Solo Practitioner Pays $100,000 Settlement to the Office of Civil Rights (OCR) for Self-Reported HIPAA Breach

OCR began investigating the solo practitioner after his medical practice (the “Practice”) filed a breach report with OCR related to the Practice’s dispute with its electronic health record (EHR) provider. The Practice’s breach report alleged that the EHR provider was blocking access to the Practice’s medical records, until the Practice paid the EHR provider $50,000.

Upon receipt of the breach report, OCR initiated a compliance review of the Practice and found that the Practice demonstrated significant noncompliance with the HIPAA rules. Specifically, the OCR investigation determined that the Practice had never conducted a risk analysis at the time of the breach report, and despite significant technical assistance throughout the investigation, had failed to complete an accurate and thorough risk analysis after the breach and failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.

In addition to the $100,000 settlement, the Practice entered into a Resolution Agreement with OCR and Corrective Action Plan.

OCR issued a press release regarding the settlement stating: “All health care providers, large and small, need to take their HIPAA obligations seriously,” said OCR Director Roger Severino. “The failure to implement basic HIPAA requirements, such as an accurate and thorough risk analysis and risk management plan, continues to be an unacceptable and disturbing trend within the health care industry.”

The take away “All health care providers, large and small, need to take their HIPAA obligations seriously,” and maybe the age old wisdom, people in glass houses should not throw stones.


A recent whistleblower case led to the filing of a false claims act complaint against Community Health Network (CHN) by the United States of America Department of Justice on January 7, 2020. The complaint, filed in the U.S. District Court for the Southern District of Indiana, alleges that CHN compensated providers significantly over fair market value (FMV) in order to roll up referrals from the provider’s practices in violation of the Stark Law, which prohibits a hospital from billing Medicare for services referred by a physician with whom the hospital has a financial relationship that does not meet any statutory or regulatory exception.

In its complaint, the government alleges that CHN had employment relationships with numerous physicians that did not meet any Stark Law exception, because the compensation paid to the providers by CHN was well above FMV. In addition to the excessive compensation allegation, the complaint alleges that CHN conditioned the physician’s incentive or bonus compensation based on the physician meeting a target of hospital downstream revenue specific to the physician.

According to the complaint, CHN wanted to tie physicians with existing business in lucrative specialties to CHN. A number of the recruited physicians already had medical staff privileges at CHN hospitals and were already referring patients to CHN hospitals. The government complaint states that the physician integration strategy was defensive in nature meaning that CHN recruited and employed the providers to secure their referrals and out of concern that referrals would otherwise leak to CHN’s competition.

The whistleblower provided information to the government suggesting that CHN knew the compensation exceeded FMV and had withheld details of the proposed compensation from FMV consultants in order to obtain a more favorable FMV analysis. The whistleblower also claimed to have documentation showing that CHN executives calculated the provider’s excessive compensation based on the value of expected referrals. The January 6, 2020 amended complaint claims that CHN ignored the consultant’s warnings that the proposed compensation was in excess of FMV.

While the Stark law strictly prohibits a hospital from paying a physician in excess of FMV, the calculation of FMV is subjective and influenced by a wide variety of factors. There can be good reasons for paying a physician in excess of what other doctors are paid. The rationale for paying a physician in excess of what other doctors are paid should be objective, legitimate and well documented.

Hospitals should obtain a FMV analysis of physician compensation arrangements, make sure that the valuator has the necessary information and understands any unique circumstances. Hospitals should consider obtaining the FMV analysis in draft form under attorney-client privilege, in case the valuator failed to consider a relevant factor and meet with the valuator to discuss the valuation, before the analysis is finalized. Finally, it is imperative that hospitals consult with legal counsel throughout the valuation process to assure compliance with legal and regulatory requirements.


As physician practices, health care entities, private equity and venture capital firms consider physician practice investments and acquisitions, the players need to address the unique nature of physicians and physician practices in order to assure a successful deal. Peter Drucker is quoted as saying that “Only three things happen naturally in organizations: friction, confusion and underperformance. Everything else requires leadership.” With respect to physician practice investments and acquisitions, communication is key to the ultimate success of the transaction.

Understanding The Deal: Case Study One

Effective communication is absolutely essential. Too often, physician practices view a practice merger or acquisition as easy access to cash, without understanding that the cash comes with a price.

A physician group was selling their practice to a publically traded company. A few members of the group believed that each physician would walk away with a substantial amount of cash with no strings attached. Those physicians told the rest of the group not to worry about the written agreements, as the agreements were just words put on paper by lawyers who did not understand the “real deal”. The “real deal” as described by those physicians was that the non-compete was not enforceable and that there would be no changes to the group or the way the group practiced medicine, despite the written agreement.

Legal counsel, who continuously tried to get the group to focus on the terms of the agreement, was viewed as an obstacle to the cash prize. The group’s legal counsel repeatedly told the group that the buyer would not spend millions of dollars to purchase the practice and then not enforce the non-compete and furthermore, according to the written agreements, there would be changes to the group and the way the group practiced medicine.

The deal makers for the buyer were soft-pedaling the non-compete and the proposed changes in order to make the deal and purchase the practice. Finally, at the urging of the group’s legal counsel, the buyer’s legal counsel stepped in and made it clear to the group that the non-compete would be enforced and that there would be changes.

Once the group understood that the deal on paper was the “real deal”, the physician group negotiated a higher sales price, the physicians who opposed the sale of the practice were provided with a pre-closing exit plan option and the transaction closed. Years later, the practice continues to be successful, because the sellers and the buyers understood the deal and had a meeting of the minds.

What Not To Do: Case Study Two

A health system hospital acquired a large multi-specialty practice. The practice was responsible for the majority of admissions to the hospital. However, the practice had a number of underperforming physicians. Day one after the acquisition, based on the advice of a recent business school graduate, the health system sent 120-day contract termination notices to every one of the practice’s physicians and advised the physicians to reapply for their jobs. The termination notice stated that the physicians were not guaranteed employment and that individual physicians would be notified within 90 days, if they were being rehired. The notice also stated that the terms and conditions of employment, including compensation, would likely be substantially different.

What happened next should not have been a surprise. Many of the physicians immediately began looking for new positions outside the health system. Many physicians, including the entire OB/GYN practice, ended up at a nearby hospital, owned by a competing health system. The acquiring health system went to court seeking an injunction to enforce the non-compete and the providers and their patients went to the media and the court of public opinion. At the preliminary injunction hearing, several pregnant women testified that enforcement of the non-compete would cause irreparable harm to them and furthermore the hospital no longer had the capacity to care for the pregnant women as all of the OB/GYN providers had been terminated by the health system.

In order to avoid an adverse decision, the health system withdrew their preliminary injunction complaint and ceased efforts to enforce the non-compete. While a few physicians stayed with the health system, most went elsewhere and took their patients with them. The physician group disintegrated. The health system lost money and suffered substantial collateral damage from the public outcry.

“The most important thing in communication is to hear what isn’t being said.” Peter Drucker. The health system never shared their plan to terminate all physicians and then selectively rehire physicians post-closing and the physicians assumed that it would be business as usual post-closing. Both the health system and the practice failed to communicate and that failure to communicate quickly doomed the practice acquisition.

The Dog And The Tail: Case Study Three

A large orthopedic practice that owned a specialty hospital, received an unsolicited proposal from a health system to purchase a minority interest in the hospital. The physicians entered into negotiations with the health system. The physicians were in the driver’s seat with respect to negotiations, because the health system wanted the transaction and the physicians did not need the cash. The physicians and their attorney were tough negotiators. At one point, the health system CEO was exasperated and declared that the health system was not going to let the tail wag the dog. The physician’s attorney tried not to laugh-out-loud, but the CEO observed the attorney’s amusement and repeated that the tail was not going to wag the dog. The attorney agreed, but pointed out that while the health system’s CEO was accustomed to being the dog, in this case, the health system was the tail and the physician group was the dog. The transaction closed on the physician’s terms.

The Take Away

Ideally in physician practice investments and acquisitions, neither party feels like the dog or the tail. All parties to the transaction must understand the deal and effectively communicate and agree on plans for the future. Post-closing with respect to physician practice investment and acquisition, the buyer and the seller will continue to work together. Effective communication will minimize the risk of friction, confusion and underperformance.

Unclaimed Property and Record Management

As healthcare providers and entities merge, consolidate or close their doors, record management and unclaimed property obligations are among the concerns that must be addressed.

In our experience, many healthcare providers engage in a mild to severe form of hoarding, addressing unclaimed property and record management matters on a regular basis will make the merger, consolidation or practice closure process much easier.

Unclaimed Property

Unclaimed or abandoned property refers to money or property held by the healthcare provider or entity that has generated no activity or had no contact with the owner of the money or property for one year or longer. Common forms of unclaimed property for health care providers include uncashed payroll checks, patient refunds and overpayments, and insurance payments or refunds. State laws require businesses to perform due diligence regarding unclaimed property. Businesses must contact the presumed owner of the unclaimed property and if the owner fails to step forward, the business must turn the unclaimed property over to the state each year.

Unclaimed property is often overlooked or deposited in the provider or healthcare entity’s bank accounts and only comes to the forefront when entities merge, are acquired, stop doing business or when the state exercises its unclaimed or abandoned property audit rights. States have audit rights pertaining to unclaimed or abandoned property and there can be stiff penalties for failing to relinquish unclaimed property. As states look for additional revenue, expect unclaimed property to be increasingly on the radar.

Healthcare providers should routinely examine their books and records and identify unclaimed or abandoned property. Once the unclaimed or abandoned property is identified, the provider should consult legal counsel and follow the state law requirements with regard to the unclaimed or abandoned property. Unclaimed or abandoned property does not belong to the healthcare provider or business and must be returned to the rightful owner or relinquished to the state.

Record Management

Every business needs a records management process. At a minimum, the process should: identify the records to be maintained; specify who is responsible for management of the records; clarify the record retention schedule; address record storage; and address records disposal. Record management should be part of everyday life for healthcare providers and entities. When providers and entities, merge, consolidate or close, record management becomes a front and center concern, particularly if records have not been consistently managed previously.

An interesting related question was recently posted on the American Association of Healthcare Lawyers list serve regarding the liability and responsibility of a business associate (BA) to a patient and/or other third parties as it relates to access to electronic patient records when a covered entity is no longer in existence. The post queried 1) whether the BA was required to keep the records in accordance with the state statute of limitations; 2) whether the BA agreement controlled; and 3) what would happen if the BA was the only entity still in existence with access to the PHI.

My initial thought is that the business associated agreement (BAA) contract terminates when the BA is no longer performing services for or on behalf of the covered entity, so when the covered entity closes, the BA automatically terminates. Standard BAA language generally states, “Upon termination of this Agreement for any reason, business associate shall return to covered entity [or, if agreed to by covered entity, destroy] all protected health information received from covered entity, or created, maintained, or received by business associate on behalf of covered entity, that the business associate still maintains in any form. Business associate shall retain no copies of the protected health information.”

Make sure if you are a BA that the covered entity agrees in the BAA to the destruction of all protected health information received by the covered entity if the covered entity ceases to do business for any reason.

Governance Board Terms

Recently, I have been asked by clients and boards that I am a member of about term limits for board members. While there are no legal requirements for term limits organizations, many governance experts believe that term limits for board members are best practice. Term limits create space for new members and facilitate diversification efforts; bring new members with fresh perspectives; offer a democratic way to refresh the board; make it easier to transition unproductive or disruptive members off the board; allow board members to step down gracefully; facilitate succession planning with a mix of board veterans and newcomers; and deter stagnation and procrastination.

Term limits have value, but so do former board members. When considering term limits, organizations need to consider: (1) the length of terms; (2) the number of consecutive terms permitted; and (3) options for board members to stay involved, such as advisory boards and committee work. In order to ensure that former board members stay engaged, some organizations form advisory boards to address the negative aspects of term limits. Advisory board membership allows former board members to continue to contribute to the organization. The purpose and function of an advisory board depends on the needs of the organization and should be set forth in an advisory board charter. Typically, advisory board members assist with fundraising and share their experience, knowledge and expertise with the board and provide advice and counsel, when requested to assist the board.

Each organization must determine what is best for the organization based on the organization’s current needs, taking into consideration recommendations for best practices. Because an organization’s needs can change over time, boards should periodically review the organization’s bylaws and term limits to ensure that the bylaws and term limits continue to meet the organization’s needs.


Last year I did a series of blogs with my good friend, Karen Zupko of Karen Zupko and Associates, on physician contracting issues. I loved blogging with Karen. We used the blogs to educate our hospital and physician clients on common issues with respect to physician contracts. My favorite blog in the physician contracting blog series was the indemnification blog. Anyone who has worked with me on contracts knows that I have concerns about indemnification provisions in contracts. One of my proudest blogging moments was when a client said “now I get it” after I sent the indemnification blog to him. I sent the same blog to opposing counsel and we were able to successfully negotiate the indemnification language.

This year I am planning a series of blogs on governance and leadership in the context of healthcare mergers and acquisitions. This is blog 1 for 2019. Here is this year’s plan. The series will touch on strategic considerations in mergers and acquisitions, special issues for non-profits, governance dilemmas, deal breakers and exit plans. I’ll talk about lessons learned, bumps in the road, and next time, I’ll tell some funny stories and some not so funny stories, so stay tuned. The prevailing theme for the blog series will be thoughtful civility in mergers and acquisitions. If you have thoughts to share on the topic, email me at The Duane Morris blog format does not permit comments to be added to the blogs.

Documentary Film Expensive for Hospitals

Three teaching hospitals allowed a documentary to be filmed at their hospitals to provide viewers with information regarding the care that academic medical centers deliver. Despite the fact that the hospitals received no patient complaints regarding the filming, and the hospitals took steps to avoid violating HIPAA by having the film producers get written permission from patients to participate in the film and the hospitals required the film crews to have HIPAA training, the hospitals paid nearly $1 million to the federal Health and Human Services Office for Civil Rights (OCR) for alleged HIPAA violations. The hospitals are also required to follow corrective action plans and be monitored by the OCR .

This is the second time that OCR has gone after hospitals for alleged HIPAA violations associated with medical documentary filming.

Apparently, according to the OCR, the hospitals, not the producers, should have gotten the patients’ authorizations before allowing the producers to film on site and that mistake cost the hospitals a total of $999,000.

Tolerating Bad Behavior by Medical Staff Members Proves Costly

On September 7, 2018, a jury awarded more than $10 million to seven healthcare professionals based on allegations that the hospital failed to protect the women from two male doctors with troubling histories. According to the news reports, neither of the physicians were employed by the hospital, although both doctors were members of the medical staff and had clinical privileges at the hospital.

The bulk of the award, more than $7 million in punitive damages, went to a female anesthesiologist who was allegedly choked and pushed up against the wall in a locker room by a surgeon. The attack was witnessed by other hospital staff and patients, according to the complaint. The anesthesiologist reported the incident to hospital leadership and was asked to consider dropping the matter. The surgeon was reported as having a long history of workplace violence that was known to the hospital and the chief of the surgery department. While the chief met with the surgeon after each incident, according to the anesthesiologist’s attorney, no formal disciplinary action was ever taken.

Shortly after the alleged choking incident in the locker room, six female nurses and technicians who used the locker room were unlawfully recorded by a different doctor, as they used the restroom and changed their clothes. Criminal charges were brought against the doctor for the secret videotaping, but according to the complaint, the hospital delayed in suspending the doctor’s medical staff privileges. The remainder of the jury award went to the six nurses and technicians who were secretly videotaped.

The take away – juries are willing to find hospitals responsible for the acts of their non-employed medical staff members. Hospitals need to take prompt and appropriate action at the first sign of inappropriate behavior. While this case involved medical staff members, prompt and appropriate action is also required at the first sign of inappropriate behavior by anyone on the hospital’s premises.

Payer Audits and False Claims Actions Challenging Medical Necessary on the Rise

We’re seeing a substantial increase in payer audits and false claims causes of action based on allegations that procedures and charges were not medically necessary.

Historically, courts have been deferential to a physician’s medical judgment in false claims causes of action. However, a federal appeals court recently found that a physician’s medical judgment could be false or fraudulent leading to a cause of action under the False Claims Act. The appellate court ruling overturned a lower court decision which had granted the physician’s motion to dismiss, finding that treatment decisions based on medical judgment could not be considered false under the False Claims Act. This shift in deferential treatment with respect to a physician’s medical judgment could dramatically increase false claims causes of action against physicians.

In addition, clinical laboratories are getting more and more requests for medical records and facing an increasing number of payment denials based on lack of medical necessity. Prepayment review is more common than ever. The combination of having to respond to medical record requests, payer audits and prepayment reviews on each and every lab test can be cost prohibitive. There is no easy fix.

I recently spoke at a webinar hosted by Karen Zupko and Associates on preparing for a payment audit and tactical strategies for defense. My best advice on tactical strategies for defending a payment audit is to be prepared. Have a compliance program in place and conduct regular self- audits. If a concern is identified during a self- audit, get experienced health care legal counsel involved immediately to preserve privilege and get guidance. A link to the webinar I did with Karen is attached.



Courts Continue to Erode Peer Review Privilege

The Pennsylvania Supreme Court recently ruled that a state law, establishing confidentiality for medical provider peer review proceedings, did not apply to a contractor staffing a hospital’s emergency department.   The hospital, the contractor and the physician face a lawsuit from the patient and her husband, alleging that the physician failed to diagnose an emergent, underlying heart problem during an emergency room visit and that the patient suffered a heart attack just days after she was discharged without treatment. In the course of litigation discovery the patient was seeking the physician’s performance review, which the contractor and the hospital argued was protected from discovery under the Pennsylvania Peer Review Protection Act (the “Act”). In a 4-3 decision, the Supreme Court affirmed a finding by the state’s Superior Court that the Act did not shield the hospital or the contractor staffing the hospital’s emergency department from discovery of the physician’s performance reviews.

The Supreme Court confirmed the Superior Court’s conclusion that the document was not entitled to protection under the Act because the performance review had been drafted by the physician’s supervisor, and not by an employee of the hospital itself. The Court also found that a business entity, like the contractor emergency medicine group, was not contemplated under the peer review protection statutes and therefore could not claim the privilege itself.

In another recent case eroding peer review privilege, an Illinois hospital claimed that certain of its documents were confidential and that the court should not have ordered the hospital to produce the records during discovery in a civil case. The hospital argued that the Illinois Medical Studies Act protects those documents from disclosure. Specifically, the hospital contended that its peer-review policy provides that, if certain indicators are met (such as the death of a patient and a concern raised about that death), then an investigation begins. The hospital insisted that because the peer-review policy authorized the investigation, everything that was discovered through that investigation is privileged under the Medical Studies Act. However, the appellate court agreed with the trial court and said that all of the documents at issue should be produced stating that the Medical Studies Act does not protect against disclosure of information generated before the peer-review process began and that the hospital’s argument was contrary to over 20 years of precedent establishing that the Medical Studies Act cannot be used to conceal relevant evidence that was created before a quality-assurance committee or its designee authorized an investigation into a specific incident.

The takeaway here is that courts are strictly construing peer review protection statutes. Providers cannot be assured that their peer review records are protected unless the peer review records are created in full compliance with legal and regulatory requirements.

© 2009- Duane Morris LLP. Duane Morris is a registered service mark of Duane Morris LLP.

The opinions expressed on this blog are those of the author and are not to be construed as legal advice.

Proudly powered by WordPress