Disclaimer
This publication is designed to provide general information on pertinent legal topics. The statements made are provided for educational purposes only. They do not constitute legal or financial advice nor do they necessarily reflect the views of Holland & Hart LLP or any of its attorneys other than the author. This publication is not intended to create an attorney-client relationship between you and Holland & Hart LLP. Substantive changes in the law subsequent to the date of this publication might affect the analysis or commentary. Similarly, the analysis may differ depending on the jurisdiction or circumstances. If you have specific questions as to the application of the law to your activities, you should seek the advice of your legal counsel.
Privacy Policy
View our privacy policy.
Home Health Care Workers to Receive Minimum Wage and Overtime Protections
/in Employee Benefits, EmploymentBy Mark Wiletsky
If your organization is in the home health field, be aware that the rules for how to pay home care workers is going to significantly change. Under a recently issued Final Rule, the U.S. Department of Labor (DOL) will extend FLSA pay protections to an estimated 1.9 million home care workers in the U.S. who currently are treated as exempt under the companionship exemption. As a result, workers who provide in-home care to ill, elderly, or disabled individuals through a third party employer will be covered by the minimum wage and overtime provisions of the Fair Labor Standards Act (FLSA) beginning January 1, 2015.
Companionship Services Exemption Narrowed
The so-called “companionship exemption,” implemented in 1975, allowed organizations employing workers who provide home care assistance to elderly, ill, injured or disabled persons to treat these workers as exempt from the federal minimum wage and overtime pay provisions. The new Final Rule narrows the exemption for companionship services in two key ways. Read more
Providing Auxiliary Aids to Hearing or Visually Impaired Persons
/in Nondiscrimination, Interpreters and Translatorsby Kim Stanger, Holland & Hart LLP
We are often asked whether healthcare providers must provide interpreters or other auxiliary aids to persons who are hearing or visually impaired. The Americans with Disability Act (“ADA”) prohibits places of public accommodation (including private physician offices and hospitals) from discriminating against persons with disabilities. Healthcare providers must provide auxiliary aids to patients or companions of the patient (e.g., parents, spouses, or personal representatives) if doing so is necessary to ensure effective communication unless doing so would cause undue hardship or fundamentally alter the nature of the provider’s services—standards that are very difficult to prove. The fact that an appropriate auxiliary aid costs more than reimbursement for the provider’s service is not “undue hardship.” Appropriate auxiliary aids may include interpreters, video remote interpreting (“VRI”), written materials, exchange of written notes, assistive listening devices, etc. The provider should consult with the patient, but the ultimate decision as to what measures to take rests with the provider so long as the measures ensure effective communication. For simple communications involving hearing impaired persons, lip reading or using a pen and note pad may be sufficient; for communications involving complex information (e.g., discussions about significant medical issues, treatment options, or instructions), the Department of Justice (“DOJ”) has suggested that ASL interpreters may be required.
ADA regulations confirm that providers may not charge the patient for the cost of the auxiliary aids, nor may providers require the patient to bring their own interpreter or supply other auxiliary aids. Providers may not rely on adults accompanying the patient to interpret unless it is an emergency and there is no other interpreter available, or the patient requests that the adult interpret and the provider believes reliance on the adult is appropriate. Providers may not rely on minors to interpret unless it is an emergency and there is no other interpreter available. Providers may not coerce, threaten, intimidate or retaliate against a patient or their companion for requesting auxiliary aids or exercising their rights.
For more information, see the ADA regulations at 28 CFR part 36; the OCR’s website, www.hhs.gov/ocr/civilrights; or the DOJ’s ADA website, www.ada.gov. Among other things, the DOJ’s website contains information about its ongoing Barrier-Free Health Care Initiative.
Kim Stanger is the Chairman of Holland & Hart LLP’s Health Law Group. He can be reached at kcstanger@hollandhart.com or (208) 383-3913. To subscribe to Holland & Hart’s free e-newsletter or blog concerning health law issues, please e-mail Mr. Stanger.
This publication is designed to provide general information on pertinent legal topics. The statements made are provided for educational purposes only. They do not constitute legal or financial advice nor do they necessarily reflect the views of Holland & Hart LLP or any of its attorneys other than the author. This publication is not intended to create an attorney-client relationship between you and Holland & Hart LLP. Substantive changes in the law subsequent to the date of this publication might affect the analysis or commentary. Similarly, the analysis may differ depending on the jurisdiction or circumstances. If you have specific questions as to the application of the law to your activities, you should seek the advice of your legal counsel.
Checklist for HIPAA Business Associate Agreements
/in HIPAAby Kim Stanger, Holland & Hart LLP
In the wake of the HITECH Act and recent Omnibus Rule changes, business associates1 of covered entities must comply with most of the HIPAA Privacy and Security Rules applicable to covered entities or face penalties of $100 to $50,000 per violation.2 Among other things, covered entities and business associates must execute agreements whereby the business associate agrees to comply with certain Privacy and Security Rule provisions affecting protected health information (“PHI”).3 The Omnibus Rules will require most covered entities and business associates to review and update their business associate agreements (“BAAs”) by September 23, 2013.4 The Omnibus Rules will also require covered entities to execute BAAs with certain entities that were not considered business associates in the past, including data storage companies and entities that provide data transmission services and require access to the data on a routine basis.5 To see a decision tree for determining business associate status, click here.
Checklist for BAA Compliance. Under the HIPAA Privacy and Security Rules, BAAs generally must contain the following terms.6 To the extent the business associate enters a BAA with its subcontractors, those subcontract BAAs should also contain equivalent terms.7
§ 164.526.
§ 164.528, including certain information concerning disclosures of PHI in violation of the Privacy Rule.
Additional Terms. The OCR has published sample BAA language at its website, http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html. However, the OCR’s sample language may not include additional terms that covered entities and business associates may want to include in their agreements. For example, while not required by HIPAA, covered entities may want to:
Business associates may want to include additional or alternative terms that minimize their exposure, such as:
Liability for Business Associate’s Action. The HIPAA Privacy and Security rules confirm that a covered entity violates HIPAA if the covered entity knew of a pattern of activity or practice of a business associate that constituted a material breach or violation of the BAA unless the covered entity took reasonable steps to cure the breach, end the violation, or terminate the contract.11 In addition, a covered entity may be vicariously liable for the business associate’s misconduct if the business associate was acting as the agent of the covered entity.12 The same rules apply to a business associates with respect to their subcontractors.13 Accordingly, covered entities and business associates should ensure that their BAAs:
Effect of No BAA. Covered entities and business associates violate HIPAA if there is no required BAA in place; however, business associates must still comply with the relevant HIPAA Rules even if there is no BAA.
Additional Resources. If you have questions about these or other issues, the Office of Civil Rights maintains a helpful website on HIPAA issues, http://www.hhs.gov/ocr/privacy/. In addition, Holland & Hart has prepared sample HIPAA forms for its clients, including sample business associate and subcontractor agreements. If you are interested in obtaining such forms, please contact me at kcstanger@hollandhart.com.
1Under HIPAA, “business associates” are generally defined as those entities outside of the covered entity’s workforce who create, receive, maintain or transmit PHI on behalf of a covered entity to perform certain enumerated functions, including claims processing; data analysis; utilization review; quality assurance; patient safety activities; billing; benefit management; practice management; legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation or financial services; data transmission services if routine access to data is required; and subcontractors of business associates. 45 CFR § 160.103.
2Id. at §§ 164.402 and .404.
3Id. at §§ 164.308(b) and .502(e)(1)-(2).
4The Omnibus Rule extends the deadline to September 23, 2014, if (1) the BAA complied with HIPAA rules as they existed before January 25, 2013, and (2) the BAA is not renewed or modified prior to September 23, 2014. See id. at
§ 164.532(e).
5Id. at § 164.103.
6A covered entity need not execute a BAA if the covered entity disclosed only a limited data set (as defined by HIPAA) to the business associate and the covered entity has a data use agreement with the business associate that complies with §§ 164.514(e)(4) and 164.314(a)(1), if applicable. See id. at § 164.504(e)(3)(iv). If the covered entity and business associate are both governmental entities, the BAA may contain certain alternative or additional provisions. See id. at
§ 164.504(e)(3).
7Id. at §§ 164.314(a)(2)(iii) and .504(e)(5).
8Id. at § 164.504(e)(2)(i) and (4)(i)-(ii).
9Id. at §§ 164.504(e)(2)(ii) and .314(a)(2)
10Id. at § 164.504(e)(2)(ii)(J) and (iii). The covered entity may omit the provision authorizing termination if such authorization is inconsistent with the statutory obligations of the covered entity or its business associate. See id.
at § 164.504(e)(3)(iii).
11Id. at § 164.504(e)(1)(ii).
12Id. at § 160.402(c).
13Id. at §§ 160.402(c) and 164.504(e)(1)(iii).
For questions regarding this update, please contact
Kim C. Stanger
Holland & Hart, U.S. Bank Plaza, 101 S. Capitol Boulevard, Suite 1400, Boise, ID 83702-7714
email: kcstanger@hollandhart.com, phone: 208-383-3913
This publication is designed to provide general information on pertinent legal topics. The statements made are provided for educational purposes only. They do not constitute legal or financial advice nor do they necessarily reflect the views of Holland & Hart LLP or any of its attorneys other than the author. This publication is not intended to create an attorney-client relationship between you and Holland & Hart LLP. Substantive changes in the law subsequent to the date of this publication might affect the analysis or commentary. Similarly, the analysis may differ depending on the jurisdiction or circumstances. If you have specific questions as to the application of the law to your activities, you should seek the advice of your legal counsel.
Idaho University to Pay $400,000 for HIPAA Violations: Lessons Learned and Resources to Avoid Penalties
/in HIPAAby Kim Stanger, Holland & Hart LLP
This week, Idaho State University agreed to pay $400,000 to settle HIPAA Security Rule violations that allegedly left the electronic health information of 17,500 patients accessible for at least 10 months. According to the Office of Civil Rights (“OCR”):
All of these items were required by the Security Rule. The OCR’s press release is located here.
This case offers several lessons for all providers and their business associates:
Holland & Hart HIPAA Resources. Holland & Hart has prepared resources to help clients and contacts comply with the HIPAA rules, including the following:
We hope these resources will help our clients and friends comply with HIPAA and avoid the penalties.
For questions regarding this update, please contact
Kim C. Stanger
Holland & Hart, U.S. Bank Plaza, 101 S. Capitol Boulevard, Suite 1400, Boise, ID 83702-7714
email: kcstanger@hollandhart.com, phone: 208-383-3913
This publication is designed to provide general information on pertinent legal topics. The statements made are provided for educational purposes only. They do not constitute legal or financial advice nor do they necessarily reflect the views of Holland & Hart LLP or any of its attorneys other than the author. This publication is not intended to create an attorney-client relationship between you and Holland & Hart LLP. Substantive changes in the law subsequent to the date of this publication might affect the analysis or commentary. Similarly, the analysis may differ depending on the jurisdiction or circumstances. If you have specific questions as to the application of the law to your activities, you should seek the advice of your legal counsel.
OIG Issues Revised Self-Disclosure Protocol
/in Fraud and Abuseby Patricia (Pia) Dean, Holland & Hart LLP
On April 17, 2013, the Department of Health and Human Services Office of Inspector General released a revised provider self-disclosure protocol (SDP) that supersedes and replaces the 1998 Federal Register Notice and the Open Letters to Health Care Providers issued in 2006, 2008, and 2009. The SDP reaffirms the obligation on all members of the health care industry to take measures to detect and prevent fraudulent and abusive activities, and establishes new reporting requirements and guidance on calculating penalty multipliers.
Importance of Voluntary Self-Disclosure
The new SDP reaffirms the importance of self-disclosure, including OIG’s position that individual and entities that use the SDP and cooperate with OIG during the SDP process deserve to pay a lower multiplier on single damages than would normally be required. For the first time, the SDP states OIG’s general practice of requiring a minimum multiplier of 1.5 times the single damages, although the specific multiplier accepted may vary depending on the facts of each case.
CMS 60-Day Report and Repay Rule
The new protocol addresses CMS’s proposed 60-day “report and repay” rule. The Affordable Care Act generally requires that providers report and return Medicare or Medicaid overpayments within 60 days of the date the overpayment is first identified. Failure to report and repay within 60 days may create liability under the Civil Monetary Penalties Law (CMPL) and False Claims Act. CMS issued its proposed rule implementing the 60-day repayment obligation in February 2012. (77 FR 9179). The proposed rule would suspend the obligation to report overpayments when OIG acknowledges receipt of a submission on the SDP, provided the submission is timely made. In return for suspending the 60-day requirement, the new SDP states that OIG expects disclosing parties to disclose with a good-faith willingness to resolve all liability within the CMPL’s six-year statute of limitations. OIG has indicated it will provide additional guidance regarding the 60-day obligation and SDP process after CMS releases a final rule.
Eligibility Criteria and Guidance
The SDP provides greater guidance on how to investigate potentially fraudulent conduct, quantify damages, and report the conduct to OIG. According to the SDP, over the past 15 years, it has resolved over 800 disclosures, resulting in recoveries of more than $280 million to Federal health care programs. The SDP states that all health care providers, suppliers, or other individuals or entities that are subject to OIG’s civil monetary penalty authority are eligible to use the SDP. Accordingly, the SDP is not limited to any particular industry, medical specialty, or type of service. By way of example, the SDP states that a pharmaceutical or medical device manufacturer may use the SDP to disclose potential violations of the Federal anti-kickback statute (AKS) because such violations trigger CMP liability.
In addition, the new protocol delineates conduct that is not eligible for the SDP, including (1) matters that do not involve potential violations of Federal criminal, civil, or administrative law for which civil monetary penalties are authorized, such as one exclusively involving overpayments or errors, (2) requests for opinions from OIG regarding whether an actual or potential violation has occurred, and (3) disclosure of an arrangement that involves only liability under the physician self-referral law (Stark) without accompanying potential liability under the AKS for the same arrangement. Conduct that only involves Stark violations should be disclosed to CMS through CMS’s Self-Referral Disclosure Protocol.
Among other requirements, the SDP requires that the disclosing parties explicitly identify the laws that were potentially violated, and not just refer broadly to federal laws, rules and regulations. The SDP provides details for the content of all submissions as well as the specific requirements for conduct involving false billing, excluded persons, and the anti-kickback statute and physician self referral law.
The revised SDP is available here.
This publication is designed to provide general information on pertinent legal topics. The statements made are provided for educational purposes only. They do not constitute legal or financial advice nor do they necessarily reflect the views of Holland & Hart LLP or any of its attorneys other than the author. This publication is not intended to create an attorney-client relationship between you and Holland & Hart LLP. Substantive changes in the law subsequent to the date of this publication might affect the analysis or commentary. Similarly, the analysis may differ depending on the jurisdiction or circumstances. If you have specific questions as to the application of the law to your activities, you should seek the advice of your legal counsel.