16 May · Thu 2013
Increased Spotlight on Emergency Department Facility Coding by CMS, HHS and DOJ
03 May · Fri 2013
Attention mHealth, HIT and Telemedicine App Developers: Privacy and Security By Design Is Critical
Mobile health (“mHealth”) medical app developers, including health information technology (“HIT”) and telemedicine app developers, tend to focus on FDA requirements. Indeed, since many of these apps may be categorized as medical devices, and the FDA approval process is lengthy, developers are wise to focus on whether an app is regulated by the FDA. But a successful developer should also build privacy protections (e.g., privacy policies) and security protections (e.g., disaster recovery) into its product from the earliest stages. The Federal Trade Commission (“FTC”) calls this “Privacy By Design.” “Security By Design” is the corollary. The idea is to design the product or service with privacy and security protections in place, to avoid major modifications down the road and regulatory hurdles. Many developers say, “Of course I’ll take care of privacy and security - the data is encrypted.” That’s great, but it’s not enough. If HIPAA applies, there is a long list of privacy and security standards to address. If HIPAA does not apply, the FTC and other agencies may step in with their own requirements. The goal of Privacy and Security By Design is to avoid the avoidable – a privacy or security violation or breach that slows down or even stops the success of a product on the market. It’s competitive out there for mHealth, HIT and telemedicine app developers, and the edge is important.
29 Apr · Mon 2013
Electronic Health Records and Health Information Exchanges/Organizations: The Changing Landscape
The meaningful use (MU) regulations provide incentive monies for hospitals and physicians that establish electronic health records systems (EHRs) and satisfy other criteria, such as providing new forms of ‘patient engagement’ like technologically-enabled patient-provider communications. The advantages of wireless record-sharing are enormous – quicker diagnoses, better quality tracking, and seamless payment systems. But there are lots of steps and decisions required in setting up EHRs and developing broader data exchange systems like health information organizations/exchanges (HIOs or HIEs). Last week, the Department of Health and Human Services’ Office of the National Coordinator (ONC) denied certification for two small EHRs and promised ongoing rigorous enforcement of EHRs. Those engaged in developing EHRs and HIEs must address a range of operational and legal issues, including picking and monitoring vendors; figuring out patient consent issues, particularly with respect to sensitive psychiatric, substance abuse and other data; determining governance issues; figuring out how to finance the HIE; and assessing other potential risks, such as if the HIE fails to link a record to the right patient or the HIE is hacked or accessed by an unauthorized person. Many are studying these challenges and seeking solutions. The College of Healthcare Information Management Executives recently sent a comment letter to ONC suggesting the development of a single set of standards for certification. Based on the need, common approaches and product designs will emerge out of solutions developed in the field today by hospitals, health systems, physicians, vendors and others, sooner rather than later.
19 Apr · Fri 2013
HIPAA Marketing and Sale Provisions: Legal Potholes for Providers, Payors, Advertisers, Data Aggregators, Market Researchers and Others
The 2013 HIPAA Amendments directly apply to healthcare providers, plans and clearinghouses as "covered entities," as well as their subcontractors and vendors as "business associates" (including their downstream subcontractors and agents). However, it is not just covered entities and business associates that need to understand the 2013 Amendments. Advertisers, data aggregators, market researchers and others that want access to PHI, even data that appear to be de-identified, will be impacted.
03 Apr · Wed 2013
Increased Government Scrutiny of Physician-Owned Device Distributorships
On March 26, 2013, the Office of Inspector General of the U.S. Department of Health and Human Services (OIG) increased its scrutiny of and pressure on physician-owned entities (particularly medical device distributorships) by issuance of a Special Fraud Alert. Although there is nothing specifically new or different from positions taken previously by the OIG regarding physician-owned distributorships (PODs), the Special Fraud Alert clarifies that the “OIG is concerned about the proliferation of PODs.” In other words, the position previously adopted by the OIG has not prevented physicians and medical device companies from designing arrangements that trouble the OIG.
13 Mar · Wed 2013
What the New HIPAA Rules Say About Health Information Technology for Users, Developers and Investors
12 Mar · Tue 2013
Correcting Some Misconceptions About the Affordable Care Act ("ACA")
Last week, I addressed a group of small business leaders regarding the ACA. In taking questions from the audience, I discovered certain misconceptions among this group concerning the ACA, including the following:
Misconception: Muslims are exempt from the ACA’s individual mandate requiring nearly all Americans to have health insurance by 2014.
Correction: While certain religious sects are exempt from the individual mandate, only those currently recognized by the Social Security Administration as being exempt from Social Security requirements are eligible for an exemption from the individual mandate. These sects consist mainly of the Amish and certain other Mennonite sects. Because Muslims are not exempt from participating in Social Security, they are not exempt from the individual mandate requirement. Those seeking a religious exemption from the individual mandate requirement must apply for such an exemption through a health insurance exchange to be established by the individual states or the federal government.
Misconception: The ACA encourages rationing of care and will interfere with the relationship between physicians and their patients.
Correction: The ACA has created the Patient Centered Outcomes Research Institute (“PCORI”), a private, non-profit entity. PCORI is designed to benefit physicians and their patients by providing information on which treatments are most effective, and expressly prohibits the rationing of care. While some believe PCORI is modeled after the United Kingdom’s National Institute for Health and Clinical Excellence (“NICE”), such is not the case. Unlike NICE, any findings generated by PCORI may not be used to promulgate practice guidelines or make coverage decisions. Further, the ACA includes patient safeguards so as to ensure that coverage decisions made by the U.S. Department of Health and Human Services (“HHS”) are not based on age, terminal illness, or a patient’s quality of life preference. Therefore, PCORI will not interfere with the physician-patient relationship.
Misconception: The ACA does nothing to address medical professional liability reforms.
Correction: While the ACA does not include any liability reform provisions, such as caps on the non-economic (i.e., pain and suffering) portions of medical malpractice awards, the ACA establishes a competitive grant program for states to develop, evaluate, and implement innovative professional liability reforms. This program is in addition to the $25 million medical liability reform alternative grant program the Obama administration rolled out in September 2009—one being implemented by the Agency for Healthcare Research and Quality.
Misconception: Employers have until December 31, 2014 to impose a $2,500 employee contribution limit on employer-offered healthcare flexible spending accounts (“FSAs”).
Correction: Employers have until the end of 2014 to amend their FSAs to reflect such $2,500 employee contribution limit, but all such FSAs must be operated beginning this year in accordance with this new limit. Also, if an employee works for two or more separate companies (i.e., ones that are not controlled by the same owner(s)) and participates in more than one FSA, he or she may contribute up to the $2,500 limit to each FSA. In addition, there is no limit on employer contributions to FSAs; and the $2,500 employee contribution limit does not apply to other employee-funded plans such as a dependent care FSA or a Health Savings Account. Further, there shall be inflation adjustments that shall serve to increase the $2,500 employee contribution limit in future years.
Misconception: Employers are liable for any additional Medicare tax they fail to withhold and that their employees subsequently pay.
Correction: Under the ACA, employers are obligated to withhold an additional Medicare tax of 0.9% (i.e., an increase from 1.45% to 2.35%) on taxpayers with earned income in excess of certain threshold amounts (i.e., $200,000 for an employee who is single; $250,000 if the employee is married and filing jointly; or $125,000 if the employee is married and filing separately). However, an employer is not liable for any additional Medicare tax it fails to withhold and that the employee later pays. But employers will be liable for any penalties resulting from their failure to withhold. In addition, employers are not required to match the extra Medicare tax payment as they are required to do for the basic Medicare tax – they need only pay 1.45% on all earnings – so there is no extra cost to the employer for the additional Medicare tax other than administrative expenses; and an employer must withhold such extra Medicare tax on compensation in excess of the applicable threshold, even if the employee is ultimately not liable for it (e.g., a married employee whose wages, together with his or her spouse, do not exceed the $250,000 threshold for couples that are married and filing jointly). Further, employers have no duty to inquire about the earned income of an employee’s spouse.
06 Mar · Wed 2013
Research-Related Payments and the Physician Payment Sunshine Act: How Reporting Works and What Applicable Manufacturers Should Consider
25 Feb · Mon 2013
New HIPAA Rules Regarding Genetic Information Affect Employers, Group Health Plans, Health Insurers and Healthcare Providers
22 Feb · Fri 2013
Employers Take Note: Final HIPAA Rules Mandate New Obligations for Group Health Plans
11 Feb · Mon 2013
HIPAA Minimum Necessary Standard Should Be Key Component of Policies and Procedures, Now More Than Ever
The HIPAA Rules require that when a HIPAA-covered entity (a provider, plan or clearinghouse) or a business associate of a covered entity uses or discloses protected health information ("PHI"), or when it requests PHI from another covered entity or business associate, the covered entity or business associate must make "reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request."
08 Feb · Fri 2013
Duane Morris Partner Susan Kayser Is Quoted in McKnight's Long-Term Care News & Assisted Living Article
31 Jan · Thu 2013
Overview of 2013 Amendments to HIPAA Privacy, Security, Breach Notification and Enforcement Rules
The 2013 Amendments include a number of sweeping changes to the HIPAA Rules, including the expansion of the definition of a business associate to include their subcontractors that handle protected health information ("PHI"); a lower threshold for determining whether a breach has occurred for reporting purposes; and restrictions on "marketing" activities and the "sale" of PHI.
29 Jan · Tue 2013
Deadline Looming (March 23, 2013) for Nursing Facilities to Have "In Operation" an "Effective Compliance and Ethics Program"
25 Jan · Fri 2013
New HIPAA Breach Notification Rule May Prove Costly for HIPAA-Covered Entities