
HIPAA Safe Harbor Bill | Tahlia Clement

The HIPAA Safe Harbor Bill: A New Incentive for Organizations to Prioritize Security


On January 5, 2021, the President signed H.R. 7898, The HIPAA Safe Harbor Bill, into law. This new legislation amends the HITECH Act to require the Department of Health and Human Services (HHS) to incentivize best-practice cybersecurity for meeting HIPAA requirements.

Previously, organizations that experienced cyberattacks were subject to HIPAA enforcement actions that included severe penalties and fines regardless of their cybersecurity practices. Now, H.R. 7898 specifically requires that HHS, when calculating fines or penalties based on a cyberattack, evaluate whether the organization has been using recognized security practices by reviewing the previous 12 months. However, the law also expressly states that it does not give HHS the authority to increase fines or even the extent of an audit when an organization is found to be out of compliance with recognized security practices.

According to the law, “the Term ‘recognized security practices’ means the standards, guidelines, best practices, methodologies, procedures, and processes developed under…the NIST Act, the approaches promulgated under… the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities.”

This new law is important since the healthcare industry continues to be the most impacted sector when it comes to cyberattacks. The healthcare industry accounted for 79 percent of all reported data breaches from January to November 2020, and attacks against healthcare organizations increased overall by 45 percent between November 2020 and January 2021. In addition, HIPAA violation fines can range from $100 per violation all the way up to $59,522 per violation. Since these fines are calculated on a “per violation” basis, in 2020 the fines imposed ranged from $3,500 to $6,850,000, with multiple fines imposed totaling over $1,000,000.

A recent example is the University of Texas M.D. Anderson Cancer Center, which was fined $4,300,000 for violations of HIPAA and the HITECH Act. However, on January 14, 2021, the United States Court of Appeals for the Fifth Circuit vacated the fine, stating that it was “arbitrary, capricious, and otherwise unlawful.” The Court held that HIPAA does not require entities to use “bulletproof protection” and instead held that M.D. Anderson had adopted sufficient security practices. This case shows that even courts are now looking at security practices when determining if a HIPAA violation fine is reasonable.

For more information about your entity’s cybersecurity risks and HIPAA compliance, reach out to one of FGHW’s healthcare attorneys. Our attorneys have extensive experience with reviewing and analyzing HIPAA and cybersecurity practices to determine if they comply with recognized security practices under the new law. If your cybersecurity practices are not up to the new standards, FGHW’s attorneys can assist in implementing practices that are compliant.


Dallas Attorney Tahlia Clement

Tahlia Clement’s primary practice areas are marketing, advertising and promotions law, health law, internet law, and general business transactions. Tahlia graduated from SMU Dedman School of Law and holds a B.A. in journalism and mass communications from Arizona State University.

2019 Update on Balance Billing and Texas Health Insurance Law

This article updates the prior article, “Balance billing and Texas healthcare law.”

Balance Billing Senate Bill 1264

“Balance billing” occurs when doctors, hospitals, or other health care providers who are not contracted with a patient’s health maintenance organization (HMO) or preferred provider benefit plan (PPO) bill the patient for the difference between the amount the health plan pays and the amount the provider believes to be the adequate cost of a service.

For example, a patient may visit the emergency room at a hospital that is contracted with her health plan, but the emergency room doctor who treats her is not contracted with that health plan. The emergency room doctor and the hospital each bill $1,000 for their services, and the health plan pays them each $400. The hospital, which is contracted with the patient’s health plan, may bill the patient only for the copayments, deductibles, and coinsurance amounts under her plan. However, the emergency room doctor, who is not contracted with the patient’s health plan, may bill her for the $600 that her health plan didn’t pay, as well as any copayments, deductibles, and coinsurance that she owes.

Some providers and health plans display cost information on their websites. Texas law also gives patients the right to request, in advance, estimates of charges from providers and facilities and estimated payments from health plans. However, the law allows doctors, other providers, and health plans up to 10 days to provide patients the estimates. As a result, patients cannot obtain advance notice of possible balance billing costs in emergent situations.

Senate Bill 1264

To combat this issue, the Texas Legislature recently passed Senate Bill 1264 (“SB 1264”), which makes balance billing illegal for emergency services but is limited to Texas regulated health plans. SB 1264 contains an exemption if the provider provides written disclosure to the patient informing them:

  1. that their health plan does not cover the provider,
  2. the projected cost the patient could be responsible for, and
  3. under what circumstances the patient will be responsible for those amounts.

Before SB 1264, Texas law did not give consumers many rights with regard to disputing a balance bill they were surprised to receive. SB 1264 significantly improves the dispute resolution process for consumers by removing the patient from the process altogether.

Instead, the onus is on the health plan to initiate mediation or arbitration because the excess charges cannot be passed down to the patient. 

Mediation is conducted for health plans and facility providers, i.e., hospitals, but is only applicable if the patient cannot be billed, and the charges are for emergency services, diagnostic imaging, or laboratory services. Arbitration will be for health plans and providers that are not facilities, i.e., individual physicians. While arbitration is binding, the arbitrator may only determine reasonable cost of the medical services rendered.

While the remedies of SB 1264 are still being implemented, including the mediation and arbitration processes, it is a great first step in protecting Texas consumers from inequitable balance billing practices.


Scott Chase | Farrow-Gillespie & Heath LLP

Attorney Scott Chase is a health law and corporate attorney at Farrow-Gillespie Heath Witter LLP.  Mr. Chase has been named to the lists of Best Lawyers in America (U.S. News & World Report), Texas Super Lawyers (a Thomson Reuters service), and Best Lawyers in Dallas (D Magazine) in every year for more than a decade.

Mr. Chase thanks intern Stephen Chance for his contributions to the article. Stephen Chance is a 2019 summer intern with Farrow-Gillespie Heath Witter and a law student at SMU Dedman School of Law.

The Revised AdvaMed Code of Ethics on Commercial Interactions with U.S. Health Care Professionals

Advanced Medical Technology Association (AdvaMed) is a trade association for companies producing medical devices, diagnostic products, and health information systems. Relationships between AdvaMed member companies and Health Care Professionals (HCPs) are vital to the development of medical technologies, their safe and effective use, and medical research and education. However, these relationships can also create risk under state and federal laws. To avoid such risks, AdvaMed created the AdvaMed Code of Ethics on Interactions with U.S. Health Care Professionals (AdvaMed Code) in 1993. Recently, AdvaMed has announced revisions to its code to clarify and refine its discussion of interactions between HCPs and AdvaMed member companies. Revisions become effective January 1, 2020.

AdvaMed Code: New Sections

Jointly Conducted Education and Marketing Programs: Companies who partner with HCPs to conduct joint education and marketing programs, which must be designed to highlight medical technology and an HCP’s ability to diagnose or treat medical conditions, should comply with the following guidelines:

  • A legitimate need must exist for the company to engage in the activity for its own educational or marketing benefit;
  • Companies should establish controls to ensure that the decisions to engage in such arrangements are not an unlawful inducement;
  • Jointly conducted education and marketing programs should be balanced and should promote all parties;
  • All parties should make equitable contributions towards the activity and costs of the program; and
  • The arrangement should be documented in a written agreement.

Communicating Information for the Safe and Effective Use of Medical Technology: Communicating information about unapproved or uncleared (off-label) uses for approved or cleared products should be in accordance with the code’s established principles. These principles recognize the industry’s responsibility to communicate medical and scientific information to achieve positive patient outcomes and to support public health. The code’s off-label communication guidelines reflect recent judicial opinions affirming First Amendment protections for truthful and non-misleading off-label speech. Industry appropriate communications can include:

  • Proper dissemination of peer-reviewed scientific and medical journal articles, reference texts, and clinical practice guidelines;
  • Presentations at education and medical meetings; and
  • Discussions with consultants and HCPs to obtain advice or feedback.

Companies should evaluate and implement these guidelines in light of existing FDA laws and the HHS/OIG instruction on off-label communications.     

Company Representatives Providing Technical Support in the Clinical Setting: Company representatives may play an important role in the clinical setting by providing technical support on the safe and effective use of medical technology. Representatives providing technical support should:

  • Be present in the clinical setting only at the request of and with supervision by an HCP;
  • Be transparent that they are acting on behalf of the company in a technical support capacity;
  • Not interfere with an HCP’s independent clinical decision-making;
  • Comply with applicable hospital or facility policies and requirements; and
  • Not eliminate an expense that the HCP should otherwise incur while providing patient care.

AdvaMed Code: Consolidations and Clarifications

Cornerstone Values:  Innovation, education, integrity, respect, responsibility, and transparency form the basis of the updated AdvaMed Code. It directs medical technology companies to review all interactions with HCPs in light of these values and to avoid interactions designed to circumvent the code.

Scope and Applicability: The updated AdvaMed Code applies to all interactions regardless whether an interaction occurs outside the United States (such as at a conference or other event). The updated code clarifies that for companies with multiple lines of business, the code applies only to the company’s interactions linked to medical technology, including all interactions related to combination products that include a medical technological component (i.e., combination of biologic devices and drug products).

Consulting: Although the content regarding consulting remains mostly unchanged, the updated AdvaMed Code adds clarifying language defining what constitutes a “legitimate need” for the consultation. According to the code, a legitimate need arises when a company requires the services of an HCP to achieve a proper business objective. However, engaging an HCP for the purpose of generating business directly from such HCP (or health care provider affiliated with the HCP) is not a proper business objective.  

The AdvaMed Code also explains how a company can establish “fair market value.” A third party may assist in developing an approach to assess fair market value, but in all instances, a company should incorporate objective and verifiable criteria. Companies are encouraged to document their methods to evaluate whether compensation reflects the fair market value of the services provided.

Consolidations: The AdvaMed Code consolidates the following sections:

  • Industry conducted training, education, and other business meetings into a comprehensive section that provides parameters for all industry-conducted programs;
  • Third-party education, charitable, and research programs into a comprehensive section regarding grants, donations, and commercial sponsorships; and
  • Meals, travel, lodging and venue sections into a comprehensive section that encourages companies to avoid selecting a setting because of its entertainment or recreational facilities, as well as encouraging companies to develop meal policies and review benchmarking information.

Next Steps

The updated AdvaMed Code notes that it does not replace any state laws, regulations, or codes that contain stricter requirements. Certain states, including California, Connecticut, and Nevada, have made the code’s provisions mandatory. Alleged violations of the federal Anti-Kickback Statute may provide a basis for whistleblowers or the government to file cases alleging that AdvaMed Code noncompliance is evidence of improper conduct. To reduce compliance risks, medical technology companies and HCPs should consider whether the updates to the AdvaMed Code warrant changes to their policies, procedures and practices, and contracts regarding interactions with one another. The delayed effective date of the new Code is intended to provide time to conduct this review.

Legal Assistance

Medical companies and Health Care Providers are well-advised to seek legal counsel to conduct a review of the paperwork governing their interactions. The health law attorneys at Farrow-Gillespie Heath Witter LLP can assist in that review.


Scott Chase | Farrow-Gillespie & Heath LLP | Health Law

Author Scott Chase is a health law and corporate attorney at Farrow-Gillespie Heath Witter LLP.  Mr. Chase has been named to the lists of Best Lawyers in America (U.S. News & World Report), Texas Super Lawyers (a Thomson Reuters service), and Best Lawyers in Dallas (D Magazine) in every year for more than a decade.

The Expansion (Finally) of Telemedicine in Texas: A Brief History and Future Applications and Considerations for Healthcare Providers

If you are a healthcare provider in Texas looking to supplement, or even transition, your practice into telemedicine, now is your time. Texas has always been a prime candidate for the benefits of telemedicine. It is an expansive state, with a large rural population that is often distant from medical care.

Thus, Texas residents are uniquely situated to take advantage of the outcome improvements and cost savings that telemedicine can provide.

Nevertheless, Texas was the last state to welcome telemedicine into its borders, in that it was the last state to abolish the requirement that a telemedicine provider first establish a patient-physician relationship via an in-patient visit. Now, after a lengthy court battle, this requirement has been eliminated, and providers are free to initiate patient-physician relationships in the telemedicine realm. While there was an immediate reaction by key players in the healthcare landscape to expand telemedicine in Texas, there remain a lot of unknowns that Texas healthcare providers should be aware of as they enter the world of telemedicine.

 

The Genesis and Outcome of Teladoc, Inc. v. Texas Medical Board

Teladoc, Inc. (“Teladoc”), one of the largest telemedicine providers in the United States, is based in Dallas and had been operating in Texas since 2005. Following amendments by the Texas Medical Board (“TMB”) to the state’s telemedicine regulatory scheme, Teladoc was forced to cease its telemedicine operations.

Eventually, Teladoc filed suit in federal court, alleging the TMB’s actions violated federal antitrust laws and the Commerce Clause of the Constitution. The parties then agreed to stay the proceedings to pursue settlement negotiations. These negotiations culminated in Texas Senate Bill 1107 (“SB 1107”), which was signed into law on May 27, 2017. Senate Bill 1107 abolished the requirement of an in-patient visit prior to utilizing telemedicine services. The new legislation applies across all telemedicine platforms.

 

Expansion Plans for Texas Telemedicine and Beyond

On September 22, 2017, the DWC announced “New 28 Texas Administrative Code § 133.30, Telemedicine Services” (the “Proposed Rule”). The Proposed Rule’s stated purpose is to “expand the accessibility of telemedicine services in the Texas workers’ compensation system by allowing health care providers to bill and be reimbursed for telemedicine services regardless of where the injured employee is located at the time the services are delivered.”

To reach this goal, the Proposed Rule included the removal of a Medicare-based reimbursement restriction that services be provided to injured employees at an originating site located in an area where there is a shortage of healthcare professionals. In other words, the Proposed Rule now allows a provider to bill and be reimbursed for telemedicine services no matter where the injured employee is located at the time the services are delivered.

Similarly, federal lawmakers are taking heed of the benefits of telemedicine. On November 7, 2017, the U.S. House of Representatives passed The Veterans E-Health and Telemedicine Support Act of 2017 (“VETS Act”). Much like the Proposed Rule issued by the DWC, the VETS Act eases geographic restrictions on telemedicine provided to veterans and aims to ensure that veterans, rural and disabled veterans in particular, can receive care across state lines.

The U.S. Senate passed its version of the VETS Act on January 4, 2018, which is slightly different than the House’s version, in that it bars individual states from taking disciplinary action against physicians who practice telemedicine across state lines.

Private employers are also noticing the benefits of telemedicine, and there has been a sharp increase in the number of large employers who see telemedicine services as a way to optimize how health care is accessed and delivered, while offsetting overall healthcare costs. More specifically, the Large Employers’ 2018 Health Care Strategy and Plan Design Survey found that 96 percent of large employers intend to make telemedicine services available to their employees at some point in calendar year 2018.

 

Considerations for the Telemedicine Provider

Whether a provider has been offering telemedicine services for some time or is just now getting in the game, there are some important issues to consider in updating or implementing telemedicine policies and procedures:

  • Telemedicine is a moving target – As of now, there is no uniformity across state lines in the regulation of telemedicine. From state-to-state, many crucial statutory definitions vary significantly. It is unclear how federal legislation like the VETS Act will resolve these discrepancies, if at all. Therefore, providers licensed in different states or providing services across state lines should comply with the rules and regulations of every state they encounter, including formal, regulatory schemes and the practice requirements set forth by the state’s medical board.
  • Data breach and cybersecurity risks – The provision of telemedicine exposes patients to increased cyber, privacy, and data security risks. Before launching a telemedicine practice, providers should conduct a thorough risk analysis aiming to implement policies and procedures that, at a minimum, comply with the HIPAA Security Rule and set forth an incident response plan that incorporates all applicable regulatory requirements.
  • The battle for universal reimbursement – One of the major barriers to a provider’s implementation of a robust telemedicine practice is the lack of universal reimbursement, both from Medicare and private payers. Providers should consider this issue in building their telemedicine business models, as ultimately, the telemedicine industry needs universal reimbursement to become widespread and economically sustainable.

Katie M. Ackels is a litigation attorney with broad experience for a diverse client base. Ms. Ackels’s primary practice areas are business litigation, employment litigation defense, personal injury litigation defense, and healthcare litigation. She graduated magna cum laude from Texas Tech University School of Law.

ObamaCare | Farrow-Gillespie & Heath | Dallas, TX

What is the Status of ObamaCare, and Why Should I Care?

Regardless of your position on the Affordable Care Act, otherwise known as ObamaCare (“ACA”), you should neither panic nor rejoice just yet over the actions and inactions of the United States government regarding this healthcare insurance law. You have probably read about the various options, i.e., “repeal and replace,” “repeal and delay,” or simply “repeal” the ACA. What Congress is figuring out is that it is difficult to keep “good” provisions, e.g., the one related to “pre-existing conditions” (which over 70% of Americans like) but to do away with “bad” provisions, e.g., the individual mandate (which 70% of Americans do not like) and still keep an actuarial pool that doesn’t adversely affect insurance premiums in a substantial way. Conventional wisdom is that, without the individual mandate, premiums would increase, probably at a faster rate than is current under the ACA.

Countries that provide universal access to healthcare for their citizens have determined that everyone needs to be covered in order to spread the cost of insurance over the total population. As someone who has studied the ways in which Western countries have instituted universal access to healthcare (e.g., Germany in the 1870’s) and who has lectured extensively on the ACA, I am not surprised at Congress’s inability to come up with a plan that would cover everyone, not require everyone to carry insurance, and keep insurance premiums down. Add in the fact that any new Congressional plan will affect over 20 million citizens who have already obtained health insurance through the ACA and you can see the possibility of throwing insurance markets into chaos.

Of course, there are lots of other ideas, e.g., more incentives for health savings accounts (“HSA’s”), altering the “minimum essential benefits” list, use of high risk pools, etc., and each of these has a different effect, both on the economics of healthcare and on the hotly-debated issue of universal access to healthcare.

But something is likely to happen in the next 3 months and my recommendations for the immediate future are as follows:

  1. If you have insurance, don’t drop it or let it lapse.
  2. If you lose employer-based insurance, be sure to review your COBRA options.
  3. If you lose your job and COBRA is not attractive, you have the option of utilizing the ACA marketplace because losing your job is a “qualifying life event” that allows you to access the marketplace outside of the annual “open enrollment period.”

Please feel free to contact Scott Chase or Jennifer Snow at our firm if you have any questions about the ACA.


Jennifer Snow | Farrow-Gillespie & Heath LLP | Dallas, TX

Jennifer Snow practices in the areas of health care law and business litigation. She is the author of numerous articles on health care law. Jennifer represents physicians and physician groups in health law matters, and she represents companies and executives in business litigation.

Ms. Snow has been named to the list of “Rising Stars” by Texas Monthly Magazine and Texas Super Lawyers (a Thomson Reuters service) in every year since 2014.


Scott Chase has practiced health law, corporate law, and intellectual property law for over 35 years. Mr. Chase is Board Certified in Health Law by the Texas Board of Legal Specialization.

Scott’s primary practice focus is business transactions for physicians and healthcare facilities, as well as healthcare regulatory issues such as the Affordable Care Act, HIPAA and peer review.  Mr. Chase handles general corporate matters and trademark/copyright issues for physicians and also for a variety of non-healthcare clients.

Health Care Law | Farrow-Gillespie & Heath LLP

Healthcare Providers’ Risk of Data Breach

By Scott Chase and Catherine Parsley

Healthcare providers receive, collect, and store vast quantities of sensitive personal health information (“PHI”) from their patients. However, only half of providers responding to a recent survey said that they are prepared to respond to cyber-attacks. Attacks and other security breaches can have far-reaching effects for providers and their patients.

Electronic Medical Records

Healthcare providers have many vulnerabilities that are unique to their field. Most providers are adopting or have adopted electronic medical records (EMRs), but those programs are often clunky and can be inadequately secured. The new EMR systems make sharing PHI easy. Easy sharing is great for internal use but poses an increased risk of external leakage compared to old-fashioned paper records. Many providers’ network systems have been pieced together over time, leaving vulnerabilities and inconsistencies. At the same time, online attackers are becoming increasingly complex and sophisticated. Another problem created by piecemeal network systems is that many providers either cannot or do not know how to detect in real time whether their network system is being compromised.

HIPAA Violation

These factors leave healthcare providers open to higher risk of attacks and data loss. Any data loss can constitute a breach of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). If a provider loses PHI, or even puts PHI at risk of exposure to unauthorized individuals, the provider can be held to have breached HIPAA, even if no loss or theft actually occurs. One hospital was recently fined over three million dollars after it did not comply with HIPAA-required protective measures. It had several violations, including storing PHI on unencrypted devices, allowing such devices to be accessed by individuals who were not HIPAA-authorized, and failing to implement recommended risk management plans.

It is also important to note that HIPAA, pursuant to its Security Rule, requires a risk assessment for PHI vulnerability whenever either of the following occurs:

  • Environmental and operational changes, such as implementation of new technology or changed office operations; or
  • Any security breach or security incident that indicates vulnerability.

Fines have been levied on providers that have not performed such assessments, even if no HIPAA breach was found. While healthcare providers are not targeted as frequently as some other types of organizations, such as banking and financial institutions, the wealth of data that healthcare providers own makes them a highly sought-after target. The data can be used for various fraudulent purposes by the attacker, and any loss or possible loss can be a HIPAA violation. In addition to having appropriate corporate policies in place, providers should also review the various types of insurance coverage available to reduce losses.

Farrow-Gillespie Heath Witter LLP can help healthcare providers deal with security threats. Our attorneys can work with clients to put policies in place before problems arise, or help clients deal with regulatory or operational issues after a breach occurs.  For more information on the available services, contact board-certified health care attorney Scott Chase.



Scott Chase is a Dallas health law attorney, certified by the Texas Board of Legal Specialization. Mr. Chase has been named for many years to the list of Texas Super Lawyers (a Thomson Reuters service), Best Lawyers in America (U.S. News & World Report), and Best Lawyers in Dallas (D Magazine).


Health Law | Farrow-Gillespie & Heath LLP | Dallas Texas

Physician “Anti-Kickback” Statute

Physicians and other health care providers face numerous prohibitions against self-referrals and against making referrals in exchange for remuneration. The federal Anti-Kickback Statute is a criminal law that prohibits the knowing and willful payment of remuneration in exchange for referrals of services payable by federal health programs, which include health care services for Medicare or Medicaid patients. The law prohibits any person from offering, paying, soliciting, or receiving anything of value, whether it is money or something less obvious, such as free product, tickets, hotel vouchers, speaking fees, or lowered rent payments. This law creates restrictions on virtually all business dealings involving physicians, including dealings with landlords, drug companies, device manufacturers, physical therapy clinics, hospitals, or other physicians.

Anti-kickback violations must be knowing and willful for criminal liability to attach; successful prosecution can lead to fines of up to $25,000 per violation and prison time. Further, any doctor who submits false Medicare or Medicaid claims, whether knowingly or with reckless disregard for their truth or falsity, also faces civil liability under the False Claims Act.

The parameters of anti-kickback law include specific carve-outs that allow medical providers to enter mutually-beneficial transactions with impunity. These carve-outs are known as “safe harbors” and are detailed and complex. To avoid potential violations, health care providers should review all transactions carefully with the aid of experienced counsel.