Disclaimer
This publication is designed to provide general information on pertinent legal topics. The statements made are provided for educational purposes only. They do not constitute legal or financial advice nor do they necessarily reflect the views of Holland & Hart LLP or any of its attorneys other than the author. This publication is not intended to create an attorney-client relationship between you and Holland & Hart LLP. Substantive changes in the law subsequent to the date of this publication might affect the analysis or commentary. Similarly, the analysis may differ depending on the jurisdiction or circumstances. If you have specific questions as to the application of the law to your activities, you should seek the advice of your legal counsel.
Changes to Idaho Health Care Consent Law
Effective July 1, 2012, amendments to Idaho’s health care consent statutes, Idaho Code § 39-4501 et seq., take effect. The changes resolve some concerns, but raise others. The following summarizes the more significant changes.
1. Application of consent statutes. The amended statute expressly confirms that it applies to all forms of health care, not just medical or dental care. (I.C. § 39-4503).
2. Capacity to consent. As amended, “any person who comprehends the need for, the nature of and the significant risks ordinarily inherent in” the contemplated health care may consent to or refuse their own care. (I.C. § 39-4503). The change removes the additional condition that the person must have “ordinary intelligence and awareness”, which created ambiguity and potentially unwarranted discrimination in applying the standard.
3. Surrogate decision makers. The amendment clarifies the authority of “surrogate decision makers” to make health care decisions for persons who lack capacity to make their own decisions. Surrogates may make decisions for minors and other persons who are not capable of giving consent. As amended, the statute establishes the following hierarchy for surrogates:
(I.C. § 39-4504(1)). Importantly, the amendment clarifies that the surrogate decision maker must themselves have sufficient capacity under § 39-4503 to make their own health care decisions before they can make decisions for others. In addition, the surrogate cannot trump the prior wishes of the patient expressed while the patient was competent, e.g., through a POST, advance directive, or other method. (I.C. § 39-4504(1)).
4. Responsibility for obtaining consent. The amendment confirms that the health care provider upon whose order or at whose direction the contemplated care is rendered is responsible for ensuring that sufficient consent is obtained, either by themselves or by their agents. (I.C. § 39-4508).
5. Advance directives. The old statute contemplated certain forms of advance directives, e.g., a living will, durable power of attorney for health care, or physician’s orders for scope of treatment (“POST”). Questions sometimes arose concerning other forms of advance directives, or the validity of a directive that did not contain the statutory elements required for a living will, durable power of attorney, or POST. The amended statute confirms that any advance directive ought to be honored, including any “document which represents a competent person’s authentic expression of [the] person’s wishes concerning his or her health care.” (I.C. § 39-4502(8); see also I.C. §§ 39-4509(3) and 39-4514(6)).
6. POSTs. The amended statute broadens the availability of POSTs. The former statute made POSTs “appropriate” if the patient had an incurable or irreversible injury, disease, illness or condition, or if such conditions were anticipated. The amended statute removes that condition, making POSTs possible for all patients. (See I.C. § 39-4512A). The amended statute also expands the persons who may execute a POST. In addition to physicians, the new statute allows advanced practice nurses or physician assistants to execute POSTs on behalf of the provider. (I.C. § 39-4512A). Similarly, in addition to the patient, the new statute allows surrogate decision makers to execute POSTs on behalf of the patient so long as the POST is not contrary to the patient’s last known expressed wishes. (I.C. § 39-4512A(1)). The amendment allows a provider or person to suspend a POST for a period of time, although such suspension is not automatic. (I.C. § 39-4512A(2)). For example, contrary to some providers’ belief, POSTs and other advance directives are not automatically suspended during surgery.
7. DNRs. When enacted, the former version of the statute removed the laws that authorized “do not resuscitate orders” (“DNRs”), apparently intending POSTs to replace DNRs. The amended statute expressly allows hospitals and other health care providers to continue to use DNRs, provided that if the patient presents a POST, they must accept the POST and not require a separate DNR to validate the POST. (I.C. §§ 39-4512B(3) and 39-4514).
8. Withdrawal or denial of treatment. A new section was added to limit a provider’s ability to withdraw or deny certain forms of treatment requested by the patient or surrogate. As amended, assisted feeding or artificial nutrition and hydration may not be withdrawn or denied if such care is requested by the patient or surrogate decision maker. Other forms of treatment cannot be withdrawn or denied if requested by the patient or surrogate decision maker unless the treatment is medically inappropriate or futile. (I.C. § 39-4514(3)). Unfortunately and unlike other amendments, this section is poorly drafted and may inappropriately limit a provider’s professional judgment. For example, under both the former and amended law, the consent statute shall not be construed “to require medical treatment that is medically inappropriate or futile”; however, the new law expressly states that this limitation “does not authorize any violation” of the new withdrawal of care provisions described above, i.e., the requirement that requested treatment must be provided unless futile. (I.C. § 39-4514(3) and (6)). The limitation on withdrawal or denial of care does not reference medically inappropriate treatment. (I.C. § 39-4514(3)). The net effect appears to be that a provider may not withdraw or deny requested treatment even if medically inappropriate unless the treatment is also futile, which result defies logic and cannot be what was intended. At the very least, the amendment creates ambiguity concerning the proper response to treatment that is requested but is medically inappropriate.
9. Futile care. As amended, the statute only permits the withdrawal or denial of requested treatment if the treatment is futile. The statute now defines “futile care” as a course of treatment:
(I.C. § 39-4514(6)). This definition of “futility” only considers the length of a patient’s life without considering qualitative factors, including the pain or suffering that an incompetent patient may be forced to endure simply to preserve life or the fact that a patient may be in a permanent comatose state. It is inconsistent with Idaho’s “Baby Doe” regulations which also factor in the humanity of a patient’s care. (See IDAPA 16.06.05.004.10). In some cases, the provider may deem continued treatment to be unethical or unconscionable if not “futile” as defined in the statute, in which cases the provider’s alternative is to withdraw as the treating provider after making a good faith effort to transfer care to another provider pursuant to I.C. §§ 39-4513(2) or 18-611. That may be a viable alternative for a physician or other individual health care provider, but it is more difficult for a hospital or other health care facility. The practical effect is that it is even more important for providers and facility ethics committees to come to an agreement with patients or surrogate decision makers concerning the appropriate course of treatment or withdrawal thereof.
10. Minor consents. The amended statute does not explicitly resolve whether mature minors may consent to their own care. Section 39-4503 states that “any person” with sufficient comprehension may consent to their own care, not any “adult” person. Similarly, § 39-4509 was amended to define “competent person” to mean any person who meets the standard in § 39-4503, not just adults or emancipated minors. On the other hand, § 39-4504(1) states that surrogate decision makers may consent for minors. Until clarified by a court, the conservative approach would be to require surrogate consent for minors unless another statute grants the minor authority to make their own health care decisions or the minor is clearly deemed to be emancipated under Idaho law.
Conclusion. The amended consent statute resolves some of the concerns that have bothered providers in recent years; however, the new “withdrawal of treatment” provisions may prove problematic in some cases. Redlined copies of the amended statute may be accessed at http://www.legislature.idaho.gov/legislation/2012/S1294E1.pdf and http://www.legislature.idaho.gov/legislation/2012/S1348E1.pdf.
If you have questions concerning these or other legal issues, please contact Kim Stanger at kcstanger@hollandhart.com or (208) 383-3913, or visit Holland & Hart’s website at www.hollandhart.com
Avoid New HIPAA Penalties
Recent changes to the HIPAA privacy and security rules dramatically increase health care providers’ and their business associates’ potential liability for HIPAA violations.
HIPAA Civil Penalties Are Now Mandatory. In 2009, the penalties for HIPAA violations were increased 500 times their prior limits. Effective February 2011, the Office of Civil Rights (“OCR”) is required to impose HIPAA penalties if the covered entity or its business associate acted with willful neglect, i.e., with “conscious, intentional failure or reckless indifference to the obligation to comply” with HIPAA requirements. The following chart summarizes the penalty structure:
[Penalty chart: only the maximum-penalty column survives; each of its four rows reads “Up to $1,500,000 per identical violation per year.”]
The federal government is serious about the new penalties: the OCR has imposed millions of dollars in penalties or settlements since the mandatory penalties took effect. State attorneys general may also sue for HIPAA violations and recover penalties of $25,000 per violation plus attorneys’ fees. When implemented, HITECH amendments will allow patients to recover a portion of any settlement or penalties related to a HIPAA violation, thereby increasing patients’ incentive to report HIPAA violations.
The good news is that if the covered entity or business associate does not act with willful neglect, the OCR may waive or reduce the penalties, depending on the circumstances. More importantly, if the covered entity or business associate does not act with willful neglect and corrects the violation within 30 days, the OCR may not impose any penalty; timely correction is an affirmative defense.
HIPAA Violations May Be A Crime. Federal law prohibits any individual from improperly obtaining or disclosing protected health information from a covered entity without authorization; violations may result in the following criminal penalties:
Physicians, hospital staff members, and others have been prosecuted for improperly accessing, using or disclosing protected health information.
Entities Must Self-Report HIPAA Breaches. The risk of penalties is compounded by the fact that covered entities and business associates must self-report HIPAA breaches that pose a significant risk of financial, reputational or other harm to the individual whose information was breached. If the business associate learns of such a breach, it must report the breach to the covered entity without unreasonable delay. The covered entity must report a breach to the affected individual or their personal representatives and the federal Department of Health and Human Services (“HHS”). If the breach involves more than 500 persons, the covered entity must also publish information about the breach through local media.
What You Need To Do To Avoid Penalties. Given this increased exposure, health care providers and their business associates should do the following to avoid HIPAA penalties:
1. Assign HIPAA responsibility. Covered entities must designate persons to serve as their HIPAA privacy and security officers, and document the designation in writing. The privacy and security officers are responsible for ensuring HIPAA compliance.
2. Know the use and disclosure rules. The basic privacy rules are simple: covered entities and business associates may not use, access or disclose protected health information without the patient’s valid, HIPAA-compliant authorization unless the use or disclosure fits within an exception. Covered entities and business associates may use or disclose protected health information for purposes of treatment, payment or certain health care operations without the patient’s consent; however, they may not use or disclose more than is minimally necessary for the permitted purpose. Additional exceptions apply to specific situations. The OCR maintains a very helpful website to aid covered entities’ compliance: http://www.hhs.gov/ocr/privacy/.
3. Know patients’ rights. HIPAA grants patients certain rights concerning their health information. Among others, patients generally have a right to obtain copies of their protected health information; request amendment to their information; and obtain an accounting of impermissible disclosures. Covered entities and business associates must know and allow patients to exercise their rights. Cignet Health was fined $4.3 million for, among other things, failing to timely respond to patient requests to access their health information.
4. Maintain written policies. HIPAA requires covered entities and business associates to develop and maintain written policies that implement the privacy and security rule requirements, including those dealing with confidentiality and patients’ rights. Having the required policies is a key to avoiding penalties. According to HHS, maintaining the required written policies is a significant factor in avoiding penalties imposed for “willful neglect.” Rite Aid paid $1,000,000 to settle HIPAA violations based in part on its failure to maintain required HIPAA policies. This week, a Phoenix cardiology group was fined $100,000 in part because it failed to have written policies required by HIPAA. To obtain a checklist of required policies, contact me at kcstanger@hollandhart.com.
5. Develop compliant forms. HIPAA requires that certain documents used by covered entities and business associates satisfy regulatory requirements. For example, HIPAA authorizations must contain certain elements to be valid. Covered entities must provide patients with a notice of privacy practices that contains certain statements. Other forms may be developed to ensure compliance with patient rights. Ensure your HIPAA forms satisfy the regulatory requirements.
6. Execute business associate agreements. Although HIPAA now applies directly to business associates, HIPAA still requires covered entities to execute “business associate agreements” with their business associates before disclosing protected health information to the business associate. Under proposed rules, business associates must execute similar agreements with subcontractors to whom the business associate discloses protected health information. The business associate agreements must contain certain elements. Breach of the business associate agreement exposes the business associate to contract claims by the covered entity in addition to civil or criminal penalties imposed by the government. Covered entities are generally not liable for the actions of their business associates unless the business associate is acting as the agent of the covered entity. Make sure your business associate agreements confirm that the business associate is an independent contractor, not your agent.
7. Train employees and agents. Having the policies and forms is only the first step; covered entities and business associates must train their employees to comply with the policies and document the training. HIPAA requires that new employees be trained within a reasonable period of time after hire, and as needed thereafter. Documented training is a second critical step to avoid HIPAA penalties. According to HHS commentary, covered entities may avoid HIPAA penalties based on the misconduct of a rogue employee so long as the covered entity implemented appropriate policies and adequately trained the employee.
8. Use appropriate safeguards. The government recognizes that patient privacy cannot be absolutely protected. HIPAA does not impose liability for “incidental disclosures” so long as the covered entity or business associate implemented reasonable administrative, technical and physical safeguards designed to protect against improper disclosures. The security rule contains detailed regulations concerning safeguards that must be implemented to protect electronic health information. The privacy rule is less specific. The reasonableness of safeguards depends on the circumstances, but may include, e.g., not leaving protected health information where it may be lost or improperly accessed; checking e-mail addresses and fax numbers before sending messages; using fax cover sheets; etc.
9. Respond immediately to any breach. This is critical for several reasons. First, HIPAA requires covered entities and business associates to investigate any privacy complaints, mitigate any breach, and impose appropriate sanctions against any agent who violates HIPAA. It may also require covered entities to terminate an agreement with a business associate due to the business associate’s noncompliance. Second, an entity may be able to ameliorate or negate any risk of harm to the patient by taking swift action, thereby avoiding the obligation to self-report HIPAA violations to the individual and HHS. Third, a covered entity or business associate can avoid HIPAA penalties altogether if it does not act with willful neglect and corrects the violation within 30 days.
10. Timely report breaches. If a breach of unsecured protected health information poses a risk of significant financial, reputational or other harm to the patient, business associates must promptly report the breach to covered entities, and covered entities must notify the patient within 60 days. If the breach involves fewer than 500 persons, the covered entity must notify HHS by filing an electronic report no later than 60 days after the end of the calendar year. If the breach involves 500 or more persons, the covered entity must file the electronic report when it notifies the patient. The written notice to the patient must satisfy regulatory requirements.
11. Document your actions. Documenting proper actions will help you defend against HIPAA claims. Covered entities and business associates are required to maintain documentation required by HIPAA for six years.
As I write this article, the Office of Management and Budget is reviewing new HIPAA regulations. Covered entities and business associates should watch for the new regulations and implement any additional changes as necessary.
For questions regarding this update, please contact:
Kim C. Stanger
Holland & Hart, 800 W Main Street, Suite 1750, Boise, ID 83702
email: kcstanger@hollandhart.com, phone: 208-383-3913
Beware Professional Courtesies
Many health care practices or facilities waive or discount co-pays or deductibles for other physicians, the physician’s family members, or the physician’s staff as a “professional courtesy.” Although often well-intentioned, such practices can violate state and federal laws and managed care contracts.
Courtesies to Referring Physicians. Giving professional courtesies to a physician or their family members will violate the federal Stark law if the physician refers certain designated health services payable by Medicare or Medicaid unless specific regulatory standards are satisfied, including the following:
Stark law violations require repayment of amounts received from Medicare and Medicaid for services rendered or items provided per improper referrals. Additional administrative penalties may apply.
Courtesies to Induce Referrals. Even if an arrangement satisfies Stark, it may still violate state and federal anti-kickback statutes if offered to induce referrals. The federal Anti-Kickback Statute prohibits soliciting, offering, or giving remuneration to induce referrals for items or services covered by federal health care programs, including Medicare or Medicaid. Similarly, the federal Civil Monetary Penalties Law prohibits offering inducements to federal program beneficiaries, including waiving co-pays and deductibles absent a showing of financial need. Violations of the federal statutes may result in significant criminal and administrative penalties. State anti-kickback laws may also apply.
Courtesies to Patients with Private Insurance. Even if no government health care programs are involved and there is no intent to induce referrals, state laws and managed care contracts may still prohibit waiving co-pays and deductibles. For example, Idaho Code § 41-348 prohibits engaging in a regular practice of waiving or rebating deductibles. Violations may result in a $5000 fine. In addition, most managed care contracts require providers to collect co-pays and deductibles; failure to do so may breach the contract. Blue Cross of Idaho recently sent a letter to providers warning of such actions.
The Bottom Line. Given the foregoing statutes, providers should ensure that their professional courtesy policies comply with the following: