Recent HIPAA Settlement Illustrates the Importance of Performing Risk Assessments.

Last month, the Department of Health and Human Services (HHS) entered into a resolution agreement with Idaho State University (ISU) to settle HIPAA violations related to ISU’s electronic health records system.  Under the agreement, ISU agreed to pay $400,000 to HHS to settle the claims. ISU’s HIPAA violations resulted from its failure to detect disabled firewalls in its electronic system.  The disabled firewalls left the health information of over 17,000 patients unsecured for ten months.

After investigating ISU’s security policies and procedures, HHS discovered multiple HIPAA violations in addition to the disabled firewalls, including the following:

  • From 2007 to 2012, ISU failed to conduct any risk assessments related to its electronic health information;
  • From 2007 to 2012, ISU failed to implement any measures to address vulnerabilities in its health information security; and
  • From 2007 to 2012, ISU failed to implement policies and procedures to review activity on its electronic health records system to discover any improper access.

The ISU case illustrates the importance of closely following the HIPAA Security Rule’s requirements to safeguard electronic health information.  Perhaps the most important of these requirements is the obligation to conduct a thorough risk assessment.  If ISU had performed a proper self-analysis of its health information security risks, it is possible that it could have detected and addressed the risks from a disabled firewall before the incident occurred.

To learn more about HIPAA or for assistance in conducting HIPAA risk assessments, please contact Casey Moriarty.

The HITECH Act Final Rule’s GINA-Related Modifications to HIPAA

The Genetic Information Nondiscrimination Act of 2008 (GINA) prohibits health insurers and health plans from discriminating against beneficiaries on the basis of genetic information.  The HITECH Act Final Rule makes some important GINA-related changes to HIPAA.

In general, the changes related to genetic information are solely of interest to health insurers and health plans.  With that said, the Final Rule’s amendment to the definition of “health information” to include genetic information is relevant to all covered entities.  Under this new definition, all HIPAA covered entities must ensure that the following information is protected and secured under the HIPAA Privacy and Security Rules:

1. Any information related to genetic tests of an individual.

2. The genetic tests of family members of an individual.

3. The manifestation of a disease or disorder in family members of an individual. “Manifestation” means a disease, disorder, or pathological condition that an individual has been or could reasonably be diagnosed with by a health care professional with appropriate training and expertise in the field of medicine involved.

4. Any request for, or receipt of, genetic services, or participation in clinical research which includes genetic services, by an individual or any family member of the individual.

Additional GINA-related changes to HIPAA under the Final Rule include an explicit prohibition on the use or disclosure of genetic information for a health insurer’s or health plan’s underwriting purposes. There is an exception for underwriting performed by issuers of long-term care policies.

The Final Rule also requires a health plan or health insurer to include a statement in its notice of privacy practices that it will not use or disclose genetic information of an individual for underwriting purposes. Again, there is an exception for issuers of long-term care policies.

If you would like more information about the Final Rule’s GINA-related modifications to HIPAA, please contact Casey Moriarty.

Proposal Would Extend EHR Donation Rules

The U.S. Department of Health and Human Services (HHS) has released proposed rules to amend the electronic health record (EHR) donation exception and safe harbor under the Stark Law and Anti-Kickback Statute.  The exception and safe harbor permit certain entities to share costs associated with EHR-related items and services with other entities.   Under the regulations, the receiving party must pay at least 15 percent of the donor’s cost for the items and services.

The current language of the regulations has a “sunset” provision that requires a donor to transfer EHR items and services on or before December 31, 2013.  Under the proposed rules, HHS would extend the sunset provision three years to December 31, 2016.

Without the rule change, existing donation arrangements would have to convert to a “fair market value” model for shared services and technology.  The existing sunset provisions also provide a significant barrier to the development of new arrangements.

The rules also include the following proposed revisions to the regulations: (1) changes to the requirements for when EHR software is deemed “interoperable,” (2) removal of the requirement related to electronic prescribing capability, and (3) limits on the types of entities that are allowed to make EHR donations.

HHS also seeks suggestions on how to achieve the following goals under the exception and safe harbor: (1) preventing the misuse of donated EHR technology in a way that results in data and referral lock-in, and (2) encouraging the free exchange of data created by donated software.

You can view the proposed rule for the Anti-Kickback Statute here and the proposed rule for the Stark Law here.

HHS will accept comments to the proposed rules until June 10, 2013.

If you have any questions about donating EHR technology under the Anti-Kickback Statute and Stark Law, please contact David Schoolcraft or Casey Moriarty.

The HITECH Act Final Rule’s Requirements for Using Health Information for Fundraising Purposes

With the HITECH Act Final Rule’s required revisions to business associate agreements, notices of privacy practices, and breach notification policies, it is easy to miss the Final Rule’s changes to the requirements for the use or disclosure of protected health information (PHI) for fundraising purposes.  The new fundraising requirements under HIPAA and the HITECH Act are a mixed bag for covered entities.  Some of the changes increase the ability for covered entities to use PHI for fundraising, while other changes impose more restrictions on covered entities.

One of the benefits of the Final Rule for covered entities is the expansion of the types of PHI that can be disclosed to a business associate or institutionally-related foundation for fundraising purposes.  This list now includes:

1. Demographic information, including name, address, other contact information, age, gender, and date of birth;

2. Dates of healthcare provided to an individual;

3. Department of service information (e.g., cardiology, oncology, pediatrics, etc.);

4. Treating physician;

5. Outcome information (including death or sub-optimal treatment); and

6. Health insurance status.

Additionally, although a covered entity may not send fundraising communications to patients who have opted out of receiving such communications (as explained below), a covered entity may give patients the opportunity to opt back in to receiving such communications.   For example, a covered entity could include, as a part of a routine newsletter sent to all patients, a phone number that patients can call to be put on a fundraising list.

While these changes could be beneficial for covered entities, the Final Rule also has a number of increased requirements relating to fundraising communications, including:

1. Notice of Privacy Practices: The Final Rule requires a covered entity to have an explicit statement in its notice of privacy practices that an individual can opt out of receiving fundraising communications.

2. Opt Out Notice: With each fundraising communication made to a patient, a covered entity must include a “clear and conspicuous” opportunity for the patient to opt out of receiving future fundraising materials.  The opt out method must not cause the individual to incur an “undue burden or more than nominal cost.”  Examples of valid opt out methods include a toll-free number or the provision of pre-paid, pre-printed postcards.  If an individual opts out of fundraising communications, it is a HIPAA violation for a covered entity to send such a communication to the individual in the future (unless the individual later opts back in to receiving fundraising communications).

3. Conditioning Payment or Treatment: The Final Rule makes it clear that covered entities may not condition treatment or payment on a patient’s decision to receive fundraising communications.

Please contact Casey Moriarty if you have any questions about the use of PHI for fundraising purposes under the HITECH Act Final Rule.

New Court of Appeals Decision Provides Guidance on Medicaid Spenddown Requirements

The recent appellate decision in Multicare v. State of Washington Department of Social and Health Services (DSHS) sheds light on how hospitals should use a patient’s “spenddown” in the billing process for the Medicaid Medically Needy (MN) program.

The MN program assists low-income families with medical costs.  A family can qualify for the MN program if its income is less than a certain amount during a specific base period.  A family that exceeds the maximum income level can still qualify for the program if it pays medical expenses in an amount equal to or over the excess income.  For example, if a family’s income is $500 over the maximum level, it can still qualify for the MN program if it spends $500 on medical expenses.  This process of using excess income is called the “spenddown.”

In the Multicare case, DSHS alleged that the hospital billed the MN program without deducting the spenddown liability of patients.  According to DSHS, this billing practice resulted in overpayments to the hospital. The hospital argued that the spenddown requirements were an enrollment qualification, not a deduction from DSHS’s payments.  The Washington State Court of Appeals, however, sided with DSHS and found that hospitals must factor in a patient’s spenddown to determine DSHS’s payment obligations.

The Court provided examples of how to use a patient’s spenddown, including the following:  A patient has a spenddown liability of $500 and total hospital charges of $450.  The total charges would apply to the spenddown liability, resulting in a new spenddown of $50.  Since a spenddown remains, the patient is not enrolled in the MN program and DSHS has no payment obligations for the services provided by the hospital.  Instead, the patient would owe the hospital the $450.

Hospitals should review their Medicaid billing policies to ensure compliance with the Multicare decision.  You can view the decision here.  If you have questions or would like to follow up, please contact Don Black or Casey Moriarty.

OIG Approves Gift Card Program for Medicaid Patients

According to a new advisory opinion issued by the U.S. Department of Health & Human Services’ Office of Inspector General, healthcare providers may be able to use free gift cards to encourage patients in capitated Medicaid managed care plans to receive clinical services.

In the opinion, a federally qualified health center (FQHC) asked the OIG whether it could offer free grocery store gift cards to certain patients in capitated Medicaid managed care plans.  The goal of the gift card program was to incentivize patients to receive health screenings and other clinical services at the FQHC.

The OIG stated that, in general, the Anti-Kickback Statute prohibits Medicare and Medicaid providers from providing “giveaways” to patients in order to induce them to receive clinical services.  However, the OIG approved this specific gift card program because the only eligible patients were enrolled in capitated Medicaid plans.  Under these plans, the FQHC’s reimbursement would not be based on the nature or number of services that the FQHC provides to the patients. Thus, the gift card program would not result in increased costs to the Medicaid program.

The opinion represents an interesting exception to the general rule that providers should not provide free goods and services to patients to incentivize them to receive clinical services.  View the full opinion.