May 23, 2016

Charging Patients for Copies of Their Records: OCR Guidance

by Kim C. Stanger, Holland & Hart LLP

HIPAA generally gives patients or their personal representative the right to access or obtain copies of the patient’s protected health information (“PHI”) in their designated record set1, and limits the amount that providers may charge patients for PHI to a reasonable cost-based fee. (45 CFR 164.524). In February 2016, the OCR issued guidance (“Guidance”) which clarifies allowable fees and identifies additional actions providers should take when charging fees. The OCR’s Guidance may be accessed here.

Allowable Charges. The OCR confirmed that a provider may only charge the patient or personal representative for the following:

1. Labor for copying the requested PHI, whether in paper or electronic form. This includes only the labor for actually creating and delivering the paper or electronic copy in the form and format requested or agreed upon by the patient once the responsive information has been identified, retrieved, collected, compiled and/or collated. For example, allowable costs may include photocopying paper PHI; scanning paper PHI into an electronic format; converting electronic PHI in one format to the format requested by or agreed to by the patient; creating and executing a mailing or e-mail with the responsive PHI; and/or uploading, downloading, attaching, burning, or otherwise transferring electronic PHI from a provider’s system to portable media, e-mail, app, personal health record, web-based portal (where the PHI is not already maintained in or accessible through the portal), or other manner of delivery of the PHI. (See also 78 FR 5636). Labor for copying does not include costs associated with reviewing the patient’s request; searching for, reviewing, retrieving, segregating, collecting, compiling, or otherwise preparing the responsive information for copying; verifying that only information about the requested patient is included; complying with HIPAA; updating or maintaining record systems; etc. (See also 78 FR 5636). Likewise, it does not include administrative or other costs associated with outsourcing record functions to business associates or others beyond the business associate’s labor costs described above. Continue reading

February 5, 2016

Prompt Pay Discounts

by Kim C. Stanger, Holland & Hart LLP

Healthcare providers sometimes offer “prompt pay” discounts to encourage patients to pay their bills within a certain period, including outstanding copayments or deductible amounts. Such programs should be structured appropriately to ensure compliance with applicable laws and payer contracts.

1. Federal Fraud and Abuse Laws. If the discount is offered to induce the patient to receive other services payable by Medicare, Medicaid, or other government programs, the discount may violate federal fraud and abuse laws. The federal Anti-Kickback Statute (“AKS”) prohibits knowingly offering any remuneration to persons to induce or reward referrals for items or services covered by federal health programs, including Medicare or Medicaid. See 42 U.S.C. § 1370a-7b. The AKS applies to discounts offered to federal program beneficiaries if the purpose of the discount is to induce referrals. See, e.g., OIG, Special Advisory Bulletin: Offering Gifts and Other Inducements to Beneficiaries (8/30/02); OIG, Special Fraud Alert regarding Routine Waiver of Part B Co-Pays and Deductibles (12/19/94). Similarly, the federal Civil Monetary Penalties Law (“CMPL”) prohibits knowingly offering anything of value to Medicare or Medicaid beneficiaries that is likely to influence the beneficiary’s selection of a particular provider of services payable by Medicare or Medicaid, including waivers or discounts of coinsurance or deductible amounts. See 42 U.S.C. § 1320a-7a(a)(5); 42 C.F.R. § 1003.102 and .103(b)(13). Continue reading

January 8, 2016

HIPAA Privacy Rule Modified to Permit Covered Entities to Make Certain Limited Disclosures to the National Instant Criminal Background System

by Teresa Locke, Holland & Hart LLP

On Tuesday, January 6, 2016, the U.S. Department of Health and Human Services (the Department) issued a final rule, effective February 5, modifying the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule to expressly permit – but not require – certain HIPAA covered entities to disclose to the National Instant Criminal Background System (NICS) certain personal health information (PHI) related to individuals who are subject to a Federal “mental health prohibitor” that disqualifies them from shipping, transporting, possessing, or receiving a firearm. Among the persons subject to the Federal mental health prohibitor established under the Gun Control Act of 1968 and implementing regulations issued by the U.S. Department of Justice are individuals who have been: (a) involuntarily committed to a mental institution; (b) found incompetent to stand trial or not guilty by reason of insanity; or (c) otherwise determined by a court, board, commission, or other lawful authority to be a danger to themselves or others or to lack the mental capacity to contract or manage their own affairs as a result of marked subnormal intelligence or mental illness, incompetency, condition, or disease. Fearing that States might not be fully reporting relevant information to the NCIS because of actual or perceived barriers related to HIPAA, the Department enacted the revision to the Privacy Rule by adding a new category of permitted disclosures to 45 CFR 164.512(k). The new rule is narrowly tailored to appropriately balance public safety goals with important patient privacy interests to ensure that individuals are not discouraged from seeking voluntary treatment for mental health issues.

The new category of permitted disclosures is very limited in scope, applying only to a specific subset of HIPAA covered entities who, under narrow circumstances, may provide discrete personal health information to the NICS. Specifically, the new rule is limited in three ways. First, it applies only to covered entities involved in ordering involuntary commitments or other adjudications that make an individual subject to the Federal mental health prohibitor. It does not apply to disclosures about individuals who are subject to state-only mental health prohibitors. Moreover, the Federal mental health prohibitor does not apply to individuals in a psychiatric facility for observation or who have been admitted voluntarily. Thus, the new rule does not create a permission for most treating providers to disclose PHI about their own patients for these purposes. The Department recognized that encouraging voluntary treatment is critical to ensuring positive outcomes for individuals’ health as well as the public’s safety. The new rule was designed to balance that goal with public safety interests served by the NICS. Continue reading

December 18, 2015

Physician Timeshare Arrangements: New Stark Option for Sharing Space with Visiting Specialists and Others

by Kim C. Stanger, Holland & Hart LLP

Recent Stark law amendments will make it easier for physicians to share space, and for hospitals to provide space, equipment, and services to visiting specialists and other physicians on a non-exclusive, “as-needed” basis. Hospitals and physicians may want to review their current lease arrangements to determine whether the new exception is a better fit for their current or future relationships and, if so, structure their arrangements accordingly.

Prior Law. The federal Ethics in Patient Referrals Act (“Stark”) generally prohibits physicians from referring patients for certain designated health services (“DHS”) payable by Medicare to entities with which the physician has a financial relationship unless the relationship is structured to fit within a regulatory safe harbor. (42 USC 1395nn; 42 CFR 411.353). Providing space or equipment to a referring physician generally creates a financial relationship that triggers Stark1; consequently, such arrangements generally needed to be structured to satisfy Stark safe harbors for leases of space or equipment. Unfortunately, those safe harbors required, among other things, that the physician enter a formal lease that provided for exclusive use of the leased premises or equipment during defined lease terms (42 CFR 411.357(a)-(b)); the physician and lessor were generally not permitted to share space or equipment during the lease term, nor could the lease be on an “as needed” basis. Traditional timeshare arrangements in which physicians share space or equipment on a non-exclusive basis did not satisfy Stark, thereby forcing physicians and their landlords to enter formal, inefficient, and sometimes impractical lease arrangements. Continue reading

December 1, 2015

Medicare Issues Final Rule Requiring Bundled Payments for Inpatient and Post-Acute Care Services for Hip and Knee Replacements in 67 Geographic Regions

by Pia Dean, Holland & Hart LLP

On November 16, 2015, The Centers for Medicare & Medicaid Services, CMS, issued a finalized rule requiring bundled payments for all lower extremity replacement and reattachment surgeries for Medicare fee-for-service beneficiaries in 67 geographic locations. The new payment model covers all Part A and B services provided to eligible beneficiaries for DRGs 469 (major joint replacement or reattachment of lower extremity with major complications or comorbidities) and 470 (major joint replacement or reattachment of lower extremity without major complications or comorbidities). The bundled payment program includes all items and services during the initial hospitalization and within 90 days of discharge. In addition to physician and inpatient hospital services, the bundled payment includes all services received in an inpatient psychiatric facility, long-term care hospital, inpatient rehabilitation facility, skilled nursing facility, home health agency, hospital outpatient setting, independent outpatient therapy, clinical laboratory, as well as durable medical equipment, Part B drugs, and hospice.

As initially proposed in July 2015, the bundled payment program would have started on January 1, 2016 and been implemented in over 800 hospitals in 75 geographic reasons having populations of more than 50,000 people. The finalized rule scales back the program to 67 geographic regions with a start date of April 1, 2016. Despite these concessions, CMS’ bundled payment initiative, called the Comprehensive Care for Joint Replacement (CJR), is a significant change to Medicare’s reimbursement policy. CMS’ previous bundled payment initiatives – most notably the Bundled Payment for Care Improvement (BPCI) Initiative – were voluntary, allowing only those hospitals, post-acute care facilities, and physician groups who wished to be involved to participate. Continue reading

November 10, 2015

TRICARE Claims Processing Suspension

by Ellen Bonner, Callaway Bonner Law LLC (Guest Author)

Warning: TRICARE Claims Processing Suspension May Occur During Health Care Fraud Investigations for Compounding Pharmacy Prescriptions

Yesterday, the Wall Street Journal (WSJ) reported on a significant federal investigation regarding compounding pharmacies and compound pharmaceutical prescriptions for TRICARE beneficiaries in at least four states. TRICARE, the federal health benefit program under the Defense Health Agency, provides health care benefits for more than 9.5 million current and retired members of the uniformed services and their families. TRICARE health care fraud allegations can result not only in civil and criminal sanctions, but also in TRICARE claims processing temporary suspensions, as well as provider exclusion and termination from TRICARE and other federal healthcare programs.

Health Care Fraud: Civil and Criminal Action

According to the WSJ there were four civil fraud settlements by Florida pharmacies last month that will soon be reported. These settlements – amounting to $12.8 million – are based upon allegations of falsely billing TRICARE for expensive pharmaceutical creams and gels to treat pain, scars, and other ailments. The WSJ reported that federal prosecutors are pursuing “numerous criminal investigations,” and the U.S. Attorney for the Middle District of Florida anticipates filing criminal charges in early 2016 against pharmacies, drug marketers, and physicians cited in the settlements. Separate Justice Department investigations on compounding pharmacies are ongoing in California, Mississippi, and Texas. Continue reading

November 9, 2015

Responding to HIPAA Breaches

by Kim C. Stanger, Holland & Hart LLP

HIPAA privacy and security breaches can result in fines of $100 to $50,000 to covered entities (including healthcare providers and health plans) and their business associates. (45 CFR 160.404). If the violation resulted from “willful neglect”, the Office for Civil Rights (“OCR”) must impose a mandatory fine of $10,000 to $50,000. (45 CFR 160.404). To make matters worse, covered entities and their business associates must self-report breaches of unsecured protected health information (“PHI”) to the affected individual and to HHS (45 CFR 164.400); failure to do so may constitute “willful neglect” resulting in additional fines. The good news is that the OCR may not impose a fine so long as the covered entity or business associate did not act with “willful neglect” and corrected the problem within 30 days. (45 CFR 160.410(b)).

Responding to Possible Breaches. Given the potential consequences, it is critical that covered entities and business associates respond appropriately to potential HIPAA breaches to avoid or minimize their liability. Below are steps that you may follow to help you identify and timely respond to HIPAA breaches. Continue reading

October 26, 2015

Complying With HIPAA: A Checklist for Business Associates

by Kim C. Stanger, Holland & Hart LLP

The HIPAA Privacy, Security, and Breach Notification Rules now apply to both covered entities (e.g., healthcare providers and health plans) and their business associates. A “business associate” is generally a person or entity who “creates, receives, maintains, or transmits” protected health information (PHI) in the course of performing services on behalf of the covered entity (e.g., consultants; management, billing, coding, transcription or marketing companies; information technology contractors; data storage or document destruction companies; data transmission companies or vendors who routinely access PHI; third party administrators; personal health record vendors; lawyers; accountants; and malpractice insurers).1 With very limited exceptions, a subcontractor or other entity that creates, receives, maintains, or transmits PHI on behalf of a business associate is also a business associate.2 To determine if you are a business associate, see the attached Business Associate Decision Tree.

Business associates must comply with HIPAA for the following reasons: Continue reading

October 20, 2015

Nevada Supreme Court Upholds $350,000 Medical Malpractice Cap

by Brian Anderson, Holland & Hart LLP

In a unanimous decision on Friday, October 1, 2015, the Nevada Supreme Court (the Court) upheld as constitutional the state’s $350,000 statutory limitations on plaintiffs’ recovery of noneconomic damages in a medical malpractice or professional negligence suit.

In Tam v. Eighth Jud. Dist. Ct., 131 Nev. Adv. Op. 80 (Nev. Oct. 1, 2015), after the death of Charles Thomas Cornell, Sherry Cornell (individually, and as administrator of Mr. Cornell’s estate) filed a complaint against numerous defendants, including petitioner Stephen Tam, M.D., alleging medical malpractice. Dr. Tam filed a motion requesting in part that the Eighth Judicial District Court (district court) confirm that the Plaintiff’s noneconomic damages be capped pursuant to NRS 41A.035, which limits to $350,000 the recovery of a plaintiff’s noneconomic damages in a healthcare provider’s professional negligence action. The district court denied the motion, concluding that: (1) NRS 41A.035 is unconstitutional, as it violates a plaintiff’s constitutional right to trial by jury;(2) the statutory cap does not apply to the case as a whole, but a separate cap applies to each plaintiff for each of the defendants; and (3) the statutory cap does not apply to medical malpractice claims. Dr. Tam challenged the district court’s order, filing a petition for a writ of mandamus to compel the district court to vacate its order. The Court granted the petition in its entirety, holding that the district court erred in: (1) finding the statute unconstitutional; (2) finding the statutory cap applies per plaintiff and per defendant; and (3) finding the statute only applies to professional negligence and not to medical malpractice. Continue reading

September 29, 2015

HIPAA and Records of Deceased Persons

by Kim C. Stanger, Holland & Hart LLP

The HIPAA privacy and security rules generally apply to protected health information of deceased persons as well as the living. Providers may generally use or disclose such information as follows:

1. Treatment, Payment, or Operations. As with living persons, HIPAA allows providers to use or disclose protected health information of deceased persons for purposes of treatment, payment, or the provider’s healthcare operations, unless the provider has agreed otherwise. (See 45 CFR 164.506 and 164.522(a)). This may include treatment of other living relatives. As the Office for Civil Rights (OCR) explained, “disclosures of protected health information for treatment purposes—even the treatment of another individual—do not require an authorization; thus, a covered entity may disclose a decedent’s protected health information, without authorization, to the health care provider who is treating the surviving relative.” (OCR FAQ, available here). Continue reading