
California Clinical Laboratory Association 2011 ANNUAL CONFERENCE 

California Clinical Laboratory Association 2011 ANNUAL CONFERENCE . Legal Roundtable David Gee, Esq. Garvey Schubert Barer dgee@gsblaw.com. Introduction. David Gee is an Owner at the Garvey Schubert Barer in Seattle.


Presentation Transcript


  1. California Clinical Laboratory Association 2011 ANNUAL CONFERENCE: Legal Roundtable. David Gee, Esq., Garvey Schubert Barer, dgee@gsblaw.com

  2. Introduction
  • David Gee is an Owner at the Garvey Schubert Barer in Seattle.
  • As a member of the firm’s full-service health law practice, David represents laboratories across the country.
  • David has advised clinical labs since 1991, in private practice and as in-house legal counsel to Unilab, Quest Diagnostics, LabCorp and National Health Laboratories.

  3. HIPAA TURNS 15!! Health Insurance Portability and Accountability Act
  • Prohibits health care providers and payors from improper or inappropriate use of Protected Health Information (PHI)
  • Requires health care providers to ensure that PHI is kept secure
  • Provides for standardized electronic formats for all health care transactions

  4. And It’s Bigger Than Ever…

  5. Administrative Simplification??? HIPAA: Health Insurance Portability and Accountability Act of 1996
  • Title I: Insurance Portability
  • Title II: Administrative Simplification (Privacy; Security; EDI: Transactions, Code Sets, Identifiers); Fraud and Abuse; Medical Liability Reform
  • Title III: Tax-Related Health Provisions
  • Title IV: Group Health Plan Requirements
  • Title V: Revenue Offsets

  6. HITECH (2009): Increased Civil Monetary Penalties
  Tiered by the nature of the violation, from Unknowing (least severe) to Willful Neglect (most severe):
  • Per violation per person: $100; $1,000; $10,000; and $50,000
  • Annual maximum: $25,000; $100,000; $250,000; and $1.5 million

  7. $1 Million HIPAA Settlement: Massachusetts General Hospital (2/11)
  • Violation: Lack of safeguards in taking PHI off premises. Manager of infectious disease dept left documents containing PHI of 192 patients on subway.
  • Lessons:
    • Don’t let employees take PHI home/off-site
    • Encrypt data
    • Mistakes can lead to big penalties: $1 million = $5,200 per violation!
    • One incident, yet 192 violations
    • OCR concerns may be heightened by sensitive PHI (HIV, AIDS)
    • OCR very concerned about off-site PHI
  • Further Guidance: 2007 CMS Guidance on Laptops & Remote Access, http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/remoteuse.pdf

  8. Flagrant: First HIPAA Civil Monetary Penalty: $4.3 Million: Cignet Health (2/11)
  • $1.3 Million CMP for repeated failure (for over 1 year) to provide copies of medical records requested by 41 patients ($100/patient/day). The HIPAA Privacy Rule requires a CE to provide patients a copy of their medical records within 30 (not more than 60) days of request. Patients filed complaints with OCR.
  • $3 Million CMP for failure to cooperate with OCR (“Willful Neglect”: $50,000/day/patient, the maximum penalty):
    • Ignored requests and a subpoena from the OCR for over a year.
    • Finally produced the records pursuant to a court order.
    • But also produced medical records for another 4,500 patients whose records had not been requested.
    • Made no efforts to resolve the matter with the OCR.
  • Lessons: Don’t be stupid.

  9. $865,500 HIPAA Settlement: UCLA Health System (7/11)
  • Violation:
    • Complaints by 2 celebrity patients that employees looked at their PHI (and others’) repeatedly and without permissible reason.
    • OCR investigation confirmed that from 2005-2008, unauthorized employees repeatedly looked at PHI.
    • Corrective plan requires UCLAHS to implement approved security/privacy procedures and conduct “regular and robust” employee training.
  • Lessons:
    • Effective employee training is critical. Labs will be held accountable for employees who access PHI to satisfy their own personal curiosity.
    • Labs must reasonably restrict access to PHI to only those employees with a valid reason to view the PHI.
    • Labs must discipline any employees who violate those policies.

  10. Criminal Convictions for Employees

  11. PHI Breaches Affect 11.6+ Million People
  • HHS reports that during the past 2 years, over 300 Major Breaches (>500 people) affecting 11+ million people in 44 states
  • Major breaches include stolen laptops, hacked networks, unencrypted records, misdirected mailings, missing files and wayward emails
  • 75% of breaches involve electronic media, 25% hard copy; approx. 18% involve a BA
  • 31,000 breaches affecting <500 people per breach (only reported to HHS annually)

  12. Top 5 Major Breaches Reported Since September 2009
  • TRICARE (9/14/11): 4.9 million patients (San Antonio); theft of backup tapes from car of BA
  • Health Net (1/11): 1.9 million individuals; 9 server drives lost from data center managed by BA (IBM)
  • New York City Health and Hospitals Corp. (12/10): 1.7 million individuals; theft of computer backup tapes from BA's truck en route to secure storage location
  • AvMed Health Plans (12/09): 1.2 million current and former members; theft of unencrypted laptop
  • BlueCross BlueShield of Tennessee (10/09): 1 million individuals; theft of 57 unencrypted hard drives during relocation of a call center

  13. Major Breach: Stanford Hospital & Clinics: 20,000 E.R. Patients (9/11)
  • Violation:
    • Stanford Hospital & Clinics reports that medical records for 20,000 E.R. patients had been posted for almost 1 year to a commercial homework assistance website
    • Data went to the website from a Stanford billing contractor
  • Response: Hospital immediately suspended its relationship with the contractor and received written certification that previous files would be destroyed or returned securely
  • Lesson: You will be held responsible for breaches by your BA
  • Class Action Lawsuit for violation of CA CMIA law

  14. Breach (6/11): California Dept of Public Health, 9000 Patients (Do as we say…not as we do.)
  • Violation: CDPH announced breach affecting 9000 current/former state employees. Employee improperly copied and removed private hard drive from state offices.
  • Delayed Report: CDPH began investigating breach on April 5, did not report breach until 3 months later. When asked to explain delay, CDPH said the incident required a “thorough investigation.”
  • Outcome:
    • CDPH “will undertake some internal safeguards” and put “policies or practices in place to prevent” such incidents from occurring again
    • CDPH will offer credit-monitoring services and free telephone hotline to affected persons
  • Not the First Time: Dec. 2010, CDPH announced breach affecting ~2,550 SNF residents/employees in So Cal

  15. HIPAA Breach Notification Rule
  Breach = (1) impermissible use or disclosure of PHI that (2) compromises security or privacy of the PHI, and (3) “poses a significant risk of financial, reputational, or other harm to the affected individual.”

  16. Reporting Obligation: Unsecured PHI
  No reporting obligation if PHI is “secured”:
  • Encrypted under NIST standards
  • Destroyed in one of the following ways:
    • Non-electronic media is shredded or destroyed so PHI can’t be read or otherwise reconstructed
    • Electronic media cleared, purged, or destroyed so that PHI cannot be retrieved, according to NIST standards

  17. Exceptions to Breach Notification Requirements
  1) Unintentional access/use of the PHI by an authorized workforce member or BA (within the scope of employment or workforce duties; no further disclosure)
  2) Inadvertent Disclosure (from one person who has authority to access PHI to another person who has authority to access PHI; no further disclosure)
  3) “Unauthorized” Person: EOBs sent to wrong addresses, and many are returned unopened as undeliverable; can reasonably conclude that improper addressees could not have reasonably retained the PHI

  18. Risk Assessment
  • Must demonstrate, through risk assessment, that no breach has occurred because the impermissible use or disclosure did not pose a “significant risk of harm” to the individual
  • Fact-based evaluation
  • Thoroughly document your risk assessment

  19. HITECH Breach Notification Requirements
  Without unreasonable delay, and no later than 60 calendar days:
  • Contact affected individuals in writing or electronically (with the individual’s permission); other means of notice:
    • Post on website if 10 or more individuals have outdated contact information and no reasonable way to notify them
  • If more than 500 people affected (Major Breach):
    • Provide Notice to prominent media outlets
    • Send Notice to HHS immediately

  20. Proposed Accounting of Disclosures Rule (5/31/11 NPRM)
  • If you maintain PHI in electronic format, you must account to patients for PHI disclosures made for purposes of treatment, payment, and healthcare operations (previously exempt)
  • Not all PHI, just the Designated Record Set (medical and billing records kept as part of services for a specific patient)
  • 2 separate rights for individuals: (1) the right to an accounting of disclosures and (2) the right to a report on access
  • Must report “uses” and “disclosures”: whenever any person accesses the electronic DRS
  • CEs must account for disclosures by their BAs or require the BAs to make their own accounting

  21. CLIA/HIPAA: Patients’ Access to Test Reports (9/14/11 NPRM)
  • HIPAA Privacy Rule generally allows patients a “right of access” to copies of their PHI that is part of their DRS. You are required to have policies and procedures concerning right of access.
  • CLIA labs have been exempt from the right of access requirement because CLIA permits results to be released only to persons “authorized” by state law (varies by state).
  • The Proposed Rule will revise CLIA and HIPAA:
    • CLIA, to permit labs to provide patients access to “completed test results.”
    • HIPAA Privacy Rule, so that CLIA labs have the same “right of access” obligations as other CEs.
    • Effectively preempts state law.
  • Will need to revise policies and procedures and (re)train employees

  22. States Too:
  • State Breach Notification Laws. 45 states have their own. Some stricter than HIPAA.
  • State HIPAA Enforcement Actions. HITECH permits state AGs to file HIPAA enforcement actions on behalf of people of their state, to protect their interests, and to seek injunctive relief and/or money damages.
    • OCR training offered to all State AGs in 2011
    • In-person training at 4 sites
    • Computer based training to follow
  • Per Se Negligence. HIPAA does not create a private right of action under federal law, but a recent decision by a federal district court in Missouri held that HIPAA may form a basis for a state law “negligence per se” claim.

  23. HIPAA Audits
  June 20, 2011: HHS has engaged KPMG to provide HIPAA audit services mandated by HITECH.
  • KPMG to develop methodology/audits
  • 150 HIPAA audits by the end of 2012
  • Audits of entities to vary in size and scope
  • Not yet decided how organizations will be selected for audits
  • A breach or violation won’t be necessary to trigger an audit
  • Not yet decided whether OCR will make audit reports public or publish a summary of audit results as a “lessons learned” document
  • OCR has not ruled out enforcement actions in response to audit results

  24. Stark Law Reminders

  25. Stark Law Enforcement Action: Non-Monetary Compensation
  December 2010, Detroit Medical Center: $30 million Settlement
  • “business courtesies” in excess of the Stark limit including tickets to sporting events, education events, charitable dinner events, and meals and entertainment
  • leases to physicians without written and executed leases
  • personal services arrangements without written and executed contracts
  • compensation, lease, or other financial arrangements above fair market value and/or not commercially reasonable

  26. Non-Monetary Compensation
  • Limited to $359 (2011, adjusted for inflation) per physician annually
  • NO cash or cash equivalents (gift cards)
  • Gifts must be tracked
  • Not solicited by the physician, practice group or staff
  • Not based on volume or value of referrals from the physician
  • You may not violate the Anti-Kickback Statute

  27. Key Stark Exceptions: Non-Monetary Compensation (Cont’d)
  Gifts should not be given to a group practice. CMS has said: The exception for non-monetary compensation …only protects gifts to individual physicians. [G]ifts given to a group practice would not qualify for this exception [and the exception does] not apply to gifts, such as holiday parties or office equipment or supplies, that are valued at not more than [the annual limit] per physician in the group, but are, in effect, given or used as a group gift.

  28. Certain Lab Supplies Not Permitted: Specula
  CMS Advisory Opinion 2010-01:
  • disposable, single-use specula costing $.30 and $1.68
  • “not often used when a specimen is not collected”
  • The lab monitored the number of specimens and specula
  Because the specula are not used by the physicians solely to collect, transport, process, or store specimens referred to the [laboratory], the provision of specula to the Referring Physicians constitutes remuneration. Pap smear specimens are typically collected as part of an extensive gynecological examination of the patient. Such examination requires the use of a speculum, regardless of whether a Pap smear specimen is collected.

  29. Supplies/Equipment Used Solely for the Lab
  • The test under the Stark law is not whether the supply or equipment in question is necessary for the referring physician to collect, transport, process, or store specimens to be sent to the laboratory
  • The test is whether the supply or equipment is used solely for these purposes, even if the requested lab tests cannot be performed or reported without it

  30. 2001 CCLA Guidance: Supplies Prohibited by Stark:

  31. OIG Roadmap for New Physicians: Avoiding Medicare and Medicaid Fraud and Abuse
  • Fraud and Abuse Laws
  • Physician Relationship With Payors
  • Physician Relationships With Fellow Providers
  • Physician Relationship With Vendors
  • Compliance Programs for Physicians
  • Where To Go for Help
  • What To Do If You Think You Have a Problem
  • What To Do If You Have Information About Fraud and Abuse Against Federal Healthcare Programs

  32. OIG Roadmap for New Physicians
  The Stark law is a strict liability statute, which means proof of specific intent to violate the law is not required. The Stark law prohibits the submission, or causing the submission, of claims in violation of the law’s restrictions on referrals. Penalties for physicians who violate the Stark law include fines as well as exclusion from participation in the Federal health care programs.

  33. Questions?

  34. THANK YOU. David Gee, (206) 816-1351, dgee@gsblaw.com

  35. DISCLAIMER
  • These materials are provided for educational purposes only, and are not legal advice or intended to be substituted for legal advice. Parties affected by the issues discussed in these materials should consult with their legal counsel as the specific facts of any given case will greatly influence the legal advice given.
  • It is important to note that these materials address an area of the law that is volatile and expected to have significant changes in the very near future which may completely alter the applicability of these materials to any situation.
