Five-Physician Cardiac Surgery Practice Paid $100,000 to Resolve HIPAA Investigation

On April 17, 2012, the U.S. Department of Health and Human Services (HHS) announced a Resolution Agreement with a five-physician practice, Phoenix Cardiac Surgery, P.C. (the Practice).  The agreement requires the Practice to pay $100,000 to resolve alleged HIPAA violations and to implement a corrective action plan.  The Office for Civil Rights (OCR), which enforces HIPAA, alleged that the Practice had posted electronic protected health information (ePHI) on a publicly accessible Internet-based calendar and had emailed ePHI to employees’ personal Internet-based email accounts.  After investigating the complaint, OCR reviewed the Practice’s HIPAA compliance for the preceding six years and found it wanting.

Small physician groups have largely flown under the radar when it comes to HIPAA compliance, but times are changing.  The director of OCR made this point explicitly in HHS’s press release on the settlement:

“This case is significant because it highlights a multi-year, continuing failure on the part of this provider to comply with the requirements of the Privacy and Security Rules,” said Leon Rodriguez, director of OCR.  “We hope that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.”

This is a wake-up call to all providers of health care services.  Appropriate HIPAA policies, Business Associate Agreements with vendors who have access to protected health information, and workforce training are mandatory for every health care provider that qualifies as a “covered entity” under the regulations, regardless of size.

$1.5 Million HIPAA Settlement After Breach Report Triggered Enforcement

On March 13, 2012, the U.S. Department of Health and Human Services (HHS) issued a news release publicizing its $1.5 million settlement with BlueCross BlueShield of Tennessee (BCBS).  The settlement resulted from a HIPAA enforcement action commenced after BCBS itself reported the theft of 57 unencrypted computer hard drives containing electronic protected health information (ePHI).  BCBS also agreed to a “Corrective Action Plan” to bring its HIPAA compliance program up to regulatory standards.  Implementation of the revised Privacy and Security policies will be monitored as a condition of the settlement.  If BCBS fails to follow the Corrective Action Plan, then, pursuant to the Resolution Agreement, HHS may impose a civil money penalty for HIPAA violations.

A brief look at the Corrective Action Plan is useful for any entity required to comply with HIPAA, because it is far better to meet compliance standards voluntarily, and in the way HHS expects, than under the terms of a settlement:

  • Update HIPAA policies and procedures, including conducting a risk assessment of vulnerabilities and implementing a reasonable risk management plan that includes physical safeguards and facility access controls;
  • Distribute the HIPAA policies and procedures to all workforce members having access to ePHI.  Have them certify that they have read, understand, and will abide by these policies and procedures, and do not permit access to ePHI without this certification; and
  • Train all members of the workforce with access to ePHI, and train new workforce members within 30 days of beginning service.  Maintain records of training certification and of the training materials used.

Ultimately, each entity is responsible for complying with the HIPAA Privacy and Security regulations in a manner that addresses the particular risks and vulnerabilities of that entity.

Fair Labor Standards Act: Rounding Hours Worked

The federal Fair Labor Standards Act (FLSA) requires covered employers to pay non-exempt employees overtime for all hours worked over forty (40) in a given workweek.  Failing to count all hours worked, or portions of them, can result in an overtime violation because the employer has not fully accounted for the hours worked in excess of forty (40) during the workweek.

Many employers track employee hours in fifteen (15) minute increments, and the FLSA allows an employer to round employee time to the nearest quarter hour.  However, an employer may violate the FLSA’s overtime requirement if it always rounds down when the employee works less than a full fifteen-minute increment.  Employee time of one to seven minutes past a quarter-hour boundary may be rounded down and not counted towards hours worked, but employee time of eight to fourteen minutes must be rounded up and counted as a full quarter hour of worked time.  See 29 CFR § 785.48(b).

In a fact sheet explaining common FLSA violations discovered by the United States Department of Labor’s Wage and Hour Division (WHD) during its investigations in the health care industry, the WHD provided the following examples of how an employer may, and may not, round an employee’s hours worked:

Example #1:

An intermediate care facility docks employees by a full quarter hour (15 minutes) when they start work more than seven minutes after the start of their scheduled shift.  Does this practice comply with the FLSA requirements?  Yes, as long as the employees’ time is rounded up a full quarter hour when the employee starts working from 8 to 14 minutes before their shift or if the employee works from 8 to 14 minutes beyond the scheduled end of their shift. 

Example #2:

An employee’s schedule is 7:00 a.m. to 3:30 p.m., with a thirty minute unpaid lunch break.  The employee receives overtime compensation after working more than forty (40) hours in a workweek.  The employee clocks in 10 minutes early every day and clocks out 7 minutes late each day.  The employer follows the standard rounding rules.  Is the employee entitled to overtime compensation?  Yes.  If the employer rounds back a quarter hour each morning to 6:45 a.m. and rounds back each evening to 3:30 p.m., the employee will show a total of 41.25 hours worked during that workweek.  The employee will be entitled to additional overtime compensation for 1.25 hours.

Example #3:

An employer only records and pays for time if its employees work in full 15 minute increments.  An employee paid $10 per hour is scheduled to work 8 hours a day Monday through Friday, for a total of 40 hours a week.  The employee always clocks out 12 minutes after the end of her shift.  The employee is paid $400 per week.  Does this comply with the FLSA?  No, the employer has violated the overtime requirements.  The employee worked an hour each week (12 minutes times 5) that was not compensated.  The employer owes the employee for one hour of overtime each week.
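The three WHD examples above all turn on the same mechanical rule, so here is an added worked example (not part of the original post or of the WHD fact sheet) that implements nearest-quarter-hour rounding under 29 CFR § 785.48(b) and runs a week of time-clock punches through three policies: the actual unrounded time, compliant nearest-quarter rounding, and the always-in-the-employer's-favour rounding the text warns about. The punch times are constructed from Examples #2 and #3; Example #3 assumes an 8:00 a.m. to 4:00 p.m. shift with no unpaid break, which the fact sheet does not state.

```python
"""Quarter-hour rounding of time-clock punches under 29 CFR 785.48(b).

Added example, not code from the original post or the WHD fact sheet.
Punch times below are constructed from WHD Examples #2 and #3.
"""

WEEKLY_OVERTIME_THRESHOLD_MIN = 40 * 60


def to_minutes(hhmm: str) -> int:
    """'06:50' -> 410 (minutes since midnight)."""
    hours, minutes = (int(part) for part in hhmm.split(":"))
    return hours * 60 + minutes


def round_quarter(minutes: int, direction: str) -> int:
    """Round a punch (minutes since midnight) to a 15-minute boundary.

    'nearest' implements 785.48(b): 1-7 minutes past a boundary round down,
    8-14 minutes round up.  'up' and 'down' always move in that direction and
    are used only to model the non-compliant employer-favourable practice.
    """
    remainder = minutes % 15
    if remainder == 0:
        return minutes
    if direction == "nearest":
        return minutes - remainder if remainder <= 7 else minutes + (15 - remainder)
    if direction == "down":
        return minutes - remainder
    if direction == "up":
        return minutes + (15 - remainder)
    raise ValueError(f"unknown direction {direction!r}")


def paid_minutes_for_shift(clock_in: str, clock_out: str, unpaid_break: int, policy: str) -> int:
    """Paid minutes for one shift under a rounding policy.

    'actual'   : no rounding, the time actually worked
    'nearest'  : compliant nearest-quarter-hour rounding of both punches
    'employer' : start rounded later, end rounded earlier, i.e. always in the
                 employer's favour, the practice that violates the FLSA
    """
    start, end = to_minutes(clock_in), to_minutes(clock_out)
    if policy == "nearest":
        start, end = round_quarter(start, "nearest"), round_quarter(end, "nearest")
    elif policy == "employer":
        start, end = round_quarter(start, "up"), round_quarter(end, "down")
    elif policy != "actual":
        raise ValueError(f"unknown policy {policy!r}")
    return end - start - unpaid_break


def weekly_paid_minutes(shifts, policy: str) -> int:
    """Sum of paid minutes over a list of (clock_in, clock_out, unpaid_break) shifts."""
    return sum(paid_minutes_for_shift(i, o, b, policy) for i, o, b in shifts)


def overtime_hours(total_minutes: int) -> float:
    """Hours over 40 in the workweek that must be paid at the overtime rate."""
    return max(0, total_minutes - WEEKLY_OVERTIME_THRESHOLD_MIN) / 60


# Constructed from WHD Example #2: 7:00 to 3:30 schedule, 30-minute unpaid lunch,
# clocks in 10 minutes early and out 7 minutes late, five days a week.
EXAMPLE_2 = [("06:50", "15:37", 30)] * 5

# Constructed from WHD Example #3: 8-hour shift (assumed 8:00 to 4:00 with no
# unpaid break; the fact sheet does not say), clocks out 12 minutes late daily.
EXAMPLE_3 = [("08:00", "16:12", 0)] * 5


def audit(shifts) -> dict:
    """Overtime hours the week yields under each policy, for side-by-side comparison."""
    return {policy: overtime_hours(weekly_paid_minutes(shifts, policy))
            for policy in ("actual", "nearest", "employer")}


if __name__ == "__main__":
    for name, shifts in (("Example #2", EXAMPLE_2), ("Example #3", EXAMPLE_3)):
        print(name, audit(shifts))
```

For Example #2 the `nearest` policy credits 41.25 hours and 1.25 hours of overtime, as the fact sheet states, while the `employer` policy pays exactly 40 and hides the overtime. For Example #3 the `actual` figure reproduces the one unpaid hour the fact sheet cites (12 minutes times 5), `nearest` credits 1.25 hours, and `employer` again shows none. The audit is the kind of check a payroll or compliance reviewer would run over a timekeeping export before an investigator does.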

OIG Posts "Compliance 101" Resources Web Page

On March 5, 2012, the Office of Inspector General (OIG) posted its Compliance 101 web page, with links to a wealth of easily accessible educational materials and guidance for the health care industry.

General Compliance Materials by Industry.  Industry-specific guidance has been compiled on a linked page, providing access to a series of OIG voluntary compliance programs for health care industry members, including hospitals, physician practices, nursing homes, third-party billers, pharmaceutical manufacturers, HHS and PHS research grant recipients, and durable medical equipment suppliers.  The industry guidance, issued over the last several years, identifies high-risk areas for each industry segment, so that compliance efforts can be focused.

Provider Compliance Training.  The Compliance 101 page links to a page collecting provider compliance education materials, including recently developed video and audio podcasts, webcasts, and written presentation materials on such topics as the federal fraud and abuse laws, the Anti-Kickback Statute, the Physician Self-Referral law (Stark), operating an effective compliance program, tips for the OIG Self-Disclosure Protocol, enforcement, and health reform information.  These materials are in many ways a ready-made, easy-to-use training program on general compliance.

Compliance Education for Health Care Boards.  Video and presentation materials, and a toolkit for health care leaders, geared to helping directors create a corporate culture of high-quality care and compliance, are available through a link from the Compliance 101 web page.

Compliance Education Materials for Physicians.  The OIG web page also provides a link to its recently issued pamphlet entitled "A Road Map for New Physicians," which should be used by every hospital and physician practice to educate physicians in complying with the five most important fraud and abuse laws which govern relationships with payers, vendors, fellow physicians and other providers.

The Compliance 101 page is a helpful compilation of OIG resources and compliance guidance, but remember: compliance remains the responsibility of the individual members of the health care industry, who are also responsible for staying current with regulatory changes and developments.


New Statement Required in Informed Consents for Clinical Trials Initiated March 7, 2012

The FDA has recently issued guidance on the new statement that must be included in “informed consent” forms for clinical trial participants.  Sponsors, investigators, and review boards conducting an “applicable clinical trial” of drugs, biological products, or devices involving human subjects must inform participants of the availability of clinical trial information at www.ClinicalTrials.gov in order to comply with the new FDA regulation, 21 CFR § 50.25(c).

The following statement, word for word, must be included in the participant consent or in the consent of parents/guardians of child participants:

“A description of this clinical trial will be available on http://www.ClinicalTrials.gov, as required by U.S. Law.  This Web site will not include information that can identify you.  At most, the Web site will include a summary of the results.  You can search this Web site at any time.”

The requirement is not retroactive, so re-consents will not be needed for ongoing clinical trials as long as the IRB approved the consent form before March 7, 2012.  If the potential participants are non-English speaking, the statement should be translated.  The statement must also be included in participant consents for FDA-regulated trials conducted overseas.  For non-compliance, the FDA may seek administrative, civil, and criminal penalties.

Social Media Policies: NLRB Issues Guidance

On January 24, 2012, the National Labor Relations Board (NLRB) released an Operations Management Memo detailing recent agency decisions on whether employees were properly disciplined for social media conduct.  The take-away from the NLRB’s web release is that “employer policies should not be so sweeping that they prohibit the kinds of activity protected by federal labor law, such as the discussion of wages or working conditions among employees.”  This guidance matters to both unionized and non-unionized workplaces, because the NLRB has jurisdiction over most private-sector employers, including not-for-profits, whose revenues meet its jurisdictional thresholds (the figure cited for health care institutions is $250,000), excluding agricultural, railroad and airline employers.

In each case, the NLRB reviewed the employer’s social media and confidentiality policies that had been the basis for employee discipline to determine whether those work rules improperly restricted employees’ rights to engage in “Section 7” activity under the National Labor Relations Act.  Section 7 activity is concerted employee activity in which an employee initiates, or acts with the authority of, other employees to address the terms and conditions of employment for the mutual aid and protection of employees.  Where employers were found to have vague or overbroad policies, the NLRB called for them to include clear definitions, examples of prohibited conduct, and/or limiting language clarifying that the policy does not restrict protected Section 7 concerted activity.

Below are some examples from the three categories of social media policies discussed in the memo: explicitly restrictive of Section 7 rights, overbroad, and lawful/acceptable.  Many of the invalidated provisions will surprise employers, since they are commonly used in social media policies.

A.       Policy failures--explicit restriction of concerted activity:

  • Policy prohibiting employees from “making disparaging comments about the company through any media, including online blogs, other electronic media or through the media.”  [Problem: would reasonably be construed to restrict Section 7 activity.]
  • Policy restricting use of the Employer’s confidential and/or proprietary information, under which, in external social networking situations, employees should generally avoid identifying themselves as the Employer’s employees unless there was a legitimate need to do so or they were discussing terms and conditions of employment “in an appropriate manner.”  [Problem: employees have a Section 7 right to discuss their wages and other terms and conditions of employment; the policy prohibits “inappropriate” discussions without defining them, and the “savings clause” at the end of the policy, stating that it should not be read to interfere with Section 7 rights, did not remove the chill because it could not be understood to clarify which discussions were “inappropriate.”]
  • Policy prohibiting employees from disclosing or communicating confidential, sensitive, or non-public information concerning the company, on or through company property, to anyone outside the company without prior approval of senior management or the law department.  [Problem: a policy that precludes employees from discussing terms and conditions of employment, or from sharing information about themselves or fellow employees with outside parties, violates the Act.]

B.      Policy failures--overbroad language (lacked clear definitions, examples, and limiting language):

  • Policies prohibiting “unprofessional communication,” “disrespectful conduct,” “inappropriate conversation,” or “inappropriate postings.”
  • Policy prohibiting employees from using social media to “engage in unprofessional communication that could negatively impact the Employer’s reputation or interfere with the Employer’s mission,” or regarding members of the Employer’s community.
  • Policy prohibiting use of the company’s name or service marks in social media.  [Reason: the employer’s proprietary interests were not implicated by employees’ non-commercial use in Section 7 activity.]

C.      Approved policies:

  • Policy prohibiting the use of social media to post or display comments about coworkers, supervisors, or the Employer that are vulgar, obscene, threatening, intimidating, harassing, or a violation of the Employer’s workplace policies against discrimination, harassment, or hostility on account of age, race, religion, sex, ethnicity, nationality, disability, or other protected class, status, or characteristic.  [Reason: the prohibited conduct would not reasonably be understood to restrict Section 7 activity.]
  • Policy requiring employees not to refer to the company in social networking where necessary to ensure compliance with securities regulations and other laws.
  • Policy prohibiting employees from using or disclosing personal health information about patients.

Because social media law is still developing, and involves the application of federal labor and employment law and administrative agency guidance to specific situations, employers would do well to consult legal counsel before implementing social media rules or policies, or enforcing discipline based on those workplace rules.  Our prior blog post reviewed the NLRB’s first report on its social media decisions.


Recent New York Court of Appeals Decision Impacts Use of Patient Medical Records in Assisted Outpatient Treatment Proceedings

In a prior blog post, I discussed the benefits of, and procedure for obtaining, Assisted Outpatient Treatment (AOT).  The New York Court of Appeals last year issued a decision In the Matter of Miguel v. Barron that may have implications for mental health providers during the AOT application process and perhaps for other mental hygiene related proceedings. 

In Miguel, the New York City Department of Health and Mental Hygiene (the Department) applied to the court for AOT for the patient, Miguel M.  At the hearing, the Department offered into evidence medical records from a hospital that had treated Miguel M., in order to show that he had been admitted to a mental health facility at least twice within the preceding 36 months as a result of non-compliance with treatment (a necessary requirement for AOT).  The medical records were admitted into evidence over Miguel M.’s objection, and testimony about their contents was permitted.  The testimony revealed that the treating hospital had furnished the records in response to an informal request by the Department, and that Miguel M. had neither consented to the disclosure nor been given notice of the Department’s request.

The case made its way to the Court of Appeals, which analyzed the privacy protections afforded to patients like Miguel pursuant to the Health Insurance Portability and Accountability Act (HIPAA) and New York State law. In particular, the Court of Appeals reviewed the HIPAA Privacy Rule set forth at 45 C.F.R., Parts 160 and 164, and the exceptions that permit disclosure of medical records without patient authorization for purposes of “public health” and “treatment.”  The Court concluded that neither exception permitted the disclosure of Miguel M.’s medical records in the absence of his consent.  Ultimately, the Court held that the Department should have obtained Miguel’s medical records by court order or by service of a subpoena with notice to Miguel M.  

The Court’s ruling in Miguel may present administrative and legal challenges to providers that treat patients with mental illness, and could extend beyond AOT proceedings to hearings for retention and for treatment over objection.  Providers cannot rely on the “treatment” exception to the HIPAA Privacy Rule to obtain another provider’s patient records for such proceedings.  Rather, if a patient refuses to consent to the disclosure of his or her medical records, the provider must (i) serve a subpoena with notice to the patient and/or (ii) apply to the court for an order directing disclosure of the records.  Either option means the facility incurs legal expenses.  However, failing to use one of these methods may result in the preclusion of those medical records, and their contents, at the patient’s hearing.

Using Information Technology to Detect Health Care Fraud

The prevention and detection of Medicaid fraud and abuse was the general theme of the New York State Bar Association Health Law Section meeting held on January 25, 2012.  While speakers from various governmental agencies and private attorneys addressed the topic from different perspectives, one sub-theme emerged across the board: the government has increasing authority and ability to collect, store, and use the information that participants in the health care world are required to disclose.

More than one speaker boasted about the wealth of information available at his or her fingertips.  An ever-increasing number of health care related entities must make information available to the government, which in turn may disclose that information to the general public via the Internet.  The importance of information technology in this process cannot be overstated.

Below are several points addressed by the speakers.

  • Early detection of fraud.  The strategy of the Center for Program Integrity (CPI) within the Centers for Medicare & Medicaid Services (CMS) is to prevent payment of fraudulent claims by screening providers and spotting fraudulent practices before claims are ever paid.  To accomplish this, CPI has created a state-of-the-art Medicaid data analysis management information system that captures and stores certain state Medicaid data.  Algorithms have been developed and applied to detect payment anomalies, leading to the recovery of fraudulent payments and the identification of targets for audits.
  • Sharing of information across states.  Information stored electronically can be made available to multiple users.  For example, CPI has developed a platform for states to share information with one another on terminated providers and suppliers.  A provider who has been terminated from participation in one state’s Medicaid program can now be identified by regulators in other states.  This sounds a death knell for a terminated provider, since under 42 CFR § 455.416(c) a state Medicaid agency must deny enrollment, or terminate the enrollment, of any provider that is terminated on or after January 1, 2011 under Medicare or under the Medicaid program or CHIP of any other state.
  • Sunshine Act.  This law requires that, by March 31, 2013, manufacturers of pharmaceutical, device, biological, and other medical supplies report payments and gifts to physicians and teaching hospitals.  The name, address, and NPI of the recipient must be reported, along with a description of the form of payment, its value, and the dates on which payments were made.  This information will be made public on the website of the Department of Health and Human Services by September 30, 2013.  Even where payments are legitimate and violate no fraud or abuse law, there is sure to be great interest from the press and others in this information.

For health care providers, it is important not only to be aware of ever-changing disclosure requirements, but also to be cognizant that the information you disclose may be used by many different readers for many different purposes.

New York Hospital Paid Millions to Settle Stark Physician Recruitment Claims Made by Whistleblower

On January 25, 2012, the United States Department of Justice issued a press release announcing its settlement of a False Claims Act matter with Cayuga Medical Center of Ithaca, New York (the “Hospital”), for $3,576,056, in connection with recruitment agreements that allegedly violated the Stark regulations.  The settlement resolves a lawsuit filed by Dr. David Jorgenson, a physician who was a party to one of the allegedly flawed contracts.  The False Claims Act permits a whistleblower to file a lawsuit on behalf of the United States and to share in any recovery.  Dr. Jorgenson received $566,955, described as an 18% share of the settlement proceeds, for reporting his concerns and cooperating in the litigation.  The State of New York also received part of the settlement, related to Medicaid recoveries.

This case is significant because the Hospital had self-disclosed four recruitment arrangements under the OIG’s Self-Disclosure Protocol six months before Dr. Jorgenson filed his qui tam lawsuit against the Hospital.  Dr. Jorgenson asserted a claim relating to his own contract, which had already been disclosed confidentially to the government, along with an additional claim relating to an undisclosed recruitment contract.

In general, if a hospital-physician practice recruitment contract violates the Stark law, the hospital must return all of the proceeds of Medicare and Medicaid claims for designated health services furnished in the hospital that arose from referrals by any of the physician owners of the practice during the period of non-compliance.

The recruitment contracts here were alleged to have become non-compliant after they were signed, due to changes made in the Phase II Stark regulations.  The government’s position that existing contracts are not grandfathered and must comply with subsequently issued Stark regulations has not been tested in any published court opinion, but the Hospital self-disclosed, and the parties settled, without seeking a judicial determination of the issue.  The settlement was structured so that the government took less of the recovery and shared the proceeds with the whistleblower, in order to encourage others to follow this physician’s example of disclosure and cooperation.

To avoid this type of scenario:

  • when self-disclosing regulatory non-compliance, disclose all instances;
  • when regulations change, review prior arrangements to ensure they remain compliant, especially recruitment contracts with ongoing benefits or loan forgiveness dated before July 26, 2004 (the Stark Phase II effective date); and
  • recognize that physicians and others with knowledge may serve as whistleblowers, as the government offers statutory incentives for private individuals to participate in corrective litigation in order to improve the integrity of the federal health care programs.


High School Diploma Requirements Must Be Job Related to Withstand ADA Scrutiny

The United States Equal Employment Opportunity Commission’s (EEOC) Office of Legal Counsel recently issued an informal discussion letter in response to an inquiry as to whether the Americans With Disabilities Act (ADA) prohibits the State of Tennessee from requiring students with learning disabilities to take “Gateway tests” or “end-of-course assessments” in order to receive their “full” high school diplomas.  The inquiry was apparently prompted by concern that some individuals cannot obtain a high school diploma, and therefore cannot obtain jobs requiring one, because their learning disabilities caused them to perform unsatisfactorily on the end-of-course assessments.

In the discussion letter, EEOC noted that under the ADA:

[A] qualification standard, test, or other selection criterion, such as a high school diploma requirement, that screens out an individual or a class of individuals on the basis of a disability must be job related for the position in question and consistent with business necessity.  A qualification standard is job related and consistent with business necessity if it accurately measures the ability to perform the job’s essential functions (i.e. its fundamental duties).  Even where a challenged qualification standard, test, or other selection criterion is job related and consistent with business necessity, if it screens out an individual on the basis of disability, an employer must also demonstrate that the standard or criterion cannot be met, and the job cannot be performed, with a reasonable accommodation.

As a result, it is EEOC’s position that, if an employer adopts a high school diploma requirement for a job, and that requirement effectively “screens out” individuals who are unable to graduate because of an impairment that meets the ADA’s definition of “disability,” the employer may not apply the standard unless the employer can demonstrate that the diploma requirement is job related and consistent with business necessity.  The employer will not be able to make this showing, for example, if the job’s essential functions can be performed by someone who does not have a diploma.

The EEOC also noted that, even if the diploma requirement is job related and consistent with business necessity, the employer may still have to determine whether a particular applicant whose learning disability prevents him from meeting the diploma requirement can perform the essential functions of the job, with or without a reasonable accommodation.  It may do so by considering the applicant’s relevant work history and/or by allowing the applicant to demonstrate an ability to perform the job’s essential functions during the application process.  However, the employer is not required to prefer the applicant with an impairment over other applicants who are “better qualified.”