Health Law Blog

Healthcare practitioners need to be aware of revised, heightened patient privacy requirements.  On January 17, 2013, the U.S. Department of Health and Human Services ("HHS") released new rules expanding protections afforded by the Health Insurance Portability and Accountability Act (“HIPAA”).  The rules are expected to place greater burdens on healthcare practices and affiliated entities than ever before.   

The new rule’s focus is two-fold: more individual protections for patients, and higher privacy protection obligations on practices and affiliated entities, with tougher penalties resulting from privacy breaches. 

More Individual Protections for Patients

Under the new rules, patients will have the right to receive electronic copies of their health information.  Practitioners will need to have electronic versions of medical records readily accessible.  Patients will have the added benefit of their treatment being protected from disclosure to health plans where they pay in full for their treatment.  The new rule also prohibits or places significant restrictions on the use of patient data for marketing or fundraising purposes.

Heightened Privacy Protection Obligations and Penalties

Under the new privacy rules, practices now must assume the worst-case scenario in the event of a possible privacy breach. Previous regulations had required a practice to notify affected patients and the federal government only if it determined that a breach involving patient records had occurred and that it carried a significant risk of financial or reputational harm to patients.  The new rules eliminate that standard and replace it with a stricter one. Now any incident involving patient records is assumed to be a breach, and unless a practice conducts a risk assessment that proves a low probability that any protected information was compromised, the breach must be reported.  Such assessments should be conducted in cooperation with knowledgeable counsel specializing in HIPAA-related issues. 

Practices are also going to be responsible for any breaches that occur as a result of actions or inactions of the practices’ business associates.  HIPAA typically has focused on health care professionals, health plans and other entities that process health insurance claims. But because some of the largest security breaches have involved business associates of plans, doctors and other professionals, HHS said it was extending many of the law’s requirements to these entities, as well as their subcontractors.

For healthcare practices, a business associate may be any firm that handles patient data, such as a storage provider or a shredding company. With contractors becoming as fully liable as everyone else affected by HIPAA, healthcare practices will be subject to penalties for actions of their business associates. For example, if someone paid to shred patient files instead throws the documents into a trash bin and causes a breach, the practice also is subject to enforcement violations caused by that business associate.

Potential penalties associated with these violations range from fines up to $1.5 million to criminal penalties in particularly egregious cases.  The government is expected to take a much more aggressive stance in investigating and enforcing potential privacy violations.

HOW TO PREPARE FOR NEW HIPAA REQUIREMENTS

Healthcare practices must urgently and aggressively tackle the new challenges presented by the changed privacy rules.  With the new rules becoming effective as of March 26, 2013, and compliance expected by September 23, 2013, healthcare practices must act fast. 

First, healthcare providers must review and revise all existing business arrangements and agreements with third parties to make sure that the contractors are compliant with the new privacy regulations.  The contactors’ privacy policies need to be carefully examined, and practices need to assure themselves that these policies are in fact followed. 

Healthcare practices will need to revise their notices of privacy practices to explain their relationships with business associates and their new status under the final rule. They also will need to explain the breach notification process. These notices must be displayed in prominent places in providers’ offices and on practices’ websites.

Joining a Hospital:  What every physician must understand before signing an employment contract.

It is very often the case that a young physician presented with an employment agreement from a hospital feels that there is absolutely no room for negotiation.  The key, as with any instance of leverage balance between contracting parties, is the initial impression and assessment of the benefit to each respective party.  And while it is true that certain industry-wide accepted provisions may be standard, many important terms of a hospital employment agreement can and should be negotiated.  And notwithstanding acceptance of any changes to the proposed terms of the agreement by the hospital-employer, what is most important for a physician is to fully understand the terms of the contract, which is a legally binding document.  Entering into an employment agreement without guidance of competent legal counsel specializing in healthcare law is a mistake that can impact the physician both financially and professionally. Therefore, a physician reviewing a proposed employment agreement should carefully analyze the terms and conditions of the contract and make sure that it reflects his or her understanding of the position offered.  If a physician discussed and agreed upon the particulars of the position with the employer, such as compensation, amount of call, vacation time, CME reimbursements, malpractice coverage and the like during an interview, all of these details must be accurately reflected in the written agreement.

The important provisions in any physician employment agreement pertain to compensation, benefits, professional liability coverage, duties, term and termination of the agreement as well as the effects of termination and the scope of the restrictive covenant. These clauses may often seem fairly straightforward. However these and numerous other important clauses in an employment agreement are likely to contain numerous and not so obvious details that may not be clearly understood by the physician and that may often be tweaked somewhat to the benefit of the physician-employee with the help of qualified healthcare counsel.  For instance, every physician considering hospital employment needs to consider what if any, is the bonus structure and will the physician be entitled to prorated bonus compensation in the event of early termination, what is the basis of the hospital compensation calculation and are there any dangerous clauses related to compensation, which simply must be negotiated out of the agreement such as a provision of “clawbacks” of compensation in the Relative Value Units or RUVs are not met.   

In sum, any physician considering hospital employment must be certain that he or she fully understands all the terms in the proposed employment agreement.  Physicians should remember that while it is generally not costly to have an agreement reviewed by an attorney practicing in the area of healthcare transactions but employment disputes occurring as a result of even an unintentional violation of a covenant contained in a contract are often considerable.  Therefore, it is of utmost importance that every physician presented with a hospital employment contract consult with a qualified attorney for clarification and proper counsel with respect to all the rights and obligations created under the terms of the proposed agreement. 

New York Assembly is considering a bill, A00183, that would eliminate the licensure requirement of citizenship or permanent residence where such requirement presently exists in the professions of, among others, chiropractic, dental hygiene and dentistry, massage, medicine, midwifery, pharmacy, professional engineering, veterinary medicine and veterinary technology.  If it becomes law, this bill would allow foreign individuals, after satisfying all licensing requirements, to practice these professions in New York State.  The bill is designed to attract qualified foreign individuals to work for New York institutions.  The bill's sponsors cite various problems for professionals who have been offered academic or clinical appointments in New York State institutions or who work for large corporations that do business in a number of different states.

 

New York has legislation pending that would require physicians to access computerized drug monitoring databases every time they write a prescription for a controlled substance.

New York officials found that of the 80,000 health care professionals licensed to prescribe pain medications and other controlled substances, only 47,000 have opened an account that would grant them access to the database that went live in February 2010. As of November 2011, only 2,216 had used the system.

Attorney General Eric Schneiderman issued a report on Jan. 11 showing that the number of prescriptions for narcotic painkillers in New York increased from 16.6 million in 2007 to 22.5 million in 2010.

Schneiderman drafted a proposed bill that would require the Dept. of Health to establish and maintain a database capable of real-time information capture. Schneiderman's proposal would require a check of the database every time a physician writes a prescription for a schedule II, III, IV, or IV controlled substance. Assemblyman Michael Cusick, a Democrat from Staten Island, and State Sen. Andrew Lanza, a Republican from Staten Island, are sponsoring the proposed bill.

The portion of the bill regarding a real-time database is meant to address a flaw in databases -- the information often is updated in an inconsistent and untimely manner.

What monitoring programs cover and how often they are updated vary from state to state. But generally, a physician is assigned a login and password to a database that shows what prescriptions a patient has filled and who has prescribed them. The information can be used either to initiate addiction treatment or to report illegal activity.

An estimated 20 million Americans 12 and older have used prescription drugs for nonmedical reasons, according to the National Institutes of Health. Forty-eight states have enacted legislation to create a prescription drug monitoring program to help combat the rising epidemic, according to the National Alliance for Model State Drug Laws. Thirty-seven of those states have a program up and running, but several have found use of the system is either very low or not keeping pace with the abuse the programs are meant to detect and reduce.

Physicians meeting criteria in 2011 to earn federal electronic medical record incentives will have more time before the Dept. of Health and Human Services requires them to satisfy tougher standards for attaining additional bonuses.

Doctors and hospitals who currently meet stage 1 meaningful use criteria would be able to vie for bonuses for an extra year under the same requirements, HHS Secretary Kathleen Sebelius announced on Nov. 30. These bonus recipients would not need to upgrade their EMR systems to comply with stage 2 standards until 2014, instead of 2013 under the initial plan.

The delay of stage 2 affects only physicians and hospitals who met stage 1 criteria in 2011. Doctors who will report meeting stage 1 requirements for the first time in 2012 will still be expected to meet stage 2 requirements starting in 2014. Before the new policy change, those who waited until 2012 to adopt would have had a later upgrade deadline but still would have been eligible to receive the same total bonus amounts as the early adopters.

Oct. 3 was the last day a physician could begin a 90-day reporting period for 2011, according to the Centers for Medicare & Medicaid Services. Physicians who met the requirements will have until Feb. 29, 2012, to register and attest to receive a bonus for 2011. Physicians can earn up to $44,000 over five years from the Medicare program or up to $63,750 over six years from Medicaid.