Monthly Archives: August 2013


The American Medical Association publicaiton, Americn Medical News recently quoted Mr. Kinley in it's article, "Collaboration can save medical practices time, money and effort."

"Matt Kinley, a partner of Tredway, Lumsdaine & Doyle, LLP, a Southern California-based law firm, said some concerns were raised that ACOs would violate antitrust laws, leading to certain exceptions being made.

“With ACOs, physicians agree to a certain payment, but that payment is based on improved quality of care,” Kinley said. “The government is very interested in a system that improves quality of care and uses technology, which ACOs do.”

Kinley said it’s too early to tell if ACOs will replace IPAs."

HIPAA Settlement Shows How To Comply

HHS’s Office of Civil Rights
recently completed an enforcement action against Wellpoint.  Wellpoint
suffered security breaches and settled with the Office of Civil Rights for $1.7
million.  Wellpoint self-reported the breach to HHS’s, which mitigates the
penalties that it agreed to pay.  The breach was leaving their database
open to unauthorized users over the Internet.  There is no evidence that
the database was accessed or information utilized.

What is
unique is that the OCR has published the actual settlement agreement with
Wellpoint.  From a providers point of view, the settlement shows what to avoid to be HIPAA compliant.  OCR
lists the violations of HIPAA law that caused the fine.  

this demonstrates is that it’s the “technical violation” that will get entities
into trouble. In this case, not having all the safeguards in place to safeguard
protected healthcare information (“PHI” or electronic protected healthcare
information, “ePHI”).

from the agreement:

Factual Background and Covered Conduct

June 18, 2010, HHS received notification from WellPoint regarding abreach
of certain of its unsecured electronic protected health information (ePHI). OnSeptember
9, 2010, HHS notified WellPoint of HHS’s investigation regardingWellPoint’s
compliance with the Privacy, Security, and Breach Notification Rules.

investigation indicated that the following conduct occurred (“CoveredConduct”):

 (1) Beginning on
October 23, 2009, until March 7, 2010, WellPoint did not adequately
implement policies and procedures for authorizing access to ePHI
maintained in its web-based application database consistent with theapplicable
requirements of the Security Rule.

 (2) WellPoint did
not perform an adequate technical evaluation in responseto
a software upgrade, an operational change affecting the security of ePHI maintained
in its web-based application database that would establish the extent
to which the configuration of the software providing authentication safeguards
for its web-based application met the requirements of the Security

 (3) Beginning on
October 23, 2009, until March 7, 2010, WellPoint did not adequately
implement technology to verify that a person or entity seekingaccess
to ePHI maintained in its web-based application database is the one claimed.

(4) Beginning on
October 23, 2009, until March 7, 2010, WellPointimpermissibly
disclosed the ePHI, including the names, dates of birth,addresses,
Social Security Numbers, telephone numbers and healthinformation,
of approximately 612,000 individuals whose ePHI was maintained
in the web-based application database."



Steps That
Covered Entities Can Take to Protect Against HIPAA Enforcement

  • Review
    relationships and the documentation of such relationships among and
    between Affiliated Covered Entities and other related entities with which
    they share PHI
  • Revisit
    risk analyses, especially following any changes to the underlying
  • Update
    policies and procedures as necessary to account for changes in technology
    or practices
  • Continue
    workforce training
  • Audit
    ongoing programs
  • Monitor
    security intrusions
  • Implement
    a breach response plan


This is the third in a series of articles on
avoiding fraud and theft in healthcare professionals
The article is meant for medical professionals including physicians,
dentists, home nursing and mental health professionals. If you have any
questions about this series, feel free to contact attorney Matthew L. Kinley, a
healthcare lawyer in Long Beach, California at 562.901-3050

           Practices in California should be wary
of prescribing pain killers for their patients.
The Medical Board has told various audiences that they are reviewing
physicians who prescribe such medications, and will review patient files for

           There is good reason for the Medical
Board to be concerned: There has been great abuse by patients who utilize pain
killers.  There has also been an epidemic
of deaths caused by such abuse.  One
estimate has it that American physicians prescribe enough pain killers to
medicate every American around the clock for a month.

           In order to avoid a visit by the
Medical Board, or to be prepared if they do visit,  and to make sure that your painkiller practice
is beneficial for patients, physician offices should adopt protocols to make
sure that patients actually need the painkillers you prescribe.  Such protocol will help keep prescribed drugs
making it on the black market.

 Action Items to Protect Your Practice:

 1. Carefully
document the patient chart.  Carefully
explain the side effects of the prescription, and for long term use, the
potential detrimental effects of potential addiction.

 2. Screen
and monitor for substance abuse and mental health problems.

 3. Be
vigilant for scams and identity theft.

 4. Prescribe
pain killers only after examining the patient.

           California Business and Professions
Code provides some guidance.  Section
2242 provides  that it is
“unprofessional conduct” to prescribe or furnishing dangerous drugs without
an appropriate prior examination and a medical indication.

 5.  Only prescribe painkillers after other treatments
have not been effective for pain.

 6.  Use legally required form. California Healt  & Safety Code section 11162.1 provides standards
for prescription forms for controlled substances. 

Limit the
number of pills prescribed. 

 7. The
quantity prescribed should be based on the expected length of pain.California
Health Safety Code section 11158 provides for limits on number of pills
(“may dispense directly to an ultimate user a controlled substance
classified in Schedule II in an amount not to exceed a 72-hour supply for the
patient in accordance with directions for use given by the dispensing
practitioner only where the patient is not expected to require any additional
amount of the controlled substance beyond the 72 hours. )

 8. Using
patient-provider agreements combined with urine drug tests for people using
painkillers long term.

 9.  Talking with patients about safely using,
storing and disposing of prescription of painkillers.  (

 10.  Check the prescription monitoring programs with the California Attorney


By Matthew L. Kinley, Esq.