Medical Residents Considered Employees, Not Students, Under Federal Tax Law

On January 11, 2011, the United States Supreme Court, in a unanimous opinion authored by Chief Justice Roberts, upheld a Treasury Department rule that established that medical residents are full-time employees, not students, for purposes of federal income taxation and Social Security coverage.

The case considered a federal law, namely the Federal Insurance Contributions Act (FICA), which exempts students from paying Social Security taxes. In 2004, the Treasury Department issued a rule that essentially stated medical residents were not students and therefore that their wages were taxable under FICA.

Petitioner Mayo Foundation for Medical Education and Research argued that this was an improper rule, and that medical residents should be treated as students under the plain language of the statute. In announcing the decision, the Court focused on the question of whether residents were “workers who study or students who work.”

The Court held that the Department’s regulation was a permissible interpretation of an ambiguous statute, and therefore that medical residents would be treated as employees for purposes of federal taxation and Social Security coverage under FICA. Chief Justice Roberts wrote, “The department certainly did not act irrationally in concluding that these doctors… are the kind of workers that Congress intended to both contribute to and benefit from the Social Security system.”…


Michigan Court of Appeals Rules State Law on Patient Privacy Trumps HIPAA In Certain Circumstances

A newly published health law opinion from the Michigan Court of Appeals could have some far-reaching effects on HIPAA litigation.

In the case of Isidore Steiner, DPM, PC v Marc Bonanni, Dr. Bonanni was employed by Isidore Steiner, DPM, PC and his contract included a non-competition and non-solicitation provision. After Dr. Bonanni left his employment with them, Isidore Steiner, DPM, PC sued him for allegedly violating the non-solicitation provision of the contract and stealing their patients. In order to prove their allegations, Isidore Steiner, DPM, PC sought Dr. Bonanni’s patient list during the discovery portion of the case.

The Michigan Court of Appeals found that the patient list was not discoverable as it was privileged under Michigan law. The Michigan Court of Appeals held on April 7, 2011 that Michigan law protects the very fact of the physician-patient relationship from disclosure, absent patient consent; this means that the name, address, and contact information are protected from disclosure in litigation. The Court found that HIPAA (which would have allowed for disclosure) does not preempt state law on this matter because state law is more stringent.

Generally, HIPAA requires patient consent for the disclosure of protected health information, just as Michigan state law does. In litigation, however, HIPAA has special provisions that allow for the disclosure of protected health information in response to a subpoena or court order if the provider receives adequate assurances that notice was provided to the patient or that reasonable efforts were made to secure a qualified protective order (QPO). However, Michigan law does not have such an exception and requires the patient’s consent to reveal private patient information. Thus, it would seem that non-solicitation provisions in employment contracts may potentially lose some of their weight unless a violation can be proven without reference to patient information. If an ex-employee violates this contractual provision, the employer does not have access to the ex-employee’s patient list to prove its allegations of violation of the employment contract under this latest Michigan Court of Appeals ruling.…


HHS Publishes HITECH Breach Notification Interim Final Rule

On August 24th, 2009, we finally saw the publication of interim final regulations implementing the security breach notification provisions of the Health Information Technology for Economic and Clinical Health Act (“HITECH”).

While the regulations appear to parallel the statutory provisions of HITECH, the process covered entities must follow before notifying a patient of certain breaches of their protected health information (PHI) is not as strict as initially feared.

For instance, under the new regulations, covered entities will still engage in a very subjective and fact-specific risk assessment before determining when to notify a patient of a breach. The regulations also provide guidance to covered entities and their business associates (BAs) relative to their mutual obligations under the new rules.

Summarized below are some key points and issues we perceive to be relevant to covered entities and business associates under the new regulations.

The Breach Rules Only Apply To “Unsecured” PHI.

Unsecured PHI is defined as PHI that has not been secured through the use of a technology or methodology specified by HHS. According to HHS guidance released in April 2009, encryption and destruction are the only two ways to secure PHI and avoid breach notification under the Act.

See HHS’ April 2009 “Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals for Purposes of the Breach Notification Requirements.”

Fact-Specific Risk Assessment.

The Regulations define a “breach” as the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule that “compromises the security or privacy” of the PHI. A use or disclosure compromises privacy or security only if it creates “a significant risk of harm to the individual as a result of the impermissible use or disclosure.” The regulations identify a number of factors covered entities or business associates may consider during this assessment, including:

who impermissibly used the information or to whom the information was impermissibly disclosed;
steps taken to mitigate an impermissible use or disclosure (e.g., a lost or stolen laptop is returned and forensic analysis reveals that its information was not opened, altered, transferred or otherwise compromised); and
the type and amount of PHI involved.

In the event a notification is deemed necessary based on the facts, all notifications to individuals and HHS must be given without “unreasonable delay,” but no later than 60 days after discovery.

Exceptions to Breach Rule.

There are also key exceptions relative to the breach rule in situations where there is:

an unintentional acquisition, access or use of PHI;
inadvertent disclosure; or
disclosure of PHI to a person not reasonably able to retain such information.

Business Associates.

Under the new regulations, BAs must comply with the privacy and security regulations, just like covered entities. BAs must have policies and procedures documenting compliance with the privacy rule’s use and disclosure provisions and the security rule’s administrative, physical and technical safeguards requirements.

An interesting issue arises as to whether a BA is acting as an “agent” of a covered entity or as an “independent contractor,” and the breach notification time frame requirements under each scenario. If a business associate is acting as an agent of a covered entity, then the business associate’s discovery of the breach will be imputed to the covered entity. Accordingly, the covered entity will have to provide notifications to the patient and HHS based on the time the business associate discovers the breach, not from the time the business associate notifies the covered entity. Conversely, if the business associate is an independent contractor of the covered entity (i.e., not an agent), then the covered entity must provide notification based on the time the business associate notifies the covered entity of the breach.

Among Other Issues, BA Agreements May Need To Be Amended To:

clearly address the agent versus independent contractor status of the BA; and
address the timing of BA notification to a covered entity following a breach.

Grace Period, Enforcement And Penalties.

Finally, the regulations account for a grace period allowance before HHS expects to begin enforcement. The regulations took effect on September 23, 2009, but HHS has delayed seeking sanctions until February 22, 2010.

The caveat to this allowance period, however, is that the regulations significantly broaden the enforcement and penalties associated with a violation. Under the new system, HHS will employ a tiered penalty system based on the mental state of the offender.

Additionally, HHS has delegated some of the enforcement mechanisms to state Attorney General offices. Effective February 18, 2009, the Michigan Attorney General can bring actions under HIPAA independently of HHS. Finally, the regulations allow for penalties to be shared with those harmed by the disclosure (though we have not seen regulations or guidance from HHS on the definition of the “harm” necessary to share in penalties).…


Health Care Employers Feel the Pain of H1N1 Vaccination Policies

Many hospitals and other employers in the health care industry are discussing the benefit of H1N1 vaccinations for their employees. Some are even considering mandating that employees receive the vaccination. After all, if your employees are “at will,” then you can impose new conditions of employment on them at any time.

On many levels, mandating the vaccine for health care workers makes sense. After all, OSHA mandates that employers provide their employees with a safe place to work. Doesn’t a mandatory vaccination ensure a safer place for employees to work? A healthy workforce also means less absenteeism. And, the idea of mandatory vaccinations isn’t totally foreign to health care: think TB vaccinations. I also compare a mandated vaccination to drug testing: somewhat invasive, but for the common good.

On the other hand, mandatory vaccinations raise many legal issues. For instance, if your workforce is unionized, then this would require negotiations with the union before implementation, as it affects the terms and conditions of employment. If you are non-unionized and have many employees opposed to the mandatory vaccination, a mandate may be what pushes employees to organize. Another consideration is that some have asserted that the vaccination is untested and potentially dangerous. If an employee is vaccinated over his/her objection, that may create liability for the employer if the employee experiences an injury or serious side effects from the vaccine.

While there are many good reasons to mandate the H1N1 vaccine, an employer who moves in this direction is definitely treading onto unsettled legal grounds.…


OIG Work Plan – FY 2009

Last week, the Office of Inspector General (OIG) published its “Work Plan” for federal fiscal year 2009. Many health care providers use the annual OIG Work Plan as a road map to guide their annual compliance efforts, and this has always been a strategy that I have supported.

Although I usually suggest that compliance officers and the health care providers they represent look not just at the current year’s Work Plan but at the past two or three years’ Work Plans, collectively, I think it is very important for health care providers to be aware of what the OIG thinks it should pay attention to in any particular year. It’s also noteworthy to understand how the OIG’s focus changes from year to year and over time.

Of particular note in this year’s Work Plan is the continuation of some significant reviews and the initiation of others that are in areas where health care providers often struggle.

They include OIG’s review of:

Provider-Based Status for Inpatient and Outpatient Facilities
Hospital Owned Physician Practices Billed as Outpatient Services
Provider Bad Debt Allocations
Medicare Secondary Payer Compliance
Diagnostic X-rays Performed in Hospital Emergency Departments
EMTALA Compliance
Never Events
Physician Services Performed by Non-Physicians
Medicare Payments for Sleep Services
Services Performed by Clinical Social Workers
Outpatient Physical Therapy Provided by Independent Therapists
Payments for Colonoscopy Services

Given some of the questions that I have received from clients in the past six months, I see EMTALA Compliance and Medicare Payments for Sleep Studies as particularly interesting and suggestive of the fact that OIG and CMS think that providers are not doing things correctly in these areas.

Your compliance committee should take the time to review the new OIG Work Plan and modify its compliance focus accordingly.…


FTC Red Flag Rules – Regulation From A New Direction

It never ceases to amaze me the number of varying directions from which hospitals and health care providers get regulated!

The most recent federal agency to jump on the health care regulation bandwagon appears to be the Federal Trade Commission (FTC). On November 9, 2007, the FTC, in conjunction with federal bank regulators, issued a set of regulations intended to combat identity theft. These regulations are commonly referred to as the “Red Flag Rules.” The Red Flag Rules require financial institutions and other “creditors” to implement a program designed to detect, prevent and mitigate identity theft in connection with the creation and maintenance of “covered accounts.”

Many hospitals and health care providers began to pay attention to these regulations a few months ago when word started to “eke out” that the Red Flag Rules might apply to hospitals and other health care providers. While the application of these rules to any specific transaction will depend upon the specifics of the transaction at issue, what does seem pretty clear at this point is that if you are affiliated with a health care provider that periodically allows patients to pay for their medical services through a series of payments, over time, that health care provider is likely a “creditor” and needs to comply with the Red Flag Rules. Health care providers should, with very limited exception, expect to comply with the Red Flag Rules as of November 1, 2008.

Compliance with the Red Flag Rules is, in many ways, tied to your HIPAA compliance program and the policies and procedures health care providers already have in place. Similar to the HIPAA Security and Privacy Regulations, the Red Flag Rules deal with access to information in patient medical records and billing account records and the extent to which those records may be accessed and used to commit identity fraud.

To begin your compliance efforts, look to identify points of access or entry into patient records or accounts that might lend themselves to identity theft. Form a committee or task force made up of representatives from: HIM, HIPAA privacy and security, patient accounts, patient registration, pharmacy and the emergency department. Ask this group to brainstorm the points of access to relevant patient information and to analyze specific examples and experiences with patient identity theft to begin to develop a sense of where your identity theft risk lies.

Next, look at your existing privacy and security policies developed as part of your HIPAA compliance efforts and then evaluate what changes or additions need to be made to those policies in order to minimize your identity theft risk. In addition, you may need to revise policies or add new policies that will alert you to identity theft when it occurs and guide your response to patient identity theft.

Other things you will need to do over time as you build your Red Flag Rules compliance program will include demonstrating Board approval and oversight of your program and amending your existing business associate agreements so that your business associates are contractually obligated to be your partners in this effort.

In addition to resources being developed by the American Health Lawyers Association, the AHA and other organizations, your compliance counsel should be available to assist with the development of a Red Flag Rules compliance program.…


New Michigan Law Related to Billing Sexual Assault Survivors for Costs of Forensic Exam

Health care providers may no longer seek payment directly from sexual assault survivors for any portion of the costs of a sexual assault medical forensic examination, including any insurance deductible, co-pay, denial of claim or other out-of-pocket expenses, if the survivors do not have insurance, or if they refuse to have the claim submitted to their insurance carrier. Instead, effective December 29, 2008, health care providers are eligible to seek reimbursement for these costs directly from the state Crime Victims Services Commission (formerly the Crime Victims Compensation Board).

Prior to seeking reimbursement from the Crime Victims Services Commission, health care providers must advise the patient, either orally or in writing, that a claim will not be submitted to their insurance carrier without their express written consent and that they may decline to consent if they believe that submitting the claim would substantially interfere with their personal privacy or safety. If the patient declines to have the claim submitted to his or her insurance carrier or if the patient is uninsured, the provider may then seek reimbursement from the Crime Victims Services Commission. The provider may not bill the patient directly.

If the patient consents to have the claim submitted to his or her insurance carrier, the health care provider must submit the claim to the patient’s insurance carrier, including Medicare or Medicaid. If reimbursement cannot be obtained from the patient’s insurance carrier, the health care provider may then submit the claim for reimbursement to the Crime Victims Services Commission. If reimbursed by the patient’s insurance carrier for any portion of the claim, the health care provider may not also seek reimbursement from the Crime Victims Services Commission or the patient for the balance of the claim.

In order to be eligible for reimbursement, the examination must include all of the following: collection of a medical history, a general medical examination, a detailed oral, anal, or genital examination, and administration of a sexual assault evidence kit and related medical procedures and laboratory and pharmacological services.

The Crime Victims Services Commission will not pay more than $600 for the cost of performing a sexual assault medical forensic examination. This includes payments up to $400 for the use of an emergency room, clinic, or examination room and the sexual assault medical forensic examination, up to $125 for laboratory services, and up to $75 for dispensing pharmaceutical items related to the sexual assault.…


OCR Contemplates Electronic Medical Record Networks

In case you missed it, on December 15, 2008, the Office of Civil Rights published information that suggests it is thinking about how HIPAA applies to the electronic exchange of health information in a networked environment. If you want to review the materials for yourself, they are located here.

In summary, so long as the primary purpose for and function of an electronic network is treatment oriented, HIPAA should not be a barrier to the development of an effective network. OCR’s focus in its comments was on setting up electronic exchange networks so as to create a level of trust between patients and the covered entities participating in these networks. OCR recommends that patients be advised, either in the Notice of Privacy Practices or in some other document, that their health information will be used and disclosed for treatment purposes through an electronic network.

Some of the other points made by OCR in this guidance include the following:

While covered entities are not required to agree to allow patients to restrict otherwise permissible uses and disclosures of their information, a covered entity must have policies in place to deal with the issue and if a covered entity does agree to allow certain restrictions, the covered entity must abide by that agreement, except in an emergency situation;
OCR acknowledges that HIPAA does not require a covered entity to allow patients to “opt-in” or “opt-out” of an electronic network but suggests that the ability to afford patients that kind of choice will help build trust between patients and providers who use electronic networks;
Minimum necessary concepts apply to the electronic networks and the access of health information for payment and health care operations purposes through such networks;
Regardless of the scope or purpose of an electronic health information exchange network, any disclosures of health information by a covered entity through the network must comply with the Privacy Rule and, in addition must also be in compliance with any more stringent State law requirements;
Even in an electronic exchange environment, the HIPAA Privacy Rule requirement that patients consent to the disclosure of psychotherapy notes still applies;
Covered entities who set up electronic health information exchange networks must implement appropriate administrative, technical and physical safeguards to protect the privacy of the protected health information; and
Covered entities that participate in an electronic network need to be aware that whatever information they import into their electronic records via a network becomes a part of their legal medical record. However, network participation alone does not make all of the information about a patient that is accessible through the network a part of their legal medical record.

Overall, given the clients that I have worked with who are setting up, trying to set up, or thinking about setting up these kinds of electronic exchange networks, the OCR guidance is not overly enlightening but still helpful in that it confirms that there is a right way and a wrong way to set up such a network and that if you have the right goal — facilitating better access to information for treatment purposes — you should be able to get where you are trying to go.…


EMTALA – Covering Emergency Call Through Community Plans

On July 31, 2008, the Centers for Medicare and Medicaid Services (CMS) released its FY 2009 final rule for the Inpatient Prospective Payment System. Included within the many regulatory changes contained in this final rule are new provisions regarding the requirements of the Emergency Medical Treatment and Active Labor Act (EMTALA). Among these are new rules for hospitals to develop “community on-call plans” as a means of meeting their on-call services obligations under EMTALA.

The new rules allow for two or more hospitals to collaborate to develop a community on-call coverage plan that applies within a specific geographic area and divides the coverage of certain types of services between the participating hospitals at designated times. Specifically, a formal community on-call plan among a group of hospitals needs to include:

A clear delineation of on-call responsibilities for each hospital participating in the plan;
A description of the geographic area covered by the plan;
The signature of an appropriate representative of each participating hospital;
Assurances that local and/or regional EMS protocols include information on any such community on-call arrangements;
A statement from each hospital participating in the plan affirming their respective obligations under EMTALA to perform medical screening and stabilizing treatment within its capacity, and to comply with EMTALA transfer and acceptance of transfer requirements; and
An annual assessment by the participating hospitals of the efficacy of the plan.

Hospitals subject to EMTALA who struggle to maintain adequate ER coverage of key specialty areas including orthopedic surgery, cardiology and neurology should review these new rules and evaluate the potential to work with neighboring health care institutions to take advantage of this new opportunity as a way to better serve their communities and ease the often unwieldy burden on specialty staffing caused by the EMTALA requirements.…
