Tag Archives: Health Care Law

New Rule Allows for Electronic Transmission of Controlled Substance Prescriptions

Controlled Substance PrescriptionsA new Drug Enforcement Agency (DEA) rule could substantially impact the way prescriptions for controlled substances can be transmitted from a physician to a pharmacy.

As physicians and pharmacies seek to cut costs and maximize efficiency, electronic record keeping and prescription filing has become more commonplace.

In response, the DEA has relaxed previous restrictions on electronically filing controlled substance prescriptions. However, recognizing the high risks posed by abusing or forging controlled substance prescriptions, the DEA has created a system of requirements which must be met before a physician is able to take advantage of the new rule.

The DEA defines controlled substances as drugs and other substances that have a potential for abuse and psychological and physical dependence; these include opioids, stimulants, depressants, hallucinogens, anabolic steroids, and drugs that are immediate precursors of these classes of substances.

Once classified as a controlled substance, drugs are then broken down into one of five categories depending on the potential for abuse and risk of dependance. Today, controlled substances account for between 11% and 12% of prescriptions written in the United States.

Under the previous rule, physicians were prohibited from electronically sending prescriptions for schedule II-V controlled substances to pharmacies. However, under the current rule, which was published March 31, 2010 in the Federal Register, physicians who meet certain requirements will be permitted to e-file those prescriptions beginning June 1, 2010.

To be eligible to e-file controlled substance prescriptions, physicians must meet two of three factors. The “two-factor authentication protocol,” which seek to guard against fraudulent prescription filings by confirming the prescribers true identity includes:

  • A password or PIN number
  • biometric data- either a fingerprint or iris scan, or
  • a “hard token”- a secured device separate from a computer that can provide a password to a physician at the time of e-filing.

To be eligible to e-file controlled substance prescriptions, physicians must validate their identity with a designated agency. When applying for the proper credentials to utilize e-filing programs, physicians must supply verifiable information such as government issued identification or financial account information.

Currently, Michigan laws vaguely address the current state of e-filing prescriptions for controlled substances. MCL 333.7333(7) states that physicians may electronically transmit prescriptions as long as they do not conflict with federal law.

The law does not differentiate between controlled substance and non-controlled substance prescriptions. As a result, we may see future clarification from the Michigan legislature or the Board of Pharmacy regarding this issue.

Importantly, physicians and pharmacies that currently possess the technology to e-file prescriptions must ensure that their systems comply with the new DEA “two-factor authentication protocol” requirements for controlled substances.

Licensed physicians who cannot afford to implement the required technology or simply wish to opt out of the program are still able to produce physical prescriptions which can be presented at a pharmacy.


Read more

Where HIPAA and FERPA Meet: Student Health Records and Disclosure Requirements

Family Educational Rights and Privacy ActThe Departments of Education and Health and Human Services have issued joint guidance on how the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) apply to student health records. The guidance also addresses certain disclosures that are allowed without consent or authorization under both laws, especially those related to health and safety emergency situations.

FERPA is a federal law that generally prohibits an institution from disclosing the education records or personally identifiable information from education records, without a parent or eligible student’s written consent. An eligible student is one who is over 18 years of age or who attends a post-secondary institution at any age. FERPA applies to institutions that receive funds pursuant to any program administered by the U.S. Department of Education, including medical and other professional schools. Please note that if an institution receives funds in this manner, FERPA applies to the recipient as a whole, including all its components, such as a department within a university.

“Education records” are broadly defined to include records that are directly related to a student and that are maintained by an educational institution or by a party acting for the institution. At the elementary and secondary levels, this can include student health records. In post-secondary institutions, medical and psychological treatment records of eligible students are excluded from the definition of “education records” if they are made, maintained, and used only in connection with treatment of the student and disclosed only to individuals providing the treatment. If the disclose is for purposes other than treatment, the records are then subject to FERPA’s requirements and can only be disclosed with the student’s written consent or under one of several enumerated exceptions to written consent.

HIPAA requires covered entities (health plans, health care clearinghouses and health care providers) to implement appropriate safeguards to protect the privacy of patients’ identifiable health information and to set limits and conditions on the uses and disclosures that may be made of such information without patient authorization. HIPAA also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.

Whether FERPA or HIPAA apply to a particular set of records first depends on the record holder’s status as a FERPA or HIPAA covered entity. In some situations, an entity may be both. For example, when a school provides health care to students in the normal course of business, such as through its health clinic, it is both a “health provider” under HIPAA and subject to FERPA’s requirement. The analysis then hinges on whether the records meet FERPA’s “education” or “treatment” records definitions. If the records are education or treatment records under FERPA, HIPAA does not apply because HIPAA specifically excludes these records from coverage. For example, if a school is a HIPAA covered entity, and the only health records maintained by the school are education or treatment records under FERPA, the school does not have to comply with the HIPAA Privacy or Security Rules because these records are specifically excluded from coverage.

Other examples of arrangements where either HIPAA or FERPA apply:

  • If a person such as a school nurse acts on behalf of a school subject to FERPA, and maintains student health records, these records are education records under FERPA, just as if the school maintained them directly, even if the health care is provided to students off-site. HIPAA would not apply to these records.
  • FERPA applies to most post-secondary institutions. Student records at post-secondary campus health clinics are either education records or treatment records under FERPA, even if the school is a HIPAA covered entity. If the student health clinic is open to the public or school staff or both, the protected health information of the clinic’s non-student patients is still subject to HIPAA Privacy and Security Rules.
  • Patient records maintained by a hospital affiliated with a university that is subject to FERPA are not typically education records or treatment records under FERPA because university hospitals generally do not provide health care services to students on behalf of the educational institution. If the hospital runs the student health clinic, clinic records of students would be subject to FERPA as education records or treatment records and not HIPAA.

There is a never-ending array of possible situations that may arise when considering the interplay between FERPA and HIPAA. Consult legal counsel when presented with a request for disclosure of student health information to avoid inappropriate disclosures or denials for information.


Read more

Employee Free Choice Act — What’s in a Name?

 employee free choice actAlthough union membership overall continues to be weak, particularly in the private sector, there may be some changes on the horizon. Recent press accounts state that the overall percentage of union membership has increased for the second year in a row. While still well below peak levels of approximately 35 percent in the 1950’s, the number of union members rose from 311,000 in 2007 to 428,000 in 2008. In addition, the change in the political landscape in Washington makes it more likely that legislation friendly to organized labor will pass and become law.

Most notable of these pro-labor legislative proposals is the ironically named “Employee Free Choice Act”. Throughout the history of the National Labor Relations Act, the heart of the unionization process has been the right of employees to decide if they wanted a union through a secret ballot election conducted by the National Labor Relations Board (NLRB). If passed, the Employee Free Choice Act will eliminate those elections.

Under current law, a union must provide evidence to the National Labor Relations Board that at least 30 percent of the employees want to be represented by a union. This “showing of interest” is usually accomplished by getting employees to sign an “authorization card” saying they want the union. The cards are then presented to the NLRB (the employer never sees them). If at least 30 percent of the employees have signed the cards, the NLRB schedules a secret ballot election. If a majority of the employees voting by secret ballot want unionization, then the union is certified as the representative of the employees.

The so-called “free choice” legislation eliminates the election portion of the process and requires that if a majority of employees sign a card, then the union is certified. No election is held. While these cards have been used for years for the “showing of interest”, they are considered to be notoriously unreliable as a true indicator of the employees’ wishes. The card signing process is not private and significant pressure can be brought to bear on employees to sign the cards. Under the proposed legislation, these cards will be the sole basis for certifying a union as the employees’ representative.

In addition to the “card check” portion of the proposed legislation, the bill will require employers to begin negotiations within 10 days of the first “written request for collective bargaining” by a newly certified union. If agreement on a contract is not reached after 90 days, then either party can request mediation. If there still is no contract after 30 days of mediation, the dispute will be referred to “an arbitration board”. This board will be able to impose a contract on the parties for a two year term. In other words, wages, benefits, terms and condition of employment for two years will be set by an outside arbitration panel.

The bill also calls for triple backpay to employees who are terminated in violation of the National Labor Relations Act while a union is attempting to organize the employer and during negotiations of the first agreement. The NLRB will also be able to seek an injunction forcing reinstatement of a terminated employee before there is a ruling on the appropriateness of the termination. In some cases, there can be $20,000 in civil penalties for each violation of the statute. Violations of the statute by unions do not increase penalties.

The Employee Free Choice Act has widespread support among Democratic members of Congress and President Obama has stated that he will sign the bill if it is passed. Business groups are strongly opposed to the bill and battle lines have been drawn. We will watch to see if it passes the Senate and becomes law.

Read more

Hospital Disclosures of Financial Relationships with Physicians

Hospital Disclosures of FinancialWhen the physician self-referral statute (the Stark Law) was first enacted in 1989, it contained a financial relationship reporting requirement.

Although the initial regulations issued in 1991 contained information and details on that reporting requirement (42 CFR 411.361), CMS never initiated or implemented the requirement …. until now.

CMS first began to hint at its intention to begin to ask for disclosure of information on hospital/physician financial relationships in 2007 and, in its FY 2009 IPPS proposed rule suggested that it planned to send a formal information collection instrument known as the “Disclosure of Financial Relationships Report” (DFRR) to 500 hospitals (both acute care and specialty hospitals).

CMS suggests that the purpose for collecting this information is to: (1) identify arrangements that potentially may not be in compliance with the Stark Law; and (2) identify practices that may assist CMS in future rule making regarding the Stark Law.

Although CMS originally estimated that the effort associated with providing it with the information required on the DFRR would be minimal, it now acknowledges that hospitals may need to work with accounting and legal advisers in order to complete the DFRR.

Still CMS has indicated in the final IPPS rule for FY 2009 that each hospital who receives a DFRR will have only 60 days to complete the Report.  In implementing this reporting requirement, CMS believes that the information it is requesting is that which a hospital should be keeping in the normal course of its business activities.  CMS also hopes that hospitals who receive the DFRR will elect to submit their responsive information electronically, but hospitals will be able to submit information, including supporting documentation in a paper copy.

Fortunately, at least for now, CMS has determined that the DFRR will be used only in a one-time collection effort … at least for now.  A final PRA notices will be published in the Federal Register in the near future that will include a revised DFRR, including revised instructions for completion.  Following a 30 day comment period, CMS will then be in a position to begin formal distribution of the DFRR to a randomly selected group of 500 hospitals across the country.

Read more