Disclaimer
This publication is designed to provide general information on pertinent legal topics. The statements made are provided for educational purposes only. They do not constitute legal or financial advice nor do they necessarily reflect the views of Holland & Hart LLP or any of its attorneys other than the author. This publication is not intended to create an attorney-client relationship between you and Holland & Hart LLP. Substantive changes in the law subsequent to the date of this publication might affect the analysis or commentary. Similarly, the analysis may differ depending on the jurisdiction or circumstances. If you have specific questions as to the application of the law to your activities, you should seek the advice of your legal counsel.
What Healthcare Providers Need to Know About EKRA
In Healthcare Law, by Eric Maxfield
In October 2018, the President signed the SUPPORT for Patients and Communities Act, a portion of which is known as the “Eliminating Kickbacks in Recovery Act of 2018” or “EKRA.” EKRA, aimed at the ongoing opioid crisis, is meant to prevent patient brokering, referrals, and kickbacks related to drug recovery and substance abuse treatment centers. EKRA’s language, however, is very broad and goes well beyond the opioid crisis to deal with “patient brokering,” which is when a substance abuse facility or provider pays a third party for referring or directing potential patients. EKRA violations carry significant penalties, including fines upwards of $200,000 per “occurrence,” as well as significant prison time.
While EKRA’s purpose is to address kickbacks related to the broader issues surrounding opioids, it is not limited exclusively to treatment centers per se. Instead, EKRA precludes the solicitation or receipt of value for referrals to recovery homes, clinical treatment centers, or laboratories. EKRA applies to public and – importantly – private commercial health benefit programs. This is effectively an expansion of the Federal Anti-Kickback Statute’s prohibition on kickbacks involving individuals covered by federal programs like Medicare, Medicaid, or TRICARE.
Common Stark Concerns for Hospitals
In Compliance, Fraud and Abuse, by Kim Stanger
Unless structured properly, a hospital’s financial relationship with referring physicians or other providers may violate the federal Ethics in Patient Referrals Act (“Stark”) and Anti-Kickback Statute (“AKS”), resulting in civil and criminal fines, penalties, and repayments. Under Stark, if a hospital has a financial relationship with a physician, the physician may not refer patients to the hospital for certain designated health services payable by Medicare or Medicaid unless the arrangement fits within a regulatory safe harbor. (42 USC § 1395dd; 42 CFR § 411.353). The AKS generally prohibits knowingly offering, paying, soliciting or receiving remuneration to induce referrals for items or services payable by federal healthcare programs unless the arrangement fits within a regulatory safe harbor. (42 USC § 1320a-7b(b); 42 CFR § 1001.952). Below are some of the top compliance concerns arising from relationships with referring providers:
1. No Written Agreement. Except for employment arrangements, Stark and the AKS generally require that financial arrangements are documented in writing and signed by the parties, including arrangements involving the payment for services, sale or lease of space or equipment, recruitment subsidies, etc. (See, e.g., 42 CFR §§ 411.357(a), (b), (d), (e), (l), (p), (y), and 1001.952(b)-(d)). CMS has confirmed that a single formal contract is not necessarily required; instead, “a collection of documents, including contemporaneous documents evidencing the course of conduct between the parties, may satisfy the writing requirement…” (80 FR 71315).
Telehealth: Practicing Across the Idaho Border
In Telehealth, by Kim Stanger
More healthcare practitioners are using telehealth to render patient care or expand their practices. When telehealth crosses state borders, the practitioner must ensure that he or she is licensed in or otherwise authorized to practice medicine in the state where the patient resides. The Model Policy issued by the Federation of State Medical Boards states:
A physician must be licensed, or under the jurisdiction, of the medical board of the state where the patient is located. The practice of medicine occurs where the patient is located at the time telemedicine technologies are used. Physicians who treat or prescribe through online services sites are practicing medicine and must possess appropriate licensure in all jurisdictions where patients receive care.
(Model Policy for the Appropriate Use of Telemedicine Technologies in the Practice of Medicine (2014), available here).
Medical Record Retention Guidelines
In Providers, by Melissa Lou, Kim Stanger, and Christopher Mack
Clients frequently ask us how long they should retain medical records and related business records. The answer depends on various factors, including the type of record, applicable regulatory and contract requirements, and the provider’s risk tolerance and resources. Nevertheless, state record retention guides may be valuable to clients as they consider their internal policies. The Idaho, Utah, and Wyoming state charts below are intended as a guideline. Providers should confirm laws that may apply in their particular state, or that may apply to their particular situation.
Identifying Business Associates: Make Sure You Have BAAs in Place
In HIPAA, by Kim Stanger
Failing to have HIPAA business associate agreements (“BAAs”) can result in significant penalties for healthcare providers and business associates. Last month, the OCR imposed a $500,000 settlement and robust corrective action plan against a physician group that failed to have a BAA with its billing company. After the billing company improperly allowed access to protected health information on its website, the OCR looked to the physician group to pay the price. (See https://www.hhs.gov/about/news/2018/12/04/florida-contractor-physicians-group-shares-protected-health-information-unknown-vendor-without.html).
Under HIPAA, “business associates” are essentially those entities who create, access, maintain or transmit PHI on behalf of a healthcare provider. (45 CFR § 160.103, definition of “business associate”). HIPAA requires healthcare providers to execute a BAA before disclosing protected health information (“PHI”) to their business associate. (45 CFR § 164.502(e)). It also requires business associates to execute a BAA with their subcontractors who handle PHI on behalf of the business associate. (Id.). The BAA must contain certain required terms. As recent settlements confirm, healthcare providers who fail to execute a BAA are subject to HIPAA penalties and may be vicariously liable for their business associate’s misconduct.