Category Archives: HIPAA

BEST PRACTICES TO AVOID FRAUD AND THEFT IN THE MEDICAL OFFICE: PROTECTED HEALTH INFORMATION, IDENTITY THEFT AND THE LAW PRACTICE

IDENTITY THEFT, PROTECTED HEALTH INFORMATION EMRs and OTHER FEDERAL REGULATORY ISSUES

This is the second in a series of articles on avoiding fraud and theft in healthcare professionals’ offices. The article is meant for medical professionals including physicians, dentists, home nursing and mental health professionals. If you have any questions about this series, feel free to contact attorney Matthew L. Kinley, a healthcare lawyer in Long Beach, California at 562.901-3050.
 

Medical providers store all sorts of private information.  Patients give medical providers virtually every identifying fact about themselves possible.  Records kept in the office include information about the health of the patient.  Billing records have banking and other important financial contacts.

Medical providers have an obligation to protect private health information.  Federal and state laws impose specific obligations to protect information provided to medical providers. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and related regulations, the Health Information Technology for Economic and Clinical Health (HITECH) Act and related regulations, and the California Business and Professions Codes and related regulations are all laws designed to protect patients’ privacy and to require providers to keep information private.

Medical providers, if they expect payment from Medicare, Medicaid (Medi-Cal in California) or from private payors, will have Electronic Medical Records systems in place.  This expansion of electronic records requires medical providers to institute plans to follow complicated regulations, both to survive government audits and to make sure that medical records are safe.  Failure to do so may result in penalties and fines.

ACTION ITEMS:

What to do to protect electronic information?

1.  Hire competent people. 

Take the time to carefully research people you hire.  Check their references.  Make sure they are not on the Office of Inspector General’s Excluded Persons list. (Persons on this list have been found by the OIG to be involved in some sort of fraudulent scheme.)

2.  Prepare a HIPAA Compliance Plan.  Every medical provider, no matter how small, should prepare such a plan.  Failure to do so can result in serious fines and penalties, even if no information is leaked.  The basics of such a plan include:

a.  Appointment of a privacy officer.  Takes charge of the office’s privacy efforts.

b. Security Rule Analysis.  This is the first part of preparing a HIPAA plan.

c.  Prepare a Breach Policy.  This is what to do if there’s a breach and confidential health information is made public.

d.  Training of your employees.  All employees need to be trained in basic patient privacy.

e.  Privacy Notice.  The law requires every health provider to have and have published a Privacy Notice.

f.  Business Associate Agreements.  The provider is required to protect all information if using other entities to help with collections or other information gathering.

g.  Policies relating to release of information.   When can a patient’s information be released?  To whom can the information be released?  How is such information sent (internet? e-mail?).

Some of the nuts and bolts of your plan will include:

a. Negotiating Leases.  Make sure your landlord does not have access to protected health information.  Most leases allow the landlord to enter the premises, either upon notice or during emergencies.  These entrances into the medical space should be limited.

b. Patient sign-in sheets don’t disclose protected medical information.

c. Patient schedules can’t be seen.

d. Confidential discussions can’t be overheard.

e. Computers have proper encryption and passwords.

f.  Computer monitors can’t be seen by passersby.

g. Internet use is secure.

h. Filing cabinets are locked.

i.  Use encryption.  Monitor laptops and portable storage devices to make sure they are not lost.

j. Keys and access items are retrieved from former employees.

Modern electronic information requires that all medical providers comply with the law and institute privacy procedures.  Our office provides guidance on such matters for a flat fee.  You can call for a no cost consultation at any time.

By: Matthew L. Kinley, Esq.

DOMA: HOW IT CHANGES BENEFITS FOR SAME SEX COUPLES

THE SUPREME COURT STRIKES DOWN DEFENSE OF MARRIAGE ACT

The decision of the United States Supreme Court in U.S. v.
Windsor, where the court struck Section 3 of the Defense of Marriage Act
(DOMA), will change many aspects of healthcare as it relates to same-sex
marriage.  The decision requires that the
federal government recognize same-sex marriages that are recognized under state
law.

SOME OF THE THINGS THE COURT DID NOT RULE

The Feds Follow the State. The Court didn’t rule that the federal government must recognize all same-sex marriage.  Instead they determined that marriage is traditionally an issue for the states to decide.

States Follow Their Own Path. The Court did not strike down Section 2 of DOMA, which provides that no state shall be required to recognize a same-sex marriage that is recognized by another state. This raises a number of issues for couples who move from state to state or who live in a state that does not recognize same-sex marriage but travel to a state that does and marry there.

Retroactive? Another open issue is retroactivity. Windsor
did not specifically address whether same-sex couples have any retroactive
rights to any benefits. For example, suppose a 401(k) plan participant entered
into a same-sex marriage, designated someone other than the same-sex spouse as
beneficiary (without obtaining the spouse’s consent), and died before the
decision. Does the surviving spouse have a claim against the plan for survivor
benefits? Do same-sex couples have a right to claim refunds for health plan
benefits that were previously treated as taxable? The Courts and the IRS will
provide guidance on retroactivity at some point. 

CALIFORNIA RECOGNIZES SAME SEX UNIONS

In California, the Supreme Court, in a 5-4 decision issued on the same day as U.S. v. Windsor, ruled against the backers of California’s Proposition 8 gay marriage ban. With the court’s ruling, gay marriage is once again officially legal in California. While many questions remain about the broader constitutional issue concerning the right of gay and lesbian couples to get married, June 26 will be remembered as the day California’s gay marriage ban died.

 DOMA:  KNOWN EFFECTS

1. Imputation of Income. Same-sex partners will no longer pay federal taxes on income imputed for an employer’s contribution to a same-sex spouse’s medical, dental or vision coverage and employers will no longer be required to pay federal payroll taxes on such amounts.

2. Employer Refunds.  Employers may be entitled to a refund for payroll taxes previously paid. Employers may be required to continue to impute income for state law purposes in states that do not recognize same-sex marriage.

3.  Coverage.
Windsor does not address whether plans that provide spousal coverage must cover
same-sex spouses. Employers with self-insured plans subject to ERISA are not
required to cover spouses and if they do cover some spouses, they are not
necessarily required to cover all spouses. Employers with plans not subject to
ERISA would be subject to any applicable state laws regulating coverage.  The ACA requires coverage of offspring but
not spouses, same sex or not.

 4. Pre-tax premiums.
Employees with same-sex spouses may pay the cost of spousal health coverage by reducing
pay on a pre-tax basis.

 5. COBRA. Same-sex spouses have the same independent COBRA rights as
opposite-sex spouses.

6. Special Enrollment Rights. Marriage to or divorce from a same-sex spouse is now a HIPAA special enrollment event under plans offering spousal coverage. Employees may add a same-sex spouse to their health coverage outside of the open enrollment period, if they marry or if the spouse loses coverage due to a job loss or change.

 7.  Personal Representatives.  HIPAA provisions relating to providing
patient information will now clearly include same sex spouses. 

8. Medical Expenses Tax Treatment. Eligible medical expenses incurred by a same-sex spouse at least since the date of the Windsor decision are eligible for tax-free reimbursement under health care flexible spending accounts, health reimbursement arrangements, and health savings accounts. There may also be a medical expense deduction.  An employee and a same-sex spouse will share the deduction limit for HSA contributions and the typical health care cost deduction.

9. Qualified Retirement Plans. Spouses have a number of rights under qualified retirement plans (such as defined benefit and 401(k) plans) subject to ERISA. Some examples of these rights, which must now be provided to same-sex spouses, include Qualified Joint and Survivor rights, the ability of divorced same-sex spouses to obtain a qualified domestic relations order (QDRO) dividing retirement benefits, and other rights for spouses.

HEALTHCARE SPECIFIC ISSUES

Impact on Medicaid/CHIP Eligibility. With the invalidation of DOMA, states that recognize gay marriage must treat married, same-sex couples as part of the same household. To determine whether an individual is eligible for Medicaid/CHIP, states assess a household’s composition and countable income as a percentage of the federal poverty level.

Treating same-sex couples as spouses can make it more likely that they are eligible
for Medicaid/CHIP by increasing the size of their households or it can make a
household less likely to be eligible by increasing the total family income.
Ultimately, in terms of Medicaid/CHIP eligibility, whether a same-sex couple
benefits or loses from being treated as one household depends on the amount of
income each spouse contributes.

The DOMA decision will affect the access married, same-sex
couples have to many government programs, as well as to employer-sponsored
health insurance. With DOMA no longer in place:

  • Same-sex spouses of federal employees will be entitled to federal healthcare coverage.
  • Same-sex spouses of military personnel will be eligible to receive TRICARE coverage.
  • Individuals in same-sex marriages, like those in heterosexual marriages, will be able to qualify for Medicare based on a spouse’s work history.

 OTHER ISSUES

FMLA

The FMLA now will provide entitlement to take leave to care
for a same-sex spouse to the same extent as an opposite-sex spouse.

Medicare Secondary Payer Rules

Same-sex spouses will now be treated as spouses, such that
plans covering spouses of active employees will be considered primary for
Medicare purposes.

Prohibited Transaction Rules

Spouses are treated as “family members” in
determining whether a person is a disqualified person for purposes of
prohibited transaction rules. Same-sex spouses are now disqualified persons to
the same extent that opposite-sex spouses are.

 Ownership Attribution Rules

 The same-sex spouse of a 5% owner of employer stock is now
considered to be a 5% owner by attribution, including for purposes of
identifying highly compensated employees and for top hat purposes.

ACTION ITEMS

1. Begin reimbursing medical care expenses for same-sex spouses of participants. Notify employees of the window (typically 30 days) under the cafeteria plan for family status changes and special enrollment rights for same-sex spouses and their dependents.

 2. Review definitional and choice-of-law provisions of benefit
plans concerning the definition of “spouse.”  Start obtaining spousal consent from same-sex
spouses for any defined benefit plan retirement distributions.

3. Advise employees married to same-sex spouses to review
their death beneficiary designations; if proper spousal consent has not been
obtained, their designations will be void.

4. Employers will want to ensure that same-sex spouses are identified in their records in the same manner as opposite-sex spouses. If the employer does not currently distinguish between same-sex spouses and domestic partners in company records, for example, or identifies opposite-sex spouses but not same-sex spouses in its record keeping, the employer should consider modifying its practices.

5. Review all plan documents, in particular the eligibility provisions, to determine if provisions that were designed to provide coverage to domestic partners or same sex spouses or designed to restrict coverage to opposite sex spouses should be changed or modified.

6. Be sure that, at least after the date of the Windsor decision, retirement plans in operation provide lawfully married same-sex spouses residing in states where same-sex marriages are recognized the benefit rights to which opposite sex spouses are entitled. (See the lists above.)

7. Cease imputing income on health coverage and other benefits provided to same-sex spouses residing in states that recognize same-sex marriage if income imputation is not required for opposite-sex coverage.

 8. Permit employees to pay the 2013 cost of health care
coverage for lawfully married same-sex spouses residing in states where
same-sex marriages are recognized with pre-tax reductions in pay.

9. Consider whether to seek a refund for employment taxes paid on imputed income for same-sex spouse benefits for open tax years.

10.  Begin a review of all
employee benefit plans, policies, procedures and handbooks to consider whether
changes are needed or desirable.

Matthew L. Kinley, Esq.

Support for Compliance with HIPAA

Physicians must comply with HIPAA requirements or face investigations and audits by the Office of Civil Rights or the California Attorney General.  Under California State Law, you also could be sued in a civil lawsuit for a failure to comply.

Tredway, Lumsdaine & Doyle, LLP can support your HIPAA compliance by guiding your organization through the process and providing the forms necessary to be compliant.

The process requires that your institution:

  • Perform an assessment of your current uses and disclosures of patient health information.
  • Perform a “gap analysis” to determine where your current procedures do NOT meet HIPAA standards.
  • Choose methods for getting into compliance.
  • Implement and maintain the required changes.
  • Document your efforts so that, if necessary, you can prove that you are in compliance.

Call Matt Kinley at 562.901.3050 to start the process to comply today.

Matt Kinley, Esq.

Matt Kinley On HIPAA Final Rule: Talk before Orange County Medical Group Management Association

OCMGMA: HIPAA Update

Tuesday, June 11, 2013 (12:00 PM – 1:30 PM)

Presented by: Kathleen Stillwell, MPA/HSA, RN, CPHRM Patient Safety
Risk Management Account Executive, The Doctors Company, and Matthew
Kinley, Esq.,  Partner, Tredway Lumsdaine & Doyle, LLP

Program Information:

The new HIPAA Omnibus Rule
includes new breach notification requirements; limits for use and
disclosure of Protected Health Information (PHI), defined Business
Associates and Subcontractors, increased Patient Rights, change in the
Notice of Privacy Practice, increased fines and penalties, and other
important changes. There is a new focus on investigating and penalizing
noncompliance due to “willful neglect.”

The Office of Civil Rights will begin enforcement of the Omnibus Rule September 23, 2013.

Attend this session to learn what actions your practice must take to meet the new federal compliance regulations.

Objectives:

  • Describe new limits on uses and disclosures of PHI
  • Recognize Business Associates and Subcontractors
  • Explain increased Patient Rights
  • Outline action steps for compliance with Omnibus Rule


RSVP to Maria Taylor at 714-937-2182 or mtaylor@osiortho.com.
Cost: Members – $25, Non-Member managers – $35, Members Vendors and
Vendors who attend the first time – $50. Other Non-Member vendors – $95.

1.0 CEU Available from ACMPE

Mr. Kinley Speaks to OCMA regarding HIPAA Updates

HIPAA Update: The Omnibus Rule

Date: 6/4/2013

Time: 6:00 PM – 8:00 PM

Location:
Irvine, CA

Synopsis:

EARN 1.5 CME CREDITS

The Doctors Company is fiercely committed to advancing, protecting, and rewarding the practice of good medicine. We remain the leader in developing innovative tools that can help you improve the quality of patient care and decrease the number of adverse events. We invite you to join us for our seminar HIPAA Update: The Omnibus Rule.
 
Target Audience:
Physicians of All Specialties
 
Purpose:
The new HIPAA Omnibus Rule includes new breach notification requirements; limits for use and disclosure of Protected Health Information (PHI), defined Business Associates and Subcontractors, increased Patient Rights, change in the Notice of Privacy Practice, increased fines and penalties, and other important changes. There is a new focus on investigating and penalizing noncompliance due to "willful neglect." The Office of Civil Rights will begin enforcement of the Omnibus Rule on September 23, 2013. Attend this session to learn what actions your practice must take to meet the new federal compliance regulations.
 
Objectives:
At the conclusion of this program, the physician should be able to:
  • Describe new limits on uses and disclosures of PHI
  • Recognize Business Associates and Subcontractors
  • Explain increased Patient Rights
  • Outline action steps for compliance with Omnibus Rule  

Presenters:
Kathleen Stillwell, MPA/HSA, RN, CPHRM, Patient Safety Risk Management Account Executive, The Doctors Company
Matthew Kinley, JD, Partner, Tredway Lumsdaine & Doyle, LLP

Date/Time:
Tuesday, June 4, 2013
6:00 PM – Dinner
6:30 – 8:00 PM – Seminar

Location:
OCMA Conference Center
17322 Murphy Ave.
Irvine, CA 92614

Price:
OCMA Members and Non-member physicians: Free

Questions:
If you have any questions regarding the seminar, contact The Doctors Company's Patient Safety Department at (800) 421-2368, extension 1243.

The Doctors Company is accredited by the Accreditation Council for Continuing Medical Education (ACCME) to sponsor continuing medical education for physicians.

The Doctors Company designates this educational activity for a maximum of 1.5 AMA PRA Category 1 Credit(s)™. Physicians should only claim credit commensurate with the extent of their participation in the activity.

The Doctors Company wishes to take steps to ensure no individual with a disability is discriminated against because of the absence of auxiliary aids and services. If special arrangements are required for an individual to participate in the program, please contact The Doctors Company at least 10 days prior to the scheduled date.

HIPAA: Business Associates and Business Associate Agreements

Health care professionals working with personal medical information face major compliance obligations under the newest rules related to “protected health information” (“PHI”).  The Omnibus rules were issued by the Department of Health and Human Services last January (the “Final Rule”).

The Final Rule sets requirements and authorizes substantially increased penalties for violations of HHS’ regulations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act. Particularly in light of those increased penalties, HIPAA covered entities (health plans, health care clearinghouses, and most health care providers) and their “business associates” — which are now directly subject to HHS regulations — should be actively reviewing their new responsibilities under the Final Rule.

The Final Rule’s significant aspects relating to business associates are:

  • Make subcontractors (and sub-subcontractors, sub-sub-subcontractors, etc.) of HIPAA business associates themselves “business associates” and thus directly subject to most provisions of the HIPAA Privacy Rule, as well as the HIPAA Security Rule and HHS’ Breach Notification Rule;
  • Eliminate the “risk of harm” standard that HHS previously prescribed as a criterion for determining when it is necessary to notify individuals about a breach of security affecting their PHI; and
  • Require amendments to Notices of Privacy Practices, business associate agreements, and a variety of policies and procedures entailed in complying with the Privacy Rule.

With limited exceptions, compliance with the Final Rule’s provisions is required by September 23, 2013.

The HHS has compiled extensive information about business associates on its website.

The site includes a generic, sample agreement for business associates.  The site warns that not all of the sample should be used and that parts should be modified to fit the exact situation. This agreement is a good start for complying with the law.

By Matthew L. Kinley, Esq