
New York Health Law

OCR’s First Settlement with a Business Associate for HIPAA Violations

Posted in HIPAA and Privacy, Information Technology and EMR, Regulatory Issues

Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) is the first business associate to be held directly liable for violations under the HIPAA rules. CHCS provided management and information technology services to six nursing homes. According to the OCR Resolution Agreement, OCR received separate notifications from each of the six nursing homes regarding a breach of unsecured electronic protected health information (ePHI) by CHCS resulting from the theft of a CHCS mobile device. The mobile device containing ePHI of 412 nursing home residents was neither encrypted nor password-protected. The settlement includes a monetary payment of $650,000 and a two-year corrective action plan.

OCR’s investigation concluded that:

  1. CHCS failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by CHCS; and
  2. CHCS failed to implement appropriate security measures sufficient to reduce the risks and vulnerabilities to a reasonable and appropriate level to comply with the HIPAA Security Rule.

It is important for Business Associates and subcontractors of Business Associates to understand that since enactment of the Omnibus Rule in 2013, Business Associates and their subcontractors can be held directly liable for HIPAA violations, including the failure to conduct appropriate risk assessments and the failure to adopt adequate written policies and procedures to reduce the risk of violations.

Consequences for Failure to Have a Required Business Associate Agreement

Posted in Audit and Compliance, HIPAA and Privacy, Regulatory Issues

The Department of Health and Human Services, Office for Civil Rights (“OCR”), enforces the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). This includes the requirement that Covered Entities (health care providers and health plans) have Business Associate Agreements with their “Business Associates.”

“Business Associates” are persons or entities who “create, receive, maintain or transmit” Protected Health Information (“PHI”) in performing services on behalf of a Covered Entity. Furthermore, a subcontractor of a Business Associate that creates, receives, maintains or transmits PHI on behalf of a Business Associate is also a “Business Associate.”

Both Covered Entities and Business Associates are directly liable for failing to have a compliant Business Associate Agreement in place. In addition, Business Associates must have Business Associate Agreements with their subcontractors who create, receive, maintain or transmit PHI on behalf of a Business Associate.

Recent cases of OCR enforcement for failure to have a required Business Associate Agreement include:

  • North Memorial Health Care of Minnesota agreed to pay $1.55 million to settle OCR charges for failing to have a Business Associate Agreement in place when a business associate’s laptop containing thousands of individuals’ PHI was lost.
  • Raleigh Orthopedic Clinic agreed to pay $750,000 and to enter into a Corrective Action Plan in settlement of OCR charges that it failed to have a Business Associate Agreement in place with its Business Associate engaged to transfer x-rays to electronic media.
  • Triple-S Management Corporation agreed to pay $3.5 million to settle OCR charges of multiple violations, including “impermissible disclosure of its beneficiaries’ PHI to an outside vendor without having a required Business Associate Agreement in place.”

To avoid multi-million dollar settlements, Covered Entities must evaluate their relationships with third parties, and Business Associates must evaluate their relationships with subcontractors, to ensure required Business Associate Agreements are in place. Covered Entities and Business Associates should consider adopting written policies and procedures regarding their Business Associates and subcontractors to demonstrate their efforts at compliance.


*My thanks to Farrell Fritz summer associate Joanna Lima for her assistance with this blog posting.

Sixth Amendment Prevents Pretrial Restraint on Health Care Defendant’s Use of Untainted Funds To Pay Counsel

Posted in Fraud and Abuse and Stark, Litigation, Medicaid and Medicare, OMIG and OIG, Physicians and Other Licensed Professionals

The Supreme Court held last week that in a federal health care fraud prosecution, the Sixth Amendment prevents the government from obtaining a pretrial freeze of assets that were untainted by the alleged crime and that the defendant sought to use to pay her lawyer.

In Luis v. United States, the government alleged that the defendant had been engaged in paying kickbacks and conspiring to commit health care violations, and had fraudulently obtained close to $45 million.  The government sought a pretrial order restraining $2 million under 18 U.S.C. § 1345, which allows a restraint on property obtained as a result of health care fraud or “property of equivalent value.”  Here, however, the property the government sought to restrain was not connected with the alleged crime, and defendant sought to use those funds to hire counsel to defend her in the criminal case.

The Supreme Court held that the pretrial restraint of legitimate, untainted assets needed to retain counsel of choice violates the Sixth Amendment. Justice Breyer’s plurality opinion first emphasized that the Sixth Amendment right to counsel is “fundamental” and “guarantees a defendant the right to be represented by an otherwise qualified attorney whom that defendant can afford to hire.” The government argued that the important interests of keeping assets available for statutory penalties and compensation of victims justified the restraint.

Justice Breyer found controlling the fact that the funds at issue were untainted by the alleged crimes, so they belonged to the criminal defendant “pure and simple.” In contrast, tainted funds—assets connected to a crime—may be subject to pretrial restraint.  The Court, for example, has held that tainted funds subject to forfeiture may be restrained pretrial even if the defendant seeks to use those funds to pay a lawyer. Caplin & Drysdale v. United States, 491 U.S. 617 (1989); United States v. Monsanto, 491 U.S. 600 (1989).  A significant factor in the forfeiture cases was that title to forfeited property passes to the government at the time of the crime.  The government, however, had no present interest in the defendant’s untainted funds in the case before the Court.

While in some circumstances a party without a present interest may restrain property, here the criminal defendant sought to use the funds to hire counsel, and the Sixth Amendment right to counsel does not permit such a restraint.  Justice Breyer noted that accepting the government’s position could erode the right to counsel, as Congress may provide more statutory provisions allowing for restraint of untainted assets equivalent in value to the criminal proceeds.

The decision did not break along usual lines for the Court. The plurality opinion authored by Justice Breyer was joined by Chief Justice Roberts and Justices Ginsburg and Sotomayor. Justice Thomas concurred in the judgment, writing that he would not engage in any balancing and would hold strictly that the Sixth Amendment does not allow a pretrial asset freeze infringing the right to counsel. Justices Kennedy, Alito and Kagan dissented, asserting on various grounds that where the government has established probable cause to believe that it will eventually recover all of the defendant’s assets, she has no right to use them pretrial to pay for a lawyer.

In the end, the decision draws a clear Constitutional line between: (1) tainted funds, which may be subject to pretrial restraint, and (2) innocent or untainted funds needed to pay for counsel, which may not.

Who is a “Qualified Person” for Purposes of Access to a Patient’s Medical Records

Posted in Audit and Compliance, HIPAA and Privacy, Hospitals and Health Care Facilities, Physicians and Other Licensed Professionals, Regulatory Issues

In our previous post [found here], we explained that, under the Privacy Rule, HIPAA covered entities (health care providers and health plans) must provide individuals and their “personal representatives” with access to the individual’s protected health information. An individual’s personal representative is determined under State law. In this post, we will define who is a “personal representative” under New York law.

Section 18(2) of the New York Public Health Law (PHL) states that, upon written request, a health care provider shall provide an opportunity, within ten days, for a patient to inspect the patient’s information concerning or relating to the examination or treatment of the patient. Upon the written request of any qualified person, a health care provider shall furnish to the qualified person, within a reasonable time, a copy of any patient information requested which the authorized person may inspect. The law provides no specific time period by which copies of medical records must be provided. However, the New York State Department of Health considers 10 to 14 days to be a reasonable time in which a practitioner should respond to such a request.

A “qualified person” under PHL § 18(1)(g) includes:

  1. the properly identified patient;
  2. a guardian for an incapacitated person appointed under article eighty-one of the mental hygiene law;
  3. a parent of an infant or a guardian of an infant appointed under article seventeen of the Surrogate’s Court Procedure Act or other legally appointed guardian of an infant who may request access to a clinical record;
  4. a distributee of any deceased subject for whom no personal representative, as defined in the Estates, Powers and Trusts Law, has been appointed; or
  5. an attorney representing a qualified person or the subject’s estate who holds a power of attorney from the qualified person or the subject’s estate explicitly authorizing the holder to execute a written request for patient information.

PHL § 18(1)(g) states that a qualified person shall be deemed a “personal representative of the individual” for purposes of HIPAA and its implementing regulations. Although not a “qualified person,” an agent appointed under a patient’s Health Care Proxy may also receive medical information and medical and clinical records necessary to make informed decisions regarding the patient’s health care (see PHL § 2982(3)). Presumably, the holder of a Health Care Proxy would also be a “personal representative of the individual” for purposes of HIPAA, although there is no explicit statement to that effect in PHL § 2982.

There are circumstances where a qualified person may be denied access to inspect or obtain a copy of the patient’s records. In the next post, we will explain those circumstances.

The Individual’s Rights Under HIPAA to Access their Health Information: Verifying the Identity of the Person Requesting PHI

Posted in Audit and Compliance, HIPAA and Privacy, Hospitals and Health Care Facilities, Information Technology and EMR, Long Term Care, Home Health and DME, Physicians and Other Licensed Professionals, Regulatory Issues

Under the Privacy Rule, HIPAA covered entities (health care providers and health plans) are required to provide individuals, upon request, with access to their protected health information (PHI) in one or more “designated record sets” maintained by or for the covered entity.

Covered entities are also required to protect the individual’s PHI from unauthorized disclosure. How must a covered entity verify the identity of the individual requesting the PHI so as to comply with the Privacy Rule without at the same time violating it?

Recent guidance from the Office for Civil Rights (OCR) is somewhat helpful.

According to the guidance, the Privacy Rule requires a covered entity to take “reasonable steps” to verify the identity of an individual requesting access (citing 45 CFR 164.514(h)). OCR confirms the Privacy Rule does not mandate the form of verification, but rather leaves the manner of verification to the professional judgment of the covered entity, provided the verification processes and measures “do not create barriers to or unreasonably delay the individual from obtaining access to her PHI”. OCR explains that verification may be oral or in writing and states that the type of verification depends on how the individual is requesting or receiving access. For instance, a person may request access in person, by phone, by fax or e-mail, or through a web portal hosted by the covered entity.

OCR suggests that standard request forms ask for basic information about the individual to enable the covered entity to verify the individual is the subject of the information requested.  For those covered entities providing individuals with access to their PHI through web portals, the portals should be set up with appropriate authentication controls, as required by the HIPAA Security Rule (for instance password protection and required periodic password updates).

For individuals who may call requesting access to their PHI, good policy might require verification of the requestor’s date of birth, address, and perhaps the condition the individual was treated for.

Verifying the authority of an individual’s personal representative is determined under State law. In the next blog post, we will look at the law in New York on who is a qualified person for purposes of access to an individual’s medical records.

‘Incident To’ Billing: Billing Physician as the Supervising Physician and Ancillary Personnel Requirements

Posted in Audit and Compliance, Medicaid and Medicare, Physicians and Other Licensed Professionals

CMS has published a Proposed Rule to clarify how physicians are to bill for services furnished “incident to” the professional services of a physician.

When a medical practice bills Medicare “incident to” for NPP services (i.e. “non-physician practitioners” such as nurses or physician assistants), the bill is rendered by the physician using the physician’s NPI number. Incident to services billed by the physician are paid at 100 percent of the fee schedule amount even though the physician did not perform the services. When the same services are billed by the NPP, the services are paid at 85 percent of the fee schedule amount. Specific requirements must be met for physicians to bill Medicare for incident to services. The services must be:

  • Furnished in a noninstitutional setting to noninstitutional patients.
  • An integral, though incidental, part of the service of a physician in the course of diagnosis or treatment of an injury or illness (understood to mean a physician has seen the patient first and initiated a plan of care being carried out by the NPP).
  • Furnished under direct supervision of a physician or other practitioner eligible to bill and directly receive Medicare payment (meaning the physician is present in the office suite).
  • Furnished by a physician, a practitioner with an incident to benefit, or auxiliary personnel.

NPP services may be billed under the physician’s NPI number when the services are part of the patient’s normal course of treatment, during which a physician performed an initial service and remains actively involved in the treatment.

The current regulations have caused confusion. The regulations state that the “physician supervising the auxiliary personnel need not be the same physician upon whose professional service the incident to service is based.” My interpretation of this is that a physician other than the physician that initiated the plan of care may supervise the NPP in the provision of services and such services will qualify as “incident to” if all other requirements are met. What remains unclear is which physician should bill for the incident to services, the supervising physician or the physician that initiated the plan of care. The proposed rule attempts to clarify that the billing physician must be the physician that supervised the services and not the physician that initially saw the patient and instituted the plan of care.

Care must be taken to ensure the supervising physician’s NPI number is used. This can be a challenge in busy medical offices where the physicians are regularly in the OR or conducting rounds.

EDNY Judge Refuses To Unseal Grand Jury Minutes In Health Care Identity Theft Prosecution

Posted in Fraud and Abuse and Stark, HIPAA and Privacy, Litigation, Medicaid and Medicare

Earlier this month, EDNY Judge Joanna Seybert examined the elements of Aggravated Identity Theft in an interesting context: a motion to unseal grand jury minutes in a health care fraud prosecution, United States v. Cwibeker.

Defendants were charged with billing Medicare for fictitious or non-compensable treatments of residents of assisted living facilities.  Defendants would allegedly visit residents at the facilities, not provide Medicare-reimbursable services, and then generate a list of patients they allegedly visited.  Defendants would then use the list to submit fictitious claims to Medicare.  Significantly, defendants legally obtained the personal information from residents in the first instance; the alleged subsequent unlawful use of the information formed the basis of the criminal charges. 

Defendant Cwibeker argued that patients had consented to use of their personal information, and non-consent is an element of the Aggravated Identity Theft charge.  Thus, the grand jury minutes should be unsealed because this element was likely not disclosed.  

The Court first noted the long-established policy of maintaining secrecy of the grand jury.  The Court next looked to the Supreme Court’s three part analysis for allowing disclosure.  A party must show: (1) the material sought is needed to avoid a possible injustice; (2) the need for disclosure is greater than the need for continued secrecy; and (3) the request is structured to cover only the material needed. 

The Court denied the motion, holding that non-consent of the defendant’s purported patients for releasing the information is not an element of the Aggravated Identity Theft offense, which provides that whoever “knowingly transfers, possesses or uses, without lawful authority, a means of identification of another person,” is subject to an additional two years in prison. The Court found that consent of the victim has no bearing on “without lawful authority”  under the statute, as it is the improper use of the information that forms the offense.  The Court distinguished a Seventh Circuit case where the person whose identity was appropriated was a participant in the fraud.  In Cwibeker, the Medicare recipients whose identification was misappropriated were victims, with no knowledge of or participation in the alleged fraud. 

This case highlights again the need for vigilance concerning patients’ personal information.  Courts will hold persons who seek to profit from the improper use of such information accountable.  Providers must take all available steps to safeguard patient information, however, as those who allow such information to fall into the wrong hands will also be held accountable.

Second Circuit Rejects Constitutional Challenge To New York School Vaccination Requirement

Posted in Litigation, Regulatory Issues

The Second Circuit yesterday rejected a Constitutional challenge to New York’s requirement that children be vaccinated to attend public school, and upheld a school’s decision to exclude from class, during a chicken pox outbreak, students with a religious exemption to the vaccination requirement. 

In Phillips v. City of New York, two Catholic parents received a religious exemption from the statutory vaccination requirement for their children. The statute provides an exemption for children of parents who have “genuine and sincere religious beliefs” against vaccination.   A state regulation provides that school officials may exclude children with an exemption from school “in the event of an outbreak … of a vaccine-preventable disease in a school.”  Plaintiffs’ children were excluded from school when a fellow student was diagnosed with chicken pox. 

Plaintiffs first argued that mandatory vaccination violates substantive due process.  The Court upheld New York’s requirement, based on the Supreme Court’s decision in Jacobson v. Commonwealth of Massachusetts, 197 U.S. 11 (1905), that school vaccination is a proper exercise of the State’s police powers.  The Second Circuit rejected the argument that an alleged growing body of scientific evidence against vaccinations altered this rule.     

The Court next addressed the exclusion of plaintiffs’ children from school during the chicken pox outbreak, which plaintiffs alleged to be an unconstitutional burden on their free exercise of religion. The Second Circuit held that the law was neutral and of general applicability, and therefore the State need not show a compelling government interest, even if there was an incidental burden on religion. The Court cited the Supreme Court’s statement in Prince v. Massachusetts, 321 U.S. 158 (1944), that “[t]he right to practice religion freely does not include liberty to expose the community or the child to communicable disease or the latter to ill health or death.” The Court determined that because the State could exclude unvaccinated children from school altogether, the more limited exclusion during a chicken pox outbreak was Constitutional.

Another plaintiff on the appeal was not granted a religious exemption from vaccination for her children.  The District Court had adopted the Magistrate Judge’s findings that this plaintiff’s objections to vaccination were health-related and not based on genuine and sincere religious beliefs.  The Second Circuit held that this determination had not been appealed and could not therefore be addressed.

5 Lessons for Health Care Providers from Joan Rivers’ Death

Posted in Audit and Compliance, HIPAA and Privacy, Hospitals and Health Care Facilities, Physicians and Other Licensed Professionals

On November 10, 2014, the US Department of Health and Human Services released its investigation report regarding the death of actress and comedian Joan Rivers.  The report, called a “Statement of Deficiencies and Plan of Correction”, highlights numerous mistakes and violations made by Yorkville Endoscopy, the treating facility where Ms. Rivers died (Ms. Rivers was identified as “Patient #1”).  Health care providers, facility owners, and administrators can learn some basic but important lessons from the report’s findings. 

1. Have appropriate policies and procedures (“P&Ps”) in place as required by your licensing agency and accrediting body.  Yorkville Endoscopy is licensed by the State of New York as an ambulatory surgery center (“ASC”) under Article 28 of the Public Health Law, and accredited by the American Association for Accreditation of Ambulatory Surgery Facilities.  The State regulatory requirements for an ASC are much more rigorous than the requirements for non-licensed outpatient surgery centers in New York.  P&Ps cover issues including clinical practices, patient consents, procedures, anesthesia, billing, provider credentialing, employment and more.  An administrator, compliance officer, or other responsible party may review the regulations and accreditation standards, consult with the accrediting body, legal counsel or a consultant, and can purchase policy manuals from numerous sources.  

2. Follow your own policies and procedures.  The report cites numerous examples of Yorkville Endoscopy failing to follow its own P&Ps.  For example, the staff failed to follow the “Time Out” policy which helps ensure that the correct procedure is being performed; also, one of the physicians performing the procedures was not credentialed by the facility, in violation of the Physician Credentialing P&P. A facility’s P&P manual should not be gathering dust on a shelf in a back office (same goes for the Compliance Manual).  If a particular policy or procedure is not effective, the facility should develop a new policy or procedure that works better.  A facility that consistently follows its own P&Ps exhibits traits of a compliant and quality oriented organization; while this will not prevent accidents or unexpected occurrences, many issues may be avoided.  All staff, including physicians, should be regularly educated on the facility’s P&Ps.

3. Credentialing protects you.  The federal report stated that one of the physicians performing a procedure on Ms. Rivers was not credentialed by the facility.  Credentialing is a fairly simple process that allows a facility to review a provider’s licensure, education and work history, insurance, and past lawsuits or disciplinary actions before allowing them to treat patients.  This enables a facility to determine whether a provider meets facility requirements in general, and often whether they are qualified for specific procedures.  This helps weed out bad providers up front, limits certain procedures to physicians with an appropriate level of training and experience, and allows the facility to have a record of who is providing services under its roof.

4. Keep the cameras away from the patients.  The report notes that one of the physicians took a photograph of Ms. Rivers with his cell phone while she was under sedation during a procedure.  There is no evidence she consented to this photo.  This is a violation of Ms. Rivers’ right to privacy (under HIPAA and State laws), and violated the facility’s own “Cell Phone Policy.”  Taking photos of patients without their consent exposes the individuals and their facilities to liability, and often results in loss of employment for the offending staff.  Facilities should review their photo and video policies, with an eye toward protection of the privacy of patients, staff and guests.

5. Beware of “VIP Medicine”. Accommodating a VIP in certain ways is reasonable and acceptable, but it is not occasion to ignore important policies and procedures. The investigation states that Ms. Rivers’ medical record did not contain an informed consent for the nasolaryngoscopy, and contained no documentation of her body weight (needed to calculate anesthesia dosages). Allowing a VIP to enter through a separate door to increase their privacy, keeping their visit private, or using a private room are certainly appropriate. However, clinical guidelines should be followed regardless of the star power of the patient. This means they must be subject to the same clinical oversight, undergo the same process for obtaining informed consent for any procedure, and receive the same pre-procedure screening and testing in accordance with good medical practices.

It is unknown whether compliance with any of the above-noted issues would have resulted in a better outcome for Ms. Rivers – sometimes the negative risks discussed during the informed consent process do occur, and sometimes this results in the death of a patient.  What is clear is that inattention to regulations, failing to follow basic policies and procedures, and violating a patient’s rights suggest a facility and providers that fail to place a high value on quality of care and the safety of their patients.

Visiting Nurse Service Settles Some SDNY False Claims Act Allegations, Leaves Others Open As Part Of A “Remaining Investigation”

Posted in Audit and Compliance, Fraud and Abuse and Stark, Insurance and Managed Care, Litigation, Long Term Care, Home Health and DME, Medicaid and Medicare, Physicians and Other Licensed Professionals

An interesting SDNY settlement agreement resolves some False Claims Act allegations, but leaves others for another day.  Visiting Nurse Service of New York (VNS) paid just under $35 million to the United States and New York State to settle allegations that VNS improperly billed Medicaid for 1,740 members whose needs did not qualify for a managed care plan.  The government alleged that these members were improperly referred by social adult day care centers (SADCC), or received services primarily from SADCCs, many of which provided substandard and minimal care.   

In the settlement agreement, VNS admitted that 1,740 Medicaid long term care  program members were referred by SADCCs or used SADCC services, and were not eligible to be members of the plan; and that various SADCCs in the provider network did not provide services that qualified as “personal care services” under the long term care program contract with New York’s Department of Health. 

The settlement agreement has a unique “Remaining Investigation” provision.  Most FCA settlement agreements are designed to settle all claims against the defendants.  The VNS settlement agreement, however, provides that it resolves only part of the United States investigation. Examples of allegations that are part of the “Remaining Investigation” are redacted in the publicly-filed document.  In a provision that could lead to interesting questions of interpretation, VNS agrees  “to cooperate with the Remaining Investigation,” but without waiving attorney-client or joint defense privileges, work product protections, or factual or legal defenses covering claims the government may bring against VNS.  The issue of whether VNS is satisfying its duty of cooperation under the agreement while maintaining assertions of privilege and factual and legal defenses will be difficult to sort out if it is ever litigated.  The settlement agreement carves out any potential claims against the president of the corporation that administered the managed health care plan, so that individual could be the focus of the “Remaining Investigation.”  In addition, the Court approved keeping the relator’s complaint and the government’s complaint-in-intervention under seal.

During the pendency of the “Remaining Investigation,” VNS agrees to monitor and further revise standards for credentialing SADCCs; only credential SADCCs that have necessary certificates; monitor SADCCs to ensure compliance with credentialing; ensure that SADCCs provide proper personal care services; and prohibit marketing practices directed at enrolling members through SADCCs.