HIPAA Safe Harbor Bill | Tahlia Clement

The HIPAA Safe Harbor Bill: A New Incentive for Organizations to Prioritize Security


On January 5, 2021, the President signed H.R. 7898, the HIPAA Safe Harbor Bill, into law. The new legislation amends the HITECH Act to require the Department of Health and Human Services (HHS) to take an organization’s adoption of recognized cybersecurity practices into account in HIPAA enforcement, giving regulated organizations a concrete incentive to adopt those practices.

Previously, an organization that suffered a cyberattack could face HIPAA enforcement actions, including severe fines and penalties, regardless of the security practices it had in place. Now, H.R. 7898 specifically requires HHS, when calculating fines or penalties arising from a cyberattack, to consider whether the organization had recognized security practices in place for the previous 12 months; demonstrated adherence may reduce fines, shorten audits, and mitigate other remedies. However, the law also expressly states that it does not give HHS authority to increase fines, or to extend the length or scope of an audit, when an organization is found not to have adopted recognized security practices.

According to the law, “the term ‘recognized security practices’ means the standards, guidelines, best practices, methodologies, procedures, and processes developed under…the NIST Act, the approaches promulgated under… the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities.”

This new law is significant because the healthcare industry continues to be the sector most affected by cyberattacks. Healthcare accounted for 79 percent of all reported data breaches from January to November 2020, and attacks against healthcare organizations increased by 45 percent between November 2020 and January 2021. HIPAA penalties range from $100 per violation up to $59,522 per violation, and because they are assessed on a “per violation” basis the totals add up quickly: the penalties imposed in 2020 ranged from $3,500 to $6,850,000, with several exceeding $1,000,000.

A recent example is the University of Texas M.D. Anderson Cancer Center, which was fined $4.3 million for violations of HIPAA and the HITECH Act after the loss of unencrypted devices containing patient data. On January 14, 2021, the United States Court of Appeals for the Fifth Circuit vacated the penalty as “arbitrary, capricious, and otherwise unlawful.” The court held that HIPAA does not require “bulletproof protection” of every system holding protected health information; it requires a covered entity to implement a mechanism to encrypt electronic PHI, which M.D. Anderson had done, even though that mechanism failed for the particular devices that were lost. The case shows that courts, too, now look at the security practices an entity actually adopted when deciding whether a HIPAA penalty is reasonable.

For more information about your entity’s cybersecurity risks and HIPAA compliance, reach out to one of FGHW’s healthcare attorneys. Our attorneys have extensive experience reviewing and analyzing HIPAA and cybersecurity practices to determine whether they qualify as recognized security practices under the new law. If your cybersecurity practices do not yet qualify, FGHW’s attorneys can assist in implementing practices that do.


Dallas Attorney Tahlia Clement

Tahlia Clement’s primary practice areas are marketing, advertising and promotions law, health law, internet law, and general business transactions. Tahlia graduated from SMU Dedman School of Law and holds a B.A. in journalism and mass communications from Arizona State University.

HIPAA and COVID-19

The HIPAA-Potamus in the Room: HIPAA During the COVID-19 Pandemic


In light of the COVID-19 pandemic, it is now more important than ever to make sure you are complying with patient privacy requirements. HIPAA, HITECH, and state laws all define the responsibilities of health care providers and their business associates regarding the handling and disclosure of confidential medical and health records. The HIPAA Security Rule, in particular, requires covered entities and their business associates to maintain the confidentiality, integrity, and availability of electronically stored Protected Health Information. Even during the pandemic, covered health care providers must do the following:

  • Carefully identify potential risks and vulnerabilities;
  • Protect against reasonably-anticipated threats or hazards to the security of confidential information;
  • Protect against reasonably-anticipated impermissible uses or disclosures;
  • Ensure compliance by their employees; and
  • Provide access to usable electronically-stored Protected Health Information to authorized persons on demand. 

However, on March 15, 2020, the Secretary of the U.S. Department of Health and Human Services (HHS) waived certain provisions of the HIPAA Privacy Rule. HHS will waive sanctions and penalties arising from a hospital’s noncompliance with the following:

  • The requirement to obtain a patient’s agreement to speak with family members or friends;
  • The requirement to honor a patient’s request to opt out of the facility directory;
  • The requirement to distribute a notice of privacy practices;
  • The patient’s right to request privacy restrictions; and
  • The patient’s right to request confidential communications.

The waiver applies only to hospitals in an emergency area identified in a public health emergency declaration that have instituted a disaster protocol, and it lasts only for seventy-two hours after the disaster protocol is initiated.

Moreover, during a public health emergency such as the COVID-19 pandemic, the HIPAA Privacy Rule (which governs uses and disclosures of Protected Health Information) permits covered entities, and business associates to the extent their business associate agreements allow, to disclose Protected Health Information in the following situations, whether or not the entity relies on the recent waiver:

  • Protected Health Information about the patient as necessary to treat the patient or to treat a different patient;
  • To a public health authority that is authorized by law to collect or receive such information;
  • To persons at risk of contracting or spreading a disease if other law authorizes it to prevent or control the spread of the disease or carry out public health activities;
  • To a patient’s family members, relatives, friends, or other persons identified by the patient as involved in the patient’s care;
  • About a patient as necessary to identify, locate, and notify family members, guardians, or anyone else responsible for the patient’s care of the patient’s location, general condition, or death; or
  • With anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public – consistent with applicable law and the provider’s standards of ethical conduct.

It is also important to remember that HIPAA requires a covered entity to conduct, or update, its risk analysis and security assessment when any of the following has occurred:

  • When an entity has experienced a security incident;
  • A change in ownership;
  • Turnover in key staff; or
  • When the entity is planning to incorporate new technology.

Healthcare operations are being disrupted by the current COVID-19 crisis, and one or more of the events listed above may well occur. If so, an updated risk analysis may be called for.

During this pandemic, HIPAA, HITECH, and state medical privacy laws are still applicable and, even with waivers, care should be exercised in all patient privacy matters.

For more information, contact Board Certified health care attorney Scott Chase.


Scott Chase, JD, has practiced health law, corporate law, and intellectual property law for more than 40 years. Mr. Chase is Board Certified in Health Law by the Texas Board of Legal Specialization. Mr. Chase is a partner at Farrow-Gillespie Heath Witter, LLP. His primary practice focus is business transactions for physicians and healthcare facilities, as well as healthcare regulatory issues, such as the Affordable Care Act, HIPAA and peer review. Mr. Chase handles general corporate matters and trademark/copyright issues for physicians and also for a variety of non-healthcare clients.

Telehealth/Telemedicine

Telemedicine/Telehealth: Update on Regulatory Issues

This article was originally printed in Dallas County Medical Society’s Dallas Medical Journal, November 2019.


This article will focus on updates to regulatory issues that could impact a physician’s practice of telemedicine or any other provider’s practice of telehealth.

The terms ‘telemedicine’ and ‘telehealth’ are often used interchangeably, but the distinction is becoming more important. Telemedicine can be defined as a healthcare service delivered by a licensed physician (or someone acting under authority delegated by that physician) to a patient using telecommunications or information technology. Telehealth, in contrast, is usually a health care service delivered using telecommunications or information technology by a health professional other than a physician. For example, receiving remote consultations regarding dietary issues or exercise regimens would be considered telehealth.

Changes in Medicare Reimbursement

Medicare has evolved, and is still evolving, in its approach to reimbursement for telehealth and telemedicine services. The Centers for Medicare & Medicaid Services (CMS) has been active in this area, and the following are some highlights of recent changes.

  • CMS has added new originating sites and geographic exemptions for the treatment of end-stage renal disease and acute stroke. As it does every year, CMS also considered new codes for inclusion in its list of services eligible to be delivered through telehealth, and has added G0513 and G0514, both codes for prolonged preventive services. CMS also added new codes (99453, 99454, and 99457) for remote physiologic monitoring, as well as a new code (99491) for chronic care management.
  • The agency is also experimenting with a program that would reimburse providers using Mobile Integrated Health (MIH) services to reduce unnecessary emergency room visits.
  • CMS also released its final 2019 Physician Fee Schedule, containing many changes for Medicare. Among them, the final rule not only expands telehealth reimbursement but also announces a new CMS interpretation of how far its statutory telehealth restrictions reach. The Medicare statute limits telehealth reimbursement to certain services, providers, technology (mainly live video), and patient locations (e.g., certain types of healthcare facilities in rural areas). The new rule expresses CMS’s view that those restrictions apply only to “the kinds of professional services explicitly enumerated in the statutory provisions, like professional consultation, office visits, and office psychiatry services.” Other kinds of services furnished remotely using communications technology are not considered “Medicare telehealth services” and thus are not subject to the restrictions, even though they involve a medical professional interacting with a patient through remote communication technology. On that basis, CMS has finalized reimbursement for virtual check-ins, remote evaluation of pre-recorded patient information, and inter-professional internet consultation, all of which CMS believes fall outside the scope of Medicare telehealth services. Each of these services has its own conditions, and physicians are strongly encouraged to analyze them carefully.
  • CMS has also taken action for Medicare Advantage plans:
    • In a recent announcement about changes to the telehealth rules, it said, “Historically, Medicare Advantage plans have been able to offer more telehealth services, compared to Original Medicare, as part of their supplemental benefits.” CMS added that plans will now be more likely to offer additional telehealth benefits as part of their basic benefits rather than only as supplemental benefits, to enrollees whether they live in rural or urban areas.
    • In January, CMS updated its Value-Based Insurance Design (VBID) model of care, introduced in 2017, to give providers treating people on Medicare Advantage plans more leeway in using telehealth in place of in-person checkups.

Federal Enforcement Actions in Telemedicine/Telehealth

As telemedicine becomes more common, it has, unfortunately, attracted some shady characters looking for physicians to participate in illegal reimbursement schemes. Several recent indictments and guilty pleas show that federal prosecutors are looking closely at fraudulent billing for telemedicine services. To quote from a case involving an order of bogus genetic tests via telemedicine, the Department of Justice said:

“Often, the test results were not provided to the beneficiaries or were worthless to their actual doctors. Some of the defendants allegedly controlled a telemarketing network that lured hundreds of thousands of elderly and/or disabled patients into a criminal scheme that affected victims nationwide. The defendants allegedly paid doctors to prescribe CGx testing, either without any patient interaction or with only a brief telephonic conversation [emphasis added] with patients they had never met or seen.”

In another case, the Justice Department’s Criminal Division described a conspiracy as one “exploiting telemedicine technology [emphasis added] meant to help elderly and disabled patients in need of health care.”

All these cases reinforce the fact that “medical necessity” is still required for any medical treatment and show that kickbacks and bribes are not lawful in telemedicine, just as they are illegal in all other facets of medical practice.

Federal Safe Harbors for Telemedicine Ventures

There are two Anti-Kickback Statute safe harbors particularly relevant to telemedicine: (1) when a provider receives free electronic prescribing technology or training; and (2) when a provider receives free electronic health records software, information technology, or training. Structuring an arrangement to fit within one of these safe harbors can reduce or eliminate the associated kickback risk. In addition to regulatory considerations, the American Medical Association (AMA) emphasizes certain ethical considerations, including that:

  1. All physicians who participate in telemedicine have an ethical responsibility to disclose to the patient any financial or other interests in connection to the application or service;
  2. All physicians inform patients about the limitations of the service;
  3. Physicians advise about follow-up care if needed; and,
  4. Physicians encourage patients to inform their primary care provider about the online consultation.

Are Digital Health Devices “Telemedicine” or “Telehealth”?

There have been concerns that some interactions between digital health devices and healthcare providers could be construed as practicing “telehealth” or “telemedicine.” These concerns include the need to obtain FDA clearance or approval for products that could be construed as a “medical device.” The FDA recently released six guidance documents as part of the agency’s continued effort to update its regulatory stance on software and other digital health products as medical devices. The updated guidance documents reflect the need for a more flexible, risk-based approach to regulation that accommodates a rapidly evolving technological landscape.

The 21st Century Cures Act, enacted in December 2016, amended the definition of “medical device” to exclude five distinct categories of software functions, such as software for the administrative support of a health care facility, software for maintaining or encouraging general wellness, and certain “clinical decision support” software, from the definition of “medical device.” These changes remove some of the regulatory hurdles to bringing digital health products to market and should make telehealth more convenient for physicians and patients.

All of these changes should provide more clarity about how to practice telemedicine and, as to the litigation, how not to practice telemedicine. 


Scott Chase | Farrow-Gillespie & Heath LLP

Scott Chase, JD, has practiced health law, corporate law, and intellectual property law for more than 40 years. Mr. Chase is Board Certified in Health Law by the Texas Board of Legal Specialization. Mr. Chase is a partner at Farrow-Gillespie Heath Witter, LLP. His primary practice focus is business transactions for physicians and healthcare facilities, as well as healthcare regulatory issues, such as the Affordable Care Act, HIPAA and peer review. Mr. Chase handles general corporate matters and trademark/copyright issues for physicians and also for a variety of non-healthcare clients.

2019 Update on Balance Billing and Texas Health Insurance Law

This article updates the prior article, “Balance billing and Texas healthcare law.”

Balance Billing Senate Bill 1264

“Balance billing” occurs when doctors, hospitals, or other health care providers who are not contracted with a patient’s health maintenance organization (HMO) or preferred provider benefit plan (PPO) bill the patient for the difference between the amount the health plan pays and the provider’s full billed charge for the service.

For example, a patient may visit the emergency room at a hospital that is contracted with her health plan, but the emergency room doctor who treats her is not contracted with that health plan. The emergency room doctor and the hospital each bill $1,000 for their services, and the health plan pays them each $400. The hospital, which is contracted with the patient’s health plan, may bill the patient only for the copayments, deductibles, and coinsurance amounts under her plan. However, the emergency room doctor, who is not contracted with the patient’s health plan, may bill her for the $600 that her health plan didn’t pay, as well as any copayments, deductibles, and coinsurance that she owes.

Some providers and health plans display cost information on their websites. Texas law also gives patients the right to request, in advance, estimates of charges from providers and facilities and estimated payments from health plans. However, the law allows doctors, other providers, and health plans up to 10 days to provide patients the estimates. As a result, patients cannot obtain advance notice of possible balance billing costs in emergent situations.

Senate Bill 1264

To combat this issue, the Texas Legislature recently passed Senate Bill 1264 (“SB 1264”), which prohibits balance billing for emergency services and for certain out-of-network services provided at in-network facilities, but applies only to state-regulated health plans (self-funded employer plans governed by federal law are not covered). SB 1264 contains an exception for non-emergency care if the provider gives the patient written disclosure informing them:

  1. that their health plan does not cover the provider,
  2. the projected cost the patient could be responsible for, and
  3. under what circumstances the patient will be responsible for those amounts.

Before SB 1264, Texas law did not give consumers many rights with regard to disputing a balance billing they were surprised to receive. SB 1264 significantly improves the dispute resolution process for consumers by removing the patient from the process altogether.

Instead, the health plan and the provider must resolve the excess charge between themselves, through mediation or arbitration, because it can no longer be passed down to the patient.

Mediation is conducted for health plans and facility providers, i.e., hospitals, but is only applicable if the patient cannot be billed, and the charges are for emergency services, diagnostic imaging, or laboratory services. Arbitration will be for health plans and providers that are not facilities, i.e., individual physicians. While arbitration is binding, the arbitrator may only determine reasonable cost of the medical services rendered.

While the remedies of SB 1264 are still being implemented, including the mediation and arbitration processes, it is a great first step in protecting Texas consumers from inequitable balance billing practices.


Scott Chase | Farrow-Gillespie & Heath LLP

Attorney Scott Chase is a health law and corporate attorney at Farrow-Gillespie Heath Witter LLP.  Mr. Chase has been named to the lists of Best Lawyers in America (U.S. News & World Report), Texas Super Lawyers (a Thomson Reuters service), and Best Lawyers in Dallas (D Magazine) in every year for more than a decade.

Mr. Chase thanks intern Stephen Chance for his contributions to the article. Stephen Chance is a 2019 summer intern with Farrow-Gillespie Heath Witter and a law student at SMU Dedman School of Law.

The Revised AdvaMed Code of Ethics on Commercial Interactions with U.S. Health Care Professionals

Advanced Medical Technology Association (AdvaMed) is a trade association for companies producing medical devices, diagnostic products, and health information systems. Relationships between AdvaMed member companies and Health Care Professionals (HCPs) are vital to the development of medical technologies, their safe and effective use, and medical research and education. However, these relationships can also create risk under state and federal laws. To avoid such risks, AdvaMed created the AdvaMed Code of Ethics on Interactions with U.S. Health Care Professionals (AdvaMed Code) in 1993. Recently, AdvaMed has announced revisions to its code to clarify and refine its discussion of interactions between HCPs and AdvaMed member companies. Revisions become effective January 1, 2020.

AdvaMed Code: New Sections

Jointly Conducted Education and Marketing Programs: Companies that partner with HCPs to conduct joint education and marketing programs, which must be designed to highlight medical technology and an HCP’s ability to diagnose or treat medical conditions, should comply with the following guidelines:

  • A legitimate need must exist for the company to engage in the activity for its own educational or marketing benefit;
  • Companies should establish controls to ensure that the decisions to engage in such arrangements are not an unlawful inducement;
  • Jointly conducted education and marketing programs should be balanced and should promote all parties;
  • All parties should make equitable contributions towards the activity and costs of the program; and
  • The arrangement should be documented in a written agreement.

Communicating Information for the Safe and Effective Use of Medical Technology: Communicating information about unapproved or uncleared (off-label) uses for approved or cleared products should be in accordance with the code’s established principles. These principles recognize the industry’s responsibility to communicate medical and scientific information to achieve positive patient outcomes and to support public health. The code’s off-label communication guidelines reflect recent judicial opinions affirming First Amendment protections for truthful and non-misleading off-label speech. Industry appropriate communications can include:

  • Proper dissemination of peer-reviewed scientific and medical journal articles, reference texts, and clinical practice guidelines;
  • Presentations at education and medical meetings; and
  • Discussions with consultants and HCPs to obtain advice or feedback.

Companies should evaluate and implement these guidelines in light of existing FDA requirements and the guidance of the HHS Office of Inspector General (OIG) on off-label communications.

Company Representatives Providing Technical Support in the Clinical Setting: Company representatives may play an important role in the clinical setting by providing technical support on the safe and effective use of medical technology. For company representatives providing technical support, representatives should . . .

  • Be present in the clinical setting only at the request of and with supervision by an HCP;
  • Be transparent that they are acting on behalf of the company in a technical support capacity;
  • Not interfere with an HCP’s independent clinical decision-making;
  • Comply with applicable hospital or facility policies and requirements; and
  • Not eliminate an expense that the HCP should otherwise incur while providing patient care.

AdvaMed Code: Consolidations and Clarifications

Cornerstone Values:  Innovation, education, integrity, respect, responsibility, and transparency form the basis of the updated AdvaMed Code. It directs medical technology companies to review all interactions with HCPs in light of these values and to avoid interactions designed to circumvent the code.

Scope and Applicability: The updated AdvaMed Code applies to all interactions with U.S. HCPs, regardless of whether an interaction occurs outside the United States (such as at a conference or other event). The updated code clarifies that for companies with multiple lines of business, the code applies only to the company’s interactions linked to medical technology, including all interactions related to combination products that include a medical technology component (i.e., products that combine a device with a drug or biologic).

Consulting: Although the content regarding consulting remains mostly unchanged, the updated AdvaMed Code adds clarifying language defining what constitutes a “legitimate need” for the consultation. According to the code, a legitimate need arises when a company requires the services of an HCP to achieve a proper business objective. However, engaging an HCP for the purpose of generating business directly from such HCP (or health care provider affiliated with the HCP) is not a proper business objective.  

The AdvaMed Code also explains how a company can establish “fair market value.” A third party may assist in developing an approach to assess fair market value, but in all instances, a company should incorporate objective and verifiable criteria. Companies are encouraged to document their methods to evaluate whether compensation reflects the fair market value of the services provided.

Consolidations: The AdvaMed Code consolidates the following sections:

  • Industry conducted training, education, and other business meetings into a comprehensive section that provides parameters for all industry-conducted programs;
  • Third-party education, charitable, and research programs into a comprehensive section regarding grants, donations, and commercial sponsorships; and
  • Meals, travel, lodging and venue sections into a comprehensive section that encourages companies to avoid selecting a setting because of its entertainment or recreational facilities, as well as encouraging companies to develop meal policies and review benchmarking information.

Next Steps

The updated AdvaMed Code notes that it does not replace any state laws, regulations, or codes that contain stricter requirements. Certain states, including California, Connecticut, and Nevada, have made the code’s provisions mandatory. Alleged violations of the federal Anti-Kickback Statute may provide a basis for whistleblowers or the government to file cases alleging that AdvaMed Code noncompliance is evidence of improper conduct. To reduce compliance risks, medical technology companies and HCPs should consider whether the updates to the AdvaMed Code warrant changes to their policies, procedures and practices, and contracts regarding interactions with one another. The delayed effective date of the new Code is intended to provide time to conduct this review.

Legal Assistance

Medical companies and Health Care Providers are well-advised to seek legal counsel to conduct a review of the paperwork governing their interactions. The health law attorneys at Farrow-Gillespie Heath Witter LLP can assist in that review.


Scott Chase | Farrow-Gillespie & Heath LLP | Health Law

Author Scott Chase is a health law and corporate attorney at Farrow-Gillespie Heath Witter LLP.  Mr. Chase has been named to the lists of Best Lawyers in America (U.S. News & World Report), Texas Super Lawyers (a Thomson Reuters service), and Best Lawyers in Dallas (D Magazine) in every year for more than a decade.

The Physician Payments Sunshine Act

The Physician Payments Sunshine Act (“PPSA”) requires medical product manufacturers of drugs, devices, biologics, and medical supplies covered by Medicare, Medicaid, or the Children’s Health Insurance Program to annually disclose to the Centers for Medicare and Medicaid Services (“CMS”) any payments or transfers of value made to physicians or teaching hospitals. The PPSA is designed to increase transparency around the financial relationships between physicians and manufacturers by requiring manufacturers to report to CMS in three broad categories of payments or transfers of value:

(A) payments for meals, travel reimbursement, and consulting fees

(B) ownership and investment interests in manufacturers held by physicians and their immediate family members

(C) research payments, including any payment made for participation in preclinical research, clinical trials, or other product development activities

While these categories cover a wide range of relationships, certain transactions and transfers are exempt from disclosure. Manufacturers are not required to report on any payments under $10 (unless those individual payments total more than $100 annually), on educational materials intended solely for patients, or on product samples. After undergoing a verification process, any data reported under the three categories listed above, will be published annually in a publicly searchable database.

These reports inform patients of any incentive their physician may have for recommending a certain medical device or drug and allows them to make an informed decision on whether to follow the physician’s recommendation or not.

In addition, the PPSA imposes penalties for failure to comply with these reporting requirements. For each payment that a manufacturer or group purchasing organization (GPO) fails to report, a penalty of $1,000 to $10,000 may be applied, up to a maximum annual penalty of $150,000. The penalties are more severe where the manufacturer or GPO knowingly fails to report: $10,000 to $100,000 per payment, up to a maximum of $1 million. Individual physicians are not required to report, but they are encouraged to monitor the manufacturers’ reports for inaccuracies.

The PPSA is not the only federal statute that governs financial relationships between physicians and medical product manufacturers but it is unique in that it creates a report of such relationships.

In order to determine if a payment made by a manufacturer to a physician needs to be reported in compliance with the PPSA, please consult a healthcare attorney.


Scott Chase | Farrow-Gillespie & Heath LLP | Health Law

Author Scott Chase is a health law and corporate attorney at Farrow-Gillespie Heath Witter LLP.  Scott has been named to the lists of Best Lawyers in America, Texas Super Lawyers, and Best Lawyers in Dallas in every year for more than a decade.

Tahlia Grassie | Farrow-Gillespie & Heath LLP | Dallas, TX

Tahlia Clement is a clerk at FGHW. Ms. Clement is a 2019 candidate for a Juris Doctor at SMU Dedman School of Law, where she is the Editor-in-Chief for SMU’s Science and Technology Law Review. She holds a B.A. in journalism and mass communications from Arizona State University.

The Expansion (Finally) of Telemedicine in Texas: A Brief History and Future Applications and Considerations for Healthcare Providers

If you are a healthcare provider in Texas looking to supplement, or even transition, your practice into telemedicine, now is your time. Texas has always been a prime candidate for the benefits of telemedicine. It is an expansive state, with a large rural population that is often distant from medical care.

Thus, Texas residents are uniquely situated to take advantage of the outcome improvements and cost savings that telemedicine can provide.

Nevertheless, Texas was the last state to welcome telemedicine into its borders, in that it was the last state to abolish the requirement that a telemedicine provider first establish a patient-physician relationship through an in-person visit. Now, after a lengthy court battle, this requirement has been eliminated, and providers are free to initiate patient-physician relationships in the telemedicine realm. While key players in the healthcare landscape reacted immediately to expand telemedicine in Texas, many unknowns remain that Texas healthcare providers should be aware of as they enter the world of telemedicine.


The Genesis and Outcome of Teladoc, Inc. v. Texas Medical Board

Teladoc, Inc. (“Teladoc”), one of the largest telemedicine providers in the United States, is based in Dallas and had been operating in Texas since 2005. Following amendments by the Texas Medical Board (“TMB”) to the state’s telemedicine regulatory scheme, Teladoc was forced to cease its telemedicine operations.

Eventually, Teladoc filed suit in federal court, alleging the TMB’s actions violated federal antitrust laws and the Commerce Clause of the Constitution. The parties then agreed to stay the proceedings to pursue settlement negotiations. These negotiations culminated in Texas Senate Bill 1107 (“SB 1107”), which was signed into law on May 27, 2017. Senate Bill 1107 abolished the requirement of an in-patient visit prior to utilizing telemedicine services. The new legislation applies across all telemedicine platforms.


Expansion Plans for Texas Telemedicine and Beyond

On September 22, 2017, the DWC announced “New 28 Texas Administrative Code § 133.30, Telemedicine Services” (the “Proposed Rule”). The Proposed Rule’s stated purpose is to “expand the accessibility of telemedicine services in the Texas workers’ compensation system by allowing health care providers to bill and be reimbursed for telemedicine services regardless of where the injured employee is located at the time the services are delivered.”

To reach this goal, the Proposed Rule included the removal of a Medicare-based reimbursement restriction that services be provided to injured employees at an originating site located in an area where there is a shortage of healthcare professionals. In other words, the Proposed Rule now allows a provider to bill and be reimbursed for telemedicine services no matter where the injured employee is located at the time the services are delivered.

Similarly, federal lawmakers are taking heed of the benefits of telemedicine. On November 7, 2017, the U.S. House of Representatives passed The Veterans E-Health and Telemedicine Support Act of 2017 (“VETS Act”). Much like the Proposed Rule issued by the DWC, the VETS Act eases geographic restrictions on telemedicine provided to veterans and aims to ensure that veterans, rural and disabled veterans in particular, can receive care across state lines.

The U.S. Senate passed its version of the VETS Act on January 4, 2018, which is slightly different than the House’s version, in that it bars individual states from taking disciplinary action against physicians who practice telemedicine across state lines.

Private employers are also noticing the benefits of telemedicine, and there has been a sharp increase in the number of large employers who see telemedicine services as a way to optimize how health care is accessed and delivered, while offsetting overall healthcare costs. More specifically, the Large Employers’ 2018 Health Care Strategy and Plan Design Survey found that 96 percent of large employers intend to make telemedicine services available to their employees at some point in calendar year 2018.


Considerations for the Telemedicine Provider

Whether a provider has been offering telemedicine services for some time or is just now getting in the game, there are some important issues to consider in updating or implementing telemedicine policies and procedures:

  • Telemedicine is a moving target – As of now, there is no uniformity across state lines in the regulation of telemedicine. From state-to-state, many crucial statutory definitions vary significantly. It is unclear how federal legislation like the VETS Act will resolve these discrepancies, if at all. Therefore, providers licensed in different states or providing services across state lines should comply with the rules and regulations of every state they encounter, including formal, regulatory schemes and the practice requirements set forth by the state’s medical board.
  • Data breach and cybersecurity risks – The provision of telemedicine exposes patients to increased cyber, privacy, and data security risks. Before launching a telemedicine practice, providers should conduct a thorough risk analysis aiming to implement policies and procedures that, at a minimum, comply with the HIPAA Security Rule and set forth an incident response plan that incorporates all applicable regulatory requirements.
  • The battle for universal reimbursement – One of the major barriers to a provider’s implementation of a robust telemedicine practice is the lack of universal reimbursement, both from Medicare and private payers. Providers should consider this issue in building their telemedicine business models, as ultimately, the telemedicine industry needs universal reimbursement to become widespread and economically sustainable.

Katie M. Ackels | Farrow-Gillespie & Heath

Katie M. Ackels is a litigation attorney with broad experience for a diverse client base. Ms. Ackels’ primary practice areas are business litigation, employment litigation defense, personal injury litigation defense, and healthcare litigation. She graduated magna cum laude from Texas Tech University School of Law.

The 5 Most Important Decisions in a Physician Employment Agreement

Over the years, physician employment agreements have become very standardized. However, there are several provisions in such agreements that the to-be-employed physician must review carefully with his/her attorney. The following is a brief summary of what I consider to be the 5 most important provisions for a physician to understand and negotiate with the employer.

1. Compensation

First and foremost, the compensation needs to be clearly written and understood. Many compensation models are based on “Work Relative Value Units (WRVUs),” which are calculated by independent third parties and can be a trap for the unwary. For example, the calculation of WRVUs can change from year to year and the employment contract usually provides for the current WRVU value to be the compensation model. What happens if the WRVU value decreases substantially in a given year? Answer: The physician’s pay could decrease substantially as well. Careful negotiation of the compensation provision could ameliorate that occurrence.

Additionally, compensation usually includes employee benefits, e.g., vacation, health insurance, and those can sometimes be negotiated as well. Attention should also be paid to the reimbursement of expenses such as CME, credentialing fees and professional society fees.

2. Non-Compete

Texas has a statute specifically addressing physician non-competes, i.e., restrictions on where and when a physician can practice his/her specialty after termination of the employment agreement. However, the statute does not mandate the time period, extent of the restricted area, or the exact type of physician actions that would constitute a violation of the non-compete. Furthermore, certain termination circumstances could be negotiated that would render the non-compete unenforceable or inapplicable. Thus, the non-compete should be negotiated, since it provides ample opportunities to advocate for favorable terms on the physician’s behalf.

3. Outside Activities

Most physician employment agreements require the employed physician to work full-time and often provide that any outside fees earned, e.g., expert witness fees, belong to the practice.  However, many physicians have pre-existing consulting arrangements, charitable activities or other professional endeavors that should be excepted from the restrictions on outside activities and ownership of fees. Again, this is a provision that can and should be negotiated.

4. Working Facilities and Staff

An employed physician needs adequate facilities, equipment, supplies and staff to fulfill his/her responsibilities. Yet, most employment agreements do not contain a provision that requires the employer to provide those items.

The adequacy of staff could also affect compensation. Consider a scenario in which the employed physician is on a bonus system that relies on collections of his bills by the practice. The contract should contain a provision that the employer will have adequate billing and collection services.

5. Liability Insurance

The employment agreement will generally contain a provision for the employee/doctor to purchase “tail” insurance in case the agreement is terminated. Tail coverage can be a substantial cost and, thus, the contract should be written to ensure the employee is not responsible for that coverage in all circumstances, e.g., in case of termination for cause by the physician. This provision is also one that can and should be negotiated.

Physician employment contracts are one of the most important financial undertakings in a doctor’s life. While tedious, the provisions should be reviewed, understood, and negotiated to the fullest. The entire contract should be carefully reviewed, but the above items should receive the most attention.


Scott Chase | Farrow-Gillespie & Heath LLP

Scott Chase has practiced health law, corporate law, and intellectual property law for over 35 years. Mr. Chase is Board Certified in Health Law by the Texas Board of Legal Specialization.

Scott’s primary practice focus is business transactions for physicians and healthcare facilities, as well as healthcare regulatory issues such as the Affordable Care Act, HIPAA and peer review. Mr. Chase handles general corporate matters and trademark/copyright issues for physicians and also for a variety of non-healthcare clients.

Health Law | Farrow-Gillespie & Heath LLP | Dallas, Texas

$2.5M Settlement Shows that not Understanding HIPAA requirements Creates Financial Risk

The U.S. Department of Health and Human Services, Office for Civil Rights (OCR), recently announced a Health Insurance Portability and Accountability Act (HIPAA) settlement based on the impermissible disclosure of unsecured electronic protected health information (ePHI). In 2012, CardioNet, a company that remotely monitors patients at risk for cardiac arrhythmias, reported to OCR that a workforce member’s laptop was stolen from a parked vehicle outside of the employee’s home. The laptop contained the ePHI of 1,391 individuals. The settlement was not reached until 2017, indicating the length of time that some HIPAA investigations can take, with their attendant costs.

CardioNet has agreed to settle potential noncompliance with the HIPAA Privacy and Security Rules by paying $2.5 million and implementing a corrective action plan. This settlement is the first involving a wireless health services provider, based, in part, on CardioNet’s failure to comply with basic HIPAA rules that are applicable to all “covered entities” and “business associates.” Thus, the compliance steps outlined below for mobile devices are applicable to any device used to store PHI or ePHI.

OCR’s investigation into the impermissible disclosure revealed that CardioNet had insufficient risk analysis and risk management processes in place at the time of the theft. Additionally, CardioNet’s policies and procedures implementing the standards of the HIPAA Security Rule were in draft form and had not been implemented. Further, the organization was unable to produce any final policies or procedures regarding the implementation of safeguards for ePHI, including those for mobile devices.

HHS and OCR have published a very helpful 5-step guideline for establishing compliance with HIPAA. While the following actions relate specifically to mobile devices, these five steps are applicable to all PHI.

Decide

Decide whether mobile devices will be used to access, receive, transmit, or store patients’ health information or used as part of your organization’s internal networks or systems (e.g., your EHR system).

Understand the risks to your organization before you decide to allow the use of mobile devices. Risks (threats and vulnerabilities) can vary based on the mobile device and its use. Some risks may be:

  1. A lost or stolen mobile device
  2. Inadvertent downloading of viruses or other malware
  3. Unintentional disclosure to unauthorized users when sharing mobile devices with friends, family and/or coworkers
  4. Use of an unsecured Wi-Fi network.

Assess

Assess how mobile devices affect the risks (threats and vulnerabilities) to the PHI your organization holds.

Conduct a risk analysis to identify the risks to your organization. If you are a solo provider, you may conduct this risk analysis yourself. If you work in a larger organization, the organization may conduct the risk analysis.

A risk analysis will help determine the safeguards, policies, and procedures your organization needs. It should include reviewing risks created by all mobile devices used to communicate with your internal networks or systems, regardless of whether the devices are personally owned or provided by the organization.

Perform a risk analysis periodically and whenever there is a new mobile device, a lost or stolen device, or suspected compromised health information.

After conducting a risk analysis, document, in writing:

  1. Which mobile devices are being used to communicate with your organization’s internal networks or systems (e.g., the EHR system or Health Information Exchange (HIE)), and
  2. What information is accessed, received, stored, and transmitted by or with the mobile device.

Identify

Identify your organization’s mobile device risk management strategy, including privacy and security safeguards.

The purpose of a mobile device risk management strategy is to develop and implement mobile device safeguards to reduce risks (threats and vulnerabilities) identified in the risk analysis. The risk management strategy should include evaluation and maintenance of the mobile device safeguards you put in place.

Develop, Document, and Implement

Develop, document, and implement the organization’s mobile device policies and procedures to safeguard health information.

Organizations should develop and implement reasonable and appropriate policies and procedures to safeguard health information, including those specific to mobile devices. Here are some topics and questions to consider when developing mobile device policies and procedures:

  1. Has the organization identified all the mobile devices that are being used in the organization? How is the organization keeping track of them?
  2. Should the organization let providers and professionals use their personally owned mobile devices within the organization?
  3. Should providers and professionals be able to connect to the organization’s internal network or system with their personally owned mobile devices, either remotely or on site?
  4. Does the organization restrict how providers and professionals can use mobile devices?
  5. Will the organization institute standard configuration and technical controls on all mobile devices used to access internal networks or systems, such as an EHR?
  6. Are there restrictions on the type of information providers and professionals can store on mobile devices?
  7. Does the organization have written procedures for addressing misuse of mobile devices?
  8. Does the organization have procedures to wipe or disable a mobile device that is lost or stolen or when providers and professionals end their employment or association with the organization?
  9. How is the organization training its workforce (management, doctors, nurses, and staff) on policies and procedures and holding them accountable?

Train

Train and conduct mobile device privacy and security awareness and training for providers and professionals.

Providers and professionals who use mobile devices must have privacy and security awareness and training, on an annual basis, to avoid costly mistakes that can result in loss of patient trust.

Privacy and security awareness and training should include a discussion of the following topics:

  1. How to assess risks (threats and vulnerabilities) when using mobile devices for work;
  2. How to secure mobile devices;
  3. How to protect and secure health information;
  4. How to avoid mistakes when using mobile devices.

Finally, the organization should train its workforce so that they understand the organization’s mobile device policies and procedures and how to follow them.


Jennifer Snow | Farrow-Gillespie & Heath LLP | Dallas, TX

Jennifer Snow practices in the areas of health care law and business litigation. She is the author of numerous articles on health care law. Jennifer represents physicians and physician groups in health law matters, and she represents companies and executives in business litigation.

Ms. Snow has been named to the list of “Rising Stars” by Texas Monthly Magazine and Texas Super Lawyers (a Thomson Reuters service) in every year since 2014.


Scott Chase | Farrow-Gillespie & Heath LLP

Scott Chase has practiced health law, corporate law, and intellectual property law for over 35 years. Mr. Chase is Board Certified in Health Law by the Texas Board of Legal Specialization.

Scott’s primary practice focus is business transactions for physicians and healthcare facilities, as well as healthcare regulatory issues such as the Affordable Care Act, HIPAA and peer review. Mr. Chase handles general corporate matters and trademark/copyright issues for physicians and also for a variety of non-healthcare clients.

ObamaCare | Farrow-Gillespie & Heath | Dallas, TX

What is the Status of ObamaCare, and Why Should I Care?

Regardless of your position on the Affordable Care Act, otherwise known as ObamaCare (“ACA”), you should neither panic nor rejoice just yet over the actions and inactions of the United States government regarding this healthcare insurance law. You have probably read about the various options, i.e., “repeal and replace,” “repeal and delay,” or simply “repeal” the ACA. What Congress is figuring out is that it is difficult to keep “good” provisions, e.g., the one related to “pre-existing conditions” (which over 70% of Americans like) but to do away with “bad” provisions, e.g., the individual mandate (which 70% of Americans do not like) and still keep an actuarial pool that doesn’t adversely affect insurance premiums in a substantial way. Conventional wisdom is that, without the individual mandate, premiums would increase, probably at a faster rate than is current under the ACA.

Countries that provide universal access to healthcare for their citizens have determined that everyone needs to be covered in order to spread the cost of insurance over the total population. As someone who has studied the ways in which Western countries have instituted universal access to healthcare (e.g., Germany in the 1870’s) and who has lectured extensively on the ACA, I am not surprised at Congress’s inability to come up with a plan that would cover everyone, not require everyone to carry insurance, and keep insurance premiums down. Add in the fact that any new Congressional plan will affect over 20 million citizens who have already obtained health insurance through the ACA and you can see the possibility of throwing insurance markets into chaos.

Of course, there are lots of other ideas, e.g., more incentives for health savings accounts (“HSA’s”), altering the “minimum essential benefits” list, use of high risk pools, etc., and each of these has a different effect, both on the economics of healthcare and on the hotly-debated issue of universal access to healthcare.

But something is likely to happen in the next 3 months and my recommendations for the immediate future are as follows:

  1. If you have insurance, don’t drop it or let it lapse.
  2. If you lose employer-based insurance, be sure to review your COBRA options.
  3. If you lose your job and COBRA is not attractive, you have the option of utilizing the ACA marketplace, because losing your job is a “qualifying life event” that allows you to access the marketplace outside of the annual “open enrollment period.”

Please feel free to contact Scott Chase or Jennifer Snow at our firm if you have any questions about the ACA.


Jennifer Snow | Farrow-Gillespie & Heath LLP | Dallas, TX

Jennifer Snow practices in the areas of health care law and business litigation. She is the author of numerous articles on health care law. Jennifer represents physicians and physician groups in health law matters, and she represents companies and executives in business litigation.

Ms. Snow has been named to the list of “Rising Stars” by Texas Monthly Magazine and Texas Super Lawyers (a Thomson Reuters service) in every year since 2014.


Scott Chase | Farrow-Gillespie & Heath LLP

Scott Chase has practiced health law, corporate law, and intellectual property law for over 35 years. Mr. Chase is Board Certified in Health Law by the Texas Board of Legal Specialization.

Scott’s primary practice focus is business transactions for physicians and healthcare facilities, as well as healthcare regulatory issues such as the Affordable Care Act, HIPAA and peer review. Mr. Chase handles general corporate matters and trademark/copyright issues for physicians and also for a variety of non-healthcare clients.

Health Care Law | Farrow-Gillespie & Heath LLP

Healthcare Providers’ Risk of Data Breach

By Scott Chase and Catherine Parsley

Healthcare providers receive, collect, and store vast quantities of sensitive personal health information (“PHI”) from their patients. However, only half of providers responding to a recent survey said that they are prepared to respond to cyber-attacks. Attacks and other security breaches can have far-reaching effects for providers and their patients.

Electronic Medical Records

Healthcare providers have many vulnerabilities that are unique to their field. Most providers are adopting or have adopted electronic medical records (EMRs), but those programs are often clunky and can be inadequately secured. The new EMR systems make sharing PHI easy. Easy sharing is great for internal use but poses an increased risk of external leakage compared to old-fashioned paper records. Many providers’ network systems have been pieced together over time, leaving vulnerabilities and inconsistencies. At the same time, online attackers are becoming increasingly sophisticated. Another problem created by piecemeal network systems is that many providers either cannot, or do not know how to, detect in real time whether their network is being compromised.

HIPAA Violation

These factors leave healthcare providers open to a higher risk of attacks and data loss. Any data loss can constitute a breach of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). If a provider loses PHI, or even puts PHI at risk of exposure to unauthorized individuals, the provider can be held to have breached HIPAA, even if no loss or theft actually occurs. One hospital was recently fined over three million dollars after it did not comply with HIPAA-required protective measures. It had several violations, including storing PHI on unencrypted devices, allowing such devices to be accessed by individuals who were not HIPAA-authorized, and failing to implement recommended risk management plans.

It is also important to note that HIPAA, pursuant to its Security Rule, requires a risk assessment for PHI vulnerability whenever either of the following occurs:

  • Environmental and operational changes, such as implementation of new technology or changed office operations
  • Any security breach or security incident that indicates vulnerability.

Fines have been levied on providers that have not performed such assessments, even if no HIPAA breach was found. While healthcare providers are not targeted as frequently as some other types of organizations, such as banking and financial institutions, the wealth of data that healthcare providers hold makes them a highly sought-after target. The data can be used for various fraudulent purposes by the attacker, and any loss or possible loss can be a HIPAA violation. In addition to having appropriate corporate policies in place, providers should also review the various types of insurance coverage available to reduce losses.

Farrow-Gillespie Heath Witter LLP can help healthcare providers deal with security threats. Our attorneys can work with clients to put policies in place before problems arise, or help clients deal with regulatory or operational issues after a breach occurs. For more information on the available services, contact board-certified health care attorney Scott Chase.

Scott Chase | Farrow-Gillespie & Heath LLP

Scott Chase is a Dallas health law attorney, certified by the Board of Texas Legal Specialization. Mr. Chase has been named for many years to the list of Texas Super Lawyers (a Thomson Reuters service), Best Lawyers in America (U.S. News & World Report), and Best Lawyers in Dallas (D Magazine).


Health Law | Farrow-Gillespie & Heath LLP | Dallas Texas

Physician “Anti-Kickback” Statute

Physicians and other health care providers face numerous prohibitions against self-referrals and against making referrals in exchange for remuneration. The federal Anti-Kickback Statute is a criminal law that prohibits the knowing and willful payment of remuneration in exchange for referrals of services payable by federal health programs, which include health care services for Medicare or Medicaid patients. The law prohibits any person from offering, paying, soliciting, or receiving anything of value—whether it is money or something less obvious, such as free product, tickets, hotel vouchers, speaking fees, or lowered rent payments. This law creates restrictions on virtually all business dealings involving physicians, including dealings with landlords, drug companies, device manufacturers, physical therapy clinics, hospitals, or other physicians.

Anti-kickback violations must be knowing and willful for criminal liability to attach; successful prosecution can lead to fines of up to $25,000 per violation and prison time. Further, any doctor who submits false Medicare or Medicaid claims, whether knowingly or with reckless disregard for their truth or falsity, also faces civil liability under the False Claims Act.

The parameters of anti-kickback law include specific carve-outs that allow medical providers to enter mutually-beneficial transactions with impunity. These carve-outs are known as “safe harbors” and are detailed and complex. To avoid potential violations, health care providers should review all transactions carefully with the aid of experienced counsel.

Employment Law | Farrow-Gillespie & Heath LLP

Affordable Care Act Information for Employers

The Affordable Care Act is a federal statute that creates new responsibilities for employers. Employers who have fewer than 25 “full-time equivalent” employees can qualify for a small business health care tax credit if they pay at least 50% of the employees’ health insurance premium costs and offer coverage through the Small Business Health Options Program (“SHOP”) Marketplace. Larger employers face new requirements to insure their employees—and steep penalties, should they fail to comply with the requirements. In 2015, employers with 100 or more full-time equivalent (“FTE”) employees must offer coverage to 70% of those employees and their dependents. And beginning in 2016, all employers with 50 or more FTE employees must offer coverage to 95% of those employees and their dependents.

For an employer to determine whether it comes within these new requirements, the employer must first calculate its number of full-time equivalent (“FTE”) employees. Each employee who works 30 hours or more per week, over at least 120 days per year, is a full-time employee. But hours worked by part-time employees also add to the FTE number; if, for example, five part-time employees work a total of 60 hours per week, their employer would need to add two FTE employees to its total. Notably, affiliated companies may be treated as a single employer under the Act. As a result, three companies each having 20 FTE employees could either: 1) qualify for small business health care tax credits, if they are treated as three separate employers; or 2) be subject to the employer coverage mandate, if they are sufficiently connected to be treated as a single employer. It is therefore particularly important that companies who share ownership or control, or who otherwise coordinate their business activities, consult with counsel to determine their employer status under the ACA.

Once an employer confirms that it is subject to the employer mandate, it has more decisions to make. For each year that the employer does not offer any insurance coverage to its employees, it will face a $2,000 penalty per FTE, minus the first 30 employees (or, in 2015, minus the first 80 employees). To avoid such penalties, the employer should offer its employees an “affordable” plan that provides “minimum value” under the ACA. These calculations are complex. Generally, “minimum value” requires that the employer pays at least 60% of the plan’s costs, and “affordable” requires that an employee’s premiums cost no more than 9.5% of his or her household income. If the employer’s plan is deemed to not provide minimum value, or to not be affordable, the employer will be fined $3,000 for any full-time employees who receive federal premium subsidies for marketplace coverage. Some employers may, nevertheless, opt for “skinny plans” that may not meet the required minimum essential coverage under the Act, but which will avoid the $2,000-per-employee penalty and reduce coverage costs.

For more information about how the Affordable Care Act may affect your business, please contact board-certified health care attorney Scott Chase or employment lawyer Julie Heath.

Health Law | Farrow-Gillespie & Heath LLP

HIPAA Violation May Spark Lawsuit

While HIPAA does not in and of itself create a private cause of action, a growing body of cases in both federal and state courts outside of Texas suggests that a HIPAA violation causing clear harm to a plaintiff may support a lawsuit by providing grounds for some other private claim. Plaintiffs who have shown intentional breaches or especially private disclosures have had recent notable success in persuading courts to treat their health care providers’ HIPAA-based duties as an applicable standard of care to support their claims.

At least two such claims were recognized in November 2014 alone. In Byrne v. Avery Center for Obstetrics and Gynecology, the Connecticut Supreme Court held that a plaintiff’s negligence claims were not preempted by HIPAA and that HIPAA may inform the standard of care for a common-law negligence claim. There, the plaintiff’s claim was based on her obstetrician’s having produced her medical records to her ex-boyfriend in response to a subpoena. Despite the plaintiff’s having expressly instructed the obstetrician not to share her records, the obstetrician responded to the subpoena without notifying the plaintiff, filing a motion to quash, or objecting. The plaintiff sued the obstetrician for breach of contract, based on the violation of its privacy policy; negligence in failing to use proper care in protecting her medical file, including violations of its own regulations implementing HIPAA; negligent misrepresentation; and negligent infliction of emotional distress. On appeal, the court overturned the lower court’s preemption holding and found that HIPAA could inform the applicable standard of care.

An Indiana court of appeals also recognized a claim factually predicated on a HIPAA violation in Hinchy v. Walgreen Co. There, the court did not expressly discuss whether HIPAA violations can give rise to other private claims; instead, the court admonished the defendant’s pharmacist employee for breaching “one of her most sacred duties” by purposefully divulging the plaintiff’s birth control prescription records to her husband, the plaintiff’s ex-boyfriend. The court affirmed a $1.8 million award to the plaintiff, whose claims against Walgreens included negligent retention and supervision as well as Indiana statutory claims of negligence by professional malpractice and public disclosure of private facts.

These cases differ significantly from the more typical data security breach. They illustrate, however, that courts may be increasingly willing to use HIPAA violations to support common law or state statutory claims, at least where the violation and harm to a plaintiff are clear.

Health Law | Farrow-Gillespie & Heath LLP

Balance Billing and Texas Healthcare Law

Balance billing occurs when doctors, hospitals, or other health care providers who are not contracted with a patient’s HMO or preferred provider benefit plan (PPO) bill the patient for the difference between the amount the health plan pays and the amount the provider charges for the service.

For example, a patient may visit the emergency room at a hospital that is contracted with her health plan, but the emergency room doctor who treats her is not contracted with that health plan. The emergency room doctor and the hospital each bill $1,000 for their services, and the health plan pays them each $400. The hospital, which is contracted with the patient’s health plan, may bill the patient only for the copayments, deductibles, and coinsurance amounts under her plan. It may not bill the patient for the additional amount not paid by her health plan. However, the emergency room doctor, who is not contracted with the patient’s health plan, may bill her for the $600 that her health plan didn’t pay, as well as any copayments, deductibles, and coinsurance that she owes.

Texas law gives patients the right to request, in advance, estimates of charges from providers and facilities and estimates of payments from health plans. Doctors, other providers, and health plans have 10 days to give patients the estimates, so in an emergency a patient will not be able to obtain them in advance. Some providers and health plans also post cost information on their websites.

Texas law does not give consumers many rights when they are surprised by a balance bill. However, in some cases, patients can require providers and carriers to attend mediation to try to work out the claim. For details on how to determine if you’re eligible for mediation, visit www.tdi.texas.gov/consumer/cpmmediation.htm.

Scott Chase | Farrow-Gillespie & Heath LLP

What is the Stark Law?

The federal Stark law applies alongside the anti-kickback statute to create strict civil penalties for any physician who makes a “self-referral.” Specifically, the law bars a physician from referring a Medicare or Medicaid patient for any designated health service to a person or entity with which the physician has a financial relationship. That relationship may be an ownership interest, an investment interest, or a compensation arrangement.

Unlike the anti-kickback statute, which requires proof of intent, Stark is a strict-liability statute, meaning that any violation, whether intentional or not, leads to liability.

The Stark law includes specific carve-outs that allow medical providers to enter into mutually beneficial transactions without violating the statute. These carve-outs (called “exceptions” under Stark, the counterpart of the “safe harbors” under the anti-kickback statute) are detailed and complex, and a transaction must satisfy every element of an exception to qualify. To avoid potential violations, health care providers should review all transactions carefully with the aid of experienced counsel.

Scott Chase | Farrow-Gillespie & Heath LLP

What is HIPAA?

HIPAA, HITECH, and state laws all impact the responsibilities of health care providers and their business associates regarding the treatment and disclosure of confidential medical and health records.

The HIPAA Security Rule, in particular, requires that covered entities keep electronically stored protected health information in a manner that maintains the records’ confidentiality, integrity, and availability. Covered health care providers must carefully identify potential risks and vulnerabilities and protect against reasonably anticipated threats or hazards to the security of confidential information. They must protect against reasonably anticipated impermissible uses or disclosures and ensure compliance by their employees. The Security Rule also requires covered entities to make usable, electronically stored protected health information available to authorized persons on demand. Business associates of HIPAA-covered entities, which are not covered entities themselves, also face increased responsibility under the HITECH Act of 2009 to securely maintain and handle protected health information. To avoid steep fines and the growing possibility of civil liability, covered entities and their business associates should be informed and proactive regarding their evolving responsibilities with respect to protected health information.

The Security Rule does not dictate specific protection measures, but instead allows each covered entity to develop its own measures considering its size, complexity, and capabilities; its technical infrastructure; costs; and the likelihood and possible impact of inadvertent disclosures of protected health information. Entities must properly document their chosen security measures. Importantly, however, it is not enough for an entity to adopt security standards; those standards must actually be assessed, implemented, and followed. The Security Rule requires that security measures be reviewed, updated, and documented “as needed.” While the Rule does not state how frequently a risk analysis must be performed, regular review and modification of security measures is undoubtedly key to maintaining HIPAA compliance. Security assessments and training should take place on an ongoing basis, and legal compliance audits are advisable periodically and whenever an entity has experienced a security incident, a change in ownership, or a turnover in key staff, or is planning to incorporate new technology.

For more information, contact board-certified health care attorney Scott Chase.

Scott Chase | Farrow-Gillespie & Heath LLP | Dallas, TX

Corporate Practice of Medicine

Texas law generally prohibits the practice of medicine by any corporation, entity, or non-physician individual. The “corporate practice of medicine” doctrine forbids a physician from entering into an agreement with a non-physician under which the non-physician would in any way control the physician’s medical practice. Based on this doctrine, non-physician individuals and entities generally cannot employ physicians.

There are, of course, exceptions to this general rule. For example, a nonprofit certified by the Texas Medical Board under Section 162.001(b) of the Texas Occupations Code, often called a “5.01(a) corporation” after the section of the Texas Medical Practice Act under which such entities were originally formed, may employ a physician if certain requirements are met. The directors of such a corporation must all be physicians licensed by the Texas Medical Board and must retain sole authority to direct all medical, professional, and ethical aspects of the practice of medicine within the corporation. Additional requirements apply if the corporation has any non-physician members. Further, a 5.01(a) corporation, like any Texas nonprofit corporation, may not pay dividends to its members, so any profits must be distributed through management agreements or as compensation.

In 2011, the Texas Legislature enacted laws allowing specific types of hospitals and hospital districts to hire physicians and allowing physicians to form certain ownership-sharing arrangements with physician assistants. Critical access hospitals, sole community hospitals, and hospitals in counties of 50,000 or fewer people may now employ physicians if certain protections for physicians’ independent medical judgment are in place. Physicians may also form corporations, partnerships, professional associations, and professional limited liability companies together with physician assistants, provided that the statutory ownership and control requirements are met.

Health Law | Farrow-Gillespie & Heath LLP

Physician Non-competition Agreements

Many people erroneously believe that non-competes are not enforceable against physicians in Texas. To the contrary, non-competes that are ancillary to or part of otherwise enforceable contracts generally are enforceable, provided that they meet certain statutory requirements. For example, these covenants must contain reasonable limitations as to time, geographical area, and scope of activity to be restrained. They also must not deny the physician access to a list of his or her patients, must provide access to medical records upon patient authorization, and must provide for a buy-out of the covenant at a reasonable price. A non-compete provision may not prohibit a physician from providing continuing care to a patient during the course of an acute illness.

In addition to imposing an undesirable non-competition clause, a poorly reviewed employment contract can expose a physician to many other unanticipated risks, including call coverage and payback obligations.

For more information on review and negotiation of physician employment contracts, please contact board-certified health care law attorney Scott Chase.

Scott Chase | Farrow-Gillespie & Heath LLP

$150,000 Penalty for HIPAA Violation

The U.S. Department of Health and Human Services, Office for Civil Rights (HHS-OCR), has recently entered into another HIPAA settlement, emphasizing yet again the government’s focus on the HIPAA Security Rule. The settlement highlights that health care entities cannot merely adopt HIPAA policies; they must actually implement and follow those policies in practice on an ongoing basis. In early December 2014, HHS-OCR announced that Anchorage Community Mental Health Services (ACMHS), a nonprofit organization providing behavioral health care services, had agreed to pay $150,000, adopt a corrective action plan to correct deficiencies in its HIPAA compliance program, and report to HHS-OCR on the state of its compliance for two years. The settlement was based on an HHS-OCR investigation of ACMHS’s breach of unsecured electronic protected health information (ePHI). The breach was the result of malware that compromised ACMHS’s information technology (IT) resources and affected 2,743 individuals.

During its investigation, HHS-OCR found that ACMHS had adopted sample HIPAA Security Rule policies and procedures in 2005, but those policies and procedures were neither followed nor updated. ACMHS could have avoided the breach (and the resulting settlement agreement) had it followed its own policies and procedures and regularly assessed and updated its IT resources, including applying available software patches. The settlement with ACMHS is just one of several recent settlements arising from HHS-OCR investigations, whether begun because an organization self-reported a breach of ePHI, because HHS-OCR received a complaint about an organization’s HIPAA compliance program, or as part of HHS-OCR’s audit program. No matter how the investigation begins, HHS-OCR will expect an organization to have fully implemented and kept current its HIPAA compliance program and its policies and procedures. Compliance with the HIPAA Security Rule requires organizations (among other things) to assess risks to ePHI on a regular basis, including whenever new software, such as a patient portal, is implemented. Organizations cannot simply adopt HIPAA policies and procedures, conduct training, and then ignore HIPAA. All organizations subject to HIPAA, both “covered entities” and “business associates” (regardless of size), must devote ongoing resources to protecting protected health information from security threats.

Most of the activities that HHS-OCR found lacking at ACMHS are ones that health care providers can efficiently develop, implement, and sustain with timely planning.

For more information, please contact board-certified health law attorney Scott Chase.

Jennifer Snow | Farrow-Gillespie & Heath | Dallas, TX

HIPAA Law and Business Associates

HIPAA-covered entities and their business associates face increased obligations to securely maintain and handle protected health information. A health care entity subject to the HIPAA rules must ensure that its contract with any business associate that may receive protected health information includes the required assurances that the business associate will appropriately safeguard the information. That is, any vendor contract, staffing contract, or services contract under which a party receives protected health information of any person must include the business associate provisions that HIPAA requires.

For more information, contact board-certified healthcare attorney Scott Chase.