In the wake of some of the worst storms our country has ever faced, as seen in the devastation caused by Hurricane Harvey, in Texas, Hurricane Irma, in Florida, and now Hurricane Maria, in Puerto Rico and the U.S. Virgin Islands, it is important to understand some of the actions the United States federal government can take to assist victims of Mother Nature. How broad is the federal government’s authority? Who is that authority bestowed upon? Well, one such mechanism is the declaration of a Public Health Emergency by the Secretary of Health and Human Services (“HHS”) under Section 319 of the Public Health Service Act (“PHSA”).

Under Section 319 of the PHSA, the Secretary of HHS is empowered to declare a public health emergency if the Secretary determines, after consulting with public health officials, that (1) a disease or disorder presents a public health emergency, or (2) a public health emergency otherwise exists, including, but not limited to, an epidemic or bioterrorist attack.  Upon making such a declaration, the Secretary of HHS is authorized and empowered to “take such action as may be appropriate to respond to the public health emergency, including making grants, providing awards for expenses, and entering into contracts and conducting and supporting investigations into the cause, treatment, or prevention of a disease or disorder.” The Secretary’s expanded authority is not perpetual: it remains in effect for 90 days, or until the emergency ceases to exist if that occurs sooner, with the option of a one-time renewal for an additional 90 days that can be made on the basis of new or the same facts underlying the initial declaration. Once a declaration, and any renewal, if applicable, is made, the Secretary of HHS must inform Congress, in writing, within 48 hours.

Practically speaking, what actions can the HHS Secretary take? Some discretionary actions include, but are not limited to: (1) waiving certain prescription and dispensing requirements under the Federal Food, Drug, and Cosmetic Act; (2) waiving or modifying particular requirements under Medicare, Medicaid, the Children’s Health Insurance Program and the Health Insurance Portability and Accountability Act; and (3) appointing temporary personnel for up to one year. These actions, in addition to others, help bring emergency relief to those in need.

On September 19, 2017, now former Secretary of HHS, Tom Price, declared a Public Health Emergency under Section 319 of the PHSA for the benefit of Puerto Rico and the U.S. Virgin Islands following the devastation caused by Hurricane Maria, and stated, in his press release, that “[d]eclaring a public health emergency for Puerto Rico and the U.S. Virgin Islands will aid in the department’s response capabilities – particularly as it relates to ensuring that individuals and families in those territories with Medicare, Medicaid and the Children’s Health Insurance Program (CHIP) maintain access to care.”  While this declaration is limited in scope, the actions authorized thereunder will help start the long recovery for the people who reside in Puerto Rico and the U.S. Virgin Islands.

Please kindly consider how you can get involved to help the people who have been negatively impacted by the devastation caused by Hurricanes Harvey, Irma and Maria.

Effective March 1, 2017, the New York State Department of Financial Services promulgated regulations to help protect against cybercriminals and their efforts to exploit sensitive electronic data. These cybersecurity regulations apply to all individuals and entities that “operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law”, with a few exceptions.  This will undoubtedly result in insurance companies and other related healthcare entities, which hold sensitive patient health information, beefing up their internal and external rules and policies.  New York’s proactive stance should be taken with the utmost seriousness given that there are more than 400 cyberattacks each day over the internet, or almost 3 every minute.

The United States Congress has enacted a similar law to protect health information, the Health Insurance Portability and Accountability Act (“HIPAA”). However, because HIPAA was enacted and modified years prior to cybersecurity becoming a prominent threat to our society, HIPAA does not provide as much protection to patients’ electronic data as the New York regulations do.  HIPAA does provide important guidelines and safeguards to ensure the integrity and confidentiality of protected health information, but does not elaborate on many of the issues presented in New York’s cybersecurity regulations.

New York’s cybersecurity regulations require all “Covered Entities”, as defined in the regulations, to maintain a cybersecurity program to guard the confidentiality of Nonpublic Information, which includes a risk assessment and a comprehensive cybersecurity policy.  In addition, Covered Entities are now required to designate an individual to serve as the Chief Information Security Officer (“CISO”).  The CISO is tasked with overseeing, implementing and enforcing the Covered Entity’s cybersecurity policy, and is required to report, in writing and at least annually, to the Covered Entity’s Board of Directors or similar governing body.  The CISO’s report must include, as applicable, information on “(1) the confidentiality of Nonpublic Information and the integrity and security of the Covered Entity’s Information Systems; (2) the Covered Entity’s cybersecurity policies and procedures; (3) material cybersecurity risks to the Covered Entity; (4) overall effectiveness of the Covered Entity’s cybersecurity program; and (5) material Cybersecurity Events involving the Covered Entity during the time period addressed by the report.”

Compliance with the cybersecurity regulations will be transitioned over a two-year period with full compliance required by March 1, 2019.

According to the 2016 Kaiser/HRET Employer Health Benefits Survey, the average annual premium for employer-sponsored family health insurance coverage in 2016 was $18,142 – representing a 20% increase since 2011 and a 58% increase since 2006.  As the cost of healthcare coverage has continued to rise dramatically, patients are seeing a reduced level of personal care.  The average wait to schedule an appointment with a doctor in the United States is 24 days – up 30% since 2014.  Meanwhile, physicians report that they spend, on average, only 13 to 24 minutes with a patient, and approximately 37% of that time is spent on EHR and other administrative tasks.

In 2010, the Affordable Care Act imposed a requirement that most Americans have insurance coverage.  But it also identified direct primary care as an acceptable option.  Whereas concierge and direct-pay medicine had once been limited to a very wealthy consumer base, it was suddenly poised to hit the mainstream.  And it can be a win-win for both physicians and consumers – physicians have the potential to devote more time to each patient and less time to paperwork, and consumers can pay for faster, more personalized attention from a physician instead of paying the pricey premiums now charged in the market for traditional insurance coverage.

But is concierge medicine right for every physician?

  1. Do you want to continue to participate in Medicare? If so, you will still be required to bill Medicare for your concierge patients and will not be able to charge Medicare patients extra for Medicare-covered services.  Nor can you charge a membership fee (aka an access fee) that includes extra charges for services Medicare usually covers.  (The exception is if you do not accept assignment, in which case you can charge up to 15% more than the Medicare-approved amount for a Medicare-covered service.)  If Medicare usually covers a service but will not pay for it, you must still provide the patient with an ABN.  And even if you do choose to opt out of Medicare, take extreme care to follow the proper procedures or you could be subjected to substantial penalties.

  2. You still need to price services at fair market value. Even if you opt out of Medicare, providing “free” services because they are included in the access fee could run afoul of state anti-kickback laws.  Obtain advice regarding your state laws before setting your contract, and set a fair market value at which you provide each service.

  3. Check with your state to make sure your concierge/direct-pay contract is in compliance. Some states – including New York and New Jersey – have questioned whether these arrangements are deemed to be the practice of insurance, but even where they are not, certain provisions of state insurance law could apply to your contract.

  4. Termination of existing patients. You can expect attrition by many, if not most, of your existing patients when transitioning from a traditional practice to a concierge or direct-pay model.  You will need to comply with state laws and ethical rules with regard to finding alternate care.

  5. Compliance with HIPAA. To the extent you are not participating in insurance or Medicare, you might not be a “covered entity” under HIPAA; however, there are many state privacy and confidentiality laws that you will still be required to comply with.

In some instances, transitioning to a concierge or direct-pay business model could be a win-win for both doctors and patients.  However, there are many legal issues that require careful consideration as you set up your practice.  There are many consulting firms that specialize in planning this transition, and a good attorney can help you avoid any pitfalls and ensure compliance with all applicable laws and regulations.

Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) is the first business associate to be held directly liable for violations under the HIPAA rules. CHCS provided management and information technology services to six nursing homes. According to the OCR Resolution Agreement, OCR received separate notifications from each of the six nursing homes regarding a breach of unsecured electronic protected health information (ePHI) by CHCS resulting from the theft of a CHCS mobile device. The mobile device containing ePHI of 412 nursing home residents was neither encrypted nor password-protected. The settlement includes a monetary payment of $650,000 and a two-year corrective action plan.

OCR’s investigation concluded that:

  1. CHCS failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by CHCS; and
  2. CHCS failed to implement appropriate security measures sufficient to reduce the risks and vulnerabilities to a reasonable and appropriate level to comply with the HIPAA Security Rule.

It is important for Business Associates and subcontractors of Business Associates to understand that since enactment of the Omnibus Rule in 2013, Business Associates and their subcontractors can be held directly liable for HIPAA violations, including the failure to conduct appropriate risk assessments and the failure to adopt adequate written policies and procedures to reduce the risk of violations.

The Department of Health and Human Services, Office for Civil Rights (“OCR”), enforces the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). This includes the requirement that Covered Entities (health care providers and health plans) have Business Associate Agreements with their “Business Associates.”

“Business Associates” are persons or entities who “create, receive, maintain or transmit Protected Health Information (“PHI”) in performing services on behalf of a Covered Entity.” Furthermore, a subcontractor of a Business Associate that creates, receives, maintains or transmits PHI on behalf of a Business Associate is also a “Business Associate.”

Both Covered Entities and Business Associates are directly liable for failing to have a compliant Business Associate Agreement in place. In addition, Business Associates must have Business Associate Agreements with their subcontractors who create, receive, maintain or transmit PHI on behalf of a Business Associate.

Recent cases of OCR enforcement for failure to have a required Business Associate Agreement include:

  • North Memorial Health Care of Minnesota agreed to pay $1.55 million to settle OCR charges for failing to have a Business Associate Agreement in place when a business associate’s laptop containing thousands of individuals’ PHI was lost.
  • Raleigh Orthopedic Clinic agreed to pay $750,000 and to enter into a Corrective Action Plan in settlement of OCR charges that it failed to have a Business Associate Agreement in place with its Business Associate engaged to transfer x-rays to electronic media.
  • Triple-S Management Corporation agreed to pay $3.5 million to settle OCR charges of multiple violations, including “impermissible disclosure of its beneficiaries’ PHI to an outside vendor without having a required Business Associate Agreement in place.”

To avoid multi-million dollar settlements, Covered Entities must evaluate their relationships with third parties, and Business Associates must evaluate their relationships with subcontractors, to ensure required Business Associate Agreements are in place. Covered Entities and Business Associates should consider adopting written policies and procedures regarding their Business Associates and subcontractors to demonstrate their efforts at compliance.

*My thanks to Farrell Fritz summer associate Joanna Lima for her assistance with this blog posting.

In our previous post [found here], we explained that, under the Privacy Rule, HIPAA covered entities (health care providers and health plans) must provide individuals and their “personal representatives” with access to the individual’s protected health information. An individual’s personal representative is determined under State law. In this post, we will define who is a “personal representative” under New York law.

Section 18(2) of the New York Public Health Law (PHL) states that, upon written request, a health care provider shall provide an opportunity, within ten days, for a patient to inspect the patient’s information concerning or relating to the examination or treatment of the patient. Upon the written request of any qualified person, a health care provider shall furnish to the qualified person, within a reasonable time, a copy of any patient information requested which the authorized person may inspect. The law provides no specific time period by which copies of medical records must be provided. However, the New York State Department of Health considers 10 to 14 days to be a reasonable time in which a practitioner should respond to such a request.

A “qualified person” under PHL § 18(1)(g) includes:

  1. the properly identified patient;
  2. a guardian for an incapacitated person appointed under article eighty-one of the mental hygiene law;
  3. a parent of an infant or a guardian of an infant appointed under article seventeen of the Surrogate’s Court Procedure Act or other legally appointed guardian of an infant who may request access to a clinical record;
  4. a distributee of any deceased subject for whom no personal representative, as defined in the Estates, Powers and Trusts Law, has been appointed; or
  5. an attorney representing a qualified person or the subject’s estate who holds a power of attorney from the qualified person or the subject’s estate explicitly authorizing the holder to execute a written request for patient information.

PHL § 18(1)(g) states that a qualified person shall be deemed a “personal representative of the individual” for purposes of HIPAA and its implementing regulations. Although not a “qualified person,” an agent appointed under a patient’s Health Care Proxy may also receive medical information and medical and clinical records necessary to make informed decisions regarding the patient’s health care (see PHL § 2982(3)). Presumably, the holder of a Health Care Proxy would also be a “personal representative of the individual” for purposes of HIPAA, although there is no explicit statement to that effect in PHL § 2982.

There are circumstances where a qualified person may be denied access to inspect or obtain a copy of the patient’s records. In the next post, we will explain those circumstances.

Under the Privacy Rule, HIPAA covered entities (health care providers and health plans) are required to provide individuals, upon request, with access to their protected health information (PHI) in one or more “designated record sets” maintained by or for the covered entity.

Covered entities are also required to protect the individual’s PHI from unauthorized disclosure. How must a covered entity verify the identity of the individual requesting the PHI so as to comply with the Privacy Rule without at the same time violating it?

Recent guidance from the Office of Civil Rights (OCR) is somewhat helpful.

According to the guidance, the Privacy Rule requires a covered entity to take “reasonable steps” to verify the identity of an individual requesting access (citing 45 CFR 164.514(h)).  OCR confirms the Privacy Rule does not mandate the form of verification, but rather leaves the manner of verification to the professional judgment of the covered entity, provided the verification processes and measures “do not create barriers to or unreasonably delay the individual from obtaining access to her PHI”.  OCR explains that verification may be oral or in writing and states that the type of verification depends on how the individual is requesting or receiving access. For instance, a person may request access in person, by phone, by fax or e-mail, or through a web portal hosted by the covered entity.

OCR suggests that standard request forms ask for basic information about the individual to enable the covered entity to verify the individual is the subject of the information requested.  For those covered entities providing individuals with access to their PHI through web portals, the portals should be set up with appropriate authentication controls, as required by the HIPAA Security Rule (for instance password protection and required periodic password updates).

For individuals who call requesting access to their PHI, good policy might require verification of the requestor’s date of birth, address, and perhaps the condition for which the individual was treated.

Verifying the authority of an individual’s personal representative is determined under State law. In the next blog post, we will look at the law in New York on who is a qualified person for purposes of access to an individual’s medical records.

Earlier this month, EDNY Judge Joanna Seybert examined the elements of Aggravated Identity Theft in an interesting context: a motion to unseal grand jury minutes in a health care fraud prosecution, United States v. Cwibeker.

Defendants were charged with billing Medicare for fictitious or non-compensable treatments of residents of assisted living facilities.  Defendants would allegedly visit residents at the facilities, not provide Medicare-reimbursable services, and then generate a list of patients they allegedly visited.  Defendants would then use the list to submit fictitious claims to Medicare.  Significantly, defendants legally obtained the personal information from residents in the first instance; the alleged subsequent unlawful use of the information formed the basis of the criminal charges. 

Defendant Cwibeker argued that patients had consented to use of their personal information, and non-consent is an element of the Aggravated Identity Theft charge.  Thus, the grand jury minutes should be unsealed because this element was likely not disclosed.  

The Court first noted the long-established policy of maintaining secrecy of the grand jury.  The Court next looked to the Supreme Court’s three part analysis for allowing disclosure.  A party must show: (1) the material sought is needed to avoid a possible injustice; (2) the need for disclosure is greater than the need for continued secrecy; and (3) the request is structured to cover only the material needed. 

The Court denied the motion, holding that non-consent of the defendant’s purported patients for releasing the information is not an element of the Aggravated Identity Theft offense, which provides that whoever “knowingly transfers, possesses or uses, without lawful authority, a means of identification of another person,” is subject to an additional two years in prison. The Court found that consent of the victim has no bearing on “without lawful authority”  under the statute, as it is the improper use of the information that forms the offense.  The Court distinguished a Seventh Circuit case where the person whose identity was appropriated was a participant in the fraud.  In Cwibeker, the Medicare recipients whose identification was misappropriated were victims, with no knowledge of or participation in the alleged fraud. 

This case highlights again the need for vigilance concerning patients’ personal information.  Courts will hold persons who seek to profit from the improper use of such information accountable.  Providers, however, must take all available steps to safeguard patient information, as those who allow such information to fall into the wrong hands will also be held accountable.

On November 10, 2014, the US Department of Health and Human Services released its investigation report regarding the death of actress and comedian Joan Rivers.  The report, called a “Statement of Deficiencies and Plan of Correction”, highlights numerous mistakes and violations made by Yorkville Endoscopy, the treating facility where Ms. Rivers died (Ms. Rivers was identified as “Patient #1”).  Health care providers, facility owners, and administrators can learn some basic but important lessons from the report’s findings. 

1. Have appropriate policies and procedures (“P&Ps”) in place as required by your licensing agency and accrediting body.  Yorkville Endoscopy is licensed by the State of New York as an ambulatory surgery center (“ASC”) under Article 28 of the Public Health Law, and accredited by the American Association for Accreditation of Ambulatory Surgery Facilities.  The State regulatory requirements for an ASC are much more rigorous than the requirements for non-licensed outpatient surgery centers in New York.  P&Ps cover issues including clinical practices, patient consents, procedures, anesthesia, billing, provider credentialing, employment and more.  An administrator, compliance officer, or other responsible party may review the regulations and accreditation standards, consult with the accrediting body, legal counsel or a consultant, and can purchase policy manuals from numerous sources.  

2. Follow your own policies and procedures.  The report cites numerous examples of Yorkville Endoscopy failing to follow its own P&Ps.  For example, the staff failed to follow the “Time Out” policy, which helps ensure that the correct procedure is being performed; also, one of the physicians performing the procedures was not credentialed by the facility, in violation of the Physician Credentialing P&P. A facility’s P&P manual should not be gathering dust on a shelf in a back office (the same goes for the Compliance Manual).  If a particular policy or procedure is not effective, the facility should develop a new policy or procedure that works better.  A facility that consistently follows its own P&Ps exhibits traits of a compliant and quality-oriented organization; while this will not prevent accidents or unexpected occurrences, many issues may be avoided.  All staff, including physicians, should be regularly educated on the facility’s P&Ps.

3. Credentialing protects you.  The federal report stated that one of the physicians performing a procedure on Ms. Rivers was not credentialed by the facility.  Credentialing is a fairly simple process that allows a facility to review a provider’s licensure, education and work history, insurance, and past lawsuits or disciplinary actions before allowing them to treat patients.  This enables a facility to determine whether a provider meets facility requirements in general, and often whether they are qualified for specific procedures.  This helps weed out bad providers up front, limits certain procedures to physicians with an appropriate level of training and experience, and allows the facility to have a record of who is providing services under its roof.

4. Keep the cameras away from the patients.  The report notes that one of the physicians took a photograph of Ms. Rivers with his cell phone while she was under sedation during a procedure.  There is no evidence she consented to this photo.  This is a violation of Ms. Rivers’ right to privacy (under HIPAA and State laws), and violated the facility’s own “Cell Phone Policy.”  Taking photos of patients without their consent exposes the individuals and their facilities to liability, and often results in loss of employment for the offending staff.  Facilities should review their photo and video policies, with an eye toward protection of the privacy of patients, staff and guests.

5. Beware of “VIP Medicine”. Accommodating a VIP in certain ways is reasonable and acceptable, but it is not an occasion to ignore important policies and procedures.  The investigation states that Ms. Rivers’ medical record did not contain an informed consent for the nasolaryngoscopy, and contained no documentation of her body weight (needed to calculate anesthesia dosages).  Allowing a VIP to enter through a separate door to increase their privacy, keeping their visit private, or using a private room are certainly appropriate.  However, clinical guidelines should be followed regardless of the star power of the patient.  This means they must be subject to the same clinical oversight, undergo the same process for obtaining informed consent for any procedure, and receive the same pre-procedure screening and testing in accordance with good medical practices.

It is unknown whether compliance with any of the above-noted issues would have resulted in a better outcome for Ms. Rivers – sometimes the negative risks discussed during the informed consent process do occur, and sometimes this results in the death of a patient.  What is clear is that inattention to regulations, failing to follow basic policies and procedures, and violating a patient’s rights suggest a facility and providers that fail to place a high value on quality of care and the safety of their patients.

In March 2013, the Second Circuit certified to the New York Court of Appeals the issue of whether a medical corporation may be liable for the unauthorized disclosure of medical information, when the employee responsible for the breach was not a physician and was acting outside the scope of her employment (see post).  In Doe v. Guthrie, decided last week, the New York Court of Appeals answered that question in the negative.

The plaintiff in Doe v. Guthrie went to a healthcare clinic to be treated for a sexually transmitted disease.  A nurse at the clinic was the sister-in-law of the plaintiff’s girlfriend, and sent six text messages to her about plaintiff’s medical condition.  The plaintiff learned of the messages and complained to the clinic, which fired the nurse.  The clinic advised plaintiff that his confidential information had been improperly disclosed, and that disciplinary action had been taken.

Plaintiff sued, alleging among other claims the common law breach of fiduciary duty to maintain the confidentiality of personal health information.  The Second Circuit, which determined that the nurse’s actions were neither foreseeable to defendants nor within the scope of her employment, certified the question whether there was a cause of action for breach of fiduciary duty of confidentiality without respondeat superior liability.

The New York Court of Appeals stated that a medical corporation is generally not liable for an employee’s tort outside the scope of employment, and refused to impose absolute liability on a medical corporation for an employee’s dissemination of a patient’s confidential medical information.  “A medical corporation’s duty of safekeeping a patient’s confidential medical information is limited to those risks that are reasonably foreseeable and to actions within the scope of employment.”

The Court counseled, however, that a medical corporation can still be liable for its own conduct, including negligent hiring or supervision, failing to establish adequate policies and procedures, and failing to properly train employees in safeguarding confidential information.  This potential liability incentivizes medical corporations to properly safeguard medical information.

The dissent would have recognized a claim against a medical corporation for acts of employees outside the scope of employment.  This view would have unfairly expanded the liability of medical providers, imposing absolute liability for any release of medical information.  The Court’s holding recognizes an appropriate balance, declining to find liability against a provider for employee acts outside the scope of employment, while at the same time recognizing that a provider can be liable for acts within the scope of employment as well as for the provider’s own negligence in maintaining confidential information.

While the medical provider in Doe v. Guthrie was not liable, the decision highlights the need for medical providers to have stringent standards governing the confidentiality of medical information, and to ensure that these standards are clearly communicated to all employees.