Month: March 2020

By Keely E. Duke and Elizabeth D. Sonnichsen

The Wolf, a brilliant four-part advertising campaign by Hewlett-Packard, depicts Christian Slater hacking into a business by targeting an unsuspecting employee who is enticed to print a counterfeit spa gift card on her birthday.[i] This seemingly innocent act results in unfettered access to details of a major acquisition through an unsecured printer.

https://www.youtube.com/watch?v=ZUP4ib5FzGs

Once granted access to these documents, Slater looks deadpan at the camera and states: “First, I got control of their printers, then I got control of their network, then I got control of their data. And now, this. All the juicy details of a major acquisition. These guys are in for a really bad day.”

Instances of these “really bad days” are on the rise across the nation, with the healthcare industry ranking as the highest targeted industry in 2018, accounting for 25% of the total industries affected.[ii] One area of particular concern is telehealth, a subsection of the healthcare industry using technological advances for both patient and provider use.

Telehealth is increasing substantially, especially in rural areas, with the number of users growing as quickly as 643% nationally. [iii] It is a perfect target for these attacks. To guard against these attacks, it is important to understand why telehealth is a target for cyberattacks, how the Government is responding, what litigation is occurring in the telehealth realm, and what steps telehealth providers and healthcare litigators can take to protect patients’ information.

Telehealth: An Enticing Target

Cyberattacks are prevalent in telehealth because health information is often accessed via applications on smartphones and tablets, which are easily lost or stolen, making the data stored on the devices particularly susceptible to risk. Nationwide, more than 80% of physicians use mobile technology to provide patient care and more than 25% of commercially insured patients use mobile applications to manage their health.[iv] This mobility has many benefits, including increasing patient access to healthcare and specialists, timely communication of test results and care plans, and improving continuity of care.

This is particularly true in rural Idaho. Recognizing the many benefits of telehealth, the Idaho Telehealth Council developed and passed the Idaho Telehealth Access Act in 2015, which allows for patient-provider relationships to be established without an in-person visit using two-way audio and video communication and allows prescription drug orders to be issued using telehealth services.[v]

While such access has many positives, the risks associated with data hacks of such communications and data exchanges are prevalent.  For example, in 2015 alone, 113 million healthcare records were maliciously accessed through either a breach in hospital systems or through hacking into telemedicine systems.[vi] Idaho, with its growing population and massive rural areas, is a target for such telehealth cyberattacks.

Hospital data security breaches can cost a single hospital as much as $7 million in fines, litigation, and damaged reputation.[vii] The healthcare industry lags behind other industries in securing data often because of the considerable capital necessary to protect hospital systems. Hospitals vary significantly in their prioritization of cybersecurity—70% of hospital boards include cybersecurity in their risk management oversight while only 37% of hospitals perform annual incident response exercises.[viii]

As such, cybercriminals are highly active in targeting healthcare organizations, especially when electronic records can be sold online for $10-$50 each—about 10 to 20 times the value of a U.S. credit card number—making them an easy and profitable target for hackers.[ix] Furthermore, by targeting telehealth as opposed to bank records or email, a cybercriminal’s use of healthcare records upends the feeling of safety that a user of telehealth may have.

Telehealth Cybersecurity Litigation

Not surprisingly, the case law related to cybersecurity and fraud connected to it is in its infancy.  Across the nation, in cases examining situations where a party’s information is fraudulently obtained by a hacker, the evolving case law suggests that the party in the best position to avoid the fraud bears the loss.[x] That said, the causes of action related to a data breach have deep roots in state law – negligence and gross negligence, among others, and the potential for punitive damages if the telehealth provider or hospital willfully and recklessly failed to put certain safeguards into place.

When a telehealth provider acts reasonably using the suggested safeguards, a plaintiff may face a difficult hurdle in meeting her burden. In addition to the question of standing, she must also present facts that the telehealth provider’s actions were outside the standard of care—a constantly moving target.

In Attias v. CareFirst, Inc., the United States Supreme Court was presented with the opportunity establish precedent regarding a plaintiff’s burden as to harm suffered from a data breach.[xi]  Instead, the Court denied Maryland-based CareFirst Blue Cross Blue Shield’s request to review the D.C. Circuit’s ruling that despite not suffering any actual harm from a data breach, the customers affected could pursue a class action lawsuit against the insurer based on their personal information being exposed.

To date, there is no clear precedent as to whether an individual who pleads that her data is exposed in a breach may maintain a lawsuit against a company when there is no actual harm.  In absence of a precedent at the federal level, states must take the lead in applying cybersecurity laws as they relate to data security statutes, breach notification statutes, and statutory developments.

The Government’s Response to “The Wolf”

In 2015, Congress enacted The Cybersecurity Act of 2015, which has three healthcare-specific provisions. These provisions include the development of (1) a plan within each division of the Department of Health and Human Services spelling out responsibilities for addressing cyberthreats in the healthcare sector; (2) a Health and Human Services industry task force to examine, among other things, the cyber challenges facing the healthcare sector, as well as lessons the sector can learn from other industries; and (3) a common set of voluntary consensus-based guidelines, best practices, and methodologies to help healthcare organizations better address cyberthreats.[xii]

In addition, developers and manufacturers of mobile health applications and devices that support telehealth services must comply with multiple privacy and security regulations promulgated by various federal agencies, which are as follows:

• The Food and Drug Administration has established regulations regarding the safety and effectiveness of hardware and software of telehealth devices and mobile medical applications.[xiii]
• The Federal Communications Commission is working to raise awareness about the value of broadband in healthcare sectors through its Connect2Health Task Force. The task force identifies regulatory barriers and incentives to build stronger partnerships with public and private stakeholders in the areas of telehealth, mobile applications, and telemedicine to accelerate the adoption of advanced healthcare technologies.[xiv] The task force promotes effective policy and regulatory solutions and works to strengthen the nation’s telehealth infrastructure through its Rural Health Care Program and other initiatives.
• The Federal Trade Commission has established regulations regarding disclosures about the collection and use of consumer data to avoid false, misleading, and deceptive trade practices and provided a privacy-by-design framework for protecting mobile privacy and is currently examining healthcare competition, including regulatory barriers that prevented telehealth across state lines.[xv]
• The Office of National Coordinator for Health Information Technology established regulations to adopt standards and certification criteria for health information technology.[xvi]

While the Cybersecurity Act and these various regulations are a significant step in the right direction to preventing and addressing cyberattacks in healthcare, these regulations are often conflicting and fall short of enacting actual change for procedural safeguards against such attacks.  In addition, regardless of the regulations, cyberthreats are very difficult to prevent given that telehealth applications remain capable of connecting to other medical devices, the internet or other networks, or portable media vulnerable to cybersecurity threats.  Cybersecurity breaches continue to rise, with the top five causes consisting of phishing, network intrusion, inadvertent disclosure, stolen devices, and system misconfiguration, respectively.[xvii]

Defending Against “The Wolf”

From our clients’ perspectives, the FDA recommends telehealth application developers provide security controls to maintain the confidentiality, integrity, and viability of information stored in telehealth apps.[xviii] Telehealth providers should create an infrastructure that provides for secure communications between providers and patients, allowing for remote communication without reducing the amount of security.  HIPPA suggests the following for securing telehealth on mobile devices connecting to a network:

• Performing regular risk assessments to ensure continued protection;
• Conducting regular staff training on data privacy, security, and the latest threats, to develop a “risk aware” culture;
• Tracking data to allow for a quick and easy forensic analysis after a cybersecurity attack;
• Permitting network access to only those devices certified as having appropriate security controls;
• Segregating personal and work data on bring your own devices, permitting the easy deletion of protected data without erasing personal files and contacts;
• Considering data encryption for all data stored on mobile devices;
• Disallowing the use of SMS messages to communicate Protected Health Information at work;
• Allowing remote data erasure from a centrally controlled system;
• Implementing and enforcing password policies on password length, composition, and validity period; and
• Regularly scanning device security before any device is allowed to connect to a healthcare data network.[i]

Regardless of these measures, however, one of the biggest hurdles for protecting healthcare information from hackers are the patients themselves.  While patients should know that certain standard practices—such as having antivirus protection, using secure passwords, not visiting unprotected websites, and not opening links from unknown or suspicious senders—are crucial to preventing illegal access to their information, many patients do not take these precautions, rendering their data vulnerable.  A handout reminding patients of these basic safeguards may help insulate the healthcare provider from the patient’s failure to protect his or her data.

As practitioners who represent patients, doctors, hospitals, or telehealth providers, we owe a duty not only to our clients but to all involved parties to ensure that when we receive records in litigation, we utilize the same safeguards we expect of our clients. The nature of our work allows us to accumulate highly sensitive information and, just like our clients, we are vulnerable to potential breaches. We should follow recommended practices when it comes to cloud computing and storage, email, WiFi, network security, physical security, mobile device management, and privacy notices and policies. These recommended practices include:

• Implementing the data storage guidelines drafted by the Health Information Technology for Economic and Clinical Health Act;[i]
• Never clicking on unknown links in emails, even if the email is legitimate;
• Never opening attachments from an unknown third-party;
• Not giving out personal information over email unless it is completely secure;
• Setting secure passwords and avoiding use of common words, phrases, or personal information as part of the passwords;
• Updating passwords every 90 days;
• Using encrypted cites—never email—to transfer protected health information;
• Keeping your operating system, browser, anti-virus and other critical software up to date; and
• Turning off the option to automatically download attachments in email.[ii]

As a final note, there are cyber insurance policies available for attorneys and law firms and now is the time to add that insurance to provide coverage if “The Wolf” strikes.

Conclusion

“The Wolf” will always be after our clients’ data, but if our clients and our firms continue to take steps to improve security practices, we can keep him at bay. The opportunities that telehealth provides for members of our communities as well as for our clients is incentive enough to work through the regulations and potential threats of litigation. These efforts will limit the “really bad days” and promote important access to healthcare across all of Idaho.

---

---

[i] Acord, Lance. “The Wolf.” https://vimeo.com/223119985

[ii] Hoffman, Craig, Managing Enterprise Risks in a Digital World, Privacy, Cybersecurity, and Compliance Collide, BakerHostetler 2019 Data Security Incident Report

[iii] Kent, Jessica, Research Shows Telehealth Service Use, Availability on the Rise, mHealth Intelligence, (Mar. 26, 2018), https://mhealthintelligence.com/news/research-shows-telehealth-service-use-availability-on-the-rise

[iv] Press Release, Healthcare Info. & Mgmt. Sys. Soc’y Analytics, HIMSS Analytics 2013 Mobile Technology Survey Examines mHealth Landscape (Feb. 26, 2014), http://bit.ly/1uBlbFa; Matt Mattox, 10 Key Statistics about mHealth (Jan. 15, 2013), http://bit.ly/1lwaaFr.

[v] I.C. § 54-5700, et seq.

[vi] HIPPA Journal, OCR Issues Crosswalk Between NIST Cybersecurity Framework and HIPAA Security Rule, http://www.hipaajournal.com/ocr-issues-crosswalk-between-nist-cybersecurity-framework-and-hipaa-security-rule-832

[vii] Berg, Nate, Hackers Have Figured Out How Easy it is to Take Down a Hospital, Splinter (Mar. 10, 2016), http://splinternews.com/hackers-have-figured-out-how-easy-it-is-to-take-down-a-1793855277

[viii] Jalali, Mohammad S., PhD. And Jessica P. Kaiser, Cybersecurity in Hospitals: A Systematic, Organizational Perspective, Journal of Medical Internet Research. https://www.ncbi.nlm.nih.gov/pmc/articles/PMC5996174/

[ix] Humer, C. & Finkle, J. Your Medical Record is Worth More to Hackers (Sept. 24, 2014) http://www.reuters.com/article/us-cybersecurty-hospitals-idUSKCN-0HJ2I20140924

[x] See, e.g., Arrow Truck Sales, Inc. v. Top Quality Truck & Equip., Inc., 8:14-CV-2052-T-30-TGW, 2015 WL 4936272 at 3 (M.D. Fla. Aug. 18, 2015); Beau Townsend Ford Lincoln, Inc. v. Don Hinds Ford, Inc., 17-4177, 208 WL 6181643 at *5 (6th Cir. Nov. 28, 2018); Bile v. RREMC, LLC, 3:15CV051, 2016 WL 4487864 at *10 (E.D. Va. Aug. 24, 2016).

[xi] Attias v. Carefirst, Inc., 865 F.3d 620, 623, 431 U.S.App.D.C. 273, 276 (C.A.D.C., 2017).

[xii] Kolbasuk McGee, Marianne, Analysis: Cybersecurity Law’s Impact on Healthcare: HIMSS Legislative Expert Outlines Key Provisions and Their Implications, GovInfoSecurity (Dec. 22, 2015), http://www.govinfosecurity.com/interviews/analysis-cybersecurity-laws-impact-on-healthcare-i-3027.

[xiii] Policy for Device Software Functions and Mobile Medical Applications – Guidance for Industry and Food and Drug Administration Staff, (Sept. 20, 2019), https://www.fda.gov/media/80958/download

[xiv] Telehealth, Telemedicine and Telecare: What’s What?, Connect2Health FCC Consumer Tips https://transition.fcc.gov/cgb/c2health/c2h-telemedicine-telehealth-telecare-tipsheet.pdf

[xv] Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Business and Policy Makers, FTC Report, March 2012, https://www.ftc.gov/sites/default/files/documents/reports/federal-trade-commission-report-protecting-consumer-privacy-era-rapid-change-recommendations/120326privacyreport.pdf

[xvi] 81 FR 72404

[xvii] Hoffman, Craig, Managing Enterprise Risks in a Digital World, Privacy, Cybersecurity, and Compliance Collide, (Apr. 5, 2019), https://www.lexology.com/library/detail.aspx?g=5d04c72c-0e7a-479e-9db4-861840c6a224

[xviii] Klein, Sharon, Esq. and Jee-Young Kim, Esq. Telemedicine and Mobile Health Innovations Amid Increasing Regulatory Oversight, https://www.aamc.org/system/files/c/2/386042-telemedicineandmobilehealthinnovationsamidincreasingregulatoryi.pdf

[xix] HIPPA Guidelines on Telemedicine, HIPPA Journal, https://www.hipaajournal.com/hipaa-guidelines-on-telemedicine/

[xx] 45 CFR Part 160; HIPPA Administrative Simplification: Enforcement

[xxi] Department of Homeland Security, Protect Myself from Cyber Attacks, (Sept. 20, 2019) https://www.dhs.gov/how-do-i/protect-myself-cyber-attacks

[i] HIPPA Guidelines on Telemedicine, HIPPA Journal, https://www.hipaajournal.com/hipaa-guidelines-on-telemedicine/

[i] 45 CFR Part 160; HIPPA Administrative Simplification: Enforcement

[ii] Department of Homeland Security, Protect Myself from Cyber Attacks, (Sept. 20, 2019) https://www.dhs.gov/how-do-i/protect-myself-cyber-attacks

By Kim C. Stanger

Attorneys risk substantial fines, malpractice claims, and even jail time for violating any of several laws implicated in even simple healthcare transactions.  Federal and state healthcare laws potentially affect any financial transaction involving healthcare providers, including employment or service contracts, group compensation structures, investment interests and joint ventures, leases for space or equipment, marketing programs, and patient billing practices.  Failure to comply may result in significant fines and penalties for clients as well as malpractice claims—or worse—against their lawyers.  This article describes several statutes and regulations that can be traps for the unwary in healthcare transactions.

Federal Anti-Kickback Statute (“AKS”)

The federal AKS prohibits anyone from knowingly and willfully soliciting, offering, receiving, or paying any form of remuneration to induce referrals for any items or services for which payment may be made by any federal healthcare program unless the transaction is structured to fit within a regulatory exception.[i]  An AKS violation is a felony punishable by up to 10 years in prison, a $100,000 criminal penalty, a $100,000+ civil penalty, treble damages, and exclusion from participating in the Medicare or Medicaid programs.[ii]  An AKS violation is also a per se violation of the federal False Claims Act,[iii] which exposes defendants to mandatory self-reports and repayments, additional civil penalties of $11,000+ to $22,000+ per claim, treble damages, private qui tam lawsuits, and costs of suit.[iv]

The AKS is very broad: it applies to any form of remuneration, including compensation, kickbacks, items or services for which fair market value is not paid, business opportunities, perks, or anything else of value offered in exchange for referrals.  Consequently, it potentially affects any transaction between healthcare providers and any other potential referral source, including but not limited to their patients, employers, partners, or other providers.  It applies to persons on both sides of the transaction:  those who offer, solicit, pay, or receive the prohibited remuneration, including healthcare providers, managers, patients, vendors, and their attorneys.[v]

Despite its breadth, the AKS does have limitations.  First, it only applies to referrals for items or services payable by government healthcare programs such as Medicare or Medicaid.  If the parties to the arrangement do not participate in government programs or are not in a position to make referrals relating to government programs, then the statute should not apply.  Second, the statute does not apply if the transaction fits within specified statutory or regulatory “safe harbors.”[vi]  For example, exceptions apply to employment or personal services contracts, space or equipment leases, investment interests, and certain other relationships so long as those transactions are structured to satisfy each of the requirements relevant to the safe harbor.[vii]

Because the AKS is an intent-based statute, a violation might not occur even if the parties do not fit within a regulatory safe harbor; however, in that case, the test becomes whether “one purpose” of the remuneration is to induce referrals—a difficult standard to defend against.[viii]  If the parties cannot fit within a regulatory safe harbor, they may obtain an advisory opinion from the Office of Inspector General (“OIG”) concerning the proposed transaction.  Past advisory opinions are published on the OIG’s website, https://www.oig.hhs.gov/compliance/advisory-opinions/index.asp, and may provide guidance for others seeking to structure a similar transaction.

Eliminating Kickbacks in Recovery Act (“EKRA”)

EKRA was recently passed in response to the opioid epidemic and generally prohibits soliciting, receiving paying or offering any remuneration in return for referring a patient to a laboratory, recovery home, or clinical treatment facility unless the arrangement fits within limited regulatory exceptions.[ix]  Violations are punishable by up to 10 years in prison and a $200,000 criminal fine.[x]  Unlike the AKS, EKRA applies to claims payable by private as well as government payers.

Idaho Anti-Kickback Statute

Idaho has its own anti-kickback statute which prohibits paying or receiving a payment in exchange for referrals for healthcare services, or providing services with the knowledge that the patient was referred in exchange for a payment.[xi]  Violations may result in a $5,000 civil penalty.[xii]  Significantly, the Idaho AKS is broader than the federal statute:  it extends to payments to induce referrals for any healthcare services, not just those payable by federal programs.  And unlike the federal AKS, the Idaho AKS does not come with any regulatory safe harbors.  Fortunately, however, there do not appear to be any reported cases in which the Idaho AKS has been enforced.

Idaho Fee Splitting Statutes

Idaho professional licensing acts may also prohibit fee splitting or other conduct relevant to transactions.  For example, the Idaho Medical Practices Act prohibits “[d]ividing fees or gifts or agreeing to split or divide fees or gifts received for professional services with any person, institution or corporation in exchange for referral.”[xiii]  Depending on how broadly the relevant licensing board decides to interpret the statute, it may prohibit certain remunerative relationships as well as investment interests in provider practices.  Violations may result in adverse licensure action.

Ethics in Patient Referrals Act (“Stark”)

The federal Stark[xiv] law prohibits physicians[xv] from referring patients for certain designated health services (“DHS”)[xvi] payable by Medicare to entities with which the physician (or a member of the physician’s family) has a financial relationship unless the transaction fits within a regulatory safe harbor.[xvii]  Unlike the AKS, Stark is exclusively a civil statute: violations may result in civil fines ranging up to $25,000+ per violation and up to $170,000+ per scheme in addition to self-reporting and repayment of amounts received for services rendered per improper referrals.[xviii]  Repayments can easily run into thousands or millions of dollars.  In addition, Stark law violations result in False Claims Act violations, thereby triggering the additional penalties and threat of qui tam suits discussed previously.

Unlike the AKS, Stark is a strict liability statute; it does not require intent, and there is no “good faith” compliance.  If triggered, Stark applies to any type of direct or indirect financial relationship between physicians or their family members and a potential provider of DHS, including any ownership, investment, or compensation relationship.[xix]  Thus, the statute applies to everything from ownership or investment interests to compensation among group members to contracts, leases, joint ventures, waivers, discounts, professional courtesies, medical staff benefits, or any other transaction in which anything of value is shared with referring physicians or their family members.

Like the AKS, Stark contains numerous safe harbors applicable to many common financial relationships;[xx] the parties must carefully structure their arrangements to fit within an applicable safe harbor if there are to be DHS referrals from the physician.  And like Stark, parties contemplating a suspect transaction may seek an advisory opinion from the Center for Medicare and Medicaid Services (“CMS”).  The CMS advisory opinions are published at https://www.cms.gov/Medicare/Fraud-and-Abuse/PhysicianSelfReferral/advisory_opinions/.

Idaho Stark Law?

Idaho does not have a statute similar to Stark, but Idaho Medicaid regulations allow the Department of Health and Welfare to “deny payment for any and all claims it determines are for items or services … provided as a result of a prohibited physician referral under [Stark,] 42 CFR Part 411, Subpart J.”[xxi]  The net effect is that a Stark law violation may result in penalties and repayments under Idaho regulations as well as federal law.

Civil Monetary Penalties Law (“CMPL”)

The federal CMPL is a broad statute that, among other things, prohibits certain transactions that have the effect of increasing utilization or costs to federally funded healthcare programs or improperly minimizing services to beneficiaries.[xxii]  For example, the CMPL prohibits offering or providing inducements to a Medicare or Medicaid beneficiary that are likely to influence the beneficiary to order or receive items or services payable by federal healthcare programs, including free or discounted items or services, waivers of copays or deductibles, etc.[xxiii]  This law may affect healthcare provider marketing programs as well as contracts or payment terms with Medicare or Medicaid patients.[xxiv]

The CMPL also prohibits hospitals from making payments to physicians to induce the physicians to reduce or limit medically necessary services covered by Medicare.[xxv]  Thus, the CMPL usually prohibits so-called “gainsharing” programs in which hospitals split cost-savings with physicians.[xxvi]  Finally, the CMP prohibits submitting claims for federal healthcare programs based on items or services provided by persons excluded from healthcare programs.[xxvii]  As a practical matter, the statute prohibits healthcare providers from employing or contracting with persons or entities who have been excluded from participating in federal healthcare programs.[xxviii]  Violations of the CMPL may result in administrative penalties ranging from $5,000+ to $100,000+ per violation depending on the conduct involved.[xxix]

HIPAA[xxx] Privacy and Security Rules

The HIPAA privacy rules prohibit most healthcare providers, health plans (including employee group health plans that are administered by third parties or have more than 50 participants), and their “business associates”[xxxi] from using, disclosing, or selling protected health information (“PHI”) without the patient’s authorization unless certain exceptions apply.[xxxii]  The HIPAA security rule requires covered entities and business associates (including lawyers who receive PHI from or on behalf of their healthcare client) to implement certain administrative, technical and physical safeguards to protect electronic PHI.[xxxiii]  HIPAA violations may result in fines of $119+ to $59,000+ per violation; violations involving “willful neglect” are subject to a mandatory fine of $11,000+ to $59,000+ per violation.[xxxiv]

A separate violation exists for each individual affected by the violation and/or each day that the covered entity or business associate fails to satisfy a required standard[xxxv]; accordingly, penalties can rack up very quickly.  To make matters worse, covered entities and business associates must voluntarily self-report breaches of unsecured PHI to affected individuals and the government, thereby increasing the potential for HIPAA sanctions.[xxxvi]

If you are handling a transaction involving covered entities and/or their business associates (e.g., services contracts, sales contracts, practice acquisitions, etc.), chances are you will need to consider and address HIPAA requirements in your transaction.  Among other things, covered entities must execute business associate agreements (“BAAs”) with their business associates that require the business associate to comply with HIPAA conditions; the BAAs themselves must contain required terms.[xxxvii]

Similarly, business associates must execute BAAs with their subcontractors.[xxxviii]  Accordingly, BAAs have become ubiquitous in the healthcare industry.  They even apply to lawyers who receive PHI in the course of providing services for clients.  Failure to properly structure BAAs or other PHI-related transactions exposes your clients—and you—to unanticipated HIPAA liability.

Medicare Reimbursement Rules

The Centers for Medicare & Medicaid Services (“CMS”) has promulgated volumes of rules and manuals governing reimbursement for services provided under federal healthcare programs.  The rules govern such items as when a healthcare provider may bill for services provided by another entity, supervision required for such services, and the location in which such services may be performed to be reimbursable.

In addition, the amount of government reimbursement may differ depending on how the transaction is structured, e.g., whether it is provided through an arrangement with a hospital or by a separate clinic or physician practice.  The rules concerning reimbursement and reassignment should be considered in structuring healthcare transactions if the entities intend to bill government programs for services or maximize their reimbursement under such programs.

Conclusion

The foregoing is only a brief summary of some of the more significant laws and regulations that may affect common healthcare transactions.  As in all cases, the devil is in the details (as well as the Code of Federal Regulations and CMS Medicare Manuals).  Attorneys who represent healthcare providers should review the relevant laws and regulations whenever structuring a healthcare transaction, especially if that transaction involves potential referral sources or implicates federal healthcare programs.

---

---

[i] 42 U.S.C. § 1320a-7b(b).

[ii] 42 U.S.C. §§ 1320a-7 and 1320a-7b(b)(2)(B); 42 C.F.R. §§ 1003.300 and 1003.310.  The civil penalty is subject to an annual inflation-related increase.  45 C.F.R. § 102.3.

[iii] 42 U.S.C. § 1320a-7b(g); 31 U.S.C. § 3729.

[iv] 31 U.S.C. §§ 3729 and 3730; 42 U.S.C. §§ 1320a-7a and 1320a-7k(d); 28 C.F.R. §§ 85.5 and 1003.200(a) and (b)(k). The civil penalties are subject to inflation-related increases.  28 C.F.R. § 85.5.

[v] United States v. Anderson, 55 F. Supp. 2d 1163 (D. Kan. 1999).

[vi] 42 U.S.C. § 1320a-7b(3); 42 C.F.R. § 1001.952.

[vii] 42 U.S.C. § 1320a-7b(3); 42 C.F.R. § 1001.952.

[viii] United States v. Kats, 871 F.2d 105 (9th Cir. 1989); United States v. Greber, 760 F.2d 68 (3d Cir.), cert. denied, 474 U.S. 988 (1985).

[ix] 18 U.S.C. § 220(a).

[x] 18 U.S.C. § 220(a).

[xi] I.C. § 41-348.

[xii] I.C. § 41-327.

[xiii] I.C. § 54-1814(8).

[xiv] The Stark law is named for its congressional sponsor, United States Representative Fortney H. “Pete” Stark.  U.S. ex rel. Thompson v. Columbia/HCA Healthcare Corp., 125 F.3d 899, 900–901 (5th Cir. 1997).

[xv] “Physician” is defined as “a doctor of medicine or osteopathy, a doctor of dental surgery or dental medicine, a doctor of podiatric medicine, a doctor of optometry, or a chiropractor.”  42 C.F.R. § 411.351.

[xvi] “Designated health services” include clinical laboratory services; physical therapy, occupational therapy and speech-language pathology services; radiology and other imaging services; radiation therapy; durable medical equipment and supplies; prosthetics, orthotics, prosthetic devices and supplies; home health services; outpatient prescription drugs; inpatient and outpatient hospital services; and parenteral and enteral nutrients.  42 C.F.R. § 411.351.

[xvii] 42 U.S.C. § 1395nn; 42 C.F.R. § 411.353.

[xviii] 42 U.S.C. § 1395nn(g); 42 C.F.R. §§ 1003.300 and 1003.310.  The civil penalties are subject to an annual inflation adjustment.  45 C.F.R. § 102.3.

[xix] 42 C.F.R. §§ 411.351, 411.353, and 411.354.

[xx] 42 C.F.R. §§ 411.355 to 411.357.

[xxi] IDAPA 16.05.07.200.01.d.

[xxii] 42 U.S.C. § 1320a-7a.

[xxiii] 42 U.S.C. § 1320a-7a(a)(5); 42 C.F.R. § 1003.100(a).

[xxiv] See OIG Special Advisory Bulletin, “Offering Gifts and Other Inducements to Beneficiaries” (August 2002); OIG Special Fraud Alert, “Routine Waiver of Part B Co-Payments/Deductibles” (May 1991).

[xxv] 42 U.S.C. § 1320a-7a(b).

[xxvi] See, e.g., OIG Special Fraud Alert, “Gainsharing Arrangements and CMPs for Hospital Payments to Physicians to Reduce or Limit Services to Beneficiaries” (July 1999).

[xxvii] 42 U.S.C. § 1320a-7a(a)(1)(C) and (2).

[xxviii] OIG Special Advisory Bulletin, “The Effect of Exclusion from Participation in Federal Healthcare Programs” (Sept. 1999).

[xxix] 42 U.S.C. § 1320a-7a; 42 C.F.R. part 1003.  Many of the civil penalties are subject to annual inflation adjustments.  45 C.F.R. § 102.3.

[xxx] Health Insurance Portability and Accountability Act of 1996.

[xxxi] “Business associates” are generally those entities who create, maintain, use, access or transmit protected health information on behalf of a covered entity.  45 C.F.R. § 160.103.

[xxxii] 45 C.F.R. § 164.500 et seq.

[xxxiii] 45 C.F.R. § 164.300 et seq.

[xxxiv] 45 C.F.R. § 160.400 et seq.

[xxxv] 45 C.F.R. § 160.406.

[xxxvi] 45 C.F.R. § 164.400 et seq.

[xxxvii] 45 C.F.R. §§ 164.502(e) and 164.504(e).

[xxxviii] Id.

By Gabriel Hamilton

In 2016, the Idaho Board of Medicine abandoned its position that Idaho law prohibits physicians from being employed by non-physicians. The Board’s new position removes obstacles to non-physician investments in medical practices and other transactions that previously were prohibited by the Board’s enforcement of an antiquated rule known as the corporate practice of medicine doctrine (“COPM”).

COPM is enshrined in the laws of several states and prohibits a licensed physician from being employed by a person other than another licensed physician or a professional entity that is owned by other licensed physicians. This doctrine has, at best, scant support in Idaho law, and has historically been enforced solely by the Idaho Board of Medicine against physicians licensed in Idaho. The doctrine in Idaho was declared to be at death’s door in 2011 in an article in the Idaho Law Review by Michelle Gustavson and Nicholas Taylor.[i] In March 2016, the Idaho Board of Medicine ceased enforcing COPM.[ii] With this change in policy, the COPM doctrine no longer appears to have any relevance under Idaho law.

This article briefly reviews the history of COPM, the legal arguments the Board historically made to support COPM in Idaho, and the current state of the law following the Board’s 2016 decision.

History of the COPM Doctrine

The COPM doctrine’s history is tied to the development of organized medicine in the 19^th and early 20^th centuries.[iii] In particular, COPM is one of the principles that the American Medical Association advanced to organize licensed physicians and protect them from competition.[iv] COPM is sometimes defended as a rule to preserve the integrity of the physician-patient relationship or the integrity of the physician’s medical judgment. But from the outset, the COPM was primarily a rule intended to protect the physician’s pocket book and only secondarily about protecting patients.[v]

Over time, some states have expressly incorporated COPM into their medical licensing statutes.[vi] Idaho statutes, however, do not codify COPM. Indeed, Idaho’s Medical Practice Act expressly prohibits natural persons from engaging in the unlicensed practice of medicine.[vii] The statute says nothing about whether the person practicing medicine is employed, nor does it state that a corporate employer of a physician is engaged in the unlicensed practice of medicine.[viii]

Worlton v. Davis

The pre-2016 Board of Medicine and other proponents of COPM have essentially relied on a single statement in a single Idaho Supreme Court case from 1952 as the foundation for asserting that COPM has a place in Idaho law. That case, Worlton v. Davis,[ix] held as follows: “[n]o unlicensed person or entity may engage in the practice of the medical profession through licensed employees; nor may a licensed physician practice as an employee of an unlicensed person or entity. Such practices are contrary to public policy.”[x]

The precedential value of Worlton, however, is suspect. First, the case involves facts under which a non-physician owner of a clinic exerted control via contract over the licensed physicians’ practice of medicine.[xi] The Worlton court found the contract in question as void against public policy without reference to the Idaho Medical Practice Act.[xii] Second, the Idaho Medical Practice Act has been amended and recodified substantially since the date of the Worlton decision with the current statute dating from 1977.[xiii] Third, subsequently enacted Idaho statutes expressly allow several types of corporate entities to employ physicians including hospitals, managed care organizations, public health districts, and home health agencies.[xiv]

These newer statutes appear to demonstrate that Idaho has no overriding public policy against the employment of physicians. Indeed, the concerns of the Worlton court regarding a non-physician influence over a physician’s medical judgment are better addressed through the Medical Practice Act’s prohibitions on the unlicensed practice of medicine and common contract provisions that preserve the independent medical judgment of physicians.[xv]

The Practice of Medicine Since Worlton

The world has changed since 1952. First, a 1975 case in the Second Circuit invalidated the AMA ethical standards that provided the basis for the adoption of COPM earlier in the century. [xvi] Second, many states have rescinded or ceased to enforce COPM.[xvii] Third, the practice of medicine by independent, physician-owned medical groups is increasingly rare. Many physicians are now directly employed by hospitals or managed care organizations or by medical groups that are wholly owned by a hospital or managed organization. Fourth, the industry long ago developed a means to effectively evade COPM by placing a medical group’s hard assets and non-clinical staff, including business management, into one legal entity and the physicians into a second legal entity that contracts with the first entity for management services.

COPM does not bar non-physicians from owning shares of the management company, and such a bifurcated structure permits all of the revenue from the practice—net of physician’s salaries—to flow into the management company and out to the non-physician owners. The success of these structures over the decades amply demonstrates the irrelevance of COPM. In such arrangements, the contractual provisions serve to protect the physician’s independence and to ensure compliance with the Idaho Medical Practice Act and professional ethics.

2016 BOM Decision

The Idaho Board of Medicine’s decision in 2016 to abandon COPM was a much-anticipated development, and is consistent with the trend in other states towards the derogation or outright abrogation of COPM. COPM is an antiquated doctrine that has no sound basis in public policy, no firm basis in Idaho law, and has been widely repudiated by other states. If COPM was at death’s door when Gustavson and Taylor wrote their article in 2011, the Idaho Board of Medicine’s 2016 decision appears to have finished it off.

No new Idaho case law or legislation has appeared since 2016 that formally rescinds COPM for all purposes under Idaho law, but the consensus appears to be that the effect of any such legislation or case law would be merely to pound the final nail in the coffin.[xviii] As a practical matter, the Idaho Board of Medicine’s abandonment of COPM has opened the door in Idaho for non-physicians to invest in medical practices and for physicians to accept direct employment with any kind of employer.[xix]

---

---

[i] Michelle Gustavson and Nick Taylor, At Death’s Door—Idaho’s Corporate Practice of Medicine Doctrine, 47 IDAHO L. REV. 480 (2011).

[ii] Kim Stanger, Idaho Board of Medicine Disavows the Corporate Practice of Medicine Doctrine (Sept. 23, 2016) https://www.hollandhart.com/idaho-board-of-medicine-disavows-the-corporate-practice-of-medicine-doctrine.

[iii] See, generally, Gustavson, note 2.

[iv] See Gustavson note 2 at 490–91.

[v] See id. at 492–3.

[vi] See id. at 498; see, e.g., Col. Rev. Stat. Section 12-240-138.

[vii] Idaho Code § 54-1803.

[viii] See also Gustavson, note 2 at 504-505 (refuting arguments that the Idaho Medical Practice Act somehow adopts COPM by “negative inference”).

[ix] 73 Idaho 217 (1952).

[x] Id. at 221.

[xi] Id. at 222.

[xii] Id. at 221.

[xiii] Idaho Medical Practice Act, ch. 199, 1977 Idaho Sess. Laws 536.

[xiv] See Gustavson, note 2, 511–17.

[xv] See also Gustavson, note 2, 509–10.

[xvi] Am. Med. Ass’n v. Federal Trade Comm’n, 638 F.2d 443 (2nd Cir. 1980); see Gustavson, supra note 2, 496–98.

[xvii] See Gustavson, note 2, 498–501.

[xviii] Kim Stanger, Non-Physicians Owning or Investing in Medical Practices in Idaho (Nov. 8, 2017) https://www.hhhealthlawblog.com/2017/11/non-physicians-owning-or-investing-in-medical-practices-in-idaho.html.

[xix] See id.

By Lisa M. Carlson

Having a laptop or smartphone stolen makes for a very bad day.  Now imagine having to pay the federal government a seven-figure fine because that device contained protected health information (“PHI”) and was not encrypted. If your practice includes having access to health information, you may be subject to the stringent data protections imposed by the Health Insurance Portability & Accountability Act (“HIPAA”). With over $100 million in fines collected for HIPAA violations since 2003, the cost of non-compliance is demonstrably steep.[1] This article will discuss the components of HIPAA that lawyers are likely to encounter and provide an action plan to assist lawyers in remaining HIPAA-compliant.

Protecting PHI under HIPAA

Most people recognize that HIPAA requires a covered entity to safeguard protected health information.[2] However, obligations under HIPAA also extend to business associates of a covered entity. A business associate is generally defined as any person or entity who “creates, receives, maintains, or transmits” protected health information in the course of performing services on behalf of a covered entity.[3] Additionally, a subcontractor of a business associate that has access to PHI in performing services on behalf of a business associate will also be deemed a business associate for purposes of HIPAA compliance.[4]  This means that an attorney performing legal services for a covered entity or as a subcontractor of a business associate, where the legal services involve the access, use, or disclosure of PHI by the covered entity or business associate, will be deemed a business associate and must comply with HIPAA.

Penalties for HIPAA violations

HIPAA violations can lead to civil fines imposed by the U.S. Department of Health and Human Services, Office for Civil Rights, or even criminal penalties.[5] An attorney business associate’s non-compliance with HIPAA can not only lead to enforcement actions and fines imposed against the covered entity but can also subject the attorney to direct liability.[6] Fines can range anywhere from $119 to $58,000 per violation.[7]

Where a HIPAA violation stems from willful neglect, defined as “conscious, intentional failure or reckless indifference to the obligation to comply” with HIPAA, the Office of Civil Rights is obligated to impose monetary penalties on the offending individual or entity in an amount between $11,000 and $58,000 per violation.[8] A single misstep can result in multiple violations.[9] For example, loss of a laptop with the records of 500 individuals may constitute 500 violations. Similarly, if the violation is based upon the failure to implement a required policy or safeguard, each day of non-compliance may constitute a separate violation.

To avoid subjecting themselves or their clients to civil or criminal penalties for HIPAA violations, attorneys who handle PHI for covered entities or business associates should take the following steps to ensure compliance and safeguard against claims of willful neglect.

Execute a BAA with the covered entity

Covered entities are required to obtain written satisfactory assurances from any business associate wherein the business associate agrees to appropriately safeguard the PHI it receives or creates on behalf of the covered entity.[10] These written satisfactory assurances between a covered entity and business associate are referred to as a business associate agreement (“BAA”).

HIPAA specifies the minimum requirements that must be contained within a BAA.[11] At a minimum, HIPAA requires the business associate to maintain the privacy of PHI, limit the business associate’s use or disclosure of PHI to those purposes authorized by the covered entity, and require the business associate to assist the covered entity in responding to individual requests concerning their PHI.

An attorney business associate should watch for provisions in the BAA where the covered entity shifts the responsibility for responding to PHI requests to the attorney. For example, a covered entity may require the business associate to respond directly to an individual requesting access to their PHI or for an accounting of disclosures. This contractually assigned obligation can lead to direct liability imposed by the Office of Civil Rights if the attorney fails to comply with the individual’s request.[12] Arguably, an attorney’s compliance with this requirement could violate the attorney’s obligation to maintain client confidentiality.[13]

Some covered entities may also include additional provisions in their BAAs beyond those required by HIPAA. For example, a covered entity may require a business associate to have specific insurance limits or types (e.g., cyber insurance), indemnify and defend the covered entity for HIPAA violations, or pay for and provide notice of privacy breaches or security incidents to affected individuals. While these provisions are generally negotiable, an attorney business associate should consider whether BAA negotiations with a client create a professional conflict wherein the interests of the attorney are adverse to those of the client.[14]

Execute a BAA with subcontractors

A business associate is required to obtain a BAA from any subcontractor the business associate utilizes to assist with performing services on behalf of a covered entity that will have access to PHI.[15] Therefore, if an attorney business associate enlists a person or entity, such as a jury expert or investigator, or even a cloud-based service provider, to assist with performing services on behalf of the covered entity, the attorney must execute a BAA with that subcontractor to ensure the subcontractor will also comply with HIPAA. The subcontractor then becomes a business associate themselves.[16]

Significantly, an attorney business associate can be liable for the HIPAA violations of their subcontractor if the attorney is aware of a pattern or practice of violations by the subcontractor and fails to act, or if the subcontractor is an agent (and not an independent contractor) of the attorney.[17] Therefore, an attorney business associate should take reasonable steps to remedy any known non-compliance by subcontractors.

Comply with Privacy & Security Rules

HIPAA’s Privacy and Security Rules set the standards for when PHI may be used and disclosed as well as those requirements that covered entities and business associates must implement to protect the confidentiality, integrity, and availability of electronic PHI.[18] Most of HIPAA’s Privacy Rule provisions do not apply directly to business associates, but instead apply indirectly, as a business associate is not permitted to use or disclose PHI in a manner that would violate HIPAA if done by the covered entity itself.[19] Generally, HIPAA prohibits a covered entity from using, accessing, or disclosing PHI without the individual’s valid, HIPAA-compliant authorization unless the use or disclosure fits within an exception.[20]

The Security Rule, on the other hand, expressly applies to business associates. It requires them to protect electronically stored PHI through implementation of specific administrative, physical, and technical safeguards.[21] Because the Office of Civil Rights can impose penalties on a business associate for non-compliance with the requirements of the Security Rule, it is important for attorney business associates to understand the obligations imposed by the Security Rule and to ensure strict compliance.[22]

With regard to obligations under the Privacy and Security Rules, attorney business associates often overlook the general processes they use to store and share client information, and how those processes should be adapted when the client information includes PHI. For example, a law firm may ordinarily store client data on a shared network drive, cloud service, or an unencrypted portable memory device. Additionally, they may utilize an unencrypted email service to transmit information within or outside the firm. While these general processes may be appropriate under general confidentiality standards applicable to attorneys, they may not comply with heightened obligations for safeguarding PHI under HIPAA. Understanding and adapting to risks associated with data and technology is also required by an attorney’s duty to provide competent representation.[23]

Respond to and report violations

A business associate must timely respond to or report HIPAA violations or data breaches to the covered entity.[24] These obligations are required to be set forth in the BAA between the covered entity and business associate.[25] A business associate will also generally be required to report to the covered entity any security incidents, which are defined to include the “attempted or successful unauthorized access, use, disclosure, modification, or destruction of PHI or interference with system operations in a PHI system.”[26] The covered entity is then obligated to make any necessary reports to individuals, the Department of Health and Human Services, or the media.[27] Significantly, the Office of Civil Rights has authority to impose penalties on a business associate for non-compliance with these notification requirements.[28]

An attorney business associate who is faced with a real or potential HIPAA violation, breach, or security incident should take prompt action to minimize the risk of data compromise. This will include timely notification to the covered entity, timely remediation of any remaining vulnerability (e.g., remote wiping of lost devices and recovery of improperly disclosed records), and compliance with other obligations pursuant to the BAA.

Cooperate with compliance investigations

HIPAA requires a business associate to comply with the federal government’s efforts to investigate complaints and ensure compliance. A business associate must permit the Office of Civil Rights to access “its facilities, books, records, accounts, and other sources of information, including protected health information, that are pertinent to ascertaining compliance.”[29] For an attorney business associate, this broad right to access by the Office of Civil Rights to documentation maintained by the firm can be problematic under the attorney’s duty of confidentiality owed to clients.[30] Attorneys may want to evaluate whether a prospective waiver from the client is necessary to protect against conflict between the obligation to cooperate with the Department of Health and Human Services and the professional obligation to safeguard information.

Additional considerations

The obligations imposed upon business associates are numerous and the consequences for non-compliance are significant. Before agreeing to be bound by a BAA and corresponding HIPAA requirements, attorneys should confirm they fit within the statutory definition as a business associate. While some covered entities and vendors take an ultra-conservative approach to HIPAA compliance by requiring all service providers to enter into a BAA, attorneys should exercise caution against subjecting themselves to HIPAA compliance unnecessarily.

If an attorney does qualify as a business associate under HIPAA, it is important to conduct a thorough risk analysis and determine those measures that will be necessary to ensure compliance not only with HIPAA, but also the attorney’s professional responsibilities in representing a covered entity and business associate clients. Finally, before executing a BAA, an attorney may want to confirm that their malpractice insurance carrier will provide appropriate coverage for any assumed obligations under the BAA.

---

---

[1] Dep’t of Health & Human Servs., Enforcement Results as of Dec. 31, 2019, , https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/index.html.

[2] A covered entity is generally defined to include health plans, health care clearinghouses, and health care providers. 45 C.F.R. § 160.103 (2013).

[3] Id. (defining “business associate”).

[4] Id. § 164.502(e).

[5] Id. § 160.400 et seq.; 42 U.S.C. § 1320d-6.

[6] DEP’T OF HEALTH & HUMAN SERVS., Direct Liability of Business Associates (May 24, 2019) https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/factsheet/index.html.

[7] 45 C.F.R. § 160.404. These numbers are adjusted annually and listed in the table found at 45 C.F.R. § 102.3.

[8] Id. §§ 160.401, 164.404, 102.3.

[9] Id. § 160.406.

[10] Id. §§ 164.308(b), 164.502(e).

[11] Id. § 164.504(e).

[12] See Id. § 164.502(a)(4)(ii).

[13] See Idaho Rule of Professional Conduct (I.R.P.C.) 1.6.

[14] See I.R.P.C. 1.8(h).

[15] 45 C.F.R. §§ 164.308(b)(2), 164.314(a)(2).

[16] Id. § 160.103.

[17] Id. § 164.504(e)(1).

[18] 45 C.F.R. §§ 160, 164.

[19] Id. § 164.502.

[20] Id.

[21] Id. § 164.300 et seq.

[22] 42 U.S.C. § 17931. See also note 6.

[23] See I.R.P.C. 1.1, cmt. 8.

[24] 45 C.F.R. §§ 154.410, 164.504(e)(2).

[25] Id.

[26] Id. § 164.304.

[27] Id. §§ 164.404, 164.406, 164.408.

[28] Id. § 164.410. See also note 6.

[29] 45 C.F.R. § 160.310(c)(1).

[30] See I.R.P.C. 1.6.

By Marvin K. Smith and Austin T. Strobel

Struggles with serious mental illness can present challenging circumstances for an individual and those around them. When that challenge rises to the level of a grave disability, or rises to the level of a danger that threatens the life of the ill friend or family member or others, it can be difficult to know where to turn for help. Fortunately, the Idaho Legislature has provided a humane and comprehensive means to “press pause” in these types of severe circumstances through the adoption of the involuntary mental health hold process.

This article serves as a primer of sorts on that process, exploring first the basics of Idaho’s statutory scheme, including the different types of mental health holds, the substantive threshold that needs to be met for an involuntary mental health hold to be placed, and the types of individuals capable of placing a patient on an involuntary hold. Next, this article takes a look at the key definitions in the mental health hold statute and a key omission from those definitions. Lastly, this article explores a few difficult scenarios that providers may need to address in the mental health hold context – a context where the decision of whether or not to place an involuntary mental health hold can have significant consequences for both patient and provider alike.

The Idaho Legislature has adopted two types of involuntary mental health holds: the traditional 24-hour mental health hold set forth in Idaho Code § 66-326, and the 72-hour administrative hold set forth in Idaho Code § 66-320. Each is addressed in turn in the following.

Idaho Code § 66-326—24 Hour Mental Health Hold

A 24-hour mental health hold without a court order can be initiated by a peace officer (in this scenario, the patient is taken into custody and placed in the hospital or mental health facility) or by a physician, physician assistant, or advanced practice registered nurse (in this scenario, the patient is already at the hospital).[i] The party initiating the mental health hold must have reason to believe that the person is either gravely disabled due to mental illness or the patient’s continued liberty poses an imminent danger to that person or others as evidenced by a threat of substantial physical harm.[ii] The statute does not specifically require that the detention need occur at a mental health facility, however, the statute specifically lays out that detention must not occur in a non-medical unit used for the detention of individuals charged with or convicted of penal offenses.[iii]

Evidence supporting the claim of grave disability due to mental illness or imminent danger must be presented to a court within 24 hours from the time the individual was placed in custody or detained. If the court finds either grave disability or imminent danger, then the court will enter a temporary custody order and order an examination by a designated examiner of the person in custody to be performed within 24 hours of the temporary order being issued. The designated examiner must then report findings to the court within 24 hours of the examination. If the designated examiner finds either grave disability due to mental illness or imminent danger, then the prosecuting attorney has 24 hours from the time of the examination to file a petition for detention pending commitment proceedings. If the prosecuting attorney makes no filing within 24 hours, the patient can leave the facility.

Idaho Code § 66-320—72 Hour Administrative Hold

In addition to the traditional involuntary hold process described previously, the Idaho Legislature has adopted a 72-hour administrative hold process. A 72-hour administrative hold on a mental health patient is available if: (1) the patient is a voluntary patient under § 66-318 and; (2) the patient is seeking to leave the facility by a request in writing. In that event, if the director of the facility determines that the patient should remain hospitalized, the patient may be detained up to three days (excluding Saturdays, Sundays, and legal holidays) for the purpose of an examination by a designated examiner and filing of an application for continued care and treatment (commitment).[iv]

Though technically available, it is difficult to envision a circumstance – particularly in Idaho’s more populated areas served by hospitals with inpatient mental health capabilities – where a 72-hour administrative hold would be used rather than the traditional 24-hour involuntary mental health hold.  Indeed, it adds weight and credibility to the need for a hold when it is placed by a mental health professional following a psychiatric evaluation of the patient. Moreover, in a circumstance where a mental health professional has already determined that the hold criteria have not been met, it seems unlikely that a facility director would, in essence, “overrule” the judgment of an educated and trained professional and place an administrative hold.

One possible exception is in Idaho’s more rural areas where inpatient mental health services are not always readily available.  In those circumstances, the administrative hold is a useful tool because a facility director’s initial placement of an administrative hold may be needed to allow time for a mental health professional to arrive and perform a psychiatric evaluation of the patient.

Key Definitions and Critical Omission

Any provider (or attorney representing that provider) evaluating a patient for the involuntary mental health hold criteria previously set forth should be familiar with the following key definitions in Idaho’s mental health hold statute:

“Gravely disabled” means the patient is unable to provide for basic personal needs (food, clothing, shelter) or lacks insight into the need for treatment and unwillingness to comply with treatment that is likely to lead to an inability to provide for basic needs.[v]

A “designated examiner” is defined as “a psychiatrist, psychologist, psychiatric nurse, or social worker and such other mental health professionals as may be designated in accordance with rules promulgated pursuant to the provisions of chapter 52, title 67, Idaho Code, by the department of health and welfare. Any person designated by the department director will be specially qualified by training and experience in the diagnosis and treatment of mental or mentally related illnesses or conditions.”[vi]

“Mentally ill” means a person who, as a result of a substantial disorder of thought, mood, perception, orientation, or memory, which grossly impairs judgment, behavior, capacity to recognize and adapt to reality, requires care and treatment at a facility or through outpatient treatment.[vii]

Notably absent from the definitions set forth in the statute is any definition of “imminent” or “imminent danger.” As discussed next, this lack of statutory guidance on this critical element is a problem for both patients and providers alike and raises important questions affecting not only the patient’s health, safety, and autonomy, but public health and safety. Idaho’s appellate case law does not fill this gap, either.

Practical Issues: Difficulties in Certain Cases and Statutory Immunity

One problem a provider may face in determining whether statutory mental health hold criteria have been met is determining whether a patient is an “imminent” danger to themselves or others. As indicated above, Idaho’s involuntary hold statute lacks any definition for “imminent” or “imminent danger” – a key term in evaluating whether statutory hold criteria have been met. As an illustration, say a provider determines that a patient’s current condition does not present a threat to the patient or others in the next 0 to 24 hours, but that days after a patient’s release the patient’s condition deteriorates such that at some point in the next few days or weeks, the patient presents a threat of serious bodily harm to themselves or others. In other words, does a danger rise to the level of “imminent” if the perceived danger is a few days or weeks away? Without further clarification from the legislature, this judgment is left to the provider and can have significant consequences for the patient, provider, and facility.[viii]

Alcohol and substance abuse can also create difficulties for providers evaluating patients with mental illness. In fact, Idaho prohibits the placement of a hold on a patient who is “impaired by chronic alcoholism or drug abuse.”[ix] Based on this language, some Idaho providers mistakenly believe that they are not able to place a hold on intoxicated patients. This interpretation is incorrect, as the statute recognizes that alcoholism and serious mental illness often go hand in hand and clarifies that a hold due to alcoholism is inappropriate “unless in addition to such condition, such person is mentally ill.”[x] Thus, an intoxicated person who is simultaneously gravely disabled or an imminent threat to themselves or others may be appropriately held involuntarily under Idaho’s mental health hold process.

As a backstop safe harbor – likely in light of the inherent difficulties in evaluating and diagnosing mental health issues – the Idaho Legislature has provided for statutory immunity for providers and other individuals placing (or failing to place) involuntary mental health holds, so long as the procedures of the Idaho hold statute were performed “in good faith and without gross negligence.”[xi]

Conclusion

Though minor legislative revisions can be made to improve the real-world application of Idaho’s mental health hold framework, the involuntary mental health hold process is a helpful tool that strikes the appropriate balance between patient autonomy and self-determination and patient (and public) health and safety in a difficult area of health care law.

---

---

[i] I.C. § 66-326(1).

[ii] Id.

[iii] Id.

[iv] I.C. § 66-320.

[v] I.C.§ 66-317(13).

[vi] I.C. § 66-317(5).

[vii] I.C. § 66-317(12).

[viii] Though clarification from the legislature on the definition of “imminent” would be helpful, the Webster’s Dictionary definition of “imminent” is highly suggestive of only a short period of time (hours as opposed to days), indicating that “imminent” means “ready to take place” or “happening soon.” https://www.merriam-webster.com/dictionary/imminent.

[ix] I.C. § 66-329(13)(a).

[x] Id.

[xi] I.C. § 66-341.

By Kurt D. Holzer

“Colleagues are a wonderful thing – but mentors, that’s where the real work gets done.” — Junot Diaz

As I stride toward the well of the court to face the jury and prepare to speak of my client’s cause, I wonder: “These 12 strangers I’ve spent days in front of, do they get it?  That judge whose every ruling seemed the opposite of what I expected, does she get it?  The law clerk in the judge’s ear, does he get it?  Opposing counsel and her client, do they get it? Does my client even understand?”

This moment in trial often leaves me feeling alone.

If they do not get it, I have no one to blame but myself.

I wandered forth from law school ignorant of my ignorance. I only knew that I wanted to try cases.  And the biggest reason I have had any moments of success doing so is other Idaho lawyers.

This article is primarily for you recently, and soon to be, minted attorneys.  I implore you to see in that amazing technological innovation of the 19^th Century, the telephone, the unmatched opportunity it offers for your professional development.

As an aside, thank you to the many lawyers who have responded to my call out of the blue asking for thoughts or insights on challenges I have faced for my clients. The truths I talk to a jury about are truths I have learned to speak with guidance from all of you.

You experienced lawyers keep taking those young lawyer’s calls.  Mentoring comes in many forms. Providing your insight into a discreet question from a young lawyer you have never met or may have met in passing but don’t recall is one.

Of course, as I’ve reached mid- (or maybe late-mid) career, I can see my development that came from seminars, journal articles, and my own experiences.  But the insight and guidance from more experienced practitioners, direct mentoring, that’s the stuff on which legal careers are most solidly built. It’s where the real work was done.

Ultimately, such guidance requires a person to ask for help. I am lucky enough to have lots of wisdom in other lawyers whose office doors are feet away in the hallways of my firm. And that’s one of the true joys of practice. Still though, after nearly 30 years as a trial lawyer, I pick up the phone to call other attorneys to seek advice.

There are lawyers who believe they need no help.  Those lawyers are somehow always certain of the answers they reach on their own, or maybe are just embarrassed to seek the insights of others.  Too frequently, I see the mistakes those lawyers make because they did not use the collective wisdom available to all of us.

Though it feels like it sometimes, losing a case is no sin. And in the non-litigation practice sometimes the preferred outcome is not achieved.  However, losing or failing because you did not take the few moments to supplement your efforts with guidance from a fellow member you believed would have insight – that is a great sin.

Traveling the State with my fellow Commissioners we hear a constant refrain: “This is a great Bar.”   We Idaho attorneys enjoy a level of collegiality and collaboration, even in serious, high-heat conflicts, that at times stuns friends of mine who practice elsewhere.

And those Bar members are at your fingertips.  The telephone on your desk (or in your pocket) provides access to a vast universe of accessible knowledge, experience, and wisdom.

And while it is often more important for newly minted lawyers, those who don’t know what they don’t know, this wisdom is there for all of us.

Whether driven to avoid reliance on others because of hubris, fear, or laziness, the outcome for the lawyers who don’t make the call is the same.   A client left without the best advocate she can have.

I cannot count how many times I have called upon fellow Idaho attorneys with no connection to the matter on which I was working for help.  Grey haired-eminences, mid-career lawyers in the trenches, and more recently minted members all have helped me help clients.

On occasion, my phone rings with another bar member asking me my thoughts on a quandary they face, a legal issue or a procedural matter.  Those conversations tend to be a bright point in my day.   It’s one of the things that make being a member of this profession so dang satisfying.

The wisdom of experience, the wisdom of analysis, the wisdom of insight —you find it all there in our collective. And as members of the Idaho State Bar it is there for the asking.  That person with experience in your area of law who you met at the conference or who is spoken of effusively and always with only accolades, she’ll have insight. And here in Idaho, almost invariably, she will answer your call and offer some direction.

Before the first words of the closing to that jury escape my lips, I find comfort arising from the companionship, camaraderie, and connection we Idaho lawyers experience.  The sense of isolation is lessened by the knowledge that in me is the wisdom of many who helped me be ready to be the voice for my client.  Those many included fellow members of the Idaho State Bar who have been on the other end of that amazing telephone.

---

By Brent T. Wilson

Barring a plea deal, which seems unlikely, Elizabeth Holmes, the founder and CEO of failed blood testing company Theranos, and president/COO Ramesh Balwani are scheduled for trial on multiple counts of criminal fraud in August 2020. If convicted, each faces up to 20 years in prison. This is in addition to actions already taken by the SEC against Theranos and Holmes, as well as class action lawsuits by investors and patients.

The media has reported extensively about Holmes and the downfall of Theranos, which was at one point valued at $9 billion. John Carreyrou’s best seller Bad Blood: Secrets and Lies in a Silicon Valley Startup covers the whole sordid tale. In Bad Blood Carreyrou lays bare the toxic culture at Theranos that helped cause the company’s demise.

This article is not about the gripping tale of deception, manipulation, and intimidation fostered by Holmes and Balwani (and other bizarre facts, such as Holmes communicating in a fake deep voice for years after starting Theranos) – Carreyrou, ABC’s Rebecca Jarvis in the podcast The Dropout, and many other talented journalists have thoroughly covered those topics. The focus here is on Theranos’s board of directors and their failure to govern the compliance function, which ultimately helped contribute to the company’s downfall – and what the board should have done instead. Any statements of fact about Theranos in this article are taken from Carreyrou’s and Jarvis’s reporting.

Background: Theranos and Its Board of Directors

At age 19 and after only two semesters of chemical engineering classes at Stanford, Holmes dropped out to start Theranos, a privately held for-profit entity. Holmes, an aspiring billionaire, claimed she feared needles. The basic idea was to create a miniature laboratory that could perform blood tests using only a drop or two of blood pricked from a finger. Holmes’s grand vision was to revolutionize blood testing and place these miniature labs in homes across the world. Easy access to affordable and reliable blood testing would help with early detection and preventative medicine.

Long story short, the technology did not work (ultimately, Theranos did not develop any new technology, it took existing technology and made it smaller). Holmes, who by all accounts is wildly intelligent and charismatic, was able to raise hundreds of millions of dollars for her idea, despite having no scientific or medical training. Turns out, Holmes sold the company to investors through obfuscation and deception. When it became clear Holmes was willing to endanger patients by using questionable blood testing processes, some employees turned on Holmes and became whistleblowers.

It is important to be clear on a few things about the board’s role in the company’s failure. First, no board member is facing prosecution or even the threat of indictment. None of them participated in the fraud. They, like almost everyone else, were duped. Second, Holmes maintained complete control of the board and did not tolerate dissent. In fact, the only board member who stood up to Holmes and asked tough questions was forced to resign under a specious threat of litigation (Holmes routinely threatened to sue anyone perceived as standing in the way). So it is not clear that additional governance activity by Theranos’s board would have demonstrably prevented the course of events for the company.

There is no indication that any other board member, however, was even interested in asking questions or challenging Holmes. Each Theranos board member was highly accomplished, but none of them had any substantial scientific or health care industry experience. Holmes recruited famous diplomats, statesmen, and political and military leaders with significant connections for a reason, namely to work those connections, raise funds, and gain attention. Theranos’s board was window dressing. From a compliance perspective, Theranos is a good case study.

The Board’s Role in Compliance Oversight and Potential Liability

Directors are responsible for oversight of a company’s compliance function. Foremost, whether in a for-profit or non-profit entity, directors are fiduciaries.[i] As such, directors are responsible for ensuring a company’s activities comply with applicable industry, legal, and regulatory frameworks, the broad protections of the business judgment rule notwithstanding. The Federal Sentencing Guidelines set out the required elements of an effective compliance program, including the board’s role: “the organization’s governing authority shall be knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program.”[ii]

Under the seminal In re Caremark International, Inc. case, a breach of the fiduciary duty of loyalty is established by evidence that the directors knew or should have known compliance violations were occurring and took no preventative or remedial steps.[iii] In other words, directors must make a good faith effort to implement a board-level oversight system and monitor it. Proving such a failure is difficult – e.g., it requires evidence of a sustained or systematic failure to exercise oversight, such as “an utter failure to attempt to assure a reasonable information and reporting system exists.”[iv]

The recent Delaware decision in Marchand v. Barnhill, a case involving Blue Bell Creameries, paints a roadmap for how to establish this type of “utter failure.” Shareholders derivatively sued the board and executives for losses after the company failed to respond to a listeria outbreak in several factories, which caused the deaths of three customers.[v] Plaintiffs survived a motion to dismiss because their complaint included sufficient inferences that the board had not undertaken any effort to ensure it was informed about the compliance issues critical to the company’s operations.

Blue Bell does one thing: it makes ice cream. Blue Bell’s board, however, had no committee to address food safety issues, no processes or protocols for management to update it about food safety practices or risks, no regular schedule for considering food safety risks inherent to the industry, there was no evidence management notified the board of red or yellow flags from regulators about reported listeria problems, and there was a complete lack of any discussions about food safety in board meeting minutes – even during the time of the listeria outbreak.

Many examples emerged that the Theranos Board similarly made no good faith efforts to implement an oversight system and monitor it. Though Holmes advertised Theranos as a Silicon Valley technology startup, at its core Theranos was a blood testing company with a diagnostic laboratory subject to the same regulatory compliance requirements as any other lab. Notwithstanding, Theranos, at Holmes’s or Balwani’s direction, flouted regulatory requirements. The board had no system in place to monitor Theranos’s compliance with laboratory regulations or identify any of these problems.

For example, with regard to its proprietary lab equipment Theranos could not run most blood tests on its miniaturized equipment, so it hacked commercial analyzers, diluted small finger prick samples, and ran them on the hacked commercial machines, which negatively impacted accuracy. Theranos also segregated its proprietary miniature lab equipment from the commercial analyzers it used to run most of its blood tests. When state regulators conducted inspections of the lab, Theranos only showed the inspectors the lab with the conventional commercial analyzers. Finally, Theranos cheated on proficiency testing, a regulatory and accreditation required exercise aimed at identifying inaccurate blood testing, by testing proficiency samples on commercial analyzers rather than on Theranos’s proprietary lab equipment.

In operating its lab, Theranos went months without a director, which violated licensure requirements. When Theranos eventually appointed a lab director, it was a dermatologist who was not actually qualified to run a clinical laboratory and was mostly an absent figurehead. Theranos also set up protocols that allowed unlicensed personnel to conduct quality control procedures and process patient samples in the lab. Balwani regularly fired employees who dared question him. One victim included a microbiologist who pushed for industry standard and regulatory required environmental health and safety protections in the lab.

With regard to regulators, Holmes created an illusion that Theranos cooperated with the FDA and the FDA approved its blood testing processes. In fact, the FDA had approved only a few of Theranos’s tests (Theranos skirted FDA oversight for the most part). When the FDA inspected the lab, it determined that Theranos’s “nanotainer” for collecting blood from finger pricks was an uncleared medical device and prohibited Theranos from using it.

Perhaps most egregiously, Centers for Medicare and Medicaid Services (“CMS”) conducted a surprise inspection of the lab in September 2015 and found serious deficiencies with Theranos’s proprietary lab equipment and lab operations. CMS found that unqualified personnel were allowed to handle patient blood samples, blood was stored at the wrong temperatures, the presence of expired reagents (solutions used for blood testing), and that Theranos failed to notify patients about flawed test results. CMS required Theranos to void almost one million blood test results run on its proprietary equipment. In other words, Theranos’s propriety blood testing equipment was basically useless. In July 2016, CMS banned Holmes and Theranos from running a blood testing lab.

There are additional examples of serious compliance-like concerns the board should have addressed, but did not. For example, not one health care venture capital firm invested in Theranos, but board members never questioned that fact. The board approved hiring Balwani as president and COO despite having no blood testing, laboratory, or medical industry experience (as a salacious aside, Holmes never disclosed to the board that she and Balwani were dating and living together).

In March 2008, two high-level employees approached the board chair with evidence Holmes misled the board about the effectiveness of Theranos’s blood testing technology and revenue projections. Faced with this information, the Board decided to remove Holmes as CEO. Holmes convinced them to change their minds. Less than two weeks later Holmes fired both employees. Not one board member looked into the firing of two high-level employees who only a few weeks earlier provided evidence that had convinced them to remove Holmes.

Similarly, in November 2006 Holmes faked successful results of a blood test on Theranos’s proprietary mini device in a demonstration to a multi-national pharmaceutical company. Holmes did this routinely when demonstrating the devices to potential investors and pharma companies. When Theranos’s CFO learned about this practice and strongly objected, Holmes fired him. No board member seemed concerned a C-suite level employee was suddenly gone, or asked why.

How Can a Board Satisfy its Fiduciary Duty to Oversee Compliance?

The pattern of inaction of the Theranos board is similar to the Blue Bell case. So what should a board of directors do to oversee compliance? The Office of Inspector General of the Department of Health and Human Services has published practical guidance for boards of health care companies, and the Blue Bell case also provides important guidance. [vi] Effective board actions for compliance oversight may include the following.

Establish Board-Level Systems for Oversight. Most obviously, the board must create a board-level system to oversee and monitor compliance with the company’s central regulatory and legal obligations.

Reporting to the Board. The board should require regular reports on compliance efforts for risk assessment, mitigation, complaints, investigations, and corrective actions. Management should report on critical operations issues to the board, particularly on yellow or red flag concerns (e.g., whistleblower complaints, regulator actions). Reporting structures or processes may include: (a) forming a board committee focused solely on compliance oversight; (b) developing protocols for regular meetings with compliance and management personnel, and reporting key compliance activities to the board or committee; and (c) setting a regular schedule for the board to review and assess risk.

Minutes. Board minutes should reflect efforts to establish, implement, and continually monitor key compliance matters, and should include management reports on risks and compliance issues.

Board Education. Provide annual (at least) education to board members on their duties regarding compliance oversight and on the substantive regulatory areas the board is responsible for overseeing. This is especially important in health care, where the regulatory landscape changes quickly and human safety is a risk.

Board Member Expertise. Ensure board composition includes necessary expertise, or the board has access to necessary expertise. This will assist the board with risk identification, assessment, and knowing which questions to ask company management.

Culture Development. The board should put management on notice that it takes compliance seriously and expects compliance accountability across the organization. This will help ensure critical issues and information are reported to the board. Education efforts and properly staffing the board may help foster a strong culture for compliance.

Conclusion

The ultimately $9 billion Theranos fraud demonstrates a corporate board’s vital role in compliance oversight. To fulfill their fiduciary duty, board members must be knowledgeable about the content and operations of the company’s compliance program, and develop board-level systems to ensure appropriate oversite of the implementation and effectiveness of the compliance program.

---

---

[i] See, e.g., Idaho Code §§ 30-29-830, 30-30-618.

[ii] United States Sentencing Commission, Guidelines Manual (“USSG”), §8B2.1(b)(2)(A) (Nov. 2018)

[iii] See In re Caremark Int’l Inc. Deriv. Litig., 698 A.2d 959 (Del. Ch. 1996).

[iv] Id.

[v] Marchand v. Barnhill, 212 A.3d 805 (Del. 2019).

[vi] See Caremark Liability for Regulatory Compliance Oversight, Harvard Law School Forum on Corporate Governance and Financial Regulation, Gail Weinstein, Warren S. de Weid, and Philip Richter (July 8, 2019) (available at https://corpgov.law.harvard.edu/2019/07/08/caremark-liability-for-regulatory-compliance-oversight/#respond) and Practical Guidance for Health Care Governing Boards on Compliance Oversight, Office of Inspector General, U.S. Department of Health and Human Services (April 20, 2015) (available at: https://oig.hhs.gov/compliance/compliance-guidance/docs/Practical-Guidance-for-Health-Care-Boards-on-Compliance-Oversight.pdf).