Tuesday, May 28, 2013

Plan for the Worst, Hope for the Best: Why You Must Have a HIPAA Risk Assessment

“The single biggest and most common compliance weakness is the lack of a timely and thorough risk analysis.”
     - Leon Rodriguez, head of the U.S. Health and Human Services Office for Civil Rights

When the Office for Civil Rights (“OCR”) auditor drops by your health facility to ensure that you are complying with HIPAA, one thing is for certain: he will be asking to see your Risk Assessment. Do you have one? Is it complete? Has it been used to develop and implement appropriate policies and procedures?

Audit Risks Are Real
OCR is cracking down on covered entities’ and business associates’ compliance with HIPAA. Audits are becoming commonplace and resulting in more and more providers being hit with fines and sanctions. You may think that even if you are subject to an audit, the penalty will only be a slap on the wrist. Think again. The maximum penalty for a HIPAA violation is now $1.5 million. Maybe you are too small a provider to be the target of an audit? Again, think again. In January 2013, Hospice of North Idaho agreed to pay the Department of Health and Human Services (“HHS”) $50,000 to settle potential HIPAA violations stemming from a 2010 incident involving a stolen, unencrypted laptop. It was the first HIPAA breach settlement involving fewer than 500 people. The hospice did not have a risk assessment in place.

Tuesday, May 21, 2013

Tools for the Trade: Understanding HIPAA

As a result of the intricate details and requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), it comes as no surprise that HIPAA Privacy and Security Rules can cause challenges and confusion for even the most sophisticated providers. With this in mind, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) has recently provided tools meant to educate both consumers and providers on HIPAA.

Before OCR published this guidance on HIPAA and HITECH on its website, consumers (i.e., patients) routinely accepted and signed HIPAA Notices of Privacy Practice without understanding what rights HIPAA protects. As a result, OCR aimed to familiarize consumers with their health information privacy and security rights by posting factsheets (available in eight languages) on its website. With this new online guidance, patients may come into a provider’s facility more informed and educated about their privacy rights and may demand greater privacy protections from their provider. Thus, the OCR guidance could potentially change the privacy expectations of patients.

Thursday, May 16, 2013

Association Group Coverage Changes

Trade associations in Kentucky are being asked to show that they meet ERISA “bona fide association” requirements in order to continue to provide group health insurance for their members under health reform requirements effective in 2014.  Such group health insurance may be a more affordable option for some businesses as new health reform requirements begin to take effect.

In a nutshell, ERISA requires that an association be considered an “employer” to sponsor a group health plan at the association level.  In order to qualify as an “employer,” an association must meet bona fide association requirements, including like-industry and participant control requirements.  By sponsoring a group health insurance plan at the association (rather than the individual employer) level, associations are able to pass along to their employer members reduced-coverage premiums available under large group plans.

Tuesday, May 7, 2013

Doe v. Guthrie Clinic, Ltd.: A New Privacy Battleground?

Most healthcare providers are aware of the significant liability implications of a breach of protected health information, including, in some cases, the cost of issuing a breach notification to affected individuals. Providers have not, however, faced significant liability from patient lawsuits filed directly against a hospital or medical practice for damages arising from a breach of confidentiality. The reason is that patients face an uphill battle when suing a hospital or medical practice directly because most laws that protect patient information, including HIPAA, do not provide a private right of action for patients to sue the provider.

Wednesday, May 1, 2013

Get Ready to Negotiate: OIG Authorizes Hospitals to Pay Physicians for Call Coverage

Since the enactment of EMTALA in 1986, hospitals have struggled with providing sufficient call coverage to meet federal requirements as physicians have been increasingly hesitant to take on the added responsibility, cost, and risk of responding to emergency department requests for consultation.  With patients often presenting increasingly acute conditions with no health insurance coverage, physicians understandably find themselves between a rock and a hard place as utilization of hospital emergency departments has skyrocketed, particularly in Eastern Kentucky. And, it is becoming increasingly difficult to see these patients in the hospital emergency departments without also seeing the patients for follow-up in private physician offices, often without payment. Thus, the movement for hospitals to pay for physician call services started amid a tangled web of intricate financial relationships, power struggles between hospitals and medical staff, and a statutory and regulatory maze of the Stark Law and anti-kickback statutes.  Finally, good news is on the horizon as a result of a series of recent Department of Health and Human Services Office of Inspector General’s Advisory Opinions, which essentially give the okay for a hospital to pay a per diem fee to specialists providing unrestricted on-call coverage for hospital emergency departments within certain parameters.  For physicians, these OIG Opinions give clear guidance and should be a tool to negotiate payment for calls within the parameters of fair market value.

Final Rule for Physician Payments Sunshine Act Recently Released

The long-awaited final regulations for the Physician Payments Sunshine Act (“Sunshine Act” or “Act”) were finally released on February 1, 2013. I previously discussed the Sunshine Act (see Here Comes the Sun, Are You Prepared?, 10/18/2012), but with the final rule now implemented, providers should take a second look at it and reconsider its implications.

The Act requires applicable manufacturers of drugs, devices, biologicals, or medical supplies covered by Medicare, Medicaid, or the Children’s Health Insurance Program (“CHIP”) to report payments or transfers of value provided to physicians or teaching hospitals. Additionally, applicable manufacturers and group purchasing organizations (“GPOs”) must annually report to CMS certain information regarding ownership or investment interests held by physicians (or their immediate family members).