PRICE OF NONCOMPLIANCE
Despite continuing enforcement pressures and publicity for HIPAA, some medical practices and hospitals fail to implement basic HIPAA security procedures. Recently AvMed, a Florida based insurer reported the theft of two unencrypted laptops with PHI affecting more than one million customers. As part of the settlement in this case, AvMed agrees:
- To implement data security measures AvMed should have previously implemented such as password protocols, laptops with laptop security system, facility security upgrades and security awareness training.
- AvMed also agreed that it would pay damages that equal the costs it didn’t incur for data security by failing to take the steps listed above. This is an interesting concept since the plaintiffs argued that part of the premiums they paid as customers of AvMed presumably would have been to pay for HIPAA security protocols and procedures which AvMed never implemented. I suggest that this will be a very useful? dangerous? theory for class actions both inside and outside the HIPAA medical world.
The takeaway here is that hospitals and practices will likely end up paying for HIPAA either as part of a well thought out and well trained security system, or in damages after the fact.
EMAIL PHI AND HIPAA
Patients want to receive their healthcare information as quickly and efficiently as possible. HIPAA wants to protect PHI and physicians want to avoid violating HIPAA.
The common suggestion for dealing with this conundrum is encryption, but more thought is needed if you decide to offer email dissemination of PHI to patients. Have them sign a separate consent form with appropriate disclaimers and waivers.
If you wish to achieve above stage I meaningful use for EHR, you will need to determine how to use email for your patients.
QUI TAM NEWS
Qui Tam cases, where a former employee informs on their employer in return for part of the damages recovered, are generally dramatic and high dollar cases. These cases are often brought under anti-kickback or false claim statutes. The Qui Tam aspect encourages employees to make internal complaints about acts or omissions of the companies they often work for, and then, if no action is taken, to file suit to recover pieces of often multimillion dollar claims. One case, merely an example, involves EndoGastric Solutions, Inc. This recently unsealed complaint is based on the claim of a former employee that EndoGastric caused the up coding of surgical procedures to ~~induce hospitals and physicians to purchase products from EndoGastric. The former employee also claims that EndoGastric had “co-marketing” agreements with physicians causing them to perform surgical procedures using EndoGastric products, an anti-kickback statute violation. EndoGastric developed an incision less procedure in order to treat certain conditions, but then, according to the former employee, coded the procedure as an open or laparoscopic procedure, and other similar items to continue to up code and seek higher reimbursement. Settlement documents indicate that there may be a settlement pending in this case for $5.25 Million plus a corporate integrity agreement. Note that the former employee would receive nearly $1 Million for having turned his former employer in.
Few businesses have the number of complex transactions that healthcare, billing and coding generate. The number of transactions and the dollars involved make the healthcare industry particularly attractive to these Qui Tam/false claim cases. Medical practices and hospitals must: (1) use professional and accurate billing and coding services; (2) perform periodic internal audits which need to identify and focus upon high risk billing areas such as the ones that are often indicated in these Qui Tam cases; (3) every employee complaint regarding the legitimacy of procedures or billing for those procedures needs to be carefully investigated. Employees often are not only the companies’ worst fear under these Qui Tam cases, but also often are the best and most reliable canaries in the mine giving early warning of matters that can be addressed before they become expensive litigation.
I KNOW WHAT YOU MAKE
CMS plans, today, to begin publishing information about the number and type of healthcare services by physicians in 2012, and how much Medicare paid them. After decades of prohibition against publishing this information, a court recently overturned a 1979 injunction that now allows this information to be revealed. Expect the following:
- A short lived media frenzy with patients and others becoming very aware of the differences between Medicare rates, insurer rates and private pay rates. It may be much more difficult to maintain those different levels as this Medicare information become widely available.
- While it is likely that physician payors have already known this information, now you can be sure that Anthem and others will have this information, and will use it to your detriment in price negotiations.
- Analysis of this information will likely generate significant debate in the near future regarding the nation’s single biggest purchaser of health care.
This newsletter is edited by Paul Wallace of Jones • Wallace, LLC, a member of the American Bar Association Healthcare Law Section and the American Health Lawyers Association who has been representing physicians and healthcare practices for over 25 years. Mr. Wallace assists physicians in health practices in contract items, federal legal compliance, creation of practice entities, estate and wealth planning and similar issues. Please feel free to call if you have any questions on this newsletter or legal matters at (812) 402-1600 or email@example.com.