Thursday, May 21, 2015

What Physicians Should Know About New Kentucky Law Regarding Physician Assistants

During the 2015 legislative session of the Kentucky General Assembly, HB 258 was approved by lawmakers and signed by Governor Beshear. This legislation amends KRS 311.854 to allow a physician to supervise up to four physician assistants at the same time. This amended regulation goes into effect on June 24, 2015.

PAs perform a wide range of duties, including providing routine care, treating acute and chronic illnesses, managing hospital inpatients, performing minor surgeries, and assisting during major surgeries. To a large degree, supervising physicians are granted the flexibility to delegate tasks to PAs and determine appropriate supervision methods, but state scope-of-practice laws sometimes limit physicians’ authority.

Tuesday, May 19, 2015

FDA Issues Guidance for Mobile Medical Apps

Just so you know, that iPhone or iPad you have with you may be an FDA-regulated medical device. More precisely, the apps on the device may meet the definition of a medical device under the Federal Food, Drug, and Cosmetic Act [1]. In February of this year, the FDA released a revised set of guidance concerning how it will apply regulatory oversight to mobile apps, addressing the growing number and potential uses of these apps as they proliferate alongside rapidly changing mobile technology.

In this new guidance, FDA set forth three classifications of mobile apps: those that do not meet the definition of a medical device under the FD&C Act, those that may meet the definition but pose a low risk to the public, and those that do meet the definition of a medical device and whose functionality could endanger patient safety if the app malfunctions. The determining factor in whether an app meets the definition of a medical device for purposes of the FD&C Act is the intended use of the app, which FDA will determine through labeling, advertising, and statements by the manufacturer. If a mobile app is intended to perform a medical device function, such as diagnosing or curing disease, it is considered a medical device.

Friday, May 15, 2015

Exclusive Laboratory Arrangements Under Fire

The Office of Inspector General of the Department of Health and Human Services recently released Advisory Opinion 15-04 [1], in which the OIG concluded that certain exclusive arrangements between a laboratory and various physician practices could potentially violate the Anti-Kickback Statute and result in exclusion from federal healthcare programs for excessive charges.

According to the laboratory that requested the opinion, physicians had expressed a desire to work with a single laboratory in an exclusive arrangement because of the convenience of receiving all test results with consistent reference ranges and because of the efficiency gained from maintaining a single interface with one laboratory. However, as the exclusive laboratory provider under the arrangements in question, the Requestor would be out-of-network for, and ineligible to receive payment from, payers covering approximately 10 to 40 percent of the practices' patients. Accordingly, for these patients, the Requestor proposed to waive the laboratory fees and not bill the patient, the physician practices or the payers. The Requestor would continue to bill all other patients, regardless of whether privately insured or covered under a federal healthcare program.

Thursday, May 7, 2015

New OIG Guidance: Great Expectations for Health Care Boards

For the first time in almost ten years, the Office of Inspector General at the U.S. Department of Health and Human Services issued new compliance guidance for healthcare-governing boards. This guidance, “Practical Guidance for Health Care Governing Boards on Compliance Oversight,” provides timely advice for Boards on how to exercise appropriate oversight of compliance programs at a time when healthcare companies and individuals are facing increasing fraud enforcement.

The Guidance is the product of a collaboration among the OIG, American Health Lawyers Association, Association of Healthcare Internal Auditors, and Health Care Compliance Association. It echoes the three-part compliance series issued by the OIG and AHLA in the early 2000s,[1] while also reflecting new industry trends and health reform efforts. The Guidance makes clear that compliance programs are not "one size fits all" but should be adapted to an organization's size and complexity.

Monday, May 4, 2015

HIPAA Rules and Procedures in the Event of a Data Breach, Part Two

My last post focused on the discovery and investigation of a data security breach to determine if breach notification is needed. Today’s post now turns to the requirements of breach notification triggered by a data security breach.

Notification to Individual Patients
When a breach is discovered and a covered entity (CE) determines that unsecured ePHI has been compromised, that entity must notify all individuals whose information was affected by the breach without unreasonable delay, defined as within 60 calendar days from discovery of the breach.[6] Discovery is legally defined as having occurred on the first day the breach is known, or should reasonably have been known, to the covered entity.[7] This definition means that the clock begins running from the moment the breach is or should have been discovered. Consequently, an investigation must be conducted quickly and efficiently after discovery of the incident, so that the determination of whether notification is necessary is made promptly and breach notification, if required, is timely.

HIPAA Rules and Procedures in the Event of a Data Breach, Part One

As discussed in my prior post, recent massive data breaches at major retailers and health insurance providers paint a bleak picture of modern data security and emphasize the importance of strong security safeguards and plans for handling suspected security breaches of electronic protected health information (“ePHI”). In the healthcare context, a security breach of a covered entity’s or a Business Associate’s (BA) data security system triggers the Security Rule and can trigger certain breach notification requirements under the Health Insurance Portability and Accountability Act (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act (“HITECH”). This post will discuss the investigation needed to determine whether a breach has taken place, while the next post will discuss the necessary notifications in the event of a breach.