Tag: HIPAA

Employer Liability for Employees’ Privacy Violations: What Your Organization Should Learn from Walgreens’ Expensive Lesson (Hint: It Has Little To Do with HIPAA)

Poyner Spruill Law firm

You may already have read the scintillating facts surrounding a jury award of $1.44 million (recently challenged unsuccessfully on appeal) against Walgreen Co. following its pharmacist’s alleged inappropriate review and disclosure of patient records. What caught our attention was not so much the lurid details (the pharmacist was alleged to have looked up her boyfriend’s ex in Walgreens’ patient records, apparently to determine whether the ex might have passed an STD to her boyfriend). The more notable development was an employer footing the bill for a large jury verdict even though the employee violated the company’s policies as well as the law. This alert describes how Walgreens was put on the hook for its employees’ misdeeds, and examines whether a similar rationale could be applied in other privacy contexts (not just HIPAA) to create a new trend in employer liability for employee privacy violations. The implications are significant given the relative lack of success plaintiffs have encountered to-date when attempting to prosecute perceived privacy violations in court.

Employer Liability

Against the pharmacist, the patient pursued state-law claims of negligence/professional malpractice, invasion of privacy/public disclosure of private facts, and invasion of privacy/intrusion. She sought to hold Walgreens liable through respondeat superior (vicarious liability), and also included direct claims for negligent training, negligent supervision, negligent retention, and negligence/professional malpractice. While the trial judge dismissed the negligent training claim against Walgreens and the invasion of privacy by intrusion claim against the pharmacist, he allowed the other claims to proceed. The jury returned a general verdict for the patient, finding the pharmacist and Walgreens jointly liable for $1.44 million in damages.

The linchpin of respondeat superior is that an employer can only be held vicariously liable for damage caused by an employee if the employee was acting “within the scope of employment” when the injury occurred. When it appealed the jury verdict, Walgreens seized on this factor and argued that the pharmacist’s actions were outside the scope of employment because she clearly violated Walgreens policy. The appellate court disagreed, citing case law holding an employee’s actions are within the scope of employment if those actions are of the same “general nature” as the actions authorized by the employer, even when the employee’s specific actions are against company policy. The court reasoned that the pharmacist’s improper access of  the patient’s records was of the same “general nature” as the actions authorized by Walgreens because  the pharmacist took the same steps to access  the patient’s records as she would have in properly accessing records of other patients. The pharmacist was authorized to use the Walgreens computer system and printer, handle prescriptions for Walgreens customers, look up customer information on the Walgreens computer system, review patient prescription histories, and make prescription-related printouts. The court found that the pharmacist’s conduct in accessing  this patient’s records for personal reasons, while against company policy, was of the same “general nature” as the conduct authorized by Walgreens, and therefore at least some of her actions were within the scope of her employment. Since the pharmacist was acting within the scope of employment, the court affirmed that Walgreens could be held liable under respondeat superior.

Acknowledging Walgreens could not be held vicariously liable unless the pharmacist was also liable, the court turned next to the issue of the jury’s verdict concerning the pharmacist. As the jury returned only a general verdict (which does not indicate the specific grounds on which it made its decision), the court speculated on the theory of liability for the pharmacist, and held that the jury could have properly found the pharmacist liable under a general negligence theory. The key factors in a negligence claim are a duty owed to the plaintiff by the defendant, a breach of that duty by the defendant, causation, and damages. To establish the pharmacist owed a duty to the patient, the court looked to a state law requiring pharmacists to hold patient records and information in the strictest of confidences. Finding this statute to clearly establish that the pharmacist owed a duty of confidentiality the patient, the court found it unquestionable that the pharmacist’s actions breached that duty, and that the patient sustained at least some damages as a result. Therefore, the court concluded the jury could properly have found the pharmacist directly liable for the breach of confidentiality, and Walgreens vicariously liable for the breach.

Potential Impact

Commentary on this case has largely focused on HIPAA implications, and sometimes the more specific prospect of employer liability for employee HIPAA violations. Importantly, HIPAA was not a factor in the appellate court’s reasoning. Rather, the court looked primarily to state law for privacy expectations and a duty of confidentiality. That distinction creates broader implications for employer liability beyond HIPAA or health care generally.

A multitude of state laws now impose confidentiality, privacy and security obligations. Some are limited to certain professional occupations (e.g., pharmacists, physicians, even <<gasp>> lawyers), but many are more general. For example, many states have enacted requirements to maintain general or specific security measures without regard to industry. In fact, states increasingly read privacy and security obligations into their application of unfair and deceptive trade practices statutes, imposing a duty to maintain privacy and security across sectors and without regard to types of personal information affected.

The Indiana appellate court’s reasoning in the Walgreens’ case clearly suggests that employees owing a statutory duty of confidentiality under state law could be liable for a breach of such duties, and their employers may be vicariously liable for the reasons noted. While some state laws specifically enumerate such duties at the employee level (particularly where a license is held by the individual), it is not clear that distinction made a difference to the court’s rationale, meaning courts applying general privacy or security laws may consider following suit, even if the law does not create duties specifically aimed at employees.

Further, the Indiana appellate court’s broad characterization of what constitutes actions “within the scope of employment” could leave many employers on the hook for large damage awards, even if the underlying employee violation is indisputably against company policy.

While the Walgreens outcome alone may not establish a trend toward more frequent employer liability, it is important to recognize the case may be novel only in the size of the verdict awarded. For example, in 2006, the North Carolina Court of Appeals used similar reasoning to overturn the dismissal of a plaintiff’s negligent infliction of emotional distress claim against a doctor who allegedly allowed his office manager to improperly access the plaintiff’s medical records (Acosta v. Byrum).

What Should You Do?

The Walgreens outcome makes clear that policies, training and other compliance efforts may not indemnify employers against an employee’s breach of confidentiality or privacy. In addition to keeping an eye on further developments that either support or erode this potential liability trend, employers should consider whether broad technical access to systems is necessary and justified. Flat access rights can be necessary, particularly in health care settings where care often trumps privacy as a consideration. However, technical access limitations are the most effective way to demonstrate that employee misdeeds, when orchestrated in violation of systems-based (rather than merely policy-based) access controls, should not be held against the employer because they are clearly outside the scope of employment. Interestingly, the same approach can strengthen employer’s Computer Fraud and Abuse Act claims and can reduce the risk of HIPAA enforcement that may arise from similar facts.

ARTICLE BY

Jacob A. Lopes
Elizabeth H. Johnson
OF
Poyner Spruill LLP

Just in Time for the Holidays: Another HIPAA Settlement

Mcdermott Will Emery Law Firm

On December 2, 2014, the Office for Civil Rights (OCR) and Anchorage Community Mental Health Services, Inc., (ACMHS) entered into a Resolution Agreement and Corrective Action Plan (CAP) to settle alleged violations of the HIPAA Security Rule, which governs the safeguarding of electronic protected health information (ePHI).  OCR initiated an investigation into ACMHS’s compliance with HIPAA after receiving a March 2, 2012 notification from the provider regarding a breach of unsecured ePHI affecting 2,743 individuals.  The breach resulted from malware that compromised ACMHS’s information technology resources.

OCR’s investigation found that ACMHS (1) had never performed an accurate and thorough risk assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI held by ACMHS; (2) had never implemented Security Rule policies and procedures; and (3) since 2008, had failed to implement technical security measures to guard against unauthorized access to ePHI transmitted electronically, by failing to ensure that appropriate firewalls were in place and regularly updated with available patches.

ACMHS agreed to pay $150,000 and to comply with the requirements set forth in the CAP to settle the allegations.  The CAP has a two-year term and obligates ACMHS to take the following actions:

  • Revise, adopt and distribute to its workforce updated Security Rule policies and procedures that have been approved by OCR

  • Develop and provide updated security awareness training (based on training materials approved by OCR) to applicable workforce members, and update and repeat the training annually

  • Conduct annual risk assessments of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI held by ACMHS, and document the security measures implemented to reduce the risks and vulnerabilities to a reasonable and appropriate level

  • Investigate and report to OCR any violations of its Security Rule policies and procedures by workforce members

  • Submit annual reports to OCR describing ACMHS’s compliance with the CAP

In announcing the settlement, OCR Director Jocelyn Samuels said, “[s]uccessful HIPAA compliance requires a common sense approach to assessing and addressing the risks to ePHI on a regular basis.  This includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks.”  A copy of the Resolution Agreement and CAP can be found here.

The settlement is another reminder that covered entities and business associates should ensure that they have taken steps necessary and appropriate to safeguard the ePHI in their possession.  Conducting regular ePHI risk assessments, addressing any identified security vulnerabilities, implementing and updating comprehensive HIPAA policies and procedures, and appropriately training workforce members who have access to ePHI are all steps that covered entities and business associates must take to comply with HIPAA and protect ePHI.

HIPAA Considerations In The Event Of Employee Death or Incapacitation

McBrayer NEW logo 1-10-13

The Health Insurance Portability and Accountability Act of 1996, otherwise known as HIPAA, acts in part to provide federal protection for identifiable health information retained by covered entities, which includes most businesses that offer company health plans. While many employers have policies and procedures in place to ensure HIPAA compliance in routine, every day matters relating to the management of employee health data, few employers have developed policies or even considered how to manage protected health information in the unfortunate event of employee death or incapacitation.

Employee Benefits Folder

Importantly, HIPAA’s protection of identifiable health information does not expire in the event of incapacitation or even the death of an employee. In fact, HIPAA continues to protect identifiable health information for 50 years after death. Consequently, it is important for employers to know to whom protected health information may be disseminated during this time period in order to continue to ensure compliance and avoid the assessment of steep penalties and fines.

Covered health information for the deceased or incapacitated employee during this time may be released to their legal representative under state law. In most instances involving a diseased employee, this would be the appointed administrator of the deceased’s estate. It is permissible to release protected health information to non-representative family members, including but not limited to spouses, domestic partners, parents, children, or siblings, unless doing so is inconsistent with any prior expressed preference that is known to the covered entity. However, the information released to a non-representative family member must be limited to that information which is relevant to that person’s involvement in the decedent’s or incapacitated employee’s care or payment for care. The regulations leave the determination of this relevancy up to the entity’s “professional judgment.” 45 CFR 164.510(b)(5).

The Department of Health and Human Services gives the following example of what could be released: “For example, a covered health care provider could describe the circumstances that led to an individual’s death with the decedent’s sister who is asking about her sibling’s death. In addition, a covered health care provider or pharmacy could disclose billing information or records to a family member of a decedent who is assisting with closing a decedent’s estate. However, in both cases, a provider generally should not share information about past, unrelated medical problems.” (Click here to directed to The Department of Health and Human Services website.)

Consequently, unless protected information is requested by the legal representative of the deceased’s estate, or the information requested is directly related to the requestor’s involvement in the deceased’s care prior to death or payment for the deceased’s care prior to death, a signed HIPAA release by the legal representative is required prior to release of the protected information. Other exceptions allowing the release of protected health information covering special situations are also available, including the allowance of release to law enforcement to assist in a criminal investigation.

Medical History Questionnaire with Pen

It is important that employers understand their responsibilities to protect identifiable health information covered by HIPAA and develop policies to ensure compliance.

ARTICLE BY

Brandon K. Johnson
OF
McBrayer, McGinnis, Leslie and Kirkland, PLLC

Managing Ebola Concerns in the Workplace [PODCAST]

Jackson Lewis Law firm

Many employers are struggling to understand the potential workplace implications of Ebola hemorrhagic fever (EHF).  We invite you to listen to a complimentary 48-minute podcast during which three Jackson Lewis practice group leaders discuss some of the legal and practical issues relating to the virus.  Among the issues discussed are:

  • Steps employers should consider taking to ensure OSHA and state workplace health and safety laws are satisfied;

  • ADA, GINA and FMLA compliance challenges that may arise as employers attempt to lawfully identify and manage employees who are or may have been exposed to Ebola; and

  • HIPAA and other sources of privacy and medical confidentiality obligations that should be considered as employers respond to workplace Ebola concerns.

You can access the podcast here.

ARTICLE BY

Bradford T. Hammock
OF
Jackson Lewis P.C.

Ex Parte Communications between Treating Physician and Attorneys in Tennessee

Dickinson Wright Logo

Under HIPAA, physicians are permitted to disclose “protected health information” to their attorneys for purposes of their own healthcare operations. This allows physicians sued by patients for malpractice to provide their attorneys with the information needed to prepare and present a defense. Ordinarily, subpoenas or orders are a part of a court ordered deposition or trial at which the patients or their attorneys are present, so the need to protect health information is lessened.

HIPAA does not allow treating physicians in one practice to disclose “protected health information” to attorneys for a treating physician in another practice unless a subpoena or an order of a court permits that disclosure. Instead, HIPAA allows members of a group practice to transmit protected health information concerning a patient to business associates of that practice. This means that attorneys representing the other physicians in the group practice can receive information related to the practice’s healthcare operations, including information relating to representing the practice in malpractice lawsuits. A subpoena or court order is not required for this disclosure. Thus, when a physician is being sued for malpractice, HIPAA permits the practice’s attorney to meet with other physicians in that same practice and obtain protected health information related to the plaintiff.

While HIPAA may permit the disclosure of protected health information in this circumstance, state law is another matter altogether. For example, the Tennessee Supreme Court found that an implied covenant of confidentiality exists between the treating physician and his or her patient. Like HIPAA, this implied covenant of confidentiality absolutely prohibits an attorney for a treating physician from meeting with another treating physician unless the patient or the patient’s attorney is present. Like HIPAA, the court assumes that the patient’s interests are protected when the patient is present.

This in turn begs the question – does the implied covenant of confidentiality prohibit a physician employed in a group practice from meeting with the attorneys representing another employee of the practice who has been sued for malpractice without the patient being present? In Tennessee, this issue was recently addressed in Hall v. Crenshaw, W2013-00662-COA-R9-CV (Tenn. Ct. App. July 18, 2014). The court of appeals in Hall held that the implied covenant of confidentiality does not prohibit a physician in a group practice from meeting with attorneys representing another employee physician of the practice. The court of appeals reasoned that a corporation can only function through its agents and employees. Under state law, all knowledge of the corporation’s employees is imputed to the corporation. As a result, the court held that the corporation already possessed this information, meaning the corporation, through its employees, is able to discuss a patient’s medical record and history with the attorneys representing the corporation and its employees.

© Copyright 2014 Dickinson Wright PLLC
ARTICLE BY

Keith C. Dennen
OF
Dickinson Wright PLLC

Office for Civil Rights (OCR) to Begin Phase 2 of HIPAA Audit Program

Mcdermott Will Emery Law Firm

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) will soon begin a second phase of audits (Phase 2 Audits) of compliance with Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy, security and breach notification standards (HIPAA Standards) as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act. Unlike the pilot audits during 2011 and 2012 (Phase 1 Audits), which focused on covered entities, OCR will conduct Phase 2 Audits of both covered entities and business associates.  The Phase 2 Audit Program will focus on areas of greater risk to the security of protected health information (PHI) and pervasive noncompliance based on OCR’s Phase I Audit findings and observations, rather than a comprehensive review of all of the HIPAA Standards.  The Phase 2 Audits are also intended to identify best practices and uncover risks and vulnerabilities that OCR has not identified through other enforcement activities.  OCR will use the Phase 2 Audit findings to identify technical assistance that it should develop for covered entities and business associates.  In circumstances where an audit reveals a serious compliance concern, OCR may initiate a compliance review of the audited organization that could lead to civil money penalties.

The following sections summarize OCR’s Phase 1 Audit findings, describe the Phase 2 Audit program and identify steps that covered entities and business associates should take to prepare for the Phase 2 Audits.

Phase 1 Audit Findings

OCR audited 115 covered entities under the Phase 1 Audit program, with the following aggregate results:

  • There were no findings or observations for only 11% of the covered entities audited;
  • Despite representing just more than half of the audited entities (53%), health care providers were responsible for 65% of the total findings and observations;
  • The smallest covered entities were found to struggle with compliance under all three of the HIPAA Standards;
  • Greater than 60% of the findings or observations were Security Standard violations, and 58 of 59 audited health care provider covered entities had at least one Security Standard finding or observation even though the Security Standards represented only 28% of the total audit items;
  • Greater than 39% of the findings and observations related to the Privacy Standards were attributed to a lack of awareness of the applicable Privacy Standard requirement; and
  • Only 10% of the findings and observations were attributable to a lack of compliance with the Breach Notification Standards

The Phase 2 Audit Program

Selection of Phase 2 Audit Recipients

Unlike the Phase 1 Audit Program, which focused on covered entities, OCR will conduct Phase 2 Audits of both covered entities and business associates.  OCR has randomly selected a pool of 550–800 covered entities through the National Provider Identifier database and America’s Health Insurance Plans’ databases of health plans and health care clearinghouses.  OCR will issue a mandatory pre-audit screening survey to the pool of covered entities this summer.  The survey will address organization size measures, location, services and contact information.  Based on the responses, the agency will select approximately 350 covered entities, including 232 health care providers, 109 health plans and 9 health care clearinghouses, for Phase 2 Audits.  OCR intends to select a wide range of covered entities and will conduct the audits between October 2014 and June 2015.

OCR will notify and send data requests to the 350 selected covered entities this fall.  The data requests will ask the covered entities to identify and provide contact information for their business associates.  OCR will select the business associates that will participate in the Phase 2 Audits from this pool.

Audit Process

OCR will audit approximately 150 of the 350 selected covered entities and 50 of the selected business associates for compliance with the Security Standards, 100 covered entities for compliance with the Privacy Standards and 100 covered entities for compliance with the Breach Notification Standards.  OCR will initiate the Phase 2 Audits of covered entities by sending the data requests this fall and then initiate the Phase 2 Audits of business associates in 2015.

Covered entities and business associates will have two weeks to respond to OCR’s audit request.  The data requests will specify the content, file names and other documentation requirements, and the auditors may contact the covered entities and business associates for clarifications or additional documentation.  OCR will only consider current documentation that is submitted on time.  Failure to respond to a request could lead to a referral to the applicable OCR Regional Office for a compliance review.

Unlike the Phase 1 Audits, OCR will conduct the Phase 2 Audits as desk reviews with an updated audit protocol and not on-site at the audited organization.  OCR will make the Phase 2 Audit protocol available on its website so that entities may use it for internal compliance assessments.

The Phase 2 Audits will target HIPAA Standards that were sources of high numbers of non-compliance in the Phase 1 Audits, including:  risk analysis and risk management; content and timeliness of breach notifications; notice of privacy practices; individual access; Privacy Standards’ reasonable safeguards requirement; training to policies and procedures; device and media controls; and transmission security.  OCR also projects that Phase 2 Audits in 2016 will focus on the Security Standards’ encryption and decryption requirements, facility access control, breach reports and complaints, and other areas identified by earlier Phase 2 Audits.  Phase 2 Audits of business associates will focus on risk analysis and risk management and breach reporting to covered entities.

OCR will present the organization with a draft audit report to allow management to comment before it is finalized.  OCR will then take into account management’s response and issue a final report.

What Should You Do to Prepare for the Phase 2 Audits?

Covered entities and business associates should take the following steps to ensure that they are prepared for a potential Phase 2 Audit:

  • Confirm that the organization has recently completed a comprehensive assessment of potential security risks and vulnerabilities to the organization (the Risk Assessment);
  • Confirm that all action items identified in the Risk Assessment have been completed or are on a reasonable timeline to completion;
  • Ensure that the organization has a complete inventory of business associates for purposes of the Phase 2 Audit data requests;
  • If the organization has not implemented any of the Security Standards’ addressable implementation standards for any of its information systems, confirm that the organization has documented (i) why any such addressable implementation standard was not reasonable and appropriate and (ii) all alternative security measures that were implemented;
  • Ensure that the organization has implemented a breach notification policy that accurately reflects the content and deadline requirements for breach notification under the Breach Notification Standards;
  • Health care provider and health plan covered entities should ensure that they have a compliant Notice of Privacy Practices and not only a website privacy notice;
  • Ensure that the organization has reasonable and appropriate safeguards in place for PHI that exists in any form, including paper and verbal PHI;
  • Confirm that workforce members have received training on the HIPAA Standards that are necessary or appropriate for a workforce member to perform his/her job duties;
  • Confirm that the organization maintains an inventory of information system assets, including mobile devices (even in a bring your own device environment);
  • Confirm that all systems and software that transmit electronic PHI employ encryption technology or that the organization has a documented the risk analysis supporting the decision not to employ encryption;
  • Confirm that the organization has adopted a facility security plan for each physical location that stores or otherwise has access to PHI, in addition to a security policy that requires a physical security plan; and
  • Review the organization’s HIPAA security policies to identify any actions that have not been completed as required (e.g., physical security plans, disaster recovery plan, emergency access procedures, etc.)
ARTICLE BY

Patrick Callaghan
Daniel F. Gottlieb
Edward G. Zacharias
Of:
McDermott Will & Emery

A Look Ahead: Top 5 Health Law Issues for 2014

vonBriesen

 

From Affordable Care Act implementation to the continued transition to quality and evidence-based medicine, we expect to see a host of new regulatory and industry changes in 2014. Moreover, federal and state governments will continue to ramp up detection and enforcement of fraud, abuse, and other laws. These changes provide ample opportunities for lawyers to represent and counsel health care industry clients.

In addition to health lawyers, these changes and new opportunities will also affect lawyers who practice in other areas, including business, antitrust, technology, employee benefits, and elder law. Below is an overview of five hot issues in health care law that practitioners – new and seasoned – should monitor in 2014.

1. Affordable Care Act Implementation

Exchanges and the Individual Market. As millions of Americans obtain insurance on the individual market through Exchanges (a.k.a. the “Marketplace”), the ACA individual mandate and the individual insurance market will create a host of issues for health lawyers in 2014. Beginning early in the year, health lawyers will be called on to address coverage, enrollment, and compliance issues. Attorneys and firms looking to expand their ACA practice should consider employee benefits regulations and related legal issues as ACA implementation continues and employers look for help understanding and complying with coverage requirements and pay or play rules.

Medicaid. The ACA’s expansion of Medicaid will also bring increased attention to the Medicaid program in 2014. Attorneys should be prepared to see increased scrutiny of program integrity in the coming year, including inspector general attention at the state and federal levels (e.g., program audits). Attorneys may be called upon to address these and other Medicaid issues in 2014, including issues with eligibility, covered benefits, and movement between Exchanges and Medicaid.

Tax Exemption. Section 501(r) of the Internal Revenue Code, introduced as part of the ACA, requires, among other things, that tax-exempt hospitals conduct a community health needs assessment and adopt a written financial assistance policy. Hospitals that do not meet the 501(r) requirements risk an excise tax, taxing of hospital revenue, and revocation of exempt status. Proposed regulations outlining the 501(r) requirements were released in 2013, and final rules are expected in 2014.

2. Health Information Privacy and Security

This year is shaping up to be another big year for health information privacy and security and the Health Insurance Portability and Accountability Act (HIPAA), as providers, payers, and businesses that support the health care industry (including lawyers) adapt to new compliance requirements and increased liability under the Omnibus Rule regulatory scheme.

This is an area that will be important for health lawyers, as the Omnibus Rule outlines clear compliance requirements for lawyers providing legal services to providers and payers. (For more information on lawyers as business associates, see “Casting a Wider Net: Health Information Privacy is Not Just For Health Lawyers” in the September 2013 Wisconsin Lawyer).

Health lawyers are also awaiting the 2014 release of another major HIPAA rule – expected to outline requirements for tracking uses and disclosures of health information – as well as legislative changes in Wisconsin dealing with confidentiality of mental health records (an in-depth Wisconsin Lawyer article on this is forthcoming).

Lawyers that deal with health information should be familiar with HIPAA and other federal and state laws protecting the confidentiality of health information to address an increased emphasis on HIPAA audits, security, and technology issues in 2014.

3. Provider Reimbursement and Emphasis on Quality Care

Medicare Billing and Payment. As of this writing, Congress is still debating options for repealing the sustainable growth rate (SGR), which is part of a reimbursement formula used to calculate Medicare physician payments. For years, the SGR has resulted in cuts to physician payments. However, Congress has always used SGR “doc fixes” to extend and delay the cuts (most recently, on Dec. 18, 2013, a 23.7 percent cut set to take effect Jan. 1, 2014, was delayed until March).

However, bipartisan efforts in Congress may make 2014 the year of the SGR repeal. Health care attorneys should take note because the SGR repeal will mean significant changes in how Medicare physician reimbursement is calculated, and the wide-spread effect will touch any number of contractual arrangements that use Medicare reimbursement to set compensation terms.

Quality-based Reimbursement. We have seen a steady change from productivity-based compensation models, which pay for volume, to quality-based reimbursement models, and 2014 will continue this progression. Attorneys that represent physicians and physician practices should be prepared for the introduction (or addition) of quality metrics in physician compensation arrangements, as well as an increase in co-management arrangements and opportunities, which engage physicians in hospital management to better align physicians and hospitals.

Narrow Networks. With additional products available in the individual insurance market in 2014 and an increased focus on performance-based contracting, payers are tying rate increases to quality metrics and tightening provider networks. Attorneys representing physician groups may see an increase in narrow network products and, as a result, their clients’ exclusion from networks.

Changing reimbursement concepts are not new but some methodologies will affect physician behavior, require more patient engagement, and influence efficiency as the industry demands accountable care and continues to introduce quality-based incentives.

4. Increased Joint Venture Activity and Market Consolidation

We expect to see increased joint venture activity and market consolidation in 2014. Increasing market share and patient population allows providers and payers to introduce and monitor their quality care initiatives to a broader base of patients and standardize care with the hope of better outcomes and efficiency. Attorneys representing parties in these transactions should be mindful of fair market value and other fraud and abuse requirements, leasing and construction considerations, and potential antitrust implications.

5. Government Enforcement

The health care industry has seen increased government scrutiny, including emphasis on payment, program integrity, and compliance. From Medicare and Medicaid compliance audits, Strike Teams, increased HIPAA penalties, overpayment recoupment, to fraud and abuse self-disclosures and intervening in whistleblower suits, the federal government is improving its enforcement mechanisms used against hospitals and providers. The federal agencies and their contractors have increased their damages and penalty recoveries over the last few years, and we expect this to continue in 2014.

The primary goal of the U.S. Department of Health and Human Services Office of Inspector General’s (OIG) strategic plan for 2014 to 2018 is fighting fraud, waste, and abuse. In order to achieve its goal, the OIG intends to build upon existing enforcement models, refine self-disclosure protocols, and use all appropriate means (including exclusions and debarments) to maximize recovery.

If you are new to health care, or if you want to expand your practice into health law, these areas of strict liability and increased enforcement will be fundamental to your practice in 2014. Understanding the complex regulations and strict liability statutes is fundamental to providing sound legal and business advice to health care clients.

Honorable Mentions

Retail health clinics and on-site health services, changes in medical malpractice standards, increased emphasis on post-acute care, non-physician health care professionals, and the corporate practice of medicine will also be hot topics in 2014.

This article was first published in WisBar Inside Track, Vol. 6, No. 1, a State Bar of Wisconsin publication.

Article by:

Meghan C. O’Connor

Of:

von Briesen & Roper, S.C.

HIPAA Omnibus Rule Effective March 26, 2013

The National Law Review recently featured an article, HIPAA Omnibus Rule Effective March 26, 2013, written by the Health Care & Health Care Finance group with Vedder Price:

VedderPriceLogo

 

The omnibus final rule that amends the privacy, security and enforcement rules1 promulgated under the Health Insurance Portability and Accountability Act of 1996 (the statute and rules, together, HIPAA) requires that Covered Entities revise and redistribute their notice of privacy practices (NPP). As described below, this will generally involve updating NPPs for legally required changes and redistributing the NPPs, whether by posting on an intranet site or distributing hard copies, by September 23, 2013.

The final rule became effective on March 26, 2013; however, Covered Entities have until September 23, 2013 (the compliance date), unless otherwise excepted, to bring their NPPs into compliance. Many of the changes to the NPPs are required pursuant to statutory enactments under the Health Information Technology for Economic and Clinical Health Act (HITECH Act) and the Genetic Information Nondiscrimination Act (GINA). Most new requirements are generally applicable to all Covered Entities, as defined under HIPAA, but certain requirements apply specifically to health plan Covered Entities and health care provider Covered Entities as summarized below.

New Requirements for Covered Entities’ NPPs

A Covered Entity must update its NPP to include these additional elements:

  1. A statement that certain uses and disclosures of protected health information (PHI) require an authorization from the subject individual, specifically psychotherapy notes (if recorded or maintained by the Covered Entity), PHI for marketing purposes and PHI in instances constituting the sale of PHI;
  2. A statement that uses and disclosures not addressed within the NPP require a written authorization;
  3. An acknowledgment that the individual may revoke any authorization granted for uses and disclosures requiring such authorization; and
  4. A notice of the individual’s rights following a breach of unsecured PHI, which can be sufficiently accomplished with a statement that the individual has a right to or will receive notification of a breach of his or her unsecured PHI.

Covered Entities that seek to contact individuals to raise funds for themselves must also include a notice of such intentions and of the individual’s right to opt out of such communications. However, the mechanism for opting out of fundraising communications does not need to be included in the NPP.

Specific Requirements for Health Care Providers’ NPPs

Tangential to new rights created by the final rule for individuals to restrict access to PHI, each health care provider must notify individuals of such new rights through its NPP.

  1. Notice Elements. In addition to those provisions discussed above, health care providers must include in their NPPs a statement notifying the individual of the individual’s right to restrict—and a health care provider’s affirmative obligation to agree to restrict—disclosures of PHI to the individual’s health plan where the individual has paid for the items or services out-of-pocket and in full.
  2. Distribution Methods. The final rule did not amend those provisions relating to the distribution of NPPs for health care providers; however, the preamble to the final rule did clarify the manner in which health care providers are expected to distribute NPPs by the compliance date. NPPs must be available at the delivery site, but health care providers may choose to post a summary of the policy with copies of the entire policy readily available at the patient’s request, with the exception of new patients, who must be given a complete copy and must return a good faith acknowledgment of receipt.

Specific Requirements for Health Plans’ NPPs

  1. Notice Elements. In addition to the above requirements, a health plan that uses PHI for underwriting purposes must include in its NPP a disclosure that the health plan may not use or disclose PHI that is genetic information for underwriting purposes.
  2. Distribution Methods. A health plan that currently posts its NPP on the company’s intranet site must (i) post the revised NPP (or the material changes to the NPP) on the website by September 23, 2013 and (ii) within the next annual mailing, provide the revised NPP or information about the material changes to the NPP and instructions for obtaining a copy of the revised NPP.

Alternatively, for those health plans that do not provide access to the NPP on the company’s intranet site, either (i) the revised NPP or (ii) information regarding the material change in the policy and instructions on how to obtain a copy of the revised notice must be distributed to individuals covered by the subject plan of the NPP within 60 days of such material revision. Distribution may be made via regular mail, hand delivery or, if applicable, electronic means. We anticipate many health plans will distribute a revised NPP as part of open enrollment.

Excepted Entities

The final rule exempts certain entities from specific aspects of the revised NPP provisions. Issuers of long-term care policies do not need to include notice of the restrictions on the use and disclosure of genetic information for underwriting purposes, as GINA did not apply such restrictions to these plans. As discussed above, health care providers are not required to disclose the protections afforded to individuals under GINA in NPPs, as health care providers may continue to disclose genetic information, subject to the minimum necessary requirements and in reliance upon a patient’s health plan’s exclusive obligation to comply with GINA’s restrictions on its use of and requests for such information.

Lastly, those health plans that have previously distributed NPPs in compliance with the final rule (as a result of the statutory enactment of such requirements under GINA and the HITECH Act) do not need to redistribute NPPs by the compliance date.

Action Items

Before September 23, 2013, Covered Entities should revise NPPs to be compliant with the final rule and distribute such revised NPPs in accordance with the specified distribution methods applicable to the Covered Entity. Furthermore, those health plans that have previously distributed NPPs to comply with GINA and the HITECH Act should ensure that all of the elements of the final rule, including those applicable to all Covered Entities, have been satisfied before determining that the exception granted under the final rule applies.

1 45 C.F.R. parts 160 and 164, subparts A and E, 45 C.F.R. parts 160 and 164, subparts A and C, and 45 C.F.R. parts 160, subparts C through E, respectively.

© 2013 Vedder Price