March 14, 2019

Common Stark Concerns for Hospitals

by Kim Stanger

Unless structured properly, a hospital’s financial relationship with referring physicians or other providers may violate the federal Ethics in Patient Referrals Act (“Stark”) and Anti-Kickback Statute (“AKS”), resulting in civil and criminal fines, penalties, and repayments. Under Stark, if a hospital has a financial relationship with a physician, the physician may not refer patients to the hospital for certain designated health services payable by Medicare or Medicaid unless the arrangement fits within a regulatory safe harbor. (42 USC § 1395dd; 42 CFR § 411.353). The AKS generally prohibits knowingly offering, paying, soliciting or receiving remuneration to induce referrals for items or services payable by federal healthcare programs unless the arrangement fits within a regulatory safe harbor. (42 USC § 1320a-7b(b); 42 CFR § 1001.952). Below are some of the top compliance concerns arising from relationships with referring providers:

1. No Written Agreement. Except for employment arrangements, Stark and the AKS generally require that financial arrangements are documented in writing and signed by the parties, including arrangements involving the payment for services, sale or lease of space or equipment, recruitment subsidies, etc. (See, e.g., 42 CFR §§ 411.357(a), (b), (d), (e), (l), (p), (y), and 1001.952(b)-(d)). CMS has confirmed that a single formal contract is not necessarily required; instead, “a collection of documents, including contemporaneous documents evidencing the course of conduct between the parties, may satisfy the writing requirement…” (80 FR 71315).


February 12, 2019

Telehealth: Practicing Across the Idaho Border

by Kim Stanger

More healthcare practitioners are using telehealth to render patient care or expand their practices. When telehealth crosses state borders, the practitioner must ensure that he or she is licensed in or otherwise authorized to practice medicine in the state where the patient resides. The Model Policy issued by the Federation of State Medical Boards states:

A physician must be licensed, or under the jurisdiction, of the medical board of the state where the patient is located. The practice of medicine occurs where the patient is located at the time telemedicine technologies are used. Physicians who treat or prescribe through online services sites are practicing medicine and must possess appropriate licensure in all jurisdictions where patients receive care.

(Model Policy for the Appropriate Use of Telemedicine Technologies in the Practice of Medicine (2014), available here).


February 5, 2019

Medical Record Retention Guidelines

By Melissa Lou, Kim Stanger, and Christopher Mack

Clients frequently ask us how long they should retain medical records and related business records. The answer depends on various factors, including the type of record, applicable regulatory and contract requirements, and the provider’s risk tolerance and resources. Nevertheless, state record retention guides may be valuable to clients as they consider their internal policies. The Idaho, Utah, and Wyoming state charts below are intended as a guideline. Providers should confirm laws that may apply in their particular state, or that may apply to their particular situation.

January 23, 2019

Identifying Business Associates: Make Sure You Have BAAs in Place

by Kim Stanger

Failing to have HIPAA business associate agreements (“BAAs”) can result in significant penalties for healthcare providers and business associates. Last month, the OCR imposed a $500,000 settlement and robust corrective action plan against a physician group that failed to have a BAA with its billing company. After the billing company improperly allowed access to protected health information on its website, the OCR looked to the physician group to pay the price. (See https://www.hhs.gov/about/news/2018/12/04/florida-contractor-physicians-group-shares-protected-health-information-unknown-vendor-without.html).

Under HIPAA, “business associates” are essentially those entities who create, access, maintain or transmit PHI on behalf of a healthcare provider. (45 CFR § 160.103, definition of “business associate”). HIPAA requires healthcare providers to execute a BAA before disclosing protected health information (“PHI”) to their business associate. (45 CFR § 164.502(e)). It also requires business associates to execute a BAA with their subcontractors who handle PHI on behalf of the business associate. (Id.). The BAA must contain certain required terms. As recent settlements confirm, healthcare providers who fail to execute a BAA are subject to HIPAA penalties and may be vicariously liable for their business associate’s misconduct.


January 8, 2019

HIPAA Breach Notification: When and How to Self-Report

by Kim Stanger

So you just discovered that protected health information (“PHI”) from your organization was improperly accessed or disclosed. Are you required to self-report the violation to the affected individual and HHS?

HIPAA Breach Notification Rule. Not all HIPAA violations are required to be reported to the relevant patient or HHS. Under the breach notification rule, covered entities are only required to self-report if there is a “breach” of “unsecured” PHI. (45 CFR § 164.400 et seq.).


November 27, 2018

EMTALA: Guide for Exams, Treatment and Transfers

by Kim Stanger

The Emergency Medical Treatment and Active Labor Act (“EMTALA”) generally requires hospitals to provide emergency care to patients who come to the hospital; violations may result in penalties of $53,000 to $105,000; private lawsuits; and/or termination of the hospital’s Medicare provider agreement. To help hospitals and providers comply, Holland & Hart has published its EMTALA Guide, which is available here. Among other things, the Guide addresses:

  • Which entities are covered by EMTALA?
  • When and where is EMTALA triggered?
  • EMTALA and urgent care centers.
  • Ambulances and diversions.
  • When and what is required for an appropriate medical screening exam (“MSE”)?
  • Who can perform MSEs?
  • How to determine if a patient is stabilized.
  • What is required for an appropriate transfer?
  • When must another facility receive transfers?
  • Documenting refusal of treatment or transfers.
  • Reporting EMTALA violations.

For questions regarding this update, please contact:
Kim C. Stanger
Holland & Hart, 800 W Main Street, Suite 1750, Boise, ID 83702
email: kcstanger@hollandhart.com, phone: 208-383-3913

This publication is designed to provide general information on pertinent legal topics. The statements made are provided for educational purposes only. They do not constitute legal or financial advice nor do they necessarily reflect the views of Holland & Hart LLP or any of its attorneys other than the author. This publication is not intended to create an attorney-client relationship between you and Holland & Hart LLP. Substantive changes in the law subsequent to the date of this publication might affect the analysis or commentary. Similarly, the analysis may differ depending on the jurisdiction or circumstances. If you have specific questions as to the application of the law to your activities, you should seek the advice of your legal counsel.

October 31, 2018

Department of Health & Human Services Upgrades Security Risk Assessment Tool

By Kim Stanger, Steven Lau, and Romaine Marshall

Under the Health Information Privacy and Portability Act (HIPAA), “covered entities” (generally speaking health care providers and their business associates) must all complete a risk assessment to identify and mitigate potential security risks (45 C.F.R. 164.308(a)(1)(ii)(A)). As many companies and providers have discovered, completing a risk assessment is time- and resource-intensive and can be an overwhelming and expensive undertaking.

October 22, 2018

Handling HIPAA Breaches: Investigating, Mitigating and Reporting

by Kim Stanger

HIPAA privacy and security violations can result in fines of $110 to $55,100 to covered entities (including healthcare providers and health plans) and their business associates. (45 CFR 160.404). If the violation resulted from “willful neglect”, the Office for Civil Rights (“OCR”) must impose a mandatory fine of $11,002 to $55,100. (45 CFR 160.404). To make matters worse, covered entities and their business associates must self-report breaches of unsecured protected health information (“PHI”) to the affected individual and to HHS (45 CFR 164.400); failure to do so may constitute “willful neglect” resulting in mandatory fines. The good news is that the OCR may not impose a fine so long as the covered entity or business associate did not act with “willful neglect” and corrected the problem within 30 days. (45 CFR 160.410(b)).

Responding to Possible Breaches. Given the potential consequences, it is critical that covered entities and business associates respond appropriately to potential HIPAA breaches to avoid or minimize their liability. Below are steps that you may follow to help identify and timely respond to HIPAA breaches.

October 10, 2018

Producing Records of Other Providers

by Kim Stanger

There is a common misunderstanding that healthcare providers may not or should not produce medical records that were created by another healthcare provider.

Under HIPAA, patients have a right to access all records that a provider maintains in a designated record set, i.e., documents the provider uses to make decisions about a patient’s healthcare or payment for healthcare. (45 CFR 164.524). This would generally include records the provider obtains or receives from other providers relating to the patient’s care. Thus, providers generally must produce such records in response to the patient’s request; failure to do so would violate HIPAA. The OCR published the following FAQ relevant to this issue:

A provider might have a patient’s medical record that contains older portions of a medical record that were created by another previous provider. Will the HIPAA Privacy Rule permit a provider who is a covered entity to disclose a complete medical record even though portions of the record were created by other providers?

Answer: Yes, the Privacy Rule permits a provider who is a covered entity to disclose a complete medical record including portions that were created by another provider, assuming that the disclosure is for a purpose permitted by the Privacy Rule, such as treatment.

October 5, 2018

Idaho Fraud and Abuse Statutes: Requirements, Penalties and Repayments

By Kim Stanger

Most Idaho healthcare providers are—or should be—aware of federal fraud and abuse laws, including the False Claims Act, Anti-Kickback Statute, Ethics in Patient Referrals Act (“Stark”), and the Civil Monetary Penalties Law, but they may not realize that Idaho has its own fraud and abuse laws that also apply. Violations may result in criminal, civil, and administrative penalties in addition to the obligation to repay amounts received in violation of the rules and provider agreement.

1. Idaho Anti-Kickback Statute. It is illegal for a health care provider to engage in the following misconduct:

(1)(a) Knowing that the payment is for the referral of a claimant to a service provider, either to accept payment from a [healthcare] provider or, being a [healthcare] provider, to pay another; or

(b) To provide or claim or represent to have provided services to a claimant, knowing the claimant was referred in violation of paragraph (a); [or]

(2) [E]ngage in a regular practice of waiving, rebating, giving, paying, or offering to waive, rebate, give or pay all or part of a claimant’s deductible or claim for casualty, disability insurance, worker’s compensation insurance, health insurance or property insurance.

(Idaho Code § 41-348). The statute applies to referrals for “health care services”, which are defined as “a service provided to a claimant for treatment of physical or mental illness or injury arising in whole or substantial part from trauma.” (Id. at § 41-348(2)). Violations may result in civil monetary penalties of up to $5,000. (Id. at §§ 41-348(4) and 41-347(1)). Significantly, the Idaho statute is broader than its federal counterpart: it applies to services payable by private payers as well as government programs.