Kaufman and Canoles

Kaufman & Canoles Law Blog

Health Care Law

Tuesday, July 26, 2016

Encryption: A Critical Safeguard Against HIPAA Liability

As we all know, physicians bear the responsibility of protecting patients from threats that can stem from the storage and use of patients’ protected health information.

Far too frequently a laptop is stolen from a car or a phone is misplaced. These unfortunate events can have grave consequences for everyone involved if the devices contain protected health information. Not only is a patient’s private, personal information at risk of disclosure, but the covered entity or business associate whose property was stolen or misplaced can face liability and monetary fines under the Health Insurance Portability and Accountability Act (HIPAA).

In order to avoid these serious threats, it is critical that covered entities and business associates encrypt all mobile devices that contain or may contain protected health information. This includes laptops, cellphones, thumb drives, tablets, and any other mobile device that may contain protected health information.

Significant potential liability and monetary fines can be avoided by simply encrypting all mobile devices. Under HIPAA, if a device that is properly encrypted is lost or stolen, such an incident is not considered a breach of protected health information. Therefore, if an encrypted laptop or thumb drive is stolen, you would not be required to notify your patients, the government, and the media of such an incident. Since you would not be required to report the incident to the government, you would also avoid the potential of being fined for it.

In recent years the U.S. Department of Health and Human Services (HHS) has reached settlements with multiple healthcare providers as a result of HIPAA violations arising from lost or stolen mobile devices and laptops. HHS has imposed fines and penalties ranging from $250,000 to $1,725,220 on healthcare providers who have reported the loss or theft of an unencrypted device that contained protected health information. If these devices had been encrypted, the incidents would not have been considered HIPAA breaches and the practices would not have been required to report the incident to the affected patients, the government or the media.

In recent public appearances, HHS officials have indicated that, although encryption is not required under HIPAA, they expect all covered entities and business associates to be encrypting their laptops, tablets, thumb drives, phones, and other mobile devices containing protected health information.

Kaufman & Canoles remains available, even on short notice, to assist with your HIPAA compliance matters. In the event of a potential breach of protected health information, or if you have any questions about encrypting your devices or any other HIPAA compliance matters, contact our Health Care Practice Group or Cybersecurity Response Team.

* A special thanks to MaryKatelyn Lukish for assisting with the research for and preparation of this alert.

Thursday, August 20, 2015

Healthcare Client Alert – August 2015

As doctors, you are heroes. You are noble protectors who always work for the good of your patients. You protect our health, but also our privacy. In fact, one of the most significant facets of the physician/patient relationship is trust, which is largely based on confidentiality. Naturally, then, one of the most difficult tasks you might confront in your profession is to have to tell a patient that there has been a breach of her private health information. That undertaking becomes even more daunting when you are made to consider the legal ramifications of the breach. Not only must you consider the notification requirements and possible repercussions of the federal HIPAA law, but state law imposes potential liability as well.

As far as federal law is concerned, not all instances of unauthorized access to, or loss of control over, protected health information (“PHI”) are a “breach” as defined by HIPAA. For example, losing a laptop with PHI is not a breach if it was properly encrypted. Therefore, the first step in determining what, if any, HIPAA notification needs to be made is to determine whether there has been a “breach” at all.

According to the updated HIPAA standard, there is a presumption that notification is required for all unauthorized uses, acquisitions, or disclosures except when: 1) the physician conducts a risk assessment and establishes that there is a low probability that PHI was compromised; or 2) one of the limited existing exceptions to the definition of breach applies.

The risk assessment analyzes four primary factors. If, after performing the risk assessment, there is doubt about whether notification is required, the new rules favor notification.

Once you have determined that notification is warranted, you must then determine what kind of notification is required: the timing, method, and recipient. For example, notification must be made without unreasonable delay and should be sent in writing to the last known address of the patient. You would also need to notify the Secretary of Health and Human Services by submitting a log at the end of the calendar year. If the breach involves more than 500 patients, however, you might also be required to notify the media and the Secretary immediately. An investigation by the Office for Civil Rights (“OCR”) may follow.

HIPAA isn’t the only legal hurdle you will have to overcome, though. The Virginia courts have recognized a claim in tort for breaching the duty not to disclose information gained in the course of treatment without a patient’s authorization. In one case, a patient was awarded $100,000 for the humiliation, embarrassment and hurt caused by a healthcare provider’s disclosure. It is important to keep this, along with potential liability in an OCR investigation, in mind when notifying or communicating with a patient regarding a breach.

The legal requirements for dealing with a breach of PHI may appear daunting, but with assistance, you can navigate your way through it, reestablish trust with your patients, and reclaim hero status once again. – Jason R. Davis and Beth A. Norton

Thursday, August 20, 2015

Health Care Client Alert – Federal Government Issues Fraud Alert on Medical Directorships

On June 9, 2015, the Office of Inspector General (“OIG”), within the United States Department of Health and Human Services, released a Fraud Alert regarding physician compensation arrangements, with a specific focus on payments made to physicians under medical directorship agreements. The fraud alert warns physicians of how a compensation arrangement may violate the federal anti-kickback statute (“AKS”) even if only one purpose of the arrangement is to compensate a physician for his or her past or future referrals of Federal health care business.

The Fraud Alert describes how the OIG recently entered into settlements with twelve physicians who entered into questionable medical directorship arrangements with a medical diagnostic and MRI center in Texas. OIG alleged that the physicians received improper remuneration under the medical directorship and office staff arrangements. Specifically, OIG alleged that (1) a portion of the payments took into consideration the volume and/or value of the physicians’ referrals, (2) the payments to the physicians did not reflect fair market value for the services performed, and (3) in some instances, the physicians did not actually provide the services required to be provided by them under the written agreements. These recent settlements also demonstrate how illegal kickbacks can take forms other than an inflated medical director’s salary. For example, in some of these settlements, the illegal remuneration took the form of inflated salaries paid to members of a physician’s office staff.

This most recent alert is the OIG’s third report in three years involving physicians. As you may recall, the OIG issued a fraud alert about physician-owned device distributorships in 2013 and issued a fraud alert about laboratory payments to physicians in 2014. This recent focus on physician compensation arrangements may reflect OIG’s renewed focus on pursuing fraud and abuse allegations against individual doctors, as opposed to the hospitals and organizations that pay the physicians.

Violations of the AKS may result in significant criminal penalties, with fines up to $25,000 per violation and imprisonment for up to five years. Additionally, violating the AKS may give rise to liability under the False Claims Act and/or the Civil Monetary Penalties Law, both of which impose significant financial penalties.

This Fraud Alert serves as a not-so-subtle reminder by the federal government that physicians need to carefully scrutinize all of their compensation arrangements. Please contact the members of our Health Care Practice Group with any questions or concerns about a physician compensation arrangement or about how the federal and state fraud and abuse laws may affect your practice. – Brac McKee, Laura Rixey

[1] Department of Health & Human Services, Office of Inspector General, Fraud Alert: Physician Compensation Arrangements May Result in Significant Liability (June 9, 2015), https://oig.hhs.gov/compliance/alerts/guidance/Fraud_Alert_Physician_Compensation_06092015.pdf.

Monday, July 15, 2013

Compliance Deadline with New HIPAA Rule: September 23, 2013

In January 2013, the Department of Health and Human Services’ (“HHS”) Office for Civil Rights (“OCR”) released its long-anticipated rule (the “Omnibus Rule”) amending the HIPAA Privacy, Security, Breach Notification and Enforcement Rules. The Omnibus Rule became effective on March 26, 2013 and covered entities must comply with most of the rule’s requirements no later than September 23, 2013.

Features of the New Omnibus Rule

  • Expansion of the definition of “Business Associates” to include subcontractors who access protected health information (“PHI”);
  • Enhanced compliance enforcement and harsher penalties for non-compliance;
  • Imposition of direct liability on Business Associates for compliance with certain requirements of the HIPAA Privacy and Security Rules;
  • Additional and revised provisions that covered entities and Business Associates must include in their Business Associate Agreements (“BAAs”) (all existing BAAs must comply with these requirements by September 22, 2014);
  • Additional disclosures in covered entities’ HIPAA Privacy Notices, including informing individuals of their right to be notified of breaches of their PHI;
  • Substantial lowering of the threshold for notification of affected individuals in the event of a breach of PHI;
  • Individuals’ enhanced ability to restrict disclosures of certain PHI;
  • Expansion of individuals’ rights to access their PHI, particularly in electronic format; and
  • Enhanced information system security requirements.

What You Need to Do to Comply with the Omnibus Rule

  • Amend your Notice of Privacy Practices;
  • Revise your Business Associate Agreements;
  • Update your HIPAA Policies and Procedures;
  • Develop, conduct, and document regular system security risk assessments;
  • Implement specific administrative, physical and technical safeguards for the protection of PHI;
  • Revise your breach notification procedures;
  • Train staff on the rule’s new requirements; and
  • If you are a Business Associate, prepare to fully comply with HIPAA, including entering into Business Associate Agreements with subcontractors who have access to PHI.

To help you avoid criminal and civil liability and the imposition of large monetary penalties, Kaufman & Canoles is pleased to assist in bringing you into compliance with the new requirements of the Omnibus Rule. Please contact us for assistance in creating, revising or implementing your organization’s privacy or data security practices, or if you have any questions regarding HIPAA as it may apply to your organization.  —T. Braxton McKee and Jason R. Davis

Friday, February 3, 2012

CMS Publishes Proposed Rule on Physician Payment Sunshine Law

On December 14, 2011, the Centers for Medicare & Medicaid Services (CMS) released a notice of proposed rulemaking implementing the Physician Payment Sunshine provisions of Section 6002 of the Affordable Care Act. The Sunshine provisions seek to make publicly available information about payments or other transfers of value to physicians made by manufacturers of drugs and medical devices and supplies covered by Medicare and Medicaid. Under the proposed rule, manufacturers must annually report all payments, gifts, consulting fees, research activities, speaking fees, meals, and travel reimbursements paid to physicians and teaching hospitals to the Secretary of Health and Human Services. The definition of manufacturer would extend to include entities under common ownership with a manufacturer that are involved in manufacturing, marketing, selling or distributing covered products. The proposed rule would also make available to the public information about physician ownership or investment interests in manufacturers or group purchasing organizations. CMS is accepting public comments on the proposed rule through February 17, 2012. A copy of the proposed rule is available here.  —Meagan J. Thomasson

Thursday, December 15, 2011

U.S. Supreme Court to Hear Health Care Law Case

The U.S. Supreme Court has agreed to hear five and a half hours of oral arguments in the Florida v. Department of Health and Human Services case challenging the constitutionality of the controversial Patient Protection and Affordable Care Act (“PPACA”). The case arises out of an appeal by 26 states of a decision by the United States Court of Appeals for the Eleventh Circuit. The scope of what the Court has agreed to consider is limited to the issues of (1) whether it is within Congress’ power to require states to choose between complying with the provisions of the PPACA or losing federal Medicaid funding, and (2) whether the “individual mandate” provision of the PPACA is constitutional and, if not, the extent to which it may be severed from the remainder of the Act. Arguments will be heard in March of 2012 and a decision is expected before the Court recesses in late June. A copy of the petition for certiorari submitted by Florida et al. is available here.  —Meagan J. Thomasson

Friday, November 18, 2011

CMS Releases Final Rule on Accountable Care Organizations

On November 2, 2011, the Centers for Medicare & Medicaid Services (CMS) final rule governing Accountable Care Organizations (ACOs) under the Medicare Shared Savings Program appeared in the Federal Register. ACOs are legal entities designed to encourage collaboration between health care providers by allowing members of the ACO to share in any savings it generates with respect to Medicare beneficiary expenditures. The final rule presents several substantial changes from the proposed rule, many of which may make the formation of an ACO a more attractive option for healthcare providers. The most significant of the new developments are discussed below.

First, the Track One ACO model no longer presents a downside risk to formation, as the final rule eliminates the proposed rule’s requirement that an ACO pay back any incurred shared losses. In line with this change, the provision that CMS would withhold the first 25% of any savings in order to recover potential future losses has been eliminated. Second, the addition of the advance payment ACO initiative now offers selected participants access to capital to aid in the formation of an ACO. CMS will recoup the advance payments from the ACO’s shared savings. Third, the proposed sixty-five quality measures used to establish quality performance standards have been reduced to thirty-three. Fourth, ACOs may now share in the first dollar of any savings that they generate. This is in contrast to the proposed rule’s requirement that an ACO share only in savings in excess of 2% of the savings benchmark. Finally, the savings cap has been increased to 10% for the first three years of participation (up from 7.5% in the first two years).

A copy of the final rule can be found here.  —Meagan J. Thomasson

Friday, October 14, 2011

Supreme Court Hears Case on Medicaid Rate Cuts

On Monday, October 3rd, the United States Supreme Court began a new term by hearing oral arguments on whether Medicaid recipients and healthcare providers can bring a lawsuit against a state for failing to pay the rates required under the federal Medicaid law. The case, Douglas v. Independent Living Centers of Southern California, arises out of the Ninth Circuit and stems from a decision made by the California legislature to cut the rates paid to healthcare providers due to budget concerns.

Under the Medicaid program, the federal government finances a significant portion of the costs of doctors who provide healthcare services to the poor. In exchange for receiving the federal funds, states must agree to pay health care providers fees of an amount sufficient to ensure that indigent patients have access to care. The federal Department of Health and Human Services determines whether the rates paid to doctors and hospitals are sufficient, and any change to those rates must first be approved by the agency prior to implementation. The concern is that lower fees will not cover the costs associated with patient care, such that doctors and hospitals will be unable to afford to take care of Medicaid patients. In 2008 and 2009, California cut the fees paid to doctors by 10 percent without first obtaining approval of the federal government. In response, doctors, hospitals, and patients filed suit against the state and won temporary injunctive relief that required California to maintain the higher rate pending trial. The state appealed the decision.

Representing the state was California Deputy Attorney General Karen Schwartz, who argued that patients, doctors, and hospitals lacked standing to challenge the rate cuts in court because Congress had not specifically authorized such private party suits. According to Schwartz, the only available remedy for the unauthorized rate cuts is for the federal government to discontinue funding California’s Medicaid program, a measure Justice Ruth Bader Ginsburg called “a very drastic remedy that’s going to hurt the people that Medicaid was meant to benefit.” In response to Schwartz, the attorney representing the medical providers and patients argued that the Supremacy Clause of the U.S. Constitution permitted the beneficiaries of a federal program to bring a claim against a state to ensure that federal law prevails in instances where a state’s actions are inhibiting the enforcement of federal law. No clear majority opinion was evident after oral arguments were completed, but a decision is expected in the near future.  —Meagan J. Thomasson

Friday, September 16, 2011

4th Circuit Dismisses Two Challenges to Obamacare

On September 8, 2011, the U.S. Court of Appeals for the Fourth Circuit dismissed two lawsuits challenging the constitutionality of the individual mandate provision contained in President Obama’s healthcare reform overhaul (“Obamacare”).

The three-judge panel declared that the Fourth Circuit does not have jurisdiction, citing the Tax Anti-Injunction Act as preventing the court from hearing a challenge to the constitutionality of Obamacare.

Therefore, the appellate court dismissed the two lawsuits—one filed by Virginia Attorney General Ken Cuccinelli and one filed by Liberty University—without ruling on the constitutionality issues presented.

The Fourth Circuit is the third appellate court to hear lawsuits challenging Obamacare, which includes the individual mandate provision requiring individuals to buy health insurance or pay a penalty. The Sixth Circuit upheld the constitutionality of the mandate, while the Eleventh Circuit declared the individual mandate provision to be unconstitutional. The D.C. Circuit has yet to rule on the appeal pending before it. This latest decision from the Fourth Circuit further paves the road toward the Supreme Court.  —Christopher L. McLean

Tuesday, August 30, 2011

Physician Group Practice Demonstration Results

Earlier this month, the Centers for Medicare & Medicaid Services (“CMS”) announced the fifth-year results of the Physician Group Practice (PGP) Demonstration, which was a precursor to, and helped shape, the Accountable Care Organization (ACO) model established in the Patient Protection and Affordable Care Act (PPACA). Under the PGP Demonstration, the participating physician group practices were afforded an opportunity to earn incentive payments based on meeting certain criteria for the quality of care delivered to the recipients of their professional services, in addition to savings generated for the Medicare program.

CMS reported that, of the ten physician group practices participating in the PGP Demonstration, four will share $29.4 million of the $36.2 million in total program savings generated in the fifth year of the five-year PGP Demonstration. In addition, CMS reported that, with respect to the 32 quality measures used to determine a physician group practice’s quality of care, seven of the ten participating physician group practices achieved the benchmarks set forth by CMS for all 32 measures, while the remaining three achieved the quality benchmarks in at least 30 of the 32 quality measures. This is in contrast to the first year of the PGP Demonstration, in which only two of the ten participating physician group practices achieved the quality benchmarks set by CMS in all of the quality measures. Over the course of the five-year PGP Demonstration, seven of the ten participating physician group practices have shared in $110 million in savings generated for the Medicare program. Further, each of the physician group practices realized increases in quality scores for quality measures pertaining to heart failure, coronary artery disease, diabetes, cancer screening, hypertension and preventative care.

Additionally, CMS announced that all ten of the participating physician group practices are participating in CMS’ PGP Transition Demonstration, a two-year follow-up demonstration that began on January 1, 2011. While the ACO regulations issued by CMS were inordinately complex and difficult for entities to comply with, one thing that seems fairly clear from the results of the five-year PGP Demonstration is that quality outcomes and reductions in costs to the Medicare program are achievable when physicians and physician groups are incentivized to achieve certain quality benchmarks. It will be interesting to track the progress and results of the PGP Transition Demonstration over the next couple of years. —Aaron J. Ambrose
