September 22, 2015

HIPAA: Disclosing Exam Results to Employers

Physicians and other providers are often paid by employers to conduct drug tests, fitness-for-duty or return-to-work exams, or employment physicals for employees. In such circumstances, the physician may mistakenly assume that they may disclose the test and exam results to the employer without the patient’s authorization, but that is not correct.

As with any other protected health information, physicians and other providers generally need the patient’s written, HIPAA-compliant authorization to disclose exam results to the employer. (45 CFR 164.508(a); see also 65 FR 82592 and 82640). However, unlike other treatment situations, a provider may condition the performance of an employee physical or test on the patient’s provision of an authorization, i.e., the provider may refuse to perform the exam unless the patient executes a valid authorization. (45 CFR 164.508(b)(4)(iii); 65 FR 82516 and 82658). In addition, the employer may condition the employee’s continued employment on the provision of the exam results (at least under HIPAA), thereby creating an incentive for the employee to execute the authorization. (65 FR 82592 and 82640). The foregoing rules also apply when the health care provider is the employer, e.g., when a hospital employee receives treatment or tests at the hospital. In those situations, the hospital/employer generally may not access or use the patient/employee’s health information for employment-related purposes without the patient’s written authorization. (67 FR 53191-92). Continue reading

September 15, 2015

Physician Contract Checklist

by Kim C. Stanger, Holland & Hart LLP

Regulatory Compliance. If the physician will be performing or referring items or services payable by government healthcare programs, you should generally structure the contract to satisfy applicable safe harbors under the federal Ethics in Patient Referrals Act (“Stark”), 42 CFR 411.355 or 411.357(c), (d) or (l), and the Anti-Kickback Statute (“AKS”), 42 CFR 1001.952(d) or (i). For information concerning those regulatory requirements, see our Client Alert, Stark Requirement for Physician Contracts. In addition, the federal Civil Monetary Penalties Law generally prohibits hospitals from offering inducements to physicians to limit services payable by government programs. (42 USC 1320a-7a(b)(1); 42 CFR 1003.102). If you are a tax-exempt entity, you will also want to ensure the compensation reflects fair market value to avoid 501(c)(3) tax issues. If your state recognizes the corporate practice of medicine doctrine, you may need to structure your arrangement to fulfill any unique requirements applicable to your state.

Written Agreement. Stark and AKS safe harbors generally require current written contracts for independent contractors. Although written contracts are not required for the employee safe harbors, it is usually a good idea to document the arrangement to avoid disputes, especially if there are special compensation requirements, employment is other than “at-will”, or you wish to include a restrictive covenant. Continue reading

September 9, 2015

HHS Issues New Rule Prohibiting Discrimination Based on Sex and Requiring Interpreters

by Pia Dean, Holland & Hart LLP

On September 3, 2015, the Department of Health and Human Services (HHS) issued a proposed rule intended to advance health equity and reduce disparities in health care. Section 1557 of the Patient Protection and Affordable Care Act (ACA) is the first federal civil rights law to prohibit discrimination, including denial of health services or health coverage, on the basis of race, color, national origin, age, disability, or sex. The proposed rule, Nondiscrimination in Health Programs and Activities, codifies and expounds on the these protections. The proposed rule applies to any health program or activity which receives funding from HHS, such as providers that accept Medicare or Medicaid patients. In addition, it applies to individuals enrolled in coverage through the Health Insurance Marketplaces (commonly referred to as “Exchanges”) and to all health plans offered by insurers that operate in Exchanges. Continue reading

August 21, 2015

Medical Record Retention

by Kim C. Stanger, Holland & Hart LLP

I am often asked how long a practice must maintain medical records. The answer depends on the type of provider you are and your risk tolerance. Providers should generally consider the following in establishing their record retention policies:

1. Patient care. The primary consideration should be patient care. Some practices (e.g., oncology) may want to retain medical records longer than the relevant regulatory requirement or statute of limitations period because the records may be important to future patient care. If your electronic records program allows, you may want to retain the records permanently.

2. Statutory or Regulatory Requirements. State and federal regulations require hospitals and certain other institutional providers to maintain medical records for specified periods, but those laws usually do not apply directly to physicians or physician groups. There are numerous guides online. For example, HealthIT.gov published a 50-state survey of record retention requirements at http://www.healthit.gov/sites/default/files/appa7-1.pdf. The Idaho Department of Health and Welfare published a helpful but incomplete summary of federal record retention regulations, which may be accessed at http://healthandwelfare.idaho.gov/Portals/0/Medical/LicensingCertification/RecordRetentionReqs.pdf. CMS published a MedLearn article on record retention at https://www.cms.gov/Outreach-and-Education/Medicare-Learning-Network-MLN/MLNMattersArticles/downloads/SE1022.pdf. AHIMA is usually a good source for online guidance about record retention laws and regulations. Continue reading

August 6, 2015

US District Court Decision Provides Cautionary Tale on False Claim Act Requirement to Return Identified Overpayments from Medicare or Medicaid

by Pia Dean, Holland & Hart LLP

A recent ruling from the United States District Court for the Southern District of New York is the first decision regarding the requirement of the Affordable Care Act (ACA) to return identified overpayments from Medicare and Medicaid within 60 days and provides a cautionary tale about the failure to do so. The Court’s opinion offers clarification about when the 60-day “report and repay” provision of the ACA starts and underscores the importance of identifying and acting on a notice of improper payments in a timely manner.

Background

The action stems from a computer glitch on the part of Healthfirst, Inc. (Healthfirst), a private, non-profit insurance program. The glitch caused three New York City hospitals to submit improper claims to Medicaid for services rendered to beneficiaries of a managed care program administered by Healthfirst. All three hospitals belong to a network of non-profit hospitals operated and coordinated by Continuum Health Partners, Inc. (Continuum). Continue reading

July 28, 2015

Recruiting Physicians: Beware Stark, Anti-Kickback Statutes, and IRS Rules

by Kim C. Stanger, Holland & Hart LLP

Hospitals and other entities that offer incentives to recruit physicians must ensure their arrangements comply with federal and state laws governing financial relationships with physicians, including the the Ethics in Patient Referrals Act (“Stark”), Anti-Kickback Statute (“AKS”), and the IRS’s 501(c)(3) requirements. Recruitment arrangements usually need to fit within one of the following safe harbors:

1. Employment Arrangements. If you are going to hire the physician as an employee and pay him or her no more than fair market value, you can structure the deal to fit within Stark’s bona fide employment safe harbor, which requires the following:

  • The employment must be for identifiable services.
  • The compensation (including benefits, housing, relocation reimbursement, stipends, and anything else of value given to the physician) must be consistent with fair market value.
  • The compensation may not take into account the volume or value of referrals. For example, you may not compensate the physician based on, or give the physician a percentage of, services performed by other persons or ancillary tests ordered by the physician. You may, however, compensate the physician based on services the physician personally performs.

(42 CFR 411.357(c)). Under the employment safe harbor, you are not required to have a written agreement or establish the compensation formula in advance, but it is generally a good idea to do so to avoid misunderstandings. Complying with the foregoing Stark parameters should also satisfy the AKS and 501(c)(3) rules. (See 42 CFR 1001.952(i); IRS Healthcare Provider Reference Guide, 2004 EO CPE Text at p.18). If you need to pay more than fair market value or provide additional incentives to recruit the physician, you will likely need to structure the deal to satisfy the Stark recruitment safe harbor described below. Continue reading

July 10, 2015

Appellate Court Affirms $237 Million Award Against Hospital for Stark Law Violations

by Teresa Locke, Holland & Hart LLP

The Fourth Circuit Court of Appeals recently issued an alarming decision affirming a $237 million judgment against Tuomey Healthcare Systems, a nonprofit hospital located in a small, largely rural South Carolina community that is a federally-designated medically underserved area. The judgment resulted from a jury’s finding that Tuomey submitted 21,730 false claims to Medicare for reimbursement knowing that the claims were generated through part-time physician employment contracts that violated the referral constraints found in the Stark Law. The decision clarifies that hospital “facility fees” associated with outpatient procedures performed by physicians constitute “referrals” under the Stark Law even when the “referring” physician is personally performing the outpatient procedure. The false claims themselves had a total value of $39 million, but with automatic treble damages and civil penalties in the minimum amount for each violation, the resulting judgment was for $237 million. Despite its affirmance of the judgment, the Fourth Circuit panel recognized “the troubling picture this case paints: An impenetrably complex set of laws and regulations that will result in a likely death sentence for a community hospital in an already medically underserved area.” U.S. ex rel. Drakeford v. Tuomey.

The part-time employment contracts at issue in Tuomey allowed the physicians to maintain their private practices, but required them to perform all outpatient surgical procedures exclusively at the hospital. The contracts had multiple compensation components, two of which proved problematic under Stark. First, each physician was paid an annual guaranteed base salary which was adjusted from year to year based on the amount the physician collected from all services rendered the previous year. Second, the bulk of the physicians’ compensation was earned in the form of a productivity bonus, which paid the physicians 80% of the amount of their collections for that year. Continue reading

June 8, 2015

HIPAA, E-mails, and Texts to Patients or Others

by Kim C. Stanger, Holland & Hart LLP

The HIPAA Privacy and Security Rules require covered entities (including healthcare providers and health plans) and their business associates to implement certain safeguards when e-mailing or texting electronic protected health information (“e-PHI”) to patients or others.

E-mails and Texts to Patients. The HIPAA Privacy Rule not only allows but requires covered entities to communicate with patients via e-mail or text if requested by the patient. (See 45 CFR 164.522(b)). However, the Privacy Rule requires covered entities to implement appropriate safeguards when e-mailing or texting e-PHI to patients. The Office for Civil Rights (“OCR”) explained:

The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so. (See 45 CFR 164.530(c)). For example, certain precautions may need to be taken when using e-mail to avoid unintentional disclosures, such as checking the e-mail address for accuracy before sending, or sending an e-mail alert to the patient for address confirmation prior to sending the message. Further, while the Privacy Rule does not prohibit the use of unencrypted e-mail for treatment-related communications between health care providers and patients, other safeguards should be applied to reasonably protect privacy, such as limiting the amount or type of information disclosed through the unencrypted e-mail. In addition, covered entities will want to ensure that any transmission of electronic protected health information is in compliance with the HIPAA Security Rule requirements at 45 CFR Part 164, Subpart C.

(OCR FAQ dated 12/15/08, available at http://www.hhs.gov/ocr/privacy/hipaa/faq/health_information_technology/570.html). Continue reading

May 7, 2015

Idaho Passes Direct Primary Care Act

by Melissa Starry, Holland & Hart LLP

Direct Primary Care (“DPC”) is increasing in popularity in the United States as an alternative payment model for primary care medical services. Instead of fee-for-service insurance billing, typically a DPC medical provider enters into an agreement with its patients and charges its patients a monthly, quarterly, or annual fee that covers all or most primary care services. Given the fact that a DPC medical provider takes on a certain amount of risk in agreeing to provide primary care services to patients for a fixed amount (regardless of how often a patient is seen by the provider), there were concerns that such an arrangement could be interpreted under Idaho law as the provision of insurance. With the passage of the Idaho Direct Medical Care Act1 (the “Act”), and subsequent signing by Governor Butch Otter, Idaho is now the ninth state in the country to pass legislation to ensure that DPC medical providers are not treated as insurance products by state regulators. Continue reading

May 4, 2015

New OIG Guidance Emphasizes Health Care Compliance Oversight for Boards

by Ellen Bonner, Holland & Hart LLP

In late April, the Office of Inspector General, U.S. Department of Health and Human Services (“OIG HHS”) issued Practical Guidance for Health Care Governing Boards on Compliance Oversight (“Compliance Guidance”)1. The Compliance Guidance assists health care organization boards (“Boards”) with compliance plan oversight obligations. Highlighted below are a few of the Compliance Guidance’s numerous practical tips for proactive compliance oversight and review of health care organizations.

As a starting point for compliance assessment, the Compliance Guidance recommends the following publically available compliance resources:

  • The Federal Sentencing Guidelines2
  • OIG voluntary compliance program guidance documents3; and
  • OIG Corporate Integrity Agreements (“CIAs”)4

With a nod towards the “ever-changing regulatory landscape and operating environment,” the Compliance Guidance promotes the development of formal plans, including periodic updates from informed staff, to stay current with the changes in regulations and operating environments that impact the organization and its Compliance Program. The following four areas are emphasized in the Compliance Guidance: Continue reading