to post the Notice of Nondiscrimination in languages other than English, covered entities are not required to do so. Continue reading