The latest installment in our series on legislation recently passed by the New York State Legislature (introduced here) addresses legislation in the long term care and aging space.  It follows upon descriptions of legislation in the pharmacy space (here) and hospital space (here).  Like those areas, the long term care area was impacted by the same political turmoil that limited the number of bills passed – but some significant legislation was enacted nonetheless.

One of the more interesting aspects of the long term care and aging space is that it tends to be comprised of two very different regulatory regimes.  The first, primarily overseen by the Department of Health (DOH), regulates licensed long term healthcare providers like nursing homes, assisted living residences, home care and others.  The second, overseen by the State Office for the Aging (SOFA), focuses on the elderly more generally.  Sometimes, it can seem like these two agencies occupy two entirely different worlds; other times, they coordinate comprehensively and effectively.  Bills passed this year by the Legislature affect both agencies.

Except where otherwise indicated, these bills all await action by the Governor.

Assisted Living Programs and Hospice (A10459-A by Assemblymember Lupardo/S8353-A by Senator Hannon):  Continuing the State’s recent focus on expansion of assisted living program services (see our post on long term care provisions in the State Budget, here), this bill would allow hospice services to be delivered to individuals residing in assisted living programs.  Current Medicaid policy does not allow the delivery of hospice services in an assisted living program, requiring many residents to transfer to a nursing home in their last few weeks of life, compounding the issues they already face at the end of their lives.

Adult Care Facility Temporary Operators (A8159 by Assemblymember Wright/S766 by Senator Stewart-Cousins):  This bill would require the DOH to provide written notice when a temporary operator is appointed at any adult home, enriched housing program, residence for adults or assisted living program.  Temporary operators are entities appointed by DOH to operate a facility where an operator’s license has been suspended.

Deaths in Adult Care Facilities (A9034 by Assemblyman Gottfried/S7282 by Senator Alcantara):  This bill is a chapter amendment (see discussion of chapter amendments in our introductory post here) to Chapter 459 of the Laws of 2017, which added enriched housing programs to the list of adult care facilities that must report the death or attempted suicide of a resident or any felony committed against a resident to DOH, and to the Justice Center for the Protection of People with Special Needs, if they are receiving mental hygiene services.  That bill also reduced the time within which facilities must make such a report from 48 to 24 hours.  This bill eliminates the statutory time period in which a report must be made.  The bill was signed by the Governor on June 1, 2018.

Long Term Care Ombudsman (A11050 by Assemblymember Lupardo/S9002 by Senator Dilan):  This bill would make various changes to bring the provisions of state law establishing the Long Term Care Ombudsman Program (LTCOP) in line with federal statute and regulations.  The LTCOP investigates and resolves complaints made by or on behalf of residents, promotes the development of resident and family councils, and informs government agencies, providers and the general public about issues and concerns impacting residents of long term care facilities.  The bill would clarify (1) the structure of the LTCOP and the relationship between the LTCOP and the SOFA; (2) the required qualifications of the state ombudsman and assistant ombudsmen; (3) the state ombudsman’s duty to refer complaints to appropriate investigative agencies; (4) the state ombudsman’s duty to comment on actions pertaining to the health, safety, welfare, and rights of the residents of long term care facilities and services; (5) the state ombudsman’s duty to provide timely access to LTCOP services; (6) the state ombudsman’s duty to recommend changes to law, regulation and policy; (7) the state ombudsman’s duty to develop a certification training program and continuing education for ombudsmen; (8) the state ombudsman’s duty to provide administrative and technical assistance to ombudsmen; (9) the state ombudsman’s duty to support citizen organizations, resident and family councils, and other statewide systems advocacy efforts; and (10) the state ombudsman’s duty to advise SOFA in regard to plans or contracts governing local ombudsman entity operations.  The bill requires the state ombudsman to develop a grievance process to offer an opportunity for reconsideration of any decision regarding the appointment of any local ombudsman, and any decision of an ombudsman.  
The bill also clarifies (a) the records to which ombudsmen must have access and the limitations on the use and further disclosure of such records; (b) that ombudsmen must be granted access to and cooperation from long term care facilities, and facilities may not retaliate against anyone for cooperating with ombudsmen; and (c) the conflict of interest rules applicable to the LTCOP.

Informal Caregiver Best Practices (A3958 by Assemblymember Dinowitz/S8730 by Senator Sepulveda):  This bill would require SOFA to develop a guide for businesses containing best practices for retaining employees who are also informal caregivers (i.e., who care for elders at home), and make that guide available on the agency’s website or via paper copy.

Veterans in Nursing Homes (A9981-A by Assemblymember Wallace/S8968 by Senator Helming):  This bill would add “assisted living” (presumably assisted living programs), assisted living residences, and adult care facilities to the list of entities which may report to SOFA on the veteran status or veteran spouse status of residents, so that SOFA may link them to counselors for review and potential linkage to veteran services.  SOFA would be required to include the number of such reports within its annual report.

Locator Technology Businesses (A1118-A by Assemblymember Rosenthal/S5221-A by Senator Stavisky):  This bill would require DOH to develop a list of businesses that manufacture, distribute or otherwise offer locator technology services designed to assist in the expedited location of individuals afflicted with Alzheimer’s disease or dementia who become lost or disoriented.  DOH must make the list available to physicians and the general public.  “Locator technology” includes, e.g., wrist transmitter tracking systems, software programs, databases and products like necklaces and bracelets that contain identifying information.

*****

For additional information on any of the foregoing bills, please do not hesitate to contact Farrell Fritz’s Regulatory & Government Relations Practice Group at 518.313.1450 or NYSRGR@FarrellFritz.com.

The New York State Department of Health (DOH), in consultation with the Department of Labor (DOL), recently announced a Request for Applications for the Health Workforce Retraining Initiative (HWRI).  This program was established pursuant to NYS Public Health Law §2807-g and is funded through the State’s Health Care Reform Act.  The 2018-19 Enacted New York State Budget included $9 million for this initiative and DOH anticipates an additional $9 million to be available for this grant in SFY 2019-20.

The DOH is soliciting applications from eligible organizations that seek to train or retrain health industry workers for new or emerging positions in the health care delivery system.  The purpose of this initiative is to:

  • Assist health care workers in the development of new skills to maintain employment and achieve licensing/certification requirements;
  • Enable health care workers to pursue new career opportunities created due to market changes, new employment for displaced health care workers and those at risk of displacement;
  • Provide health care workers with the education and training necessary to utilize emerging health technologies and data analytics to support population health management and delivery of high quality, cost effective care;
  • Address current and future occupational shortages;
  • Provide expertise to support integrated and interdisciplinary team-based care;
  • Meet increased demand for home and community-based long-term care services; and
  • Ensure health care workers can effectuate appropriate care transitions, reduce avoidable hospital readmissions and emergency room visits.

Funding is based on the total amount available in each region and will be awarded on a competitive basis by project and region.  Interested organizations may submit up to 50 applications for multiple projects.  Below please find further information regarding the counties included in this initiative, as well as the amount of funding available per region.

Maximum Funding Levels by Region

Western, Rochester, Central, Utica/Watertown, Northeastern, Northern Metropolitan, New York City, Long Island

Allegany, Livingston, Broome, Chenango, Albany, Columbia, Bronx, Nassau, Cattaraugus, Monroe, Cayuga, Franklin, Clinton, Delaware, Kings, Suffolk, Chautauqua, Ontario, Chemung, Hamilton, Essex, Dutchess, New York, Erie, Seneca, Cortland, Herkimer, Fulton, Orange, Queens, Genesee, Wayne, Schuyler, Jefferson, Greene, Putnam, Richmond, Niagara, Yates, Steuben, Lewis, Montgomery, Rockland, Orleans, Tioga, Madison, Rensselaer, Sullivan, Wyoming, Tompkins, Oneida, Saratoga, Ulster, Onondaga, Otsego, Schenectady, Westchester, Oswego, Schoharie, St. Lawrence, Warren, Washington

$526,458; $1,045,833; $561,481; $66,643; $483,425; $861,535; $12,866,527; $1,908,098

Maximum Regional Funding Amounts

$67,784; $135,110; $73,280; $8,015; $63,662; $109,920; $1,588,115; $244,114

The following organizations may apply for funding under this initiative:

  • Health worker unions;
  • General hospitals;
  • Long term care facilities;
  • Certified home health agencies, licensed home care services agencies, long term health care programs, hospices, ambulatory care facilities, diagnostic and treatment facilities;
  • Office of Mental Health or the Office of Alcohol and Substance Abuse Services licensed providers;
  • Health care facilities trade associations;
  • Labor-management committees;
  • Joint labor-management training funds established by the Federal Taft-Hartley Act; and
  • Educational institutions.

Additionally, applicants must:

  • Be a legally established organization located in NYS;
  • Have a minimum of two years of training experience with health care workers;
  • Be capable of entering into a master contract with DOH; and
  • Identify a need for training in one or more areas:
    • Occupations with known shortages;
    • Educational opportunities in shortage occupations;
    • Provide training to affected health care workers who have experienced or will likely experience job loss/displacement due to changes in health care delivery;
    • New job certification or licensing requirements; and
    • Knowledge and use of emerging technologies.

Applicants that are able to thoroughly demonstrate a need for such training will be given higher scores.  Additionally, preference points will be provided to projects that increase workforce supply in the following professions:

    • Clinical laboratory technologists;
    • Registered Nurses and Licensed Practical Nurses;
    • RN Care coordinators;
    • Certified Nursing Aides;
    • Nurse Practitioners and Psychiatric Nurse Practitioners;
    • Nurse Managers and Directors;
    • Physician Assistants;
    • Licensed Master Social Workers and Licensed Clinical Social Workers;
    • Minimum Data Set Coordinators;
    • Home Health Aides;
    • Emergency Technicians and Paramedics;
    • Physical Therapists;
    • Occupational Therapists; and
    • Diagnostic Medical Sonographers.

Applicants must also clearly demonstrate an ability to:

    • Develop and manage the structure necessary to implement proposed projects;
    • Develop project curriculum and select program participants within three months of contract execution;
    • Ensure assessment, training and placement services for proposed program participants;
    • Provide DOH with monthly or quarterly outcome and expenditure reports, as well as a two year final report; and
    • Cooperate with DOH and DOL during the program review process and provide supporting documentation regarding outcomes, expenditures and any other information required to evaluate programmatic progress.

Interested organizations must submit applications via the NYS Grants Gateway on or before June 22, 2018 by 4:00 pm.

*  *  *  *  *  *  *  *  * * *

For additional information on this and other DOH initiatives, please do not hesitate to contact Farrell Fritz’s Regulatory & Government Relations Practice Group at 518.313.1450 or NYSRGR@FarrellFritz.com.

Filefax, Inc. (“Filefax”), an Illinois company that handled sensitive Personal Health Information (“PHI”), paid $100,000 to the Department of Health and Human Services (“HHS”) to settle potential violations of the Health Insurance Portability and Accountability Act (“HIPAA”). The payment stemmed from allegations that, while still in business, Filefax improperly disclosed the PHI of approximately 2,150 people by leaving the information unsecured in an unlocked truck on Filefax property, and by granting access to PHI to people who should not have been granted access. Pursuant to the Resolution Agreement, the court-appointed receiver for Filefax did not admit liability on behalf of Filefax but did agree to enter into a Corrective Action Plan to help mitigate potential exposure.

On its face, the Filefax case may appear to be just like other settlements with HHS resulting from a HIPAA violation, but this case is different for one critical reason—Filefax is no longer in business!

Yes, Filefax, a company no longer operating and which was involuntarily dissolved on August 11, 2017, settled these potential violations of HIPAA, making it clear that, just because the doors close, HIPAA still applies. Roger Severino, director of the Office of Civil Rights (“OCR”), the HHS enforcement arm of HIPAA, stated “[c]overed entities and business associates need to be aware that OCR is committed to enforcing HIPAA regardless of whether a covered entity is opening its doors or closing them. HIPAA still applies.”

Business owners, especially those that handle PHI on a day-to-day basis, must continue to take seriously the rules and guidelines HHS sets forth with respect to HIPAA and are on notice that penalties may still apply even if you are no longer conducting business. The Filefax case should serve as a stark warning to all business owners that you cannot escape liability and/or penalties under HIPAA by closing your doors.

It’s flu season again. Your PCP at WPMG is thinking of you!

So began the health care provider’s text message that prompted this month’s Second Circuit decision applying the Telephone Consumer Protection Act to a flu shot reminder, Latner v. Mount Sinai Health System, Inc.

Plaintiff had gone to defendant West Park Medical Group (WPMG) in 2003 for a routine health examination. While there, he provided contact information including his cell phone number, and signed, among other forms, a notification record that consented to defendants using his health information “for payment, treatment and hospital operations purposes.”

In 2011, defendants hired a third party to send mass messages, including flu shot reminder texts for WPMG. In 2014, plaintiff received the text message above, which also stated: Please call us at 212-247-8100 to schedule an appointment for a flu shot. Defendants had sent flu shot reminder texts to all active patients of WPMG who had visited the office within the prior three years. Plaintiff had visited the office in 2011, declining immunizations.

Plaintiff alleged a violation of the Telephone Consumer Protection Act (TCPA), which makes it unlawful to send texts or place calls to cell phones through automated telephone dialing systems, unless the recipient consents or an exemption applies.

The Second Circuit engaged in a two-step process to decide that the defendants did not violate the TCPA. First, the Court held that the flu shot reminder text message was within the scope of an FCC Telemarketing Rule providing that written consent was not needed for text messages that deliver a health care message made by, or on behalf of, a HIPAA covered agency.

The Court next determined that, although the FCC Telemarketing Rule exempts written consent, text messages within the healthcare exception are still covered by the TCPA’s general consent requirement. The Court held, however, that plaintiff had given his prior express consent by providing his cell phone number, acknowledging receipt of privacy notices, and agreeing that defendants could share his information for treatment purposes and to recommend possible treatment alternatives or health-related benefits and services.

The lesson of this case: the pile of forms you sign on the clipboard in the waiting room may lead to texted health care messages down the road.

On January 5, 2018, the United States Department of Health and Human Services released for public comment a draft Trusted Exchange Framework, which seeks to accomplish interoperability with respect to patients’ Electronic Health Information (“EHI”) through the creation of Health Information Networks (“HINs”). The 21st Century Cures Act, which Congress enacted in 2016, has the goal of creating a trusted exchange focusing on streamlining patient EHI and establishing a network designed to “achieve a system where individuals are at the center of their care and where providers have the ability to securely access and use health information from different sources.” The Trusted Exchange Framework is the federal government’s attempt to achieve that goal.

The draft Trusted Exchange Framework is broken down into two parts:

Part A—Principles for Trusted Exchange

Part B—Minimum Required Terms and Conditions for Trusted Exchange

Part A sets forth and relies on six principles:

(1) Standardization (adherence to industry standards and best practices);

(2) Transparency (an open free flowing exchange);

(3) Cooperation and Non-Discrimination (collaboration from all stakeholders);

(4) Privacy, Security, and Patient Safety (data protection and integrity);

(5) Access (conveniently obtain EHI); and

(6) Data-driven Accountability (streamlined process for a cohort of patients to help lower cost of care).

These principles are guidelines qualified HINs need to follow to help build a trusting relationship between participants and patients and, without adherence to this foundation, a new modernized system cannot properly flourish.

Part B sets forth the minimum required terms and conditions participants must adopt and follow to ensure a trusted exchange of EHI. This is accomplished through a trusted exchange framework and common agreement (“TEFCA”). The TEFCA seeks to ensure, among other things, that there is “[c]ommon authentication processes of trusted health information network participants, [a] common set of rules for trusted exchange, and [a] minimum core of organizational and operational policies to enable the exchange of EHI among networks.” A sample TEFCA can be found in the draft Trusted Exchange Framework.

In sum, it is clear that the federal government is finally taking a serious look at how our healthcare system can become more efficient and modernized in our ever-changing society. Putting into place a final Trusted Exchange Framework, with input from all stakeholders, is a great step towards reaching that goal.

The deadline for public comment is February 18, 2018.

In the wake of some of the worst storms our country has ever faced, as seen in the devastation caused by Hurricane Harvey in Texas, Hurricane Irma in Florida, and now Hurricane Maria in Puerto Rico and the U.S. Virgin Islands, it is important to understand some of the actions the United States federal government can take to assist victims of Mother Nature. How broad is the federal government’s authority? Who is that authority bestowed upon? Well, one such mechanism is the declaration of a Public Health Emergency by the Secretary of Health and Human Services (“HHS”) under Section 319 of the Public Health Service Act (“PHSA”).

Under Section 319 of the PHSA, the Secretary of HHS is empowered to declare a public health emergency, after consulting with public health officials, when the public is faced with either (1) a disease or disorder; or (2) a public health emergency, including, but not limited to, an epidemic or bioterrorist attack.  Upon making such a declaration, the Secretary of HHS is authorized and empowered to “take such action as may be appropriate to respond to the public health emergency, including making grants, providing awards for expenses, and entering into contracts and conducting and supporting investigations into the cause, treatment, or prevention of a disease or disorder.” The Secretary’s expanded authority is not perpetual and only remains in effect for 90 days, or until the emergency ceases to exist if sooner than 90 days, with the option of a one-time renewal for an additional 90 days that can be made on the basis of new or the same facts underlying the initial declaration. However, once a declaration, and any renewal, if applicable, is made, the Secretary of HHS must inform the Congress, in writing, within 48 hours.

Practically speaking, what actions can the HHS Secretary take? Some discretionary actions include, but are not limited to: (1) waiving certain prescription and dispensing requirements under the Federal Food, Drug, and Cosmetic Act; (2) waiving or modifying particular requirements under Medicare, Medicaid, the Children’s Health Insurance Program and the Health Insurance Portability and Accountability Act; and (3) appointing temporary personnel for up to one year. These actions, in addition to others, help bring emergency relief to those in need.

On September 19, 2017, now former Secretary of HHS, Tom Price, declared a Public Health Emergency under Section 319 of the PHSA for the benefit of Puerto Rico and the U.S. Virgin Islands following the devastation caused by Hurricane Maria, and stated, in his press release, that “[d]eclaring a public health emergency for Puerto Rico and the U.S. Virgin Islands will aid in the department’s response capabilities – particularly as it relates to ensuring that individuals and families in those territories with Medicare, Medicaid and the Children’s Health Insurance Program (CHIP) maintain access to care.”  While this declaration is limited in scope, the actions authorized thereunder will help start the long recovery for the people who reside in Puerto Rico and the U.S. Virgin Islands.

Please kindly consider how you can get involved to help the people who have been negatively impacted by the devastation caused by Hurricanes Harvey, Irma and Maria.

Effective March 1, 2017, the New York State Department of Financial Services promulgated regulations to help protect against cybercriminals and their efforts to exploit sensitive electronic data. These cybersecurity regulations apply to all individuals and entities that “operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law”, with a few exceptions.  This will undoubtedly result in insurance companies and other related healthcare entities, which hold sensitive patient health information, beefing up their internal and external rules and policies.  New York’s proactive stance should be taken with the utmost seriousness seeing that there are more than 400 cyberattacks each day over the internet, or almost 3 every minute.

The United States Congress has enacted a similar law to protect health information, the Health Insurance Portability and Accountability Act (“HIPAA”). However, because HIPAA was enacted and modified years prior to cybersecurity becoming a prominent threat to our society, HIPAA does not provide as much protection to patients’ electronic data as the New York regulations do.  HIPAA does provide important guidelines and safeguards to ensure the integrity and confidentiality of protected health information, but does not elaborate on many of the issues presented in New York’s cybersecurity regulations.

New York’s cybersecurity regulations require all “Covered Entities”, as defined in the regulations, to maintain a cybersecurity program to guard the confidentiality of Nonpublic Information, which includes a risk assessment and a comprehensive cybersecurity policy.  In addition, Covered Entities are now required to designate an individual to serve as the Chief Information Security Officer (“CISO”).  The CISO is tasked with overseeing, implementing and enforcing the Covered Entity’s cybersecurity policy, and is required to report, in writing and at least annually, to the Covered Entity’s Board of Directors or similar governing body.  The CISO’s report must include, as applicable, information on “(1) the confidentiality of Nonpublic Information and the integrity and security of the Covered Entity’s Information Systems; (2) the Covered Entity’s cybersecurity policies and procedures; (3) material cybersecurity risks to the Covered Entity; (4) overall effectiveness of the Covered Entity’s cybersecurity program; and (5) material Cybersecurity Events involving the Covered Entity during the time period addressed by the report.”

Compliance with the cybersecurity regulations will be transitioned over a two-year period with full compliance required by March 1, 2019.

According to the 2016 Kaiser/HRET Employer Health Benefits Survey, the average annual premium for employer-sponsored family health insurance coverage in 2016 was $18,142 – representing a 20% increase since 2011 and a 58% increase since 2006.  As the cost of healthcare coverage has continued to rise dramatically, patients are seeing a reduced level of personal care.  The average wait to schedule an appointment with a doctor in the United States is 24 days – up 30% since 2014.  Meanwhile, physicians report that they spend, on average, only 13 to 24 minutes with a patient and of that time, approximately 37% of it is spent on EHR and other administrative tasks.

 

In 2010, the Affordable Care Act imposed a requirement that most Americans have insurance coverage.  But it also identified direct primary care as an acceptable option.  Whereas concierge and direct-pay medicine had once been limited to a very wealthy consumer base, it was suddenly poised to hit the mainstream.  And it can be a win-win for both physicians and consumers – physicians have the potential to devote more time to each patient and less time to paperwork, and consumers can pay for faster, more personalized attention from a physician instead of paying the pricey premiums now charged in the market for traditional insurance coverage.

 

But is concierge medicine right for every physician?

 

  1. Do you want to continue to participate in Medicare? If so, you will still be required to bill Medicare for your concierge patients and will not be able to charge Medicare patients extra for Medicare covered services.  Nor can you charge a membership fee (aka an access fee) that includes extra charges for services Medicare usually covers.  (The exception is if you do not accept assignment, in which case you can charge up to 15% more than the Medicare-approved amount for Medicare covered services.)  If Medicare usually covers a service but will not pay for it, you must still provide the patient with an ABN.  And even if you do choose to opt out of Medicare, give extreme care to following the proper procedures or you could be subjected to substantial penalties.

  2. You still need to price services at fair market value. Even if you opt out of Medicare, providing “free” services because they are included in the access fee could run afoul of state anti-kickback laws.  Obtain advice regarding your state laws before setting your contract, and set a fair market value at which you provide each service.

  3. Check with your state to make sure your concierge/direct-pay contract is in compliance. Some states – including New York and New Jersey – have questioned whether these arrangements are deemed to be the practice of insurance but even where they are not, certain provisions of state insurance law could apply to your contract.

  4. Termination of existing patients. You can expect attrition by many, if not most, of your existing patients when transitioning from a traditional practice to a concierge or direct-pay model.  You will need to comply with state laws and ethical rules with regard to finding alternate care.

  5. Compliance with HIPAA. To the extent you are not participating in insurance or Medicare, you might not be a “covered entity” under HIPAA; however, there are many state privacy and confidentiality laws that you will still be required to comply with.

 

In some instances, transitioning to a concierge or direct-pay business model could be a win-win for both doctors and patients.  However, there are many legal issues that require careful consideration as you set up your practice.  There are many consulting firms that specialize in planning this transition, and a good attorney can help you avoid any pitfalls and ensure compliance with all applicable laws and regulations.

Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) is the first business associate to be held directly liable for violations under the HIPAA rules. CHCS provided management and information technology services to six nursing homes. According to the OCR Resolution Agreement, OCR received separate notifications from each of the six nursing homes regarding a breach of unsecured electronic protected health information (ePHI) by CHCS resulting from the theft of a CHCS mobile device. The mobile device containing ePHI of 412 nursing home residents was neither encrypted nor password-protected. The settlement includes a monetary payment of $650,000 and a two-year corrective action plan.

OCR’s investigation concluded that:

  1. CHCS failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by CHCS; and
  2. CHCS failed to implement appropriate security measures sufficient to reduce the risks and vulnerabilities to a reasonable and appropriate level to comply with the HIPAA Security Rule.

It is important for Business Associates and subcontractors of Business Associates to understand that since enactment of the Omnibus Rule in 2013, Business Associates and their subcontractors can be held directly liable for HIPAA violations, including the failure to conduct appropriate risk assessments and the failure to adopt adequate written policies and procedures to reduce the risk of violations.

The Department of Health and Human Services, Office for Civil Rights (“OCR”), enforces the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). This includes the requirement that Covered Entities (health care providers and health plans) have Business Associate Agreements with their “Business Associates.”

“Business Associates” are persons or entities who create, receive, maintain or transmit Protected Health Information (“PHI”) in performing services on behalf of a Covered Entity. Furthermore, a subcontractor of a Business Associate that creates, receives, maintains or transmits PHI on behalf of a Business Associate is also a “Business Associate.”

Both Covered Entities and Business Associates are directly liable for failing to have a compliant Business Associate Agreement in place. In addition, Business Associates must have Business Associate Agreements with their subcontractors who create, receive, maintain or transmit PHI on behalf of a Business Associate.

Recent cases of OCR enforcement for failure to have a required Business Associate Agreement include:

  • North Memorial Health Care of Minnesota agreed to pay $1.55 million to settle OCR charges for failing to have a Business Associate Agreement in place when a business associate’s laptop containing thousands of individuals’ PHI was lost.
  • Raleigh Orthopedic Clinic agreed to pay $750,000 and to enter into a Corrective Action Plan in settlement of OCR charges that it failed to have a Business Associate Agreement in place with its Business Associate engaged to transfer x-rays to electronic media.
  • Triple-S Management Corporation agreed to pay $3.5 million to settle OCR charges of multiple violations, including “impermissible disclosure of its beneficiaries’ PHI to an outside vendor without having a required Business Associate Agreement in place.”

To avoid multi-million dollar settlements, Covered Entities must evaluate their relationships with third parties, and Business Associates must evaluate their relationships with subcontractors, to ensure required Business Associate Agreements are in place. Covered Entities and Business Associates should consider adopting written policies and procedures regarding their Business Associates and subcontractors to demonstrate their efforts at compliance.

 

*My thanks to Farrell Fritz summer associate Joanna Lima for her assistance with this blog posting.