March 22, 2021

HIPAA, Patient Access, and Designated Record Sets

With limited exceptions,¹ HIPAA generally gives individuals the right to access or obtain copies of their protected health information (“PHI”) from covered entities. (45 CFR § 164.524(a)). But the right of access does not apply to all PHI that a covered entity might have; instead, individuals only have a right to access information in their “designated record set”. This article summarizes relevant standards for determining which records patients have a right to access. Continue reading →

December 11, 2020

HHS Proposes Modifications to the HIPAA Privacy Rule

On December 10, the U.S. Department of Health and Human Services (HHS) announced proposed changes to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule to support individuals’ engagement in their care, remove barriers to coordinated care, and reduce regulatory burdens on the healthcare industry. The Holland & Hart Healthcare Group shares this important update from HHS for your information:

Read the HHS Update.

We will continue to monitor this news and will provide more in-depth insights on the impacts of the proposed modifications.

December 7, 2020

New Stark and Anti-Kickback Statute Comparisons

By Kim Stanger, J. Malcolm DeVoy, and Amber Ellis

On November 20, 2020, CMS and the OIG published their much anticipated amendments to the federal Stark and Anti-Kickback laws. As summarized in our recent client alert, the changes open the door to value-based contracting with potential referral sources. They also modify existing regulations and create new safe harbors applicable to provider relationships.

Continue reading →

December 4, 2020

HHS Amends PREP Act Declaration, Including to Expand Access to COVID-19 Countermeasures Via Telehealth

On December 3, the U.S. Department of Health and Human Services (HHS) issued a fourth amendment to the Declaration under the Public Readiness and Emergency Preparedness Act (PREP Act) to increase access to critical countermeasures against COVID-19. The Holland & Hart Healthcare Group shares this important update from HHS for your information:

Read the HHS Update

We will continue to monitor this news and will provide more in-depth insights on the impacts of this amendment.

Continue reading →

November 23, 2020

Final Rules for Stark and Anti-Kickback Reforms Issued by CMS and OIG

By Amber Ellis and J. Malcolm DeVoy

On November 20, 2020 the Centers for Medicare & Medicaid Services (CMS) and the Department of Health and Human Services Office of the Inspector General (OIG) issued two final rules to modernize and clarify the Physician Self-Referral regulations (the Stark Law, or Stark) and the Anti-Kickback Statute (AKS) safe harbor regulations. These new final rules generally take effect on January 19, 2021.

The prior Stark and AKS regulations were developed in a volume-based health care delivery and payment system. Over time, and with the rise of data that could be used by providers and payers to better anticipate patient needs and payment for them, concern arose that the existing regulations and policies would potentially inhibit the innovation necessary for moving toward a value-based system of care and payment. These new final rules aim to alleviate those concerns and advance the transition to value-based care and encourage the coordination of care among providers, while continuing to provide important safeguards to protect against fraud, abuse, and overutilization. Continue reading →

November 11, 2020

wRVU Compensation Formulas: Time to Review

By Kim Stanger

Many hospitals, physician groups, or other providers compensate employed or contracted practitioners based on the work relative value units (“wRVUs”) they generate, e.g., a physician may be paid $x per wRVU performed. Depending on the contract terms, those wRVU values may soon be affected by the 2021 Medicare Physician Fee Schedule. If you have not already done so, you should review your wRVU compensation formula for the following issues:

1. Changes to RVU Values. The 2021 Medicare Physician Fee Schedule will increase the CMS-assigned wRVUs for several codes, including common E/M codes. (See https://www.cms.gov/Medicare/Medicare-Fee-for-Service-Payment/PhysicianFeeSched). If your wRVU compensation formula is based on the then-current CMS wRVU values or automatically incorporates the 2021 changes, you may soon owe your physicians more pay than you otherwise anticipated. You may want to adjust your contractual wRVU conversion factor to account for unanticipated and unwarranted increases in practitioner compensation. If your contract does not allow for unilateral adjustments, you may need to obtain the practitioner’s agreement to the change or, alternatively, invoke contract termination provisions. Going forward, you may want to tie the wRVUs to the CMS values that existed at the time the contract was executed rather than the operative CMS values, thereby avoiding the need to monitor or update CMS changes to wRVUs. Continue reading →

October 26, 2020

HIPAA Enforcement: Lessons from the OCR’s Recent Settlements

By Kim Stanger

The OCR has announced a surprising number of HIPAA settlements in the past few months with penalties ranging from $10,000 to $6.5 million. Here are some of the key takeaways for healthcare providers:

1. Protect against cyberattacks. Healthcare entities remain a prime target for healthcare entities with disastrous effects for victims, including providers and patients whose information is compromised or destroyed. The HIPAA security rule is intended to ensure that healthcare entities maintain the integrity, availability and confidentiality of electronic protected heath information; successful cyberattacks often expose security rule violations. Premera Blue Cross agreed to pay $6.85 million after a phishing scam deployed malware that affected the information of 10.4 million persons. Another entity agreed to pay $2.3 million after a hacker accessed records of 6.1 million persons. Per the OCR, “The health care industry is a known target for hackers and cyberthieves. The failure to implement the security protections required by HIPAA Rules …. is inexcusable.” https://www.hhs.gov/about/news/2020/09/23/hipaa-business-associate-pays-2.3-million-settle-breach.html. Cybersecurity is a major focus for HHS. In December 2018, the federal government published a guide to help healthcare providers of all sizes protect against cyberthreats, Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients, available at https://www.phe.gov/Preparedness/planning/405d/Pages/hic-practices.aspx. In July 2020, HHS launched its Health Sector Cybersecurity Coordination Center (“HC3”) website, https://www.hhs.gov/about/agencies/asa/ocio/hc3/index.html, to offer additional support for healthcare providers. Cybersecurity is vital not only for regulatory compliance; it is essential to protect patients and ensure continued operation of the provider. Continue reading →

September 25, 2020

Paying Employees for Referring Healthcare Business

By Kim Stanger

Many healthcare employers may want to incentivize or compensate their employees for referring patients to or generating business for the employer, but they (appropriately) fear application of the federal Stark law or Anti-Kickback Statute. The “Paying for Referrals” White Paper analyzes these laws and relevant exceptions that may permit referral-based compensation structures under certain circumstances.

August 31, 2020

Telehealth in Idaho and Elsewhere

By Kim Stanger

Telehealth expanded dramatically in response to the COVID pandemic. Now that providers, patients, payers and public officials have seen the benefits, it is almost certain that telehealth will continue to play an increasingly important role in our healthcare delivery system. Providers wishing to practice telehealth in Idaho (and elsewhere) must beware the legal and practical requirements, including those set forth in statute or licensing board regulations. Continue reading →

August 26, 2020

Healthcare Providers: Beware New Information Blocking Rule

By Kim Stanger

Healthcare providers focusing on COVID-19 may have missed the final Interoperability and Information Blocking Rule that was published May 1, 2020 and takes effect November 3, 2020. (45 C.F.R. Part 171). The Rule implements the 21st Century Cures Act and furthers the government’s efforts to enable the exchange of electronic health information (“EHI”) to facilitate better outcomes, lower costs, and greater patient access to information. In general, the Rule prohibits covered actors from blocking the flow of EHI; violations may result in significant civil penalties as discussed below.

Application to Healthcare Providers. The Rule applies to healthcare providers, health IT developers of certified health IT,¹ health information exchanges, and health information networks (collectively referred to as “actors”). “Healthcare provider” is defined to include nearly any entity rendering healthcare, including physicians, practitioners, group practices, hospitals, long term care facilities, clinics, ambulatory surgery centers, and other entities determined appropriate by HHS.²

Prohibited Information Blocking. The Rule generally prohibits “information blocking,” i.e., a practice that the healthcare provider “knows³…. is unreasonable and is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information”⁴ unless (i) the practice is required by law, or (ii) the practice fits within one of the exceptions listed below. (45 C.F.R. § 171.103(a)). Information blocking may occur, for example, when a healthcare provider refuses, ignores, delays, or imposes unreasonable conditions in response to requests to share EHI, including requests from patients, other providers, or payors. (See 85 FR 25811). It may occur when contracts, business associate agreements, license terms, or organizational policies unnecessarily restrict data sharing, or when technology is implemented, configured, or disabled so as to limit system interoperability. (85 FR 82511-12). The Rule generally prohibits any practices that increase the cost, complexity or burdens associated with accessing, exchanging or using EHI, or that limit the utility, efficacy or value of EHI such as diminishing the integrity, quality, completeness, or timeliness of the data. (85 FR 25809). Ultimately, “[a]ny analysis of whether an actor’s practices constitute information blocking will depend on the particular facts and circumstances of the case,” including whether the action rises to the level of an impermissible interference, whether the actor acted with the requisite intent, and whether the actor had control over the EHI or interoperability elements necessary to access, exchange or use the EHI in question. (85 FR 25811 and 25820).⁵ Continue reading →