Month: September 2014

Business Associates and Subcontractors Now Subject to New HIPAA Regulations

In January of 2013, the United States Department of Health and Human Services (HHS) released a set of “omnibus regulations” under the Health Insurance Portability and Accountability Act (HIPAA), which amended the requirements for compliant business associate agreements and implemented various provisions of the Health Information Technology for Economic and Clinical Health Act (HITECH) as they pertain to the electronic communication of protected health information (PHI).[1] The initial publication of the omnibus regulations went into effect in September of 2013 and provided a one-year grandfathering period for then-compliant entities. Accordingly, as of September 22, 2014, the new omnibus requirements for business associates and subcontractors are in full force. Among the numerous new and amended provisions of the omnibus regulations, two areas are most prominently highlighted: the addition of subcontractors (non-employed delegates of services) to the HIPAA framework, and the expansion of regulations pertaining to electronic PHI.

Under the new framework, HIPAA-compliant business associate agreements must be in place not only between covered entities and their business associates, but also between covered entities and their subcontractors, and between business associates and their subcontractors. There is not currently an independent requirement that covered entities enter into business associate agreements with their business associates’ subcontractors. The expansion of HIPAA business associate requirements to include subcontractors is accompanied by numerous HHS warnings that subcontractor breaches of HIPAA provisions are attributable to covered entities, even where the subcontractor is associated with the covered entity only indirectly, by way of a business associate.

In addition to the establishment of business associate agreements among subcontractors, the new omnibus regulations also require HIPAA-compliant agreements to include sufficient, specific protocols with respect to the creation, transmission, and maintenance of electronic PHI, as well as a framework for effective and immediate reporting of suspected HIPAA breaches by covered entities, business associates, and subcontractors, irrespective of whether electronic PHI is a routine part of each entity’s involvement or tasks.


Department of Health and Human Services Issues Special Fraud Alert toward Physician-Laboratory Relationships

Recently, the U.S. Department of Health and Human Services, Office of the Inspector General (OIG), issued a Special Fraud Alert[1] pertaining to potentially improper relationships between laboratories and referring physicians or physician group practices. This Alert was a follow-up to a number of advisory opinions issued over the past decade, emphasizing the impropriety of providing referring physicians with above-fair-market compensation for the referral of laboratory services. Specifically, and among other concerns, the OIG has expressed concern that physicians and physician groups are receiving prohibited “kickbacks” in the form of inflated compensation from laboratories for the physicians’ and physician groups’ services in collecting, packaging, storing, and processing the specimens that are eventually forwarded to the paying laboratory for evaluation.

According to the OIG’s publication, some of these “blood-specimen collection, processing, and packaging arrangements” are being inappropriately compensated above fair-market value, on a volume-dependent basis, and on an inappropriate per-specimen or per-action basis. Additionally, the OIG notes that the fees and remuneration for some of these services are being paid to physicians and groups even when a third-party phlebotomist was the party who actually obtained, processed, and transported the specimen at issue. These arrangements, according to the OIG, are a clear violation of the Anti-Kickback Statute and are ripe grounds for disciplinary action against both physicians and laboratories.

Rather than the foregoing arrangements, the OIG directs physicians and physician groups to the Medicare Claims Processing Manual[2] for guidance regarding the appropriate parameters for physician billing, and notes that only one collection fee per patient encounter, regardless of the number of specimens collected or the effort put into processing and maintaining those specimens, is proper and compensable under the Medicare guidelines. Consequently, when billing and receiving payment from laboratories for the collection, maintenance, packaging, and distribution of patient specimens, physicians and physician groups should take extra care to ensure that such payments are at fair-market value and appropriate.

[1] A copy of this publication is available at: oratory_Payments_06252014.pdf

[2] A copy of this publication, and the associated fee schedules, are available at:


Encrypting Digital Information is Crucial for Texas Physicians

Written by:  Nicolas M. Lund

It’s no secret: computers, tablets, smartphones, and other digital devices are both commonplace and important in the modern practice of medicine. Technological developments in health care have enabled providers to connect quickly and easily with information, resources, colleagues, and patients, and have provided mobility and ease of access for busy practices. When using these devices, though, practitioners must be careful to take adequate precautions to encrypt and protect sensitive patient information. Without these safeguards, practitioners could face liability and administrative sanctions in the event of a misplaced or stolen device.

Recently, for example, two U.S. Department of Health and Human Services actions were launched against entities that had been the victims of stolen laptop computers, resulting in cumulative fines of $1,975,220. In both cases, one against Concentra and the other against QCA Health Plan, Inc. of Arkansas, the Department of Health and Human Services Office for Civil Rights determined that the HIPAA-covered entities had failed to adequately protect patients’ protected health information from compromise through the use of encrypted computer access. Both entities were fined substantially and were required to distribute notification letters and provide identity-theft monitoring for affected patients.

The process of “encryption” sounds daunting and technical, but the security measures can be as simple as password-protecting digital devices, utilizing firewalls and anti-virus software, appropriately storing and tracking mobile devices, and providing an automatic log-off feature. These simple tools, and more, can help prevent an unfortunate incident of property loss from snowballing into a reportable, sanctionable HIPAA breach.