Disclaimer
This publication is designed to provide general information on pertinent legal topics. The statements made are provided for educational purposes only. They do not constitute legal or financial advice nor do they necessarily reflect the views of Holland & Hart LLP or any of its attorneys other than the author. This publication is not intended to create an attorney-client relationship between you and Holland & Hart LLP. Substantive changes in the law subsequent to the date of this publication might affect the analysis or commentary. Similarly, the analysis may differ depending on the jurisdiction or circumstances. If you have specific questions as to the application of the law to your activities, you should seek the advice of your legal counsel.
CardioNet Settlement Shows Need for Healthcare Providers to Secure Mobile Devices
By Kim Stanger, in HIPAA, Providers
In the first Health Insurance Portability and Accountability Act (“HIPAA”) settlement involving a wireless health services provider, CardioNet on April 24 agreed to pay $2.5 million for allegedly losing a laptop containing individual health information.
The size of this and other recent settlements demonstrates the increasingly active stance being taken by the Department of Health and Human Services Office for Civil Rights (“OCR”) on the need for organizations to implement strong, HIPAA-compliant security policies – including those involving mobile devices used for work. The settlement was based on the impermissible disclosure of unsecured electronic protected health information (“ePHI”).
HIPAA: Should You Ask Patients for Consent to Disclose Information?
By Kim Stanger, in HIPAA
Healthcare providers often unnecessarily limit their ability to use or disclose protected health information without the patient’s consent, thereby increasing their potential liability for unauthorized disclosures. For example, providers often:
They do so under the mistaken belief that HIPAA requires such. In reality, such practices may actually increase potential HIPAA liability.
Group Compensation Arrangements: Stark Requirements
By Kim Stanger, in Legislation
Physician practices must ensure that their group compensation structures comply with the federal Ethics in Patient Referrals Act (“Stark”) if they intend to bill Medicare or Medicaid for services rendered or referred by the group physicians. Under Stark, if a physician (or a member of the physician’s family) has a financial relationship with an entity, the physician may not refer patients to the entity for certain designated health services (“DHS”) payable by Medicare and Medicaid unless the financial relationship is structured to fit within a regulatory safe harbor. (42 CFR § 411.353). Stark applies to DHS referrals within the group, so the physician’s compensation arrangement must be structured to comply with Stark; otherwise, the group may not bill Medicare and Medicaid for DHS that were referred improperly, and, if they were improperly billed, the entity must repay amounts improperly received. Failure to report and repay within 60 days may result in additional civil penalties of $15,000 per claim as well as False Claims Act liability. Repayments may easily run into hundreds of thousands of dollars. Given the potential liability, it is critical that physician group compensation arrangements be structured to fit within one of the following regulatory safe harbors if they intend to participate in Medicare or Medicaid.
Withdrawing Care for Developmentally Disabled Persons: New Idaho Standards
By Kim Stanger, in ADA
Recent amendments will allow guardians and those treating developmentally disabled persons greater discretion in withholding or withdrawing artificial life-sustaining treatment, thereby avoiding situations in which developmentally disabled persons were forced to suffer painful, extended procedures which may be considered inhumane.
The Former Standard. Under Idaho law, the guardian or personal representative of an incompetent person may generally authorize the medically appropriate withdrawal of treatment for the patient. (I.C. §§ 39-4504(1) and 39-4514(3)). In the case of developmentally disabled persons, however, the former law prohibited guardians and physicians of developmentally disabled persons from withholding or withdrawing artificial life-sustaining treatment unless the treating physician and one other physician certified that the person had a terminal condition such that the application of artificial life-sustaining treatment would only serve to prolong death for a period of hours, days or weeks, and that death was imminent regardless of the life-sustaining procedures. (I.C. § 66-405(7)-(8)). Unfortunately, this standard looked only at the length of the patient’s life without considering the pain that the patient may be forced to endure in the meantime. Because of advances in medicine, healthcare providers are often able to keep persons alive for months or years, but at a terrible cost in suffering to the patient and their loved ones. Application of the former standard sometimes resulted in heartbreaking situations in which developmentally disabled persons—often with little or no cognition—were relegated to an existence that offered nothing more than perpetual pain or discomfort instead of allowing the medically appropriate withdrawal of treatment. By so doing, the standard deprived developmentally disabled persons of rights that were offered to others.
Report HIPAA Breaches Without Delay
By Kim Stanger, in HIPAA
If you experience a HIPAA breach, make sure you investigate and report the breach “without unreasonable delay and in no case later than 60 calendar days after discovery of the breach” or you may be subject to HIPAA fines. (45 CFR 164.404(b)). The Office for Civil Rights just settled for $475,000 its first case against a covered entity for unreasonable delay in reporting a HIPAA breach.
On October 22, 2013, Presence St. Joseph Medical Center (“Presence Health”) discovered that its paper-based operating schedules were missing from its surgery center. The schedules contained protected health information of 836 persons, including names, birthdates, procedure information, and medical record information. Because the breach involved more than 500 persons, Presence Health was required to report the breach to HHS and local media at the time it notified affected individuals. However, due to a miscommunication between its workforce members, Presence Health did not report the breach to HHS until January 31, 2014 (101 days after the breach was discovered); did not notify affected individuals until February 3, 2014 (104 days after the breach was discovered); and did not notify the media until February 5, 2014 (105 days after the breach was discovered). The HIPAA Breach Notification Rule requires that covered entities notify individuals and, if the breach involves more than 500 persons, report breaches to HHS and local media without unreasonable delay and in no event later than 60 calendar days after discovery of the breach. (45 CFR 164.404-.410). A separate HIPAA violation occurs for each day the covered entity fails to report the breach beyond the deadline. Presence Health settled the alleged violations for $475,000. A copy of the OCR’s press release is available here.