Category Archives: healthcare compliance

KINLEY TO SPEAK ON “WHO OWNS PATIENT DATA”

R-HEALTH BY THE HEALTH MANAGEMENT INTEREST GROUP SEEKS TO EDUCATE ON THE DANGERS AND OPPORTUNITIES IN PATIENT DATA

University of California, Riverside. HIPAA and the HITECH regulations impose burdens on healthcare providers regarding how private health information can be utilized. Given the potential penalties for missteps, this is an important topic for the healthcare industry to grasp. Tickets are still available!

As a recent Office of Civil Rights report pointed out, 2016 was a record year for enforcement: “OCR has been on a tear, settling 11 cases in 2016 with resolution agreements and corrective action plans. The agency also won a decision by an administrative law judge in an enforcement action contested by a home healthcare and medical equipment supplier (see OCR Slaps Home Health Provider with Penalty).”

Private Health Information must be maintained and utilized in ways that protect the information from exposure.

Matt Kinley is a health care attorney and founder of Kinley Law Practice in California. You can contact him at matt@kinleylawpractice.com.

 

WHAT ABOUT A MANAGEMENT SERVICES ORGANIZATION?

AVOIDING THE PROHIBITION AGAINST NON-PHYSICIAN OWNERSHIP OF MEDICAL ORGANIZATIONS

A management services organization (“MSO”) is an entity which would contract with a physician or a medical corporation owned and operated by physicians. The MSO could be owned by non-physicians.  The physician or medical corporation can pay the MSO for everything. Employees would work for the MSO; the MSO would pay for the lease.  The MSO would pay for all significant expenses and receive a fee for its services.

The Corporate Practice of Medicine Doctrine (CPOM) is strong in California. Under this doctrine, physicians must control clinical decisions. The concern is that if business entities owned by non-physicians are permitted to control the rendering of care, they will subordinate clinical care to commercial considerations and profits. The objective, therefore, is to prevent non-physicians and non-physician-owned business entities from influencing treatment decisions.

This presents a significant constraint to physician business ventures. Specifically, if physicians or other clinical personnel work for entities other than professional medical corporations, they may be exposed to disciplinary risks, as well as to forfeiture of revenues. For non-physician business partners, violating the CPOM may also bring both civil and, in extreme cases, potential criminal liability for engaging in medical practice without a license.

MSO

In California, the solution for avoiding violations of the CPOM in business ventures in which physicians work with businesses owned by unlicensed persons is a contractual relationship between the physician entity and the unlicensed business entity, or a “management services organization (MSO).” This is a business vehicle that permits unlicensed persons to provide services to physicians and their professional medical corporations. In its simplest form, an MSO provides basic practice support services to physicians and professional medical corporations via a contractual relationship, commonly known as a management services agreement. These services frequently include activities such as billing and collection, administrative support in certain areas, and electronic data interchange (e.g. electronic billing). Some MSOs provide a broader set of services: the MSO may purchase many of the assets in a medical practice, such as office space or equipment. MSOs can employ office support staff, and assist with a wide range of non-clinical functions. MSOs can also assist in functions such as marketing. Often, MSOs can reduce costs by bringing economies of scale and professional management experience into physician practices, thereby improving operational efficiency and reducing overhead costs.

The MSO must be carefully considered and constructed. Review and application of relevant laws and regulations is a must.

By Matt Kinley, Esq. of the Kinley Law Practice

Kinley Law Practice starts January, 2017

QUALITY HEALTH LAW ADVICE

The California Healthcare Law Blog was created several years ago to keep the healthcare industry abreast of new developments in health law.  It’s been an amazing journey!  It’s culminated in a new law firm, Kinley Law Practice, committed to supporting health care entities with quality advice.  Give me a call at 562.715.5557 or email me at matt@kinleylawpractice.com with comments or questions.

 


How to Utilize an Attorney for HIPAA Breach Analysis

Attorney’s Role in Breach Analysis

An attorney’s role in any potential breach is to lead an assessment of the breach and to help clients determine whether to disclose a breach by applying the law to the factual investigation. Such an assessment is required for covered entities when a breach is suspected under Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules, and under the HITECH Act and the Genetic Information Nondiscrimination Act (GINA) and the corresponding regulations. As the company and experts review the potential breaches, the attorney should apply the law implicated by the facts. The appropriate law may be not only federal law but state law as well. For example, the very stringent California Privacy Law applies to breaches in California.

If it is determined that there is a reportable breach, the attorney assists with the proper methods to make notification.

Any attorney chosen for this task should have experience and education in healthcare law. Some examples include a healthcare LLM, such as the one offered by Loyola Chicago’s Beazley Institute for Health Law and Policy, and designations in compliance, such as certification in Healthcare Compliance (CHC).

My background includes retention by several clients to help with such an assessment, a Masters of Law (LLM) in Healthcare Law from Chicago Loyola Law School and I am Certified in Healthcare Compliance (CHC). I help healthcare institutions comply with HIPAA and other federal and state regulations.

Definition of Breach

A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment.

The risk assessment requires the following investigation:

1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
2. The unauthorized person who used the protected health information or to whom the disclosure was made;
3. Whether the protected health information was actually acquired or viewed; and,
4. The extent to which the risk to the protected health information has been mitigated.

The team must also complete an analysis on three potential exceptions to the definition of “breach.” The first exception applies to the unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority. The second exception applies to the inadvertent disclosure of protected health information by a person authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the covered entity or business associate, or organized health care arrangement in which the covered entity participates. In both cases, the information cannot be further used or disclosed in a manner not permitted by the Privacy Rule. The final exception applies if the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made, would not have been able to retain the information.

Unsecured Protected Health Information and Guidance

Covered entities must only provide the required notifications if the breach involved unsecured protected health information. Unsecured protected health information is protected health information that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of specific technology or methodology.

By Matt Kinley, Esq., LLM, CHC

562.715.5557

 

IS YOUR HEALTHCARE COMPLIANCE PROGRAM COMPLIANT?

HEALTHCARE COMPLIANCE

10 RED FLAGS

Under current law, physicians are required to maintain an effective, comprehensive compliance program to detect, correct and prevent incidences of non-compliance with state and federal regulatory law. The goal of a comprehensive compliance program is to prevent the significant criminal and civil penalties that might come with a violation of the False Claims Act, Stark, the Anti-Kickback Statutes, HIPAA and state law equivalents. Failure to comply might lead to exclusion from health payments. Here is a summary of the core components of a complete compliance plan:

#1  MISSING OR INCOMPLETE WRITTEN POLICIES, PROCEDURES AND STANDARDS OF CONDUCT

#2  PEOPLE:   NO COMPLIANCE OFFICER OR COMPLIANCE COMMITTEE

#3  TRAINING:  THE FACILITY LACKS EFFECTIVE TRAINING AND EDUCATION

#4.  COMMUNICATION:  THE FACILITY LACKS

#5.  PERSONNEL:  FAILURE TO PUBLISH DISCIPLINARY STANDARDS & TO EFFECTIVELY DISCIPLINE VIOLATORS

#6.  NO SYSTEM TO AUDIT AND MONITOR ORGANIZATION COMPLIANCE AND COMPLIANCE RISKS

#7  FAILURE TO CREATE PROCEDURES TO PROMPTLY RESPOND TO IDENTIFIED ISSUES AND SELF DISCLOSURE OBLIGATIONS

#8.  LACK OF SUPPORT FROM PHYSICIANS AND LEADERSHIP OF THE ORGANIZATION

#9.  FAILURE TO INSTITUTE PRIVATE HEALTH INFORMATION POLICIES

#10. FAILURE TO MONITOR NEW LAW AND UPDATE COMPLIANCE ACCORDINGLY

By Matt Kinley, Esq., LLM, CHC

562.715.5557