Disclaimer
This publication is designed to provide general information on pertinent legal topics. The statements made are provided for educational purposes only. They do not constitute legal or financial advice nor do they necessarily reflect the views of Holland & Hart LLP or any of its attorneys other than the author. This publication is not intended to create an attorney-client relationship between you and Holland & Hart LLP. Substantive changes in the law subsequent to the date of this publication might affect the analysis or commentary. Similarly, the analysis may differ depending on the jurisdiction or circumstances. If you have specific questions as to the application of the law to your activities, you should seek the advice of your legal counsel.
Privacy Policy
View our privacy policy.
HIPAA: Releases of Information v. Authorization
/in HIPAAby Kim Stanger
Healthcare providers are often confused by or misunderstand the rules governing the release of a patient’s information at the patient’s request. HIPAA allows certain disclosures without the patient’s written authorization, including disclosures to other providers or third party payers for purposes of treatment, payment, or healthcare operations; to family members or others involved in the patient’s care or payment if certain conditions are met; or for certain government or public safety concerns if regulatory requirements are satisfied. (45 CFR 164.502, 164.506, 164.510 and 164.512). Other disclosures generally require the patient’s consent or written authorization. (45 CFR 164.502). The rules for such written releases of information (“ROI’s”) differ depending on who is requesting the records and to whom the disclosure will be made.
1. Disclosures to the Patient or Personal Representatives. Under HIPAA and subject to limited exceptions, a patient or the patient’s personal representative1 generally has a right to obtain a copy of the patient’s protected health information maintained in the patient’s designated record set.2 (45 CFR 164.524(a)(1)). If the provider chooses, the provider may require such requests to be in writing so long as the provider informs the individual of the requirement. (45 CFR 164.524(b)(1)). The provider must produce the records in the form or format requested (e.g., paper or electronic format) if readily producible. (45 CFR 164.524(c)(2)). It is usually a good idea to require written requests to document the date, scope, and format of the request. Once received, the provider has 30 days to respond to the request. (45 CFR 164.524(b)(2)). Although the provider may respond immediately, it is usually a good idea to take some time to collect and review the requested records before responding, thereby ensuring that the records provided are accurate, complete, and do not contain inappropriate information. Providers may charge the patients or personal representatives a reasonable cost-based fee for the records. (45 CFR 164.524(c)(4); see article at https://www.hollandhart.com/charging-patients-for-copies-of-their-records-ocr-guidance). The patient’s right to access information generally includes all information in their designated record set, including records created by or received from other providers. (OCR, Individuals’ Right under HIPAA to Access their Health Information 45 CFR § 164.524, hereafter “OCR Guide” available here). Read more
CardioNet Settlement Shows Need for Healthcare Providers to Secure Mobile Devices
/in HIPAA, ProvidersBy Kim Stanger
In the first Health Insurance Portability and Accountability Act (“HIPAA”) settlement involving a wireless health services provider, CardioNet on April 24 agreed to pay $2.5 million for allegedly losing a laptop containing individual health information.
The size of this and other recent settlements demonstrates the increasingly active stance being taken by the Department of Health and Human Services Office for Civil Rights (“OCR”) on the need for organizations to implement strong, HIPAA-compliant security policies – including those involving mobile devices used for work. The settlement was based on the impermissible disclosure of unsecured electronic protected health information (“ePHI”). Read more
HIPAA: Should You Ask Patients for Consent to Disclose Information?
/in HIPAAby Kim Stanger
Healthcare providers often limit unnecessarily their ability to use or disclose protected health information without the patient’s consent, thereby increasing their potential liability for unauthorized disclosures. For example, providers often:
They do so under the mistaken belief that HIPAA requires such. In reality, such practices may actually increase potential HIPAA liability. Read more
Group Compensation Arrangements: Stark Requirements
/in Legislationby Kim Stanger
Physician practices must ensure that their group compensation structures comply with the federal Ethics in Patient Referrals Act (“Stark”) if they intend to bill Medicare or Medicaid for services rendered or referred by the group physicians. Under Stark, if a physician1 (or a member of the physician’s family) has a financial relationship with an entity, the physician may not refer patients to the entity for certain designated health services (“DHS”)2 payable by Medicare and Medicaid unless the financial relationship is structured to fit within a regulatory safe harbor. (42 CFR § 411.353). Stark applies to DHS referrals within the group, so the physician’s compensation arrangement must be structured to comply with Stark; otherwise, the group may not bill Medicare and Medicaid for DHS that were referred improperly, and, if they were improperly billed, the entity must repay amounts improperly received. Failure to report and repay within 60 days may result in additional civil penalties of $15,000 per claim as well as False Claims Act liability. Repayments may easily run into hundreds of thousands of dollars. Given the potential liability, it is critical that physician group compensation arrangements be structured to fit within one of the following regulatory safe harbors if they intend to participate in Medicare or Medicaid. Read more
Withdrawing Care for Developmentally Disabled Persons: New Idaho Standards
/in ADAby Kim Stanger
Recent amendments will allow guardians and those treating developmentally disabled persons greater discretion in withholding or withdrawing artificial life-sustaining treatment, thereby avoiding situations in which developmentally disabled persons were forced to suffer painful, extended procedures which may be considered inhumane.
The Former Standard. Under Idaho law, the guardian or personal representative of an incompetent person may generally authorize the medically appropriate withdrawal of treatment for the patient. (I.C. §§ 39-4504(1) and 39-4514(3)). In the case of developmentally disabled persons, however, the former law prohibited guardians and physicians of developmentally disabled persons from withholding or withdrawing artificial life-sustaining treatment unless the treating physician and one other physician certified that the person had a terminal condition such that the application of artificial life-sustaining treatment would only serve to prolong death for a period of hours, days or weeks, and that death was imminent regardless of the life-sustaining procedures. (I.C. § 66-405(7)-(8)). Unfortunately, this standard looked only at the length of the patient’s life without considering the pain that the patient may be forced to endure in the meantime. Because of advances in medicine, healthcare providers are often able to keep persons alive for months or years, but at a terrible cost in suffering to the patient and their loved ones. Application of the former standard sometimes resulted in heartbreaking situations in which developmentally disabled persons—often with little or no cognition—were relegated to an existence that offered nothing more than perpetual pain or discomfort instead of allowing the medically appropriate withdrawal treatment. By so doing, the standard deprived developmentally disabled persons of rights that were offered to others. Read more