HHS TO CREATE NEW CYBERSECURITY REGULATIONS FOR HEALTH CARE

CONGRESS DIRECTS ACTION IN HEALTHCARE CYBERSECURITY

In December of 2015 Congress passed a 2000-page spending bill which was enacted into law. Included in the text was the Cybersecurity Information Sharing Act of 2015 (CISA). While that legislation received most of the headlines, the spending bill also implemented some major developments in the field of privacy for the healthcare industry. Section 405 of Title IV directs the Department of Health and Human Services (HHS) to develop best practices for organizations in the healthcare industry.

The legislation mandates HHS to report to Congress regarding the preparedness of the health care industry in responding to cybersecurity threats. This includes identifying the HHS official responsible for coordinating threat efforts and including plans on how HHS divisions communicate with one another regarding threats. Congress also mandated a one-year task force to plan a threat reporting system in real time, and to prepare a cybersecurity preparedness information for dissemination in the healthcare industry. Most notably, HHS has been directed to collaborate with other governmental entities and experts to establish a best practices standards specific to healthcare cybersecurity. The intent is to create an industry standard and cost-effective method to reduce cybersecurity risks for healthcare organizations.

Inclusion of Section 405 of the Cybersecurity Act of 2015 reinforces the federal government’s well-established priority of protecting personal health information. Protection is necessary because of the high value of personal health information on the black market. According to the The Insurance Journal, a complete health record containing a patient’s entire health profile can fetch as much as $500. The value is based on the ability of lawbreakers to fraudulently bill insurers for medical services. Compared to industries like the credit card payment industry—which has implemented its own cybersecurity standards—the healthcare industry is woefully behind in its efforts to protect valuable private information.

Healthcare facilities, both public and private, should stay ahead of HHS and develop their own internal policies, security measures, and best practices to protect confidential information of their patients. While guidance form HHS in the future will help establish industry standard best practices, healthcare providers should evaluate their cybersecurity needs and work with experts—attorneys, technologists, and governmental agencies—to stay ahead of the curve. Undoubtedly the attention given to healthcare cybersecurity in the next years will increase the scrutiny on healthcare providers who fail to meet industry standards.

TLD Law regularly advises healthcare industry clients in all aspects of their business practices. Questions regarding the healthcare industry and cybersecurity can be addressed to Matt Kinley and/or Michael Hellbusch.

PHYSICIAN ALIGNMENT WITH HEALTH CARE SYSTEMS

HEALTH CARE SYSTEMS SHOULD UTILIZE REAL ESTATE TO CAPITALIZE ON PHYSICIAN ALIGNMENT

Health care systems have recently increased acquisitions and joint ventures with physician groups in order to increase hospital exposure and revenue.  While regulations which limit referrals should be carefully considered and followed, some of the following real estate assets that hospital systems have can be utilized to attract new physicians.

Office Condo Projects:  Allows physicians to invest in projects on or near campus.

New Construction: Building new office buildings with an eye toward comprehensive care and alignment of patient experience.

Hosting New Clinics and facilities which promote the hospital community.

Key to complying with regulations is fair market value agreements and documentation. Both the hospital and physician should have appropriate legal representation to assure compliance.

By:  Matt Kinley, Esq.

 

 

OSHA GUNNING FOR MEDICAL PRACTICES

NEW GUIDE LINES BRING NEW RESPONSIBILITIES

The Occupational Safety and Health Act of 1970 requires employers to provide their employees with working conditions that are free from known dangers.  There are thousands of pages interpreting the meaning of that simple statement, including primarily what is a “known danger.”

For medical facilities, OSHA has attempted to provide guidelines for protecting healthcare workers from violence in the work place.  In OSHA: Guidelines for Preventing Workplace Violence for Healthcare Workers (2015) OSHA explores its expectations for organizations in complying with the obligation to provide a safe workplace and to prevent violence.  Many of the obligations are structural, that is, they provide for a system to protect against violence:  polices, training, work place evaluation, and documentation of an organizations efforts to complete these tasks.  Like HIPAA and Compliance, the solution to medical office problems are a new policy, a committee and training.

Along with this new resource comes a new obligation.  In an OSHA Instruction, OSHA reviews the inherent dangers in the healthcare setting and the higher rates of violence and injury in the healthcare setting.  It instructs it’s investigators to pay more attention to the healthcare setting utilizing its 2015 guidelines.

If you are a healthcare company, it makes sense to pay attention to these OSHA materials.  Even if you are not investigated by OSHA itself, it does set up a standard for behavior and a potential negligence suit should your facility suffer violence.

By Matt Kinley, Esq.

Fraud Alert Issued by OIG Puts Medical Directorships Under Suspicion

Make Sure Your Medical Directorship is Legal

HHS’s Office of Inspector General’s Fraud Alert issued in June of this year  puts an often-used tool for compensating physicians in the regulatory cross hairs. “Medical directorships,” or the payment of a physician for overseeing clinics or other medical services, will violate the Federal and state Anti-Kickback statutes if “even one purpose of the arrangement is to compensate a physician for his or her past or future referrals.”

Compensation arrangements between hospitals, physician groups and other medical providers that contemplate management or directorships by a physician should be carefully evaluated by competent counsel. OIG has said that it will be reviewing such arrangements with particular interest. If a violation is found, the result could include criminal, civil and regulatory fines, and exclusion from federal health care payment systems.

Some of the elements of an appropriate directorship or management position for a physician might include a written contract for at least a year with a salary that constitutes a fair market value for services actually provided. Such an agreement should be backed up by salary surveys or other documentation that the compensation is based on similar positions within the community.

By Matt Kinley, Esq.

NY TIMES ARTICLE: MISUSE OF HIPAA PREVELANT

IN this important article,  the author makes the point of the misuse of HIPAA.  Medical privacy is an important subject, but hospitals and doctor’s offices sometimes misunderstand and misapply the law.

http://www.nytimes.com/2015/07/21/health/hipaas-use-as-code-of-silence-often-misinterprets-the-law.html?_r=2

Matt Kinley, Esq.

 

PHYSICIAN COMPENSATION UNDER OIG REVIEW

Physician Compensation Arrangements Under Scrutiny

On June 9, 2015, the Office of Inspector General issued a special Fraud Alert warning physicians that compensation arrangements (such as medical directorships) must ensure that the arrangement reflects fair market value. Such arrangements “may violate the anti-kickback statute even if one purpose of the arrangement is to compensation a physician for his or her past or future referrals of Federal health care program business.”

California statures and rules can be even stricter.

In this era of merger and consolidation, medical providers must be careful to create appropriate compensation arrangements. They must carefully document attempts at establishing fair market value, or be subject to regulatory prosecution.

This alert comes after the OIG recently reached settlements with 12 physicians who entered into medical directorships and other arrangements, which the OIG concluded violated the Federal Anti-Kickback Statute. In those cases, the arrangements appeared to be illegal for one or more of the following reasons:

• The payments to the physicians took into account the physicians’ volume or value of referrals.

• The payments did not reflect fair market value for the physicians’ services.

• The physicians did not actually provide the services required under the agreements.

• The entities contracting the physicians paid the salaries of the physicians’ front office staff.

Certain physician compensation arrangements – and particularly medical director arrangements – are perceived as risk areas for Anti-Kickback Statute violations. Facilities and physicians entering into such arrangements should review existing and new arrangements for compliance in light of this Fraud Alert and should seek the expertise of health care legal counsel.

By Matt Kinley, LL.M., Esq.

Home Care Stakeholder Workshop

The Home Care Services Bureau conducts Care Services Consumer Protection Act Stakeholder’s Meetings pursuant to California’s AB 1217, the Home Care Licensure Act.   Those who are interested in the subject are encouraged to submit their questions to: HCSB@dss.ca.gov AND to our Policy Director, Braden Oparowski at boparowski@cahsah.org.

The Department has announced that they expect to release the licensing fees and aide registration fees sometime in July. Information was also presented on the following topics: fingerprint transfer process, home care aide training requirements, written directives verses regulations, licensing inspections, personnel and administrative file requirements, abuse reporting requirements, reporting organizational changes and TB clearance.

The Home Care Bureau’s website DSS’ Home Care Services Bureau will be posting the Power Point presentation from the webinar on the main page of their website. Additional questions about the Home Care Services Consumer Protection Act Stakeholder Meetings or AB 1217, may be directed to CAHSAH’s Legislative Specialist Mary Adorno at
(916) 641-5795 extension: 124.

LAWS AND REGULATIONS SPECIFIC TO IN HOME CARE ORGANIZATIONS IN CALIFORNIA

New Emphasis on Patient Safety Will Cause Greater Scrutiny of Home Care Providers

While In Home Care Organizations (“HCOs”) have been relatively free of laws and regulation, such companies are coming under increasing scrutiny in California. There have been concerns about patient safety and security, which has caused the state to enact laws and regulations that impose safety checks and training. There are also concerns about abuse of HCO workers, causing minimums standards for companies employing such workers. While many of these reforms appear to be appropriate, they also make the utilization of in home services more expensive, which will make such services unaffordable for a large segment of the population.

HOME CARE SERVICES CONSUMER PROTECTION ACT

The most significant reform is the Home Care Services Consumer Protection Act of 2013 (AB 1217), signed into law on October 13, 2013. It covers “home care services,” which are formally defined as nonmedical services and assistance provided by a registered home care assistant (“HCA”) to a client who, because of advanced age or physical or mental disability needs assistance in activities of daily living, allowing the client to stay in their residence. Such services include assistance in the following areas:
• Dressing
• bathing
• exercising
• personal hygiene and grooming
• transferring
• ambulating
• positioning
• toileting and incontinence care
• housekeeping
• meal planning and preparation
• laundry
• transportation
• correspondence
• making telephone calls
• shopping for personal care items or groceries
• companionship

WHAT IS INCLUDED IN THE ACT?

This legislation requires agencies to: List aides in an online registry, conduct background checks on workers, obtain finger prints of all aides, provide five hours of training for new hires, and obtain a license from the state certifying their compliance with basic standards.

The commencement date of the law was extended to January 1, 2016. It provides that the California Department of Social Services (CDSS) will regulate HCOs and provide background checks of affiliated Home Care Aides (HCAs) and independent HCAs who wish to be listed on the Home Care Services (HCS) Registry. Currently CDSS is implementing regulations, including the formation of newly formed Home Care Services Bureau (HCSB)  in partnership with the Caregiver Background Check Bureau (CBCB). HCSB will oversee the licensing and oversight of the HCOs and CBCB will oversee the background checks for the HCAs and will maintain the HCS Registry.

Some of the penalties found in the Act include:
• $900 fine per day for each day if not licensed by Department of Social Services

• Potential cease and desist order, which shall remain in effect until the individual or entity has obtained a license pursuant to this chapter.

Potential imposition of a civil penalty; or

Potential civil action against the individual or entity.
If CDSS finds that an individual has been convicted of a crime other than a minor traffic violation, the individual cannot work for or be present in any community care facility unless they receive a criminal record exemption from the Community Care Licensing Division, Caregiver Background Check Bureau.

CALIFORNIA’S IHSS PROGRAM

California has established the In Home Supportive Services (IHSS)  program, which is a Medi-Cal program providing payment to providers who are serving aged and/or disabled patients who are without the means to pay for such services Persons wanting to become a IHSS provider must provide a U.S. government issued picture identification and an original Social Security card and the provider must complete the Provider Enrollment Form (SOC 426) and obtain finger prints. The California Department of Justice (DOJ) will obtain a criminal background check on the individual.

DEPARTMENT OF LABOR WAGE AND HOUR RULES

On January 1, 2015, the Domestic Worker Bill of Rights (AB 241), took effect. It regulates the number of consecutive hours for home health care workers and requires overtime pay for long work shifts.
California now is one of 16 states with some type of overtime requirement for home health workers. Personal attendants covered by this law are now entitled to overtime pay at 1.5 times their regular rate of pay for any hours worked in excess of nine (9) hours in a day or in excess of 45 hours in a week.

The new law, due to sunset in 2017, calls for formation of an evaluation committee to review and analyze the effectiveness of the overtime provision over the next three years. The California Department of Industrial Relations is charged with reviewing the law.
One of the areas the committee will monitor is whether the law prompts more underground caregiving, as Janz said is happening.
MINIMUM WAGE

Domestic workers are entitled to the minimum wage, with the exception of babysitters under the age of 18 and the employer’s parent, spouse, or child. The Labor Commissioner enforces the California minimum wage. The Labor Commissioner may enforce local minimum wage laws if the work is performed in a city and/or county that has a higher minimum wage ordinance.

If your employer discriminates or retaliates against you in any manner whatsoever (for example by terminating you or giving you fewer hours), you can file a discrimination/retaliation complaint with the Labor Commissioner’s Office. Alternatively, you can file a lawsuit against your employer in court.

ACTION ITEMS

Institute security check program with all home aides working for your organization, including back ground check and finger printing.

Obtain an exemption or terminate those home aides that fail the background check.

Institute a training program for all home aides working for your organization
Review wage and hour polices and ensure that your organization has all employee manuals with the proper overtime and minimum wage rules.

By Matt Kinley, Esq

TELEMEDICINE AND STATE LICENSING

According to the California Medical Board, physicians who see California patients over the internet must be licensed in California. As stated by the Board: “Physicians using telehealth technologies to provide care to patients located in California must be licensed in California. Physicians are held to the same standard of care, and retain the same responsibilities of providing informed consent, ensuring the privacy of medical information, and any other duties associated with practicing medicine regardless of whether they are practicing via telehealth or face-to-face, in-person visits.” That seems straight-forward enough.

The American Medical Association has said that a physician should not issue prescriptions or treat a patient without having physician-patient relationship, which the AMA says includes a face-to-face encounter before utilizing telemedicine.

What is the status of the telehealth industry?

LiveHealth Online Mobile. LiveHealth is an app that “gives mobile users an easy way to connect with a live doctor for an online video visit using your own mobile device.” It advertises a “live video interaction between you and a trusted, board-certified doctor.” A friend used it for his daughters illness, and viola, the daughter was given antibiotics at a local pharmacy. I logged on and there were three available physicians under Providers – CA. There names were Michael Catalano, an internist; Cameron McCoin, a family physician; and, Andrea Gabel, a family physician. No other information was posted about these physicians. The California Medical Board confirms that all three were licensed in California. However, LiveHealth does not mandate a face-to-face relationship with the patient before giving medical advice and prescribing drugs.

TeleMedicine Physician Group. Another web-based model, TeleMedicine Physician Group, offers physicians who are “U.S. trained, board certified, licensed and credentialed and typically have been practicing 10-15 years. Most are primary care physicians, certified in internal medicine, family practice, and/or pediatrics, but we also employ specialists as needed to meet the requirements of patients. All doctors are verified through the National Physician Data Base (NPDB) and the American Medical Association (AMA) for medical licensure, training and education, work history and malpractice history. Telemedicine Physician Group doctors are credentialed every 3 years, with NCQA provider credentialing standards.” There is no information about whether they are licensed in California or any other specific state. Again, I called to get a physician; a California physician called me back. TeleMedicine does not require a face-to-face meeting.

States and physicians need to continue to work together to create state policies that promote telemedicine in the best interests of patients.  Patients should be careful to make sure that physicians are properly licensed and capable of giving care with telemedicine.

Posted by Matt Kinley, Esq.

 

 

TELEMEDICINE IN CALIFORNIA

DOES THE LAW STRANGLE ATTEMPTS TO SAVE COSTS THROUGH TELEHEALTH?

Telehealth can take different forms.  It’s one thing to offer consultations and second opinions.  But once this useful tool is utilized for diagnosis and treatment, the rules change.

How can a compnay offer telemedicine, including diagnosis, treatment and prescriptions in California?  Does the physician have to be licensed?  How does a telemedicine company avoid the corporate practice of medicine doctrine?

THE PHYSICIAN MUST BE LICENSED IN CALIFORNIA

California’s Medical Board describes telehealth as: “Telehealth (previously called telemedicine) is seen as a tool in medical practice, not a separate form of medicine. There are no legal prohibitions to using technology in the practice of medicine, as long as the practice is done by a California licensed physician.”

Telehealth is not a telephone conversation, email/instant messaging conversation, or fax; it typically involves the application of videoconferencing or store and forward technology to provide or support health care delivery.” One statute states: Any law allowing telehealth shall not be construed to alter the scope of practice of any health care provider.

THE CORPORATE MEDICINE DOCTRINE

California prohibits the corporate practice of medicine, which among other things, requires that business or management decisions and activities resulting in control over a physician’ practice of medicine, be made by a licensed California physician and not by an unlicensed person or entity. In order to avoid the direct violation of state prohibitions on the corporate practice of medicine.  While there are legal structures that may promote non-physician investment in telehealth, (many companies use the so-called “friendly PC” model).

Enforcement by the medical board regarding the prohibition against the corporate practice of medicine generally is inconsistent.
Although there is no hard and fast rule as to when a given arrangement may be deemed to constitute corporate practice, the focus in any enforcement action likely will be on the level of control a physician exercises over the operation of the medical practice, specifically the professional judgment of licensed health care professionals. Where a high level of control exists, the arrangement may be found to be a sham intended to disguise the de facto practice of medicine by an unlicensed entity.

By Matt Kinley