Attorney’s Role in Breach Analysis
An attorney’s role in any potential breach is to lead an assessment of the incident and to help the client determine whether it must be disclosed, by applying the law to the factual investigation. Such an assessment is required of covered entities whenever a breach is suspected, under the Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the HITECH Act and the Genetic Information Nondiscrimination Act (GINA) and the corresponding regulations. As the company and its experts review the potential breach, the attorney should apply the law implicated by the facts. The applicable law may be not only federal law but state law as well; California, for example, has its own stringent privacy and breach-notification statutes that apply to breaches affecting California residents.
If it is determined that there is a reportable breach, the attorney assists with the proper methods of making notification.
Any attorney chosen for this task should have experience and education in healthcare law. Some examples include a healthcare LL.M., such as the one offered by Loyola Chicago’s Beazley Institute for Health Law and Policy, and designations in compliance, such as Certified in Healthcare Compliance (CHC).
My background includes retention by several clients to help with such assessments, a Master of Laws (LL.M.) in Healthcare Law from Loyola University Chicago School of Law, and certification in Healthcare Compliance (CHC). I help healthcare institutions comply with HIPAA and other federal and state regulations.
Definition of Breach
A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of protected health information. An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate demonstrates, based on a risk assessment, that there is a low probability that the protected health information has been compromised.
The risk assessment must consider at least the following four factors:
1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
2. The unauthorized person who used the protected health information or to whom the disclosure was made;
3. Whether the protected health information was actually acquired or viewed; and
4. The extent to which the risk to the protected health information has been mitigated.
The team must also complete an analysis on three potential exceptions to the definition of “breach.” The first exception applies to the unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority. The second exception applies to the inadvertent disclosure of protected health information by a person authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the covered entity or business associate, or organized health care arrangement in which the covered entity participates. In both cases, the information cannot be further used or disclosed in a manner not permitted by the Privacy Rule. The final exception applies if the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made, would not have been able to retain the information.
Unsecured Protected Health Information and Guidance
Covered entities are required to provide the notifications only if the breach involved unsecured protected health information. Unsecured protected health information is protected health information that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary of HHS in guidance. That guidance identifies two such methods: encryption consistent with the NIST standards it references, and destruction of the media on which the information is stored. The encryption safe harbor depends on the decryption key remaining secure; if the key or confidential process was compromised along with the data, the information is not considered secured.
10 RED FLAGS
Under current law, physicians are required to maintain an effective, comprehensive compliance program to detect, correct and prevent incidents of non-compliance with state and federal regulatory law. The goal of a comprehensive compliance program is to avoid the significant criminal and civil penalties that may follow a violation of the False Claims Act, the Stark Law, the Anti-Kickback Statute, HIPAA and their state law equivalents. Failure to comply may also lead to exclusion from federal health care payment programs. Here are ten red flags that signal a compliance plan is missing one of its core components:
#1. MISSING OR INCOMPLETE WRITTEN POLICIES, PROCEDURES AND STANDARDS OF CONDUCT
#2. PEOPLE: NO COMPLIANCE OFFICER OR COMPLIANCE COMMITTEE
#3. TRAINING: THE FACILITY LACKS EFFECTIVE TRAINING AND EDUCATION
#4. COMMUNICATION: THE FACILITY LACKS
#5. PERSONNEL: FAILURE TO PUBLISH DISCIPLINARY STANDARDS AND TO EFFECTIVELY DISCIPLINE VIOLATORS
#6. NO SYSTEM TO AUDIT AND MONITOR ORGANIZATIONAL COMPLIANCE AND COMPLIANCE RISKS
#7. FAILURE TO CREATE PROCEDURES TO PROMPTLY RESPOND TO IDENTIFIED ISSUES AND SELF-DISCLOSURE OBLIGATIONS
#8. LACK OF SUPPORT FROM PHYSICIANS AND LEADERSHIP OF THE ORGANIZATION
#9. FAILURE TO INSTITUTE PROTECTED HEALTH INFORMATION POLICIES
#10. FAILURE TO MONITOR NEW LAW AND UPDATE COMPLIANCE ACCORDINGLY
Is your business compliant with OSHA’s Bloodborne Pathogens Standard?
If you operate a business whose employees are exposed to blood or other potentially infectious materials (OPIM), your business is subject to OSHA’s Bloodborne Pathogens Standard (BPS), 29 C.F.R. 1910.1030. In spite of OSHA’s attempt to simplify the requirements in its online fact sheet, the standard is a minefield of regulations for small to midsize businesses to navigate. This post provides a brief overview of the Bloodborne Pathogens Standard and what it means for your business.
Have an Updated Plan
All good businesses have a plan, right? OSHA adds to your plans by requiring an “exposure control plan.” 29 C.F.R. 1910.1030(c)(1). Under this plan, employers must create a list that classifies the job positions in the company by their level of exposure to blood and OPIM. 29 C.F.R. 1910.1030(c)(2)(i)(A). The plan must also detail the tasks and procedures performed by each classification of employee that cause their exposure. 29 C.F.R. 1910.1030(c)(2)(i)(C).
The Bloodborne Pathogens Standard not only requires the employer to have an exposure control plan but also requires that it be updated annually “to reflect changes in tasks, procedures, and positions that affect occupational exposure, and also technological changes that eliminate or reduce occupational exposure.” OSHA, OSHA’s Bloodborne Pathogens Standard, OSHA Fact Sheet.
To make these updates to OSHA’s satisfaction, the employer must also document in the plan that it has considered and begun using safer medical devices to minimize occupational exposure, and that it has engaged its employees “in identifying, evaluating, and selecting effective engineering and work practice controls.” OSHA, OSHA’s Bloodborne Pathogens Standard, OSHA Fact Sheet. And that is just the beginning.
The Bloodborne Pathogens Standard requires that the precautions used to prevent an exposure incident be universal. 29 C.F.R. 1910.1030(b). As OSHA explains, this means “treating all human blood and OPIM as if known to be infectious for bloodborne pathogens.” OSHA, OSHA’s Bloodborne Pathogens Standard, OSHA Fact Sheet.
Be Well Stocked With the Right Equipment
The Bloodborne Pathogens Standard requires the examination, maintenance, and routine replacement of “engineering controls.” 29 C.F.R. 1910.1030(d)(2)(ii). What are engineering controls? They are “controls . . . that isolate or remove the bloodborne pathogens hazard from the workplace,” such as sharps disposal containers and self-sheathing needles, among others. 29 C.F.R. 1910.1030(b). In other words, take the garbage out on a regular basis. Employers must also provide appropriate personal protective equipment (PPE) to employees with occupational exposure, such as “gloves, gowns, laboratory coats, face shields or masks and eye protection, and mouthpieces, resuscitation bags, pocket masks, or other ventilation devices.” 29 C.F.R. 1910.1030(d)(3)(i). This PPE must be provided by the employer at no cost to its employees. Id.
Take Preventative and Remedial Measures
Hepatitis B vaccination must be made available to all employees with occupational exposure after they have received the required training and within 10 working days of their initial assignment. 29 C.F.R. 1910.1030(f)(2)(i). Should there be an exposure incident, you must “make available post-exposure evaluation and follow-up to any occupationally exposed worker who experiences an exposure incident.” OSHA, OSHA’s Bloodborne Pathogens Standard, OSHA Fact Sheet. The procedures the employer must follow after an exposure incident can become complicated by consent and health-related confidentiality issues surrounding testing of the source individual and the exposed employee.
The requirements for warning labels and signs communicating hazards are lengthy enough to warrant their own blog post. The main takeaway from the BPS requirements for labels and signs is this: anything that comes into contact in any way with blood or OPIM must carry a label or sign that warns of the danger of exposure. As the Code of Federal Regulations states, warning labels must be affixed to “containers of regulated waste, refrigerators and freezers containing blood or other potentially infectious material; and other containers used to store, transport or ship blood or other potentially infectious materials.” 29 C.F.R. 1910.1030(g)(1)(i). There are also specific regulations relating to warning signs at all entrances to HIV and HBV research laboratories and production facilities. See 29 C.F.R. 1910.1030(g)(1)(ii).
This post only scratches the surface of OSHA’s Bloodborne Pathogens Standard. If you run a business that exposes its employees to blood or other potentially infectious materials, you must comply with these regulations under federal law. Operating a healthcare facility is no simple task even before considering regulations such as the Bloodborne Pathogens Standard. Protect your business and make sure you are complying with these detailed requirements.
PHYSICIANS CAN OPT OUT OF ASSISTED SUICIDE LAW
California became the most recent state to permit physician aid in dying when it adopted the End of Life Option Act, codified at Health & Safety Code section 443 et seq. The Act allows a competent adult who has been diagnosed with a terminal illness to request and obtain a prescription for drugs that the patient may self-administer to end his or her life. The law is effective June 9, 2016.
Aid-in-dying is also legal in Oregon, Washington and Vermont by statute, and in Montana by decision of that state’s supreme court. Doctors in those states may prescribe drugs to terminal patients who intend to use them to end their lives. The patients must meet certain requirements and complete a prescribed process before receiving the medication.
California’s procedures, like those of the other states, seek to protect terminal patients from rash decisions and over-anxious relatives. While patients may designate agents to make many kinds of health care decisions on their behalf, an agent is not permitted to request aid-in-dying drugs for a patient, and therefore these drugs cannot be requested through an advance health care directive.
The Act allows doctors, medical groups and hospitals to opt out of participation. Most, if not all, religious hospitals are expected to decline to participate. Physicians are not required to prescribe life-ending drugs to patients. The California Medical Association dropped its opposition to the bill. According to news reports, the State of California will pay for the drugs where the patient is covered by Medi-Cal.
Under the Act, an “aid-in-dying drug” means a “drug determined and prescribed by a physician for a qualified individual, which the qualified individual may choose to self-administer to bring about his or her death due to a terminal disease.” The Act does not specify what the appropriate drug might be.
Health and Safety Code section 443.22 provides the physician with a checklist to be used when a patient seeks an aid-in-dying drug. See the Attending Physician Checklist.
To summarize the requirements, a person seeking aid-in-dying drugs must meet the following criteria:
- The patient must be at least 18 years old
- They must have capacity to make medical decisions
- Diagnosed with a terminal illness by an attending AND consulting physician
- The individual must voluntarily express the wish to receive the aid-in-dying drug
- They must request the drug orally on two occasions at least 15 days apart
- Must request by written request which is signed/dated and witnessed by two adults
- Must be California resident (and provide proof of such residency)
- Must have physical and mental ability to self-administer the drug
- The decision must be confirmed that it is not due to coercion or undue influence
- The attending physician must offer the qualified individual an opportunity to withdraw or rescind the request
Upon filling the aid-in-dying prescription, the patient must complete a “Final Attestation for an Aid-in-Dying Drug to End My Life in a Humane and Dignified Manner” form within 48 hours before self-administering the drug.
Developments in the law should be closely monitored, as state regulators may well develop more detailed and specific standards for physicians facing a terminal patient who seeks an aid-in-dying drug.
HEALTHCARE PROVIDERS SHOULD PREPARE FOR END OF FEE FOR SERVICE PAYMENTS
Medicare reimbursement has slowly shifted from a system based primarily on fee for service to one that pays for the treatment of a population. Physicians and other providers who have relied on Medicare have seen payments reduced and general income levels decline as a result.
Covered California and Value Payments
Reinforcing the view that medical care can be made less expensive by changing the incentives for providers, Covered California has consistently promoted value-based payments over fee for service for physicians and other healthcare providers. It views this as a way to reward quality care and patient satisfaction, even though it has the effect of reducing payments to providers, pushing medicine toward a corporate model and driving smaller practices out of business. The same has happened with similar Medicare reforms.
The Model QHP Contract
The Covered California Board has been considering its contract with Qualified Health Plans (“QHP”) for the coming years. A review of the 2017 Qualified Health Plan Contract and Attachments shows that the Covered California Board is continuing its advance to reform payment models under the Healthcare Exchange.
The Qualified Health Plan Model Contract (“Model Contract”) is the agreement between each Qualified Health Plan (“QHP”) and Covered California. The contract sets the terms under which a QHP must operate in order to participate in California’s healthcare exchange. These contracts have become the principal means by which Covered California advances its major policy initiatives, such as adequate healthcare networks and payment reform for healthcare providers.
The Model Contract specifically references federal policy on incentivizing quality by tying payments to providers to measured performance. When providers meet specific quality indicators, or when enrollees make certain choices or exhibit behaviors associated with improved health, providers receive a higher level of payment. Such a policy requires quality reporting, care coordination, chronic disease management, patient-centered care, evidence-based medicine and health information technology. (Quality Improvement Strategy: Technical Guidance and User Guide for the 2017 Coverage Year.)
Attachment 7 to the QHP Model Contract
Attachment 7 to the Covered California 2017 Model Contract provides the substance of the policy. According to Attachment 7, QHPs are to work with Covered California to create healthcare networks based on value. In doing so, all QHPs will share the data they have received from providers across the state. The plan also contemplates meetings at which best practices are discussed.
QHPs Must Select Healthcare Providers Who Are Utilizing Quality Measurements
Under Attachment 7, all plans must include “quality” measurements in the selection and utilization of providers, including “clinical quality, patient safety and patient experience and cost.” Covered California will closely monitor the plans to ensure that QHPs contract only with providers and hospitals that demonstrate quality care.
QHPs must ensure that providers serving enrollees with conditions that require highly specialized management have “documented special experience and proficiency based on volume and outcome data.” Attachment 7 further requires submission of the Consumer Assessment of Healthcare Providers and Systems (CAHPS) survey, developed by the Agency for Healthcare Research and Quality. CAHPS gathers information on the consumer experience by:
- Asking about aspects of care for which the patient or enrollee is the best or only source of information.
- Asking about the aspects of care that patients say are most important.
- Asking patients to report on the health care they receive.
- Reflecting input from a broad spectrum of stakeholders, including patients, clinicians, administrators, accrediting bodies and policymakers.
Finally, Attachment 7 promotes the use of Patient-Centered Medical Homes and integrated care models, with quality and patient satisfaction as key data points; population-based care, including integrated care; and the use of electronic health record technology, including the use of data for results management, clinical decision support and patient support.
2017 continues the trend toward value-based care. Physicians and other providers who intend to continue in medicine should begin preparing their practices for these new payment models.
Various news organizations (for example, Law360) reported on Aetna’s jury verdict against Northern California surgery centers for over-billing the insurer for out-of-network procedures. The jury determined that the surgery centers should pay $37.4 million in damages. Aetna’s complaint included allegations that the surgery centers waived patient co-pays and other fees, sold shares to physicians (who received a substantial return on investment in addition to their own fee-for-service income), and engaged in other “fraud.”
Other lawsuits with similar allegations are pending. United Healthcare Services has filed a complaint against several Bay Area ASCs claiming that the ASCs’ bills are artificially inflated, that the providers charge different patients different rates (with out-of-network charges being the highest), that the ASCs failed to disclose the waiver of co-pays, and that physicians received inappropriate incentives for referring patients to the ASCs.
The insurers in these cases are attempting to use the courts to stop out-of-network billing, especially by ASCs. The conduct they complain of is a common feature of the current medical landscape. Surgery centers are typically physician-owned and tend not to contract with the major health plans. Physicians will often promote the ASC as providing superior service compared with alternative medical centers and hospitals. To encourage the patient to have a procedure at a facility that does not accept the patient’s insurance, the physician and the ASC will often assure the patient that they will seek reimbursement from the out-of-network insurer and that the service will be at no cost to the patient. Freed from in-network contracts, these facilities then seek their “reasonable fees” from the insurer.
The current litigation will certainly lead to appeals and court opinions that alter the legal landscape. The facts in the Aetna case appear to include evidence of communications among physicians encouraging referrals to the surgery centers, which would have been inflammatory to the jury.
However, existing law does not appear to support the insurers’ claims. For instance, the Affordable Care Act actually requires limiting co-payments for out-of-network emergencies. (“Any cost-sharing requirement expressed as a copayment or coinsurance rate imposed with respect to a participant, beneficiary, or enrollee for out-of-network emergency services cannot exceed the cost-sharing requirement imposed with respect to a participant, beneficiary or enrollee if the services were provided in network.” 45 C.F.R. 147.138.) The California Attorney General has opined that the waiver of co-payments owed under out-of-network insurance is permissible. (Dentists’ routine waiver of co-pay appropriate. 64 Ops. Cal. Atty. Gen. 782 (1981).) Discounts to encourage patient referrals are not impermissible. (People v. Duz-Mor Diagnostic Laboratory, Inc. (1998) 68 Cal. App. 4th 654.) Likewise, it is legal for physicians to refer patients to surgery centers in which they hold a financial interest. (California Business and Professions Code section 650(d).)
Providers who routinely bill out-of-network insurers should monitor these cases closely. The courts will be making ground-breaking decisions in this area in the coming months.
By Matt Kinley, Esq., LL.M. Mr. Kinley represents health care clients in Southern California.
Insurance companies issuing commercial general liability (CGL) policies are undoubtedly taking note of a noteworthy, though unpublished, federal appeals court decision. In April 2016, the Fourth Circuit Court of Appeals upheld a lower court’s ruling that a CGL policy may cover a data breach. The decision centered on the interpretation of policy language that the court said should be construed broadly. The ruling will likely cause insurers to scrutinize coverage language more closely and revise future policy definitions. For insureds, the decision should prompt a second look at policy language to determine whether a data breach arguably falls within the scope of coverage. The case, Travelers Indemnity Company of America v. Portal Healthcare Solutions, L.L.C. (https://www.scribd.com/doc/308033367/Travelers-v-Portal-Healthcare-Fourth-Circuit-Court-of-Appeals) (hereinafter “Portal Healthcare”), is at odds with other recent state court decisions.
The suit was prompted by a class action brought by patients of a hospital whose confidential medical records were publicly posted online by the hospital’s electronic record-keeping service, Portal Healthcare Solutions (“Portal”). Portal tendered the matter under two separate but substantially identical CGL policies issued by Travelers. In a declaratory relief action, Travelers argued that the data breach was not covered under the policies, but the District Court for the Eastern District of Virginia in Alexandria ruled that Travelers had a duty to defend under the Personal and Advertising Injury coverage section of the policies. The policy language triggered coverage because the claims arose from the “electronic publication of material that…gives unreasonable publicity to a person’s private life” or “the electronic publication of material that discloses information about a person’s private life.”
Travelers argued that posting the medical records online was not a “publication” within the meaning of the policy because it could not be proven that the records were actually viewed by a third party. The lower court and the appellate court rejected this narrow, “pars[ing]” definition of publication. The appellate court also held that the patients’ class-action complaint “at least potentially or arguably alleges a publication of private medical information” and that the conduct, if proven, would have given unreasonable publicity to and disclosed information about the patients’ private lives. The court determined that any doubt about the meaning of the word “publication” should be resolved in favor of coverage rather than against it.
The lower court’s opinion distinguished a Connecticut case which held that a CGL policy did not cover the loss of computer tapes containing personal information. See Recall Total Info. Mgmt. Inc. v. Fed. Ins. Co., 83 A.3d 664 (Conn. App. Ct. 2013). In that case, computer tapes fell out of the back of a van, were taken by an unknown person, and were never recovered. Id. at 667. That fact pattern was distinguished because it involved a single thief and no allegation that the stolen information had been placed on the internet. In Portal Healthcare, the court stressed that the facts alleged “potentially or arguably” constituted “publication.”
While insurers offer policies specifically addressing cyber liability and data breach, these policies can be cost-prohibitive or scarce. Business owners should consult their legal counsel to look closely at the terms of the business’ CGL policies and determine whether they may potentially or arguably cover a data breach. The exorbitant cost of defending a data breach lawsuit, especially a class action, may justify a declaratory relief action against a CGL carrier to determine whether the claims trigger a defense obligation. All companies should evaluate their cyber risks and exposures in order to make an informed decision about whether cyber liability coverage is worth the cost. Despite the holding in Portal Healthcare, securing coverage for data breach incidents under a CGL policy remains an uphill battle.
Matt Kinley speaks to the Los Angeles County Medical Association on March 23, 2016. Contact Mr. Kinley at email@example.com if you’re interested in attending.
CONGRESS DIRECTS ACTION IN HEALTHCARE CYBERSECURITY
In December 2015 Congress passed a 2,000-page spending bill that was enacted into law. Included in its text was the Cybersecurity Information Sharing Act of 2015 (CISA). While that legislation received most of the headlines, the spending bill also brought some major developments in privacy for the healthcare industry. Section 405 of Title IV (the Cybersecurity Act of 2015) directs the Department of Health and Human Services (HHS) to develop best practices for organizations in the healthcare industry.
The legislation requires HHS to report to Congress on the preparedness of the health care industry to respond to cybersecurity threats. The report must identify the HHS official responsible for coordinating threat efforts and include plans for how HHS divisions will communicate with one another regarding threats. Congress also mandated a one-year task force to plan a system for reporting threats in real time and to prepare cybersecurity preparedness information for dissemination in the healthcare industry. Most notably, HHS has been directed to collaborate with other governmental entities and industry experts to establish best-practice standards specific to healthcare cybersecurity. The intent is to create an industry-standard, cost-effective method of reducing cybersecurity risk for healthcare organizations.
The inclusion of Section 405 in the Cybersecurity Act of 2015 reinforces the federal government’s well-established priority of protecting personal health information. Protection is necessary because of the high value of personal health information on the black market. According to the Insurance Journal, a complete health record containing a patient’s entire health profile can fetch as much as $500. The value lies in the ability of criminals to use the record to fraudulently bill insurers for medical services. Compared with industries like the payment card industry, which has implemented its own cybersecurity standards, the healthcare industry is woefully behind in its efforts to protect valuable private information.
Healthcare facilities, both public and private, should stay ahead of HHS and develop their own internal policies, security measures, and best practices to protect their patients’ confidential information. While future guidance from HHS will help establish industry-standard best practices, healthcare providers should evaluate their cybersecurity needs now and work with experts (attorneys, technologists, and governmental agencies) to stay ahead of the curve. The attention given to healthcare cybersecurity in the coming years will undoubtedly increase the scrutiny of healthcare providers who fail to meet industry standards.