HIPAA and Data Issues
The Health Insurance Portability and Accountability Act (HIPAA) and its regulations have existed for over twenty years. Although most health care providers are familiar with its requirements, they are less familiar with the ways in which HIPAA is enforced. They are likewise unaware of how HIPAA investigations are initiated, the processes they follow, or the types of information the Department of Health and Human Services’ Office for Civil Rights (OCR) requires in the course of an investigation. Many also fear the imposition of stiff penalties, likely as a result of seeing headlines about multi-million dollar settlements by other providers. In “HIPAA Enforcement On the Books and In Practice: When It all Goes Wrong,” Dan addresses HIPAA enforcement, explaining both the regulatory provisions that govern it and how that enforcement plays out in practice. In addition to explaining the enforcement rule and how the OCR actually employs it, Dan also offers practical guidance based on personal experience in helping clients navigate HIPAA breaches without having to pay penalties or enter into settlement agreements.
On December 20, 2022, the Department of Justice announced an almost $45 million settlement with BioTelemetry, Inc. and its subsidiary CardioNet, LLC to resolve allegations of False Claims Act violations arising from submitting claims to federal health care programs for cardiac monitoring tests. The claims were alleged to be false because a portion of the monitoring services were performed overseas. More specifically, CardioNet had sent certain tests for federal health care beneficiaries to be reviewed by technicians based in India. Medicare will not pay for services that are performed outside of the United States or United States territories (e.g., Guam, Puerto Rico). Because the services in question were performed in India, this rendered the claims false. The settlement arose from a whistleblower lawsuit brought by two former CardioNet employees. Dan has examined these issues and the complications associated with using offshore personnel to perform services in “The Lure of Foreign Shores: Outsourcing of Overseas Health Care Functions.”
When things go wrong with software and IT providers, it is often almost impossible to find relief because of the way their contracts are written. Amazingly, a New Jersey health-care provider was allowed to proceed with its lawsuit against two health-care information technology firms that represented they could convert patient files from NextGen to Allscripts, computer software programs physicians use to track all aspects of patient care. Nearly 200,000 patient charts were corrupted when the conversion attempt failed. The plaintiff sued under the New Jersey Consumer Fraud Act, and the defendants argued the Act didn’t apply. The court had none of it. It found the defendants apparently offered a guarantee of results and professed to have expertise in the conversions when they had never done one before. The court found the risk of harm was obvious, the nature of the data was of public significance, and that the case could proceed. It offers tantalizing possibilities in contracting with IT and software vendors.
On December 13, 2016, Congress passed the 21st Century Cures Act, which, among other things, sought to promote electronic health record (“EHR”) interoperability by prohibiting the practice known as “information blocking” – where an EHR prevents the sharing of electronic health information (“EHI”). In addition, the Act sought to promote patient access to their own EHI. In May 2020, the Office of the National Coordinator for Health Information Technology (the “ONC”) published a final implementing rule, with compliance required by April 5, 2021.
Health care providers (including physicians), health information exchanges (HIEs), health information networks (HINs), and software developers must share with patients a specified range of information with some exceptions. While the right of a patient to access their records already exists under HIPAA, this new rule requires that information to be provided to patients immediately, such as through a patient portal. The regulations are complex, and include similar terminology to that used in the HIPAA regulations, but with different definitions (e.g., a “health care provider” is defined differently under the two sets of rules). Blocking of data includes the delay of data availability.
As a practical matter, health care providers must examine their policies and procedures, and revisit how and when they provide patients access to their EHI. This issue may be especially concerning to physicians who are not used to providing patients with such wide-ranging access to their records, or who otherwise place limits on how and when information is shared with patients (e.g., “We don’t send lab results to the patient portal until 2 days after the doctor has reviewed them.”). Existing practices and policies that may restrict patient access to information will need to be carefully considered. Dan has developed a DFS List as a practical checklist to begin confronting this challenge.
The use of offshore services and personnel to contribute to the delivery of health care has a long-standing presence in health care. Yet state law, federal reimbursement principles and other federal laws create barriers to the use of overseas personnel, resources, information technology and more in the delivery of health care. Issues of whether supervision can be rendered from afar, licensure requirements, HIPAA restrictions and Medicare reimbursement prohibitions create a challenging context in which to make these arrangements work. Dan Shay explores all of this and offers practical contractual language to use in any of these undertakings in his article "The Lure of Foreign Shores: Outsourcing of Overseas Health Care Functions" in the 2021 edition of the Health Law Handbook.
Electronic health records (“EHRs”) are a fact of life in the current healthcare industry, with adoption of EHRs having increased steadily since the early 2000s, and especially in connection to Medicare’s Meaningful Use program. But most physician practices will not keep the same EHR software forever. Changes in certification requirements, software obsolescence and patches that change how the software functions, as well as practice mergers and sales can all lead physicians and physician practices to switch EHRs. In “Maintaining EHR Records Access – Legal and Technical Risks”, Dan discusses what happens to physicians’ records when switching EHRs. It is a physician’s duty to maintain access to their records, and this article provides insight into issues surrounding this subject.
In “What Are the Legal Risks Associated with Social Media and Online Review Sites?”, Dan examines potential problems for health care practitioners in the social media context, and with respect to online review sites. Managing one’s online reputation is a relatively new business aspect for those in health care, and sometimes one’s initial instincts may not be the smartest move. This article discusses both practical and legal considerations that health care practitioners should bear in mind before deciding how and when to respond online.
With the reemphasis on 'transparency' in health care quality policy, more and more quality information about providers will be made available. The commercial value of provider data is also increasing. Providers enter into many contractual relationships where data about them may be in play, even if that is not the focus of the relationship. For example, a managed care contract, a practice management company relationship, obtaining an electronic medical record from a software vendor, or hiring a billing company are all relationships where significant provider data will be at issue. In "Commerce in Provider Data: What, Why and Provider Contractual Controls" Daniel Shay looks at what is proprietary to a provider, considers who is reporting data and why, and, offering actual contract language as well as case law, addresses contractual protections providers should think about in entering into relationships with a range of other entities.
The last five years have heard a relentless call for information technology dissemination to improve quality and lower costs in health care. Electronic health records (EHR) have been touted as the first and most important step to a real technology revolution. For physicians, though, the cost of EHR implementation has often proven prohibitive. The Stark and anti-kickback protections for donated medical records were expected to jumpstart this effort. Not so fast. In his consideration of downstreamed EHR licenses, Dan Shay takes his primer on EHR license agreements a step further in explicating the special complications of tri-partite license agreements. What happens on termination is at least as important as what is entailed in implementation.
For quality to advance in this country, it is becoming increasingly clear that universal electronic medical records will be necessary. Proposed regulations to permit hospitals to provide record systems to their physicians have been published under Stark. Many physician practices are looking to obtain these programs. Whatever the source of an electronic health record system, it is certain there will have to be a license agreement by which the practice obtains access to the software, unless it builds its own. In "A Primer on Electronic Health Records License Agreements", Daniel Shay reviews the context for these contracts, elucidates their common features based on reviews of real-life documents, and points out pitfalls that physician practices should avoid in obtaining access to these vital practice accessories. In a practical, easily applied application of the deeper issues addressed in the primer, Daniel has also offered guidance on “Top Ten Questions To Ask When Looking At An EHR License Agreement.”