Author Archives: Matthew Kinley


The American Medical Association publication American Medical News recently quoted Mr. Kinley in its article, "Collaboration can save medical practices time, money and effort."

"Matt Kinley, a partner of Tredway, Lumsdaine & Doyle, LLP, a Southern California-based law firm, said some concerns were raised that ACOs would violate antitrust laws, leading to certain exceptions being made.

“With ACOs, physicians agree to a certain payment, but that payment is based on improved quality of care,” Kinley said. “The government is very interested in a system that improves quality of care and uses technology, which ACOs do.”

Kinley said it’s too early to tell if ACOs will replace IPAs."

HIPAA Settlement Shows How To Comply

HHS’s Office of Civil Rights recently completed an enforcement action against Wellpoint. Wellpoint suffered security breaches and settled with the Office of Civil Rights for $1.7 million. Wellpoint self-reported the breach to HHS, which mitigates the penalties that it agreed to pay. The breach consisted of leaving its database open to unauthorized users over the Internet. There is no evidence that the database was accessed or information utilized.

What is unique is that the OCR has published the actual settlement agreement with Wellpoint. From a provider’s point of view, the settlement shows what to avoid to be HIPAA compliant. OCR lists the violations of HIPAA law that caused the fine.

What this demonstrates is that it’s the “technical violation” that will get entities into trouble: in this case, not having all the safeguards in place to protect protected healthcare information (“PHI”) or electronic protected healthcare information (“ePHI”).

From the agreement:

Factual Background and Covered Conduct

On June 18, 2010, HHS received notification from WellPoint regarding a breach of certain of its unsecured electronic protected health information (ePHI). On September 9, 2010, HHS notified WellPoint of HHS’s investigation regarding WellPoint’s compliance with the Privacy, Security, and Breach Notification Rules.

HHS’s investigation indicated that the following conduct occurred (“Covered Conduct”):

(1) Beginning on October 23, 2009, until March 7, 2010, WellPoint did not adequately implement policies and procedures for authorizing access to ePHI maintained in its web-based application database consistent with the applicable requirements of the Security Rule.

(2) WellPoint did not perform an adequate technical evaluation in response to a software upgrade, an operational change affecting the security of ePHI maintained in its web-based application database that would establish the extent to which the configuration of the software providing authentication safeguards for its web-based application met the requirements of the Security

(3) Beginning on October 23, 2009, until March 7, 2010, WellPoint did not adequately implement technology to verify that a person or entity seeking access to ePHI maintained in its web-based application database is the one claimed.

(4) Beginning on October 23, 2009, until March 7, 2010, WellPoint impermissibly disclosed the ePHI, including the names, dates of birth, addresses, Social Security Numbers, telephone numbers and health information, of approximately 612,000 individuals whose ePHI was maintained in the web-based application database."



Steps That Covered Entities Can Take to Protect Against HIPAA Enforcement

  • Review relationships and the documentation of such relationships among and between Affiliated Covered Entities and other related entities with which they share PHI
  • Revisit risk analyses, especially following any changes to the underlying
  • Update policies and procedures as necessary to account for changes in technology or practices
  • Continue workforce training
  • Audit ongoing programs
  • Monitor security intrusions
  • Implement a breach response plan


This is the third in a series of articles on avoiding fraud and theft in healthcare professionals’ offices. The article is meant for medical professionals including physicians, dentists, home nursing and mental health professionals. If you have any questions about this series, feel free to contact attorney Matthew L. Kinley, a healthcare lawyer in Long Beach, California at 562.901-3050.

Practices in California should be wary of prescribing pain killers for their patients. The Medical Board has told various audiences that they are reviewing physicians who prescribe such medications, and will review patient files for

There is good reason for the Medical Board to be concerned: There has been great abuse by patients who utilize pain killers. There has also been an epidemic of deaths caused by such abuse. One estimate has it that American physicians prescribe enough pain killers to medicate every American around the clock for a month.

In order to avoid a visit by the Medical Board, or to be prepared if they do visit, and to make sure that your painkiller practice is beneficial for patients, physician offices should adopt protocols to make sure that patients actually need the painkillers you prescribe. Such protocols will help keep prescribed drugs from making it onto the black market.

Action Items to Protect Your Practice:

1. Carefully document the patient chart. Carefully explain the side effects of the prescription and, for long-term use, the potential detrimental effects of potential addiction.

2. Screen and monitor for substance abuse and mental health problems.

3. Be vigilant for scams and identity theft.

4. Prescribe pain killers only after examining the patient. California Business and Professions Code provides some guidance. Section 2242 provides that it is “unprofessional conduct” to prescribe or furnish dangerous drugs without an appropriate prior examination and a medical indication.

5. Only prescribe painkillers after other treatments have not been effective for pain.

6. Use legally required form. California Health & Safety Code section 11162.1 provides standards for prescription forms for controlled substances.

7. Limit the number of pills prescribed. The quantity prescribed should be based on the expected length of pain. California Health & Safety Code section 11158 provides for limits on number of pills (“may dispense directly to an ultimate user a controlled substance classified in Schedule II in an amount not to exceed a 72-hour supply for the patient in accordance with directions for use given by the dispensing practitioner only where the patient is not expected to require any additional amount of the controlled substance beyond the 72 hours.”)

8. Use patient-provider agreements combined with urine drug tests for people using painkillers long term.

9. Talk with patients about safely using, storing and disposing of prescription painkillers.

10. Check the prescription monitoring programs with the California Attorney


By Matthew L. Kinley, Esq.


Seminar: Fraud in the Medical Providers Office


Preventing Fraud in the Medical Office Practice

Tredway Lumsdaine & Doyle's Matthew L. Kinley, along with representatives from The Doctors Company and HMWC CPAs, will tackle the topic of "Preventing Fraud in the Medical Office."

The program is intended to provide information, education, and case examples to illustrate risks associated with fraud in documentation, prescriptions, billing, collections, physician and employee conduct, and the internal controls necessary to reduce your risks.

If you have any questions, please contact Matthew L. Kinley.


Tuesday, July 30, 2013

6:00 PM – Dinner

6:30-8:00 PM – Seminar

For more details and to register, please click here.

Please contact Matthew L. Kinley at 562-901-3050.




This is the second in a series of articles on avoiding fraud and theft in healthcare professionals’ offices. The article is meant for medical professionals including physicians, dentists, home nursing and mental health professionals. If you have any questions about this series, feel free to contact attorney Matthew L. Kinley, a healthcare lawyer in Long Beach, California at 562.901-3050.

Medical providers store all sorts of private information.  Patients give medical providers virtually every identifying fact about themselves possible.  Records kept in the office include information about the health of the patient.  Billing records have banking and other important financial contacts.

Medical providers have an obligation to protect private health information.  Federal and state laws impose specific obligations to protect information provided to medical providers. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and related regulations, the Health Information Technology for Economic and Clinical Health (HITECH) and related regulations, and the California Business and Professions Codes and related regulations are all laws designed to protect patients’ privacy and to require providers to keep information private.

Medical providers, if they expect payment from Medicare, Medicaid (Medi-Cal in California) or from private payors, will have Electronic Medical Records systems in place.  This expansion of electronic records requires medical providers to institute plans to follow complicated regulations to make sure they are able to survive government audits and to make sure that medical records are safe.  Failure to do so may result in penalties and fines.


What to do to protect electronic information?

1.  Hire competent people. 

Take the time to carefully research people you hire.  Check their references.  Make sure they are not on the Office of Inspector General’s Excluded Persons list. (Persons on this list have been found by the OIG to be involved in some sort of fraudulent scheme.)

2.  Prepare a HIPAA Compliance Plan.  Every medical provider, no matter how small, should prepare such a plan.  Failure to do so can result in serious fines and penalties, even if no information is leaked.  The basics of such a plan include:

a.  Appointment of a privacy officer.  Takes charge of the office’s privacy efforts.

b. Security Rule Analysis.  This is the first part of preparing a HIPAA plan.

c.  Prepare a Breach Policy.  This is what to do if there’s a breach and confidential health information is made public.

d.  Training of your employees.  All employees need to be trained in basic patient privacy.

e.  Privacy Notice.  The law requires every health provider to have and have published a Privacy Notice.

f.  Business Associate Agreements.  The provider is required to protect all information if using other entities to help with collections or other information gathering.

g.  Policies relating to release of information.   When can a patient’s information be released?  To whom can the information be released?  How is such information sent (internet? e-mail?).

Some of the nuts and bolts of your plan will include:

a. Negotiating Leases.  Make sure your landlord does not have access to protected health information.  Most leases allow the landlord to enter the premises, either upon notice or during emergencies.  These entrances into the medical space should be limited.

b. Patient sign-in sheets don’t disclose protected medical information.

c. Patient schedules can’t be seen.

d. Confidential discussions can’t be overheard.

e. Computers have proper encryption and passwords.

f. Computer monitors can’t be seen by passersby.

g. Internet use is secure.

h. Filing cabinets are locked.

i. Use encryption.  Monitor laptops and portable storage devices to make sure they are not lost.

j. Keys and access items are retrieved from former employees.

Modern electronic information requires that all medical providers comply with the law and institute privacy procedures.  Our office provides guidance on such matters for a flat fee.  You can call for a no cost consultation at any time.

By: Matthew L. Kinley, Esq.











This is the first in a series of articles on avoiding fraud and theft in healthcare professionals’ offices. The article is meant for medical professionals including physicians, dentists, home nursing and mental health professionals. If you have any questions about this series, feel free to contact attorney Matthew L. Kinley, a healthcare lawyer in Long Beach, California at 562.901-3050.


Medical provider offices are subject to fraud and theft as much as any business. According to the Association of Certified Fraud Examiners, the amount stolen annually from all U.S. business by employees exceeds $50 billion. The Association claims that as many as 75% of all employees have stolen from their employers. Most theft is caught by other employees reporting the theft. Internal audits catch a little less than 20% of all theft caught. Accidental discovery accounts for the same amount of captured theft.

A medical practice offers unique opportunities for theft. Certainly employees steal the usual from their employers, like supplies and computer parts and money. Medical practices typically have a large stream of money. Employees in the medical practice also have the opportunity to steal identities of their employers and patients. There is also the opportunity to steal prescription pads and controlled substances.

A medical facility also has unique risks. Because of strict regulatory controls, not only does the medical practice suffer the dollars lost to activities such as theft of co-payments and identity, there is also the risk of penalties and fines. There is also the risk of whistle blowers within your own ranks.

There are also legal issues associated with confronting the person who is stealing from your practice. Should you electronically monitor employees? Should you fire an employee? Should you contact the police?

This first article focuses on embezzlement from the medical practice. Embezzlement from the medical practice can go unnoticed for several reasons. Often, the embezzler is also the person who records the receipt of money. Usually it is a trusted employee. Usually, there is general surprise that the individual caught has committed the crime.

To avoid employee theft, the office should have internal controls that immediately record all transactions. There should also be a system of checks and balances to make sure that your employees aren’t manipulating the system.


1. Record all transactions: accounts payable, accounts receivable, refunds, adjustments, copayments and even write

2. Reconcile receivables and charges every day.

3. Issue a receipt with every transaction; balance receipts every day with a second person verifying the

4. Immediately stamp checks “for deposit only.”

5. Retain charge sheets and explanation of benefit statements to support daily transactions.

6. Routinely verify petty cash

7. Periodically hire an accountant to conduct an audit.

8. Keep duplicates of all deposit

9. Periodically review all accounting entries rather than just checking totals.

10. Require signatures from the appropriate managers for all large checks.

11. Do not allow anyone to sign blank

11. Cross train employees for all

12. Have an outside bookkeeper reconcile bank statements.

13. Have inventory cross checked by different employees.

14. Keep strict controls over business credit cards. Carefully review all statements.

Article by Matthew L. Kinley, Esq.



The decision of the United States Supreme Court in U.S. v.
Windsor, where the court struck Section 3 of the Defense of Marriage Act
(DOMA), will change many aspects of healthcare as it relates to same-sex
marriage.  The decision requires that the
federal government recognize same-sex marriages that are recognized under state


The Feds Follow the
The Court didn’t rule that the federal government must recognize all
same-sex marriage.  Instead they
determined that marriage is traditionally an issue for the states to

States Follow Their Own. The Court did not strike down Section 2 of DOMA, which provides that no state shall be required to recognize a same-sex marriage that is recognized by another state. This raises a number of issues for couples who move from state to state or who live in a state that does not recognize same-sex marriage but travel to a state that does and marry there.

Retroactive? Another open issue is retroactivity. Windsor
did not specifically address whether same-sex couples have any retroactive
rights to any benefits. For example, suppose a 401(k) plan participant entered
into a same-sex marriage, designated someone other than the same-sex spouse as
beneficiary (without obtaining the spouse’s consent), and died before the
decision. Does the surviving spouse have a claim against the plan for survivor
benefits? Do same-sex couples have a right to claim refunds for health plan
benefits that were previously treated as taxable? The Courts and the IRS will
provide guidance on retroactivity at some point. 


In California, the Supreme Court, in a 5-4 decision issued on the same day as U.S. v. Windsor, ruled against the backers of California’s Proposition 8 gay marriage ban. With the court’s ruling, gay marriage is once again officially legal in California. While many questions remain about the broader constitutional issue concerning the right of gay and lesbian couples to get married, June 26 will be remembered as the day California’s gay marriage ban

1. Imputation of Income. Same-sex partners will no longer pay federal taxes on income imputed for an employer’s contribution to a same-sex spouse’s medical, dental or vision coverage and employers will no longer be required to pay federal payroll taxes on such amounts.

        2.     Employer Refunds.  Employers may be entitled to a refund for
payroll taxes previously paid.
Employers may be required to continue to impute income for state law
purposes in states that do not recognize same-sex marriage.

3.  Coverage.
Windsor does not address whether plans that provide spousal coverage must cover
same-sex spouses. Employers with self-insured plans subject to ERISA are not
required to cover spouses and if they do cover some spouses, they are not
necessarily required to cover all spouses. Employers with plans not subject to
ERISA would be subject to any applicable state laws regulating coverage.  The ACA requires coverage of offspring but
not spouses, same sex or not.

 4. Pre-tax premiums.
Employees with same-sex spouses may pay the cost of spousal health coverage by reducing
pay on a pre-tax basis.

 5. COBRA. Same-sex spouses have the same independent COBRA rights as
opposite-sex spouses.

6. Special Enrollment Rights. Marriage to or divorce from a same-sex spouse is now a HIPAA special enrollment event under plans offering spousal coverage. Employees may add a same-sex spouse to their health coverage outside of the open enrollment period, if they marry or if the spouse loses coverage due to a job loss or change.

 7.  Personal Representatives.  HIPAA provisions relating to providing
patient information will now clearly include same sex spouses. 

8. Medical Expenses Tax Treatment. Eligible medical expenses incurred by a same-sex spouse at least since the date of the Windsor decision are eligible for tax-free reimbursement under health care flexible spending accounts, health reimbursement arrangements, and health savings accounts. There may also be a medical expense deduction. An employee and a same-sex spouse will share the deduction limit for HSA contributions and the typical health care cost deduction.

 9.  Qualified Retirement Plans. Spouses have a
number of rights under qualified retirement plans (such as defined benefit and
401(k) plans) subject to ERISA. Some examples of these rights, which must now
be provided to same-sex spouses, include Qualified Joint and Survivor rights,
same-sex spouses who are divorced can obtain a qualified domestic relations
order dividing retirement benefits (QDRO’s), and other rights for spouses.


Impact on Medicaid/CHIP

With the invalidation of DOMA, states that recognize gay marriage must treat married, same-sex couples as part of the same household. To determine whether an individual is eligible for Medicaid/CHIP, states assess a household’s composition and countable income as a percentage of the federal poverty level.

Treating same-sex couples as spouses can make it more likely that they are eligible
for Medicaid/CHIP by increasing the size of their households or it can make a
household less likely to be eligible by increasing the total family income.
Ultimately, in terms of Medicaid/CHIP eligibility, whether a same-sex couple
benefits or loses from being treated as one household depends on the amount of
income each spouse contributes.

The DOMA decision will affect the access married, same-sex
couples have to many government programs, as well as to employer-sponsored
health insurance. With DOMA no longer in place:

  • Spouses of federal employees will be entitled to federal healthcare coverage.
  • Spouses of military personnel will be eligible to receive TRICARE coverage.
  • Individuals in same-sex marriages, like those in heterosexual marriages, will be able to qualify for Medicare based on a spouse’s work history.



The FMLA now will provide entitlement to take leave to care
for a same-sex spouse to the same extent as an opposite-sex spouse.

Medicare Secondary Payer Rules

Same-sex spouses will now be treated as spouses, such that
plans covering spouses of active employees will be considered primary for
Medicare purposes.

Prohibited Transaction Rules

Spouses are treated as “family members” in
determining whether a person is a disqualified person for purposes of
prohibited transaction rules. Same-sex spouses are now disqualified persons to
the same extent that opposite-sex spouses are.

 Ownership Attribution Rules

 The same-sex spouse of a 5% owner of employer stock is now
considered to be a 5% owner by attribution, including for purposes of
identifying highly compensated employees and for top hat purposes.


 1.  Begin reimbursing
medical care expenses for same-sex spouses of participants.
Notify employees of the window (typically 30-days) under the
cafeteria plan for family status changes and special enrollment rights for
same-sex spouses and their dependents.

 2. Review definitional and choice-of-law provisions of benefit
plans concerning the definition of “spouse.”  Start obtaining spousal consent from same-sex
spouses for any defined benefit plan retirement distributions.

3. Advise employees married to same-sex spouses to review
their death beneficiary designations; if proper spousal consent has not been
obtained, their designations will be void.

4. Employers will want to ensure that same-sex spouses are
identified for its records in the same manner opposite-sex spouses are
identified. If the employer does not currently distinguish between same-sex
spouses and domestic partners in company records, for example, or identifies
opposite-sex spouses, but not same-sex spouses in its record keeping, the
employer should consider modifying its practices.

5.  Review all plan
documents, in particular the eligibility provisions, to determine if provisions
that were designed to provide coverage to domestic partners or same sex spouses
or designed to restrict coverage to opposite sex spouses should be changed or modified.

6.  Be sure that, at
least after the date of the Windsor decision, retirement plans in operation
provide lawfully married same-sex spouses residing in states where same-sex
marriages are recognized the benefit rights to which opposite sex spouses are
entitled. (See the lists above.)

7.  Cease imputing
income on health coverage and other benefits provided to same-sex spouses
residing in states that recognize same-sex marriage if income imputation is not
required for opposite-sex coverage.

 8. Permit employees to pay the 2013 cost of health care
coverage for lawfully married same-sex spouses residing in states where
same-sex marriages are recognized with pre-tax reductions in pay.

9. Consider whether to seek a refund for employment taxes paid
on imputed income for same-sex spouse benefits for open tax years.

10.  Begin a review of all
employee benefit plans, policies, procedures and handbooks to consider whether
changes are needed or desirable.

Matthew L. Kinley, Esq.

Farmers & Merchants Bank Offers Solutions for Physicians


Did You Know? Farmers & Merchants Bank offers a suite of financial services specifically for practicing physicians. We’ve taken the most important banking products, including credit lines (for medical equipment investment, expansion and more), merchant services, account analysis, remote deposit capture and business credit cards, and have bundled them for physicians like you. Add in our exceptional Concierge Service for a seamless process and you have the F&M Physician Banking Suite. Now that's a prescription for success.

Contact Brian Nakamura, F&M Bank’s Physician Banking Suite Representative, to get started today at (714) 472 – 6611 or email him now. Member FDIC.

Support for Compliance with HIPAA

Physicians must comply with HIPAA requirements or face investigations and audits by the Office of Civil Rights or the California Attorney General.  Under California State Law, you also could be sued in a civil lawsuit for a failure to comply.

Tredway, Lumsdaine & Doyle, LLP can support your HIPAA compliance by guiding your organization through the process and providing the forms necessary to be compliant.

The process requires that your institution:

  • Perform an assessment of your current uses and disclosures of patient health information.
  • Perform a “gap analysis” to determine where your current procedures do NOT meet HIPAA standards.
  • Choose methods for getting into compliance.
  • Implement and maintain the required changes.
  • Document your efforts so that, if necessary, you can prove that you are in compliance.

Call Matt Kinley at 562.901.3050 to start the process to comply today.

Matt Kinley, Esq.

Matt Kinley On HIPAA Final Rule: Talk before Orange County Medical Group Management Association


Tuesday, June 11, 2013 (12:00 PM – 1:30 PM)

Presented by: Kathleen Stillwell, MPA/HSA, RN, CPHRM Patient Safety
Risk Management Account Executive, The Doctors Company, and Matthew
Kinley, Esq.,  Partner, Tredway Lumsdaine & Doyle, LLP

Program Information:

The new HIPAA Omnibus Rule
includes new breach notification requirements; limits for use and
disclosure of Protected Health Information (PHI), defined Business
Associates and Subcontractors, increased Patient Rights, change in the
Notice of Privacy Practice, increased fines and penalties, and other
important changes. There is a new focus on investigating and penalizing
noncompliance due to “willful neglect.”

The Office of Civil Rights will begin enforcement of the Omnibus Rule September 23, 2013.

Attend this session to learn what actions your practice must take to meet the new federal compliance regulations.


  • Describe new limits on uses and disclosures of PHI
  • Recognize Business Associates and Subcontractors
  • Explain increased Patient Rights
  • Outline action steps for compliance with Omnibus Rule


RSVP to Maria Taylor at 714-937-2182.
Cost: Members – $25, Non-Member managers – $35, Member Vendors and
Vendors who attend the first time – $50. Other Non-Member vendors – $95.

1.0 CEU Available from ACMPE