Medical Record Retention
in Hospitals & Health Systems, Physician Practices by Kim C. Stanger, Holland & Hart LLP
I am often asked how long a practice must maintain medical records. The answer depends on the type of provider you are and your risk tolerance. Providers should generally consider the following in establishing their record retention policies:
1. Patient care. The primary consideration should be patient care. Some practices (e.g., oncology) may want to retain medical records longer than the relevant regulatory requirement or statute of limitations period because the records may be important to future patient care. If your electronic records program allows, you may want to retain the records permanently.
2. Statutory or Regulatory Requirements. State and federal regulations require hospitals and certain other institutional providers to maintain medical records for specified periods, but those laws usually do not apply directly to physicians or physician groups. There are numerous guides online. For example, HealthIT.gov published a 50-state survey of record retention requirements at http://www.healthit.gov/sites/default/files/appa7-1.pdf. The Idaho Department of Health and Welfare published a helpful but incomplete summary of federal record retention regulations, which may be accessed at http://healthandwelfare.idaho.gov/Portals/0/Medical/LicensingCertification/RecordRetentionReqs.pdf. CMS published a MedLearn article on record retention at https://www.cms.gov/Outreach-and-Education/Medicare-Learning-Network-MLN/MLNMattersArticles/downloads/SE1022.pdf. AHIMA is usually a good source for online guidance about record retention laws and regulations.
US District Court Decision Provides Cautionary Tale on False Claim Act Requirement to Return Identified Overpayments from Medicare or Medicaid
in Fraud and Abuse by Pia Dean, Holland & Hart LLP
A recent ruling from the United States District Court for the Southern District of New York is the first decision regarding the requirement of the Affordable Care Act (ACA) to return identified overpayments from Medicare and Medicaid within 60 days and provides a cautionary tale about the failure to do so. The Court’s opinion offers clarification about when the 60-day “report and repay” provision of the ACA starts and underscores the importance of identifying and acting on a notice of improper payments in a timely manner.
Background
The action stems from a computer glitch on the part of Healthfirst, Inc. (Healthfirst), a private, non-profit insurance program. The glitch caused three New York City hospitals to submit improper claims to Medicaid for services rendered to beneficiaries of a managed care program administered by Healthfirst. All three hospitals belong to a network of non-profit hospitals operated and coordinated by Continuum Health Partners, Inc. (Continuum).
Recruiting Physicians: Beware Stark, Anti-Kickback Statutes, and IRS Rules
in Fraud and Abuse by Kim C. Stanger, Holland & Hart LLP
Hospitals and other entities that offer incentives to recruit physicians must ensure their arrangements comply with federal and state laws governing financial relationships with physicians, including the Ethics in Patient Referrals Act (“Stark”), Anti-Kickback Statute (“AKS”), and the IRS’s 501(c)(3) requirements. Recruitment arrangements usually need to fit within one of the following safe harbors:
1. Employment Arrangements. If you are going to hire the physician as an employee and pay him or her no more than fair market value, you can structure the deal to fit within Stark’s bona fide employment safe harbor, which requires the following:
(42 CFR 411.357(c)). Under the employment safe harbor, you are not required to have a written agreement or establish the compensation formula in advance, but it is generally a good idea to do so to avoid misunderstandings. Complying with the foregoing Stark parameters should also satisfy the AKS and 501(c)(3) rules. (See 42 CFR 1001.952(i); IRS Healthcare Provider Reference Guide, 2004 EO CPE Text at p.18). If you need to pay more than fair market value or provide additional incentives to recruit the physician, you will likely need to structure the deal to satisfy the Stark recruitment safe harbor described below.
Appellate Court Affirms $237 Million Award Against Hospital for Stark Law Violations
in Fraud and Abuse by Teresa Locke, Holland & Hart LLP
The Fourth Circuit Court of Appeals recently issued an alarming decision affirming a $237 million judgment against Tuomey Healthcare Systems, a nonprofit hospital located in a small, largely rural South Carolina community that is a federally-designated medically underserved area. The judgment resulted from a jury’s finding that Tuomey submitted 21,730 false claims to Medicare for reimbursement knowing that the claims were generated through part-time physician employment contracts that violated the referral constraints found in the Stark Law. The decision clarifies that hospital “facility fees” associated with outpatient procedures performed by physicians constitute “referrals” under the Stark Law even when the “referring” physician is personally performing the outpatient procedure. The false claims themselves had a total value of $39 million, but with automatic treble damages and civil penalties in the minimum amount for each violation, the resulting judgment was for $237 million. Despite its affirmance of the judgment, the Fourth Circuit panel recognized “the troubling picture this case paints: An impenetrably complex set of laws and regulations that will result in a likely death sentence for a community hospital in an already medically underserved area.” U.S. ex rel. Drakeford v. Tuomey.
The part-time employment contracts at issue in Tuomey allowed the physicians to maintain their private practices, but required them to perform all outpatient surgical procedures exclusively at the hospital. The contracts had multiple compensation components, two of which proved problematic under Stark. First, each physician was paid an annual guaranteed base salary which was adjusted from year to year based on the amount the physician collected from all services rendered the previous year. Second, the bulk of the physicians’ compensation was earned in the form of a productivity bonus, which paid the physicians 80% of the amount of their collections for that year.
HIPAA, E-mails, and Texts to Patients or Others
in HIPAA by Kim C. Stanger, Holland & Hart LLP
The HIPAA Privacy and Security Rules require covered entities (including healthcare providers and health plans) and their business associates to implement certain safeguards when e-mailing or texting electronic protected health information (“e-PHI”) to patients or others.
E-mails and Texts to Patients. The HIPAA Privacy Rule not only allows but requires covered entities to communicate with patients via e-mail or text if requested by the patient. (See 45 CFR 164.522(b)). However, the Privacy Rule requires covered entities to implement appropriate safeguards when e-mailing or texting e-PHI to patients. The Office for Civil Rights (“OCR”) explained:
The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so. (See 45 CFR 164.530(c)). For example, certain precautions may need to be taken when using e-mail to avoid unintentional disclosures, such as checking the e-mail address for accuracy before sending, or sending an e-mail alert to the patient for address confirmation prior to sending the message. Further, while the Privacy Rule does not prohibit the use of unencrypted e-mail for treatment-related communications between health care providers and patients, other safeguards should be applied to reasonably protect privacy, such as limiting the amount or type of information disclosed through the unencrypted e-mail. In addition, covered entities will want to ensure that any transmission of electronic protected health information is in compliance with the HIPAA Security Rule requirements at 45 CFR Part 164, Subpart C.
(OCR FAQ dated 12/15/08, available at http://www.hhs.gov/ocr/privacy/hipaa/faq/health_information_technology/570.html).