Reinventing the Wheel
Physicians have long been employees of hospital systems and have long been independent contractors with hospital systems. Physician practice groups exist now, and have for some time, providing contracted specialty work to hospitals.
The newest name for this long standing practice is “group practice subsidiary” or “GPS.” In these cases, the hospital creates yet another subsidiary and has that subsidiary contract with the physicians. Sometimes the GPS will have its own tax ID number, its own budget and its own governance whether a board of directors or merely all the members.
The purpose of this is to allow the physicians to ‘feel’ they are not employees. There is no co-mingling of revenue and the physicians have substantial control over their own practice. The hospital on the other hand “owns” the GPS but generally does not directly subsidize it and the physicians gain or lose based upon the GPS bottom line. The hospital often provides hospital employment benefits to the physicians and provides its technology platform for EHR, etc.
These can be good for already successful physician practices and we have worked with our physicians to enter into independent contractor arrangements of various kinds, with or without a GPS for many years. You should be aware of the “GPS” model of the regular independent contractor agreement if your practice or group practice is involved with negotiations with hospitals.
The Cloud Exposed
Patient Home Monitoring (PHM) performs home blood testing for patients. PHM used an Amazon cloud repository to store the medical data for 150,000 patients. A security firm indicated that more than 316,000 PDFs containing PHI for PHM customers were available on the Amazon cloud. The data has now been secured and apparently is no longer publicly accessible. There is no indication yet whether the PHI data was in fact accessed and breached. It remains to be seen exactly what violations may have occurred with regard to the HIPAA security rule and the lack of detection by PHM.
I Didn’t Mean To
A report by Beazley Group (a cyber liability insurer) indicates that more than 40% of healthcare data breaches to date in 2017 were due to unintended disclosures. Second was hacking or malware at 19% and 15% involved a practice insider.
Unintended disclosure can happen any number of ways. As in the PHM case above, a cloud server can be misconfigured and left open to the public, or your office can send PHI to the wrong phone number, the wrong fax or the wrong email account. An unintended disclosure could also describe responding to spear phishing, in which someone imitates a trusted recipient. Your employee, believing the requester to be someone authorized to receive PHI, may send one or many files containing PHI to the spear phisher, only later to discover that what appeared to be an inquiry from a trusted recipient was in fact a spear phishing attack.
How to limit unintended disclosure:
- Periodically test any cloud based files to make sure access configuration is correct. Do this particularly after setting up a new cloud repository.
- Have a fixed list of email recipients to whom PHI-containing files may be sent. If your employees are asked to send such a file to an email address which is not on your fixed and approved list, have a supervisor review before sending or responding.
- Confirm fax numbers, email addresses, etc. by sending a test message and requiring the person requesting a PHI-containing file to confirm their email address and that you have the proper recipient.
- Encrypt all PHI files.
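As an added illustration of the first item (checking a cloud repository's access configuration), here is a small checker, not from the newsletter or from PHM, that flags public grants in an Amazon S3 bucket ACL and bucket policy. It assumes the repository was an S3 bucket (the newsletter says only "Amazon cloud repository"), and the ACL, policy, bucket name and VPC endpoint ID below are constructed samples, not values from the incident.

```python
import json
# Grantee URIs AWS uses for "anyone" and "any signed-in AWS user" in S3 ACLs
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

def acl_public_grants(acl):
    """(grantee_uri, permission) for each grant to a public group; `acl` has the
    shape boto3's get_bucket_acl() returns (a dict with a 'Grants' list)."""
    return [(g["Grantee"]["URI"], g.get("Permission")) for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in (ALL_USERS, AUTH_USERS)]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def policy_public_statements(policy):
    """Sid of each Allow statement whose Principal is '*' and that carries no
    Condition block narrowing who may use it (a conditioned wildcard is not flagged)."""
    sids = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        principal = st.get("Principal")
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        wildcard = principal == "*" or "*" in _as_list(aws)
        if st.get("Effect") == "Allow" and wildcard and not st.get("Condition"):
            sids.append(st.get("Sid", f"statement-{i}"))
    return sids

def audit_bucket(acl, policy_json=None):
    """Human-readable findings from both checks; an empty list means no public grant."""
    findings = [f"ACL grants {perm} to {uri}" for uri, perm in acl_public_grants(acl)]
    if policy_json:
        findings += [f"policy statement '{sid}' allows Principal '*' with no Condition"
                     for sid in policy_public_statements(json.loads(policy_json))]
    return findings

# Constructed sample ACL: the owner keeps FULL_CONTROL, but READ was also granted to AllUsers
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]}
# Constructed sample policy: 'PublicRead' is exposed; 'VpcOnly' is a wildcard but conditioned
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-phi-bucket/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-phi-bucket/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}},
]})
```

Run `audit_bucket(SAMPLE_ACL, SAMPLE_POLICY)` after any new repository is set up; against a live bucket, feed it the output of get_bucket_acl() and get_bucket_policy() instead of the samples.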
Horse Follows Cart with EHR
CMS probably had good intentions in requiring MIPS eligible providers to attest they have made a “good faith effort to implement and use EHR technology that supports the timely exchange of healthcare information.” This means providers will complete a “prevention of information blocking attestation” in order to receive scores required under the Merit-Based Incentive Payment System “MIPS.”
While I understand CMS's requirement that providers not interfere with EHR interoperability, it is difficult to imagine a situation in which a clinical provider would have either the knowledge or the opportunity to routinely interfere with EHR interoperability. Rather, it is much more likely that the maker of the system, the vendor or the hospital system would have the ability or the interest in blocking patient data. CMS should direct its attention to the vendors of EHR and the large scale users of EHR and require each of them, through their CEO, CFO and CIO, to make personal attestations certifying compliance, whether of their software, in the case of the EHR system makers, or of their users, in the case of large scale provider systems or hospitals.
I have yet to speak with individual physicians or small group practice administrators that had the time, interest or capability of stopping inoperability of bi-directional exchanges of information in an EHR system.
This newsletter is edited by Paul Wallace of Jones • Wallace, LLC, a member of the American Bar Association Healthcare Law Section and the American Health Lawyers Association who has been representing physicians and healthcare practices for over 25 years. Mr. Wallace assists physicians, practices and hospitals in contract items, federal legal compliance, practice entity creation, estate and wealth planning and similar issues. Please feel free to call if you have any questions on this newsletter or legal matters at (812) 402-1600 or email@example.com.