HHS Seeks Public Comment on the HIPAA Privacy Rule

Earlier today the U.S. Department of Health and Human Services Office of Civil Rights (HHS OCR) issued a Request for Information (RFI) seeking public input on the HIPAA Privacy Rule. Specifically, HHS OCR is interested in how the HIPAA Privacy Rule could be modified to further Secretary Azar’s goal of promoting coordinated, value-based health care. This is the latest RFI issued as part of the “Regulatory Sprint to Coordinated Care” initiative being spearheaded by Deputy Secretary Eric Hargan. Previous RFIs have sought information regarding the Stark Law and Anti-Kickback Statute. In the press release announcing the HIPAA RFI, HHS OCR emphasized its ongoing commitment to protect individual privacy and health information, while recognizing that current rules “may limit or discourage information sharing needed for coordinated care or to facilitate the transformation of value-based health care.” The announcement cites stories heard in addressing the opioid crisis about how the HIPAA Privacy Rule stood in the way of needed care. Health care providers and entities are encouraged to submit any information regarding HIPAA provisions that currently present barriers to coordinated, value-based care without meaningfully adding to patient privacy and security of PHI. … Continue reading

Posted in Health Care, HIPAA


Required Reporting of Privileged Information

Arizona physicians must report to the Medical Board “any information that appears to show that a doctor of medicine is or may be medically incompetent, is or may be guilty of unprofessional conduct or is or may be mentally or physically unable to safely engage in the practice of medicine.”   A.R.S. § 32-1451(A).  In fact, failure to make such a report is an act of unprofessional conduct.  Id. Physicians typically learn of the unprofessional or incompetent practice of others either: (1) when seeing a new patient for the first time and learning of their past providers’ practices; or (2) witnessing the potentially unprofessional practices of colleagues or peers.  Occasionally, however, a physician may have another provider as her patient.  In this case, if a medical condition is causing the patient to be “mentally or physically unable to safely engage in the practice of medicine,” the treating physician likely has an obligation to report her patient to the Arizona Medical Board.  See id. The obligation and potential report, however, raise concerns for physician-patient privilege, HIPAA protections, and other privacy issues.  The Arizona Medical Board has taken the position that these concerns … Continue reading

Posted in direct primary care, Health Care, HIPAA


Nevada’s Direct Primary Care Crisis

In 2012, Turntable Health opened its doors in downtown Las Vegas with one goal—providing preventive healthcare at a reasonable cost. As a direct primary care (“DPC”) clinic, Turntable Health offered unlimited access to primary care physicians for a monthly fee. Only five years after opening, Turntable permanently closed in January 2017, citing an inability to reconcile its practice with the economic demands of the healthcare industry.  Following Turntable’s lead, an industry forerunner based out of Seattle, Qliance Medical Management, closed in May.  These closures leave medical professionals and patients in Nevada questioning DPC’s viability and, in consequence, its future. While large-scale DPC providers like Turntable and Qliance are a relatively new concept, small DPC practices have existed for decades.  Under the DPC practice model, physicians offer contracts that allow patients to pay low monthly fees for unlimited access to primary care services, discounted blood work, and prescriptions.  However, DPC memberships do not cover all healthcare needs, including costly hospitalizations, specialist visits, and surgery. For that reason, providers suggest—and federal law requires—that patients hold, at a minimum, high-deductible health plans.  Rather than a standalone healthcare solution, a DPC membership is one … Continue reading

Posted in direct primary care, Health Care, Uncategorized


Arizona Enacts “Surprise Out-Of-Network” Balance Billing Law

by Paul Giancola

Arizona has joined the national trend of trying to solve the “problem” of “surprise medical out-of-network bills.” The prevalence of this concern was reported in the New England Journal of Medicine which stated that 22% of patients who visited an emergency department received a surprise bill from an out-of-network provider. A “surprise bill” arises when an enrollee of a health plan receives care, and a medical bill, from a health care provider who does not belong to their health insurer’s provider network. These bills are typically for medical services that are rendered at an in-network health care facility or at the request of an in-network physician. The enrollee is then billed by the out-of-network provider for the remaining amount of the charge that is the difference or the “balance” of the charge less the allowable insurance amount paid under the enrollee’s health plan. In contrast, in-network providers are generally prohibited from balance billing a patient under their plan contracts. The Arizona Senate Bill 1441, signed on April 24, 2017 by Governor Ducey, amends Title 20 of the Insurance Law, Section 20-3102 by adding Article 2 “out-of-network claim … Continue reading

Posted in Health Care, surprise bill


(Un)Protected Health Information Held for Ransom

Recent experiences of major health care companies offer a reminder of the importance of data security and following a well-written policy for compliance with the HIPAA Privacy Rule. Lithuanian police reported on Tuesday that a hacking group had illegally obtained and published over 25,000 private photos and personal data from a chain of European plastic surgery clinics. According to the report, hackers made the theft known and demanded a $385,000.00 ransom for the data.  When the demands for payment were refused, the information was published on the Internet.  The investigation is in its early stages and it is not clear how many individual patients are affected. Although this breach involves a European provider, not covered by HIPAA, it highlights the value and vulnerability of healthcare data. In fact, there have been reports of similar breaches involving potentially millions of American patients.  Data security experts have estimated that nearly 1 million new malware threats are released every day, with ransomware being the most common type. The HIPAA Privacy Rule (42 C.F.R. Part 164) requires covered entities to implement administrative, physical, and technical safeguards to guard against the breach of protected health … Continue reading

Posted in Health Care, HIPAA, Uncategorized


HIPAA and the Cloud’s Shared Responsibility Models

Cloud-based service providers (CSPs), like Amazon Web Services and Microsoft Azure, offer online access to shared computing resources. As such, they have developed a “shared responsibility model” for how CSPs and companies that use their cloud services will share responsibilities when it comes to ensuring security in the cloud. A lot of companies believe that, if they host protected health information (PHI) with a CSP, it is the CSP that is ultimately responsible for ensuring HIPAA compliance. That is NOT the case. While the CSP will generally be responsible for ensuring that their cloud infrastructure is secure under the HIPAA rules, companies using the cloud services are responsible for ensuring the use and disclosure of their own PHI, as well as any of their platforms, applications, and operating systems that live in the cloud, comply with HIPAA.

Business Associate Agreements

CSPs that want to do business with a company that is subject to HIPAA (like a hospital or physician) will need to sign a Business Associate Agreement (BAA) with that company before any PHI is transmitted or uploaded. Under this BAA, the CSPs generally will agree to maintain appropriate safeguards … Continue reading

Posted in Cloud Based Services, Health Care, HIPAA


Is Your Arbitration Agreement Enforceable?

Health care providers may favor arbitration due to the perception that it is a faster, less expensive alternative to litigation. State and federal policy favors arbitration for the same reasons.  Because of the strong public policy favoring arbitration, doubts as to whether a case is subject to arbitration are resolved in favor of arbitration.  (Arbitration may also provide a desired level of confidentiality by preventing allegations from becoming a matter of public record in court.)  Arbitration agreements, however, are subject to the same defenses to enforceability as any other contract. A recent decision of the Arizona Court of Appeals provides guidance for evaluation of the enforceability of arbitration agreements. Gullett v. Kindred Nursing Centers West, LLC arose out of the plaintiff’s claims that a rehabilitation center had abused and neglected his father, who lived there for the last month of his life.  After the complaint was filed, the defendant moved to compel arbitration pursuant to an agreement signed by the decedent upon admission.  The plaintiff opposed arbitration, arguing that the agreement was substantively and procedurally unconscionable.  After evaluating several aspects of the agreement, the Court held that the agreement was … Continue reading

Posted in Health Care


Does Defensive Medicine Impact the Cost of Healthcare?

By Paul Giancola

Healthcare in the United States costs at least two to three times as much as healthcare in other developed countries. One of the reasons usually given is defensive medicine – doctors who order unnecessary tests and procedures due to fear of being sued. Some also argue that such treatments unnecessarily drive up the cost of care and expose patients to the risk of complications. Surveys vary but a significant majority of physicians surveyed do report practicing some defensive medicine. The reasons include: to avoid being named in a lawsuit, defensive medicine is the standard of care, patients demand that everything possible be done, fear of missing something, and peer pressure. By way of example, several recent studies showed that in stable patients with the same degree of coronary artery occlusion, stents yielded no benefit over noninvasive treatment, yet most cardiologists would recommend a stent. Common rationales were that they had heard of someone dying suddenly, they could better defend themselves in a lawsuit if the patient did get a stent and then died, and the stent would relieve patient anxiety. The draft of the original Affordable Care … Continue reading

Posted in Health Care, Uncategorized


Top Board Concerns Heading into 2017 Remain a Hot Topic

Each year, a number of surveys and commentators describe and predict the trending topics of interest and importance to boards of directors in the for-profit and non-profit sectors. As we wrap up the first quarter of 2017, it appears that many of the predicted hot topics continue to garner attention from various corners.

Cybersecurity – According to various surveys, boards have ranked cybersecurity among their principal concerns coming into 2017. An earlier blog post discussed some recent lawsuits against directors and officers alleging breach of fiduciary duties in shareholder derivative suits. Amid additional data breaches reported in the news media as 2017 has gotten underway, the National Association of Corporate Directors recently published a Director’s Handbook for Cybersecurity Risk Oversight, illustrating the continued attention that the topic has been receiving in the boardroom. In March, three U.S. Senators introduced the Cybersecurity Disclosure Act of 2017, which would require public companies to disclose whether any corporate directors have expertise in cybersecurity and, if so, the nature and extent of that expertise.

Board Tenure, Diversity and Refreshment – A number of boards and commentators have addressed their interest in balancing … Continue reading

Posted in Business Law, DOJ, Governance, Health Care, Securities


SAMHSA Issues Final Rule Modernizing Confidentiality Requirements for Patients Receiving Substance Use Disorder Treatment

Last month, the U.S. Department of Health and Human Services (“HHS”) Substance Abuse and Mental Health Services Administration (“SAMHSA”) released a Final Rule updating the Confidentiality of Alcohol and Drug Abuse Patient Records regulations at Title 42 of the Code of Federal Regulations Part 2 (“Part 2”). The Final Rule serves to modernize the regulations to facilitate information exchange and health integration while protecting the privacy of patients seeking treatment for substance use and the confidentiality of their medical records. The Part 2 regulations were promulgated in 1975 to protect the identities of individuals seeking substance use treatment from possible negative social consequences and stigma that could deter individuals from seeking treatment. They have not been substantively updated since 1987. The Final Rule was intended to go into effect February 17, 2017; however, a Trump administration memorandum issued in mid-January establishing a “regulatory freeze” has delayed the effective date for at least sixty days from the date of the memorandum. In response to this directive, SAMHSA has postponed the Final Rule’s effective date to March 21, 2017. The updates to the Part 2 Regulations seek to enable improvements in healthcare … Continue reading

Posted in Health Care
