Notice from Idaho Department of Correction re: Attorney-Client Visits

Idaho Supreme Court Response to COVID-19 Emergency

2020 National Conference of Bar Examiners Practice Analysis Report Available

The results of the 2020 Practice Analysis Survey conducted by the National Conference of Bar Examiners Testing Task Force are now available. Click below for the full report:

2020 Practice Analysis Report

Call for Nominations: 2020 Richard C. Fields Civility Award – Due Apr. 13

The Idaho State Bar Professionalism & Ethics Section and Concordia University School of Law present the Richard C. Fields Civility Award each year. Dick Fields was consistently recognized for his service, professionalism, and leadership within the Idaho State Bar and was known in the legal community as an advocate for civility in the practice of law. Dick received the Idaho State Bar’s Distinguished Lawyer Award in 2000 and chaired the Dean’s Advisory Council at Concordia Law since its inception in 2009, until his passing in April 2014. In honor of Dick’s memory and the legacy he left for future generations of lawyers in Idaho, this award is presented to an Idaho lawyer who demonstrates a commitment to professionalism and civility in the profession.

Previous recipients include:

  • 2014 – Hon. Mikel Williams
  • 2015 – Reginald Reeves
  • 2016 – William (Bud) Yost III
  • 2017 – Richard Hall
  • 2018 – Theodore Argyle
  • 2019 – Charles Homer

How do you nominate an individual?

Email your nomination to the Chair of the Idaho Professionalism and Ethics Section, Julianne Hall, JSH@Elamburke.com by April 13, 2020.

Who can nominate someone?

Anyone who knows and is familiar with the attorney. In the past, great nominations have been received from judges, legal assistants/paralegals, law clerks, and community members.

Who can be nominated?

Any attorney who primarily practices in Idaho, demonstrates a commitment to professionalism and civility, and is an example to his or her peers.

For the 2020 award, the selection committee kindly asks you to refrain from nominating an attorney posthumously or a member of the judiciary, even though both categories undisputedly include several qualified nominees.

What should the nomination include?

The composition of the nomination submission is up to the nominator. It can be a few sentences about the person being nominated and why he or she is qualified, or it can be a formal letter. Numerous people can get together and submit a nomination “packet” for one person, or each person can submit his or her own nomination. Information about activities the nominee has participated in and/or examples of conduct that you believe demonstrate a commitment to professionalism and civility is helpful.

2020 Idaho High School Mock Trial Competition Canceled

Idaho Court Filing Deadlines Extended Due to System Outage

A statewide, intermittent outage of the Idaho courts e-filing system may have prevented filers from completing their electronic submissions to the courts between 7:00 a.m. and 11:30 a.m. (Mountain time). If the filer did not receive an error message, no action is needed; however, if the filer did receive an error message and was unable to complete the submission, the filing can be resubmitted.

A Supreme Court Order to extend filing deadlines will be issued to accommodate filing issues due to the outage.

Please reach out to the Idaho Supreme Court Information Division Service Desk at 208-334-3868 or service@icourts.net if you are experiencing issues with drafting, submitting, or viewing the status of filings.

Christian Slater Makes Everything More Interesting: Cyberhackers in the Age of Telehealth

By Keely E. Duke and Elizabeth D. Sonnichsen

The Wolf, a brilliant four-part advertising campaign by Hewlett-Packard, depicts Christian Slater hacking into a business by targeting an unsuspecting employee who is enticed to print a counterfeit spa gift card on her birthday.[i] This seemingly innocent act results in unfettered access to details of a major acquisition through an unsecured printer.

https://www.youtube.com/watch?v=ZUP4ib5FzGs

Once granted access to these documents, Slater looks deadpan at the camera and states: “First, I got control of their printers, then I got control of their network, then I got control of their data. And now, this. All the juicy details of a major acquisition. These guys are in for a really bad day.”

Instances of these “really bad days” are on the rise across the nation, with healthcare ranking as the most targeted industry in 2018, accounting for 25% of the total across all industries affected.[ii] One area of particular concern is telehealth, a segment of the healthcare industry that applies new technology to both patient and provider use.

Telehealth is increasing substantially, especially in rural areas, with the number of users growing by as much as 643% nationally.[iii] It is a perfect target for these attacks. To guard against them, it is important to understand why telehealth is a target for cyberattacks, how the government is responding, what litigation is occurring in the telehealth realm, and what steps telehealth providers and healthcare litigators can take to protect patients’ information.

Telehealth: An Enticing Target

Cyberattacks are prevalent in telehealth because health information is often accessed via applications on smartphones and tablets, which are easily lost or stolen, making the data stored on the devices particularly susceptible to risk. Nationwide, more than 80% of physicians use mobile technology to provide patient care and more than 25% of commercially insured patients use mobile applications to manage their health.[iv] This mobility has many benefits, including increasing patient access to healthcare and specialists, timely communication of test results and care plans, and improving continuity of care.

This is particularly true in rural Idaho. Recognizing the many benefits of telehealth, the Idaho Telehealth Council developed and passed the Idaho Telehealth Access Act in 2015, which allows for patient-provider relationships to be established without an in-person visit using two-way audio and video communication and allows prescription drug orders to be issued using telehealth services.[v]

While such access has many positives, the risks associated with hacks of such communications and data exchanges are prevalent. For example, in 2015 alone, 113 million healthcare records were maliciously accessed through either a breach of hospital systems or hacking into telemedicine systems.[vi] Idaho, with its growing population and vast rural areas, is a target for such telehealth cyberattacks.

Hospital data security breaches can cost a single hospital as much as $7 million in fines, litigation, and damaged reputation.[vii] The healthcare industry lags behind other industries in securing data often because of the considerable capital necessary to protect hospital systems. Hospitals vary significantly in their prioritization of cybersecurity—70% of hospital boards include cybersecurity in their risk management oversight while only 37% of hospitals perform annual incident response exercises.[viii]

As such, cybercriminals are highly active in targeting healthcare organizations, especially when electronic records can be sold online for $10-$50 each—about 10 to 20 times the value of a U.S. credit card number—making them an easy and profitable target for hackers.[ix] Furthermore, by targeting telehealth as opposed to bank records or email, a cybercriminal’s use of healthcare records upends the feeling of safety that a user of telehealth may have.

Telehealth Cybersecurity Litigation

Not surprisingly, the case law related to cybersecurity and the fraud connected to it is in its infancy. Across the nation, in cases examining situations where a party’s information is fraudulently obtained by a hacker, the evolving case law suggests that the party in the best position to avoid the fraud bears the loss.[x] That said, the causes of action related to a data breach have deep roots in state law – negligence and gross negligence, among others – with the potential for punitive damages if the telehealth provider or hospital willfully and recklessly failed to put certain safeguards into place.

When a telehealth provider acts reasonably using the suggested safeguards, a plaintiff may face a difficult hurdle in meeting her burden. In addition to the question of standing, she must also present facts that the telehealth provider’s actions were outside the standard of care—a constantly moving target.

In Attias v. CareFirst, Inc., the United States Supreme Court was presented with the opportunity to establish precedent regarding a plaintiff’s burden as to harm suffered from a data breach.[xi] Instead, the Court denied Maryland-based CareFirst Blue Cross Blue Shield’s request to review the D.C. Circuit’s ruling that, despite not suffering any actual harm from a data breach, the affected customers could pursue a class action lawsuit against the insurer based on their personal information being exposed.

To date, there is no clear precedent as to whether an individual who pleads that her data was exposed in a breach may maintain a lawsuit against a company when there is no actual harm. In the absence of a precedent at the federal level, states must take the lead in applying cybersecurity laws as they relate to data security statutes, breach notification statutes, and statutory developments.

The Government’s Response to “The Wolf”

In 2015, Congress enacted The Cybersecurity Act of 2015, which has three healthcare-specific provisions. These provisions include the development of (1) a plan within each division of the Department of Health and Human Services spelling out responsibilities for addressing cyberthreats in the healthcare sector; (2) a Health and Human Services industry task force to examine, among other things, the cyber challenges facing the healthcare sector, as well as lessons the sector can learn from other industries; and (3) a common set of voluntary consensus-based guidelines, best practices, and methodologies to help healthcare organizations better address cyberthreats.[xii]

In addition, developers and manufacturers of mobile health applications and devices that support telehealth services must comply with multiple privacy and security regulations promulgated by various federal agencies, which are as follows:

  • The Food and Drug Administration has established regulations regarding the safety and effectiveness of hardware and software of telehealth devices and mobile medical applications.[xiii]
  • The Federal Communications Commission is working to raise awareness about the value of broadband in healthcare sectors through its Connect2Health Task Force. The task force identifies regulatory barriers and incentives to build stronger partnerships with public and private stakeholders in the areas of telehealth, mobile applications, and telemedicine to accelerate the adoption of advanced healthcare technologies.[xiv] The task force promotes effective policy and regulatory solutions and works to strengthen the nation’s telehealth infrastructure through its Rural Health Care Program and other initiatives.
  • The Federal Trade Commission has established regulations requiring disclosures about the collection and use of consumer data in order to prevent false, misleading, and deceptive trade practices; it has provided a privacy-by-design framework for protecting mobile privacy and is currently examining healthcare competition, including regulatory barriers that prevent telehealth across state lines.[xv]
  • The Office of the National Coordinator for Health Information Technology has established regulations adopting standards and certification criteria for health information technology.[xvi]

While the Cybersecurity Act and these various regulations are a significant step in the right direction toward preventing and addressing cyberattacks in healthcare, the regulations often conflict and fall short of effecting actual change in procedural safeguards against such attacks. In addition, regardless of the regulations, cyberthreats are very difficult to prevent because telehealth applications remain capable of connecting to other medical devices, the internet or other networks, or portable media, all of which are vulnerable to cybersecurity threats. Cybersecurity breaches continue to rise, with the top five causes being phishing, network intrusion, inadvertent disclosure, stolen devices, and system misconfiguration, in that order.[xvii]

Defending Against “The Wolf”

From our clients’ perspective, the FDA recommends that telehealth application developers provide security controls to maintain the confidentiality, integrity, and availability of information stored in telehealth apps.[xviii] Telehealth providers should create an infrastructure that provides for secure communications between providers and patients, allowing remote communication without reducing security. HIPAA guidance suggests the following for securing telehealth on mobile devices connecting to a network:

  • Performing regular risk assessments to ensure continued protection;
  • Conducting regular staff training on data privacy, security, and the latest threats, to develop a “risk aware” culture;
  • Tracking data to allow for a quick and easy forensic analysis after a cybersecurity attack;
  • Permitting network access to only those devices certified as having appropriate security controls;
  • Segregating personal and work data on bring-your-own devices, permitting the easy deletion of protected data without erasing personal files and contacts;
  • Considering data encryption for all data stored on mobile devices;
  • Disallowing the use of SMS messages to communicate Protected Health Information at work;
  • Allowing remote data erasure from a centrally controlled system;
  • Implementing and enforcing password policies on password length, composition, and validity period; and
  • Regularly scanning device security before any device is allowed to connect to a healthcare data network.[xix]

Regardless of these measures, however, one of the biggest hurdles to protecting healthcare information from hackers is the patients themselves. While patients should know that certain standard practices—such as having antivirus protection, using secure passwords, not visiting unprotected websites, and not opening links from unknown or suspicious senders—are crucial to preventing illegal access to their information, many patients do not take these precautions, leaving their data vulnerable. A handout reminding patients of these basic safeguards may help insulate the healthcare provider from the patient’s failure to protect his or her data.

As practitioners who represent patients, doctors, hospitals, or telehealth providers, we owe a duty not only to our clients but to all involved parties to ensure that when we receive records in litigation, we utilize the same safeguards we expect of our clients. The nature of our work allows us to accumulate highly sensitive information and, just like our clients, we are vulnerable to potential breaches. We should follow recommended practices when it comes to cloud computing and storage, email, WiFi, network security, physical security, mobile device management, and privacy notices and policies. These recommended practices include:

  • Implementing the data storage guidelines drafted under the Health Information Technology for Economic and Clinical Health Act;[xx]
  • Never clicking on unknown links in emails, even if the email is legitimate;
  • Never opening attachments from an unknown third-party;
  • Not giving out personal information over email unless it is completely secure;
  • Setting secure passwords and avoiding use of common words, phrases, or personal information as part of the passwords;
  • Updating passwords every 90 days;
  • Using encrypted sites—never email—to transfer protected health information;
  • Keeping your operating system, browser, anti-virus and other critical software up to date; and
  • Turning off the option to automatically download attachments in email.[xxi]

As a final note, there are cyber insurance policies available for attorneys and law firms and now is the time to add that insurance to provide coverage if “The Wolf” strikes.

Conclusion

“The Wolf” will always be after our clients’ data, but if our clients and our firms continue to take steps to improve security practices, we can keep him at bay. The opportunities that telehealth provides for members of our communities, as well as for our clients, are incentive enough to work through the regulations and potential threats of litigation. These efforts will limit the “really bad days” and promote important access to healthcare across all of Idaho.


Keely E. Duke is an attorney and managing member of Duke Scanlan Hall PLLC in Boise. She has dedicated her career to defending companies, employers, and individuals in complex litigation. She received her J.D. from Willamette University College of Law and was admitted to the Idaho State Bar in 1999.

Elizabeth D. Sonnichsen is an associate attorney with Duke Scanlan Hall PLLC in Boise. She worked as a civil litigation attorney in California prior to joining Duke Scanlan Hall. She received her law degree from the University of Idaho College of Law and was admitted to the Idaho State Bar in 2014.


[i] Acord, Lance. “The Wolf.” https://vimeo.com/223119985

[ii] Hoffman, Craig, Managing Enterprise Risks in a Digital World, Privacy, Cybersecurity, and Compliance Collide, BakerHostetler 2019 Data Security Incident Report

[iii] Kent, Jessica, Research Shows Telehealth Service Use, Availability on the Rise, mHealth Intelligence, (Mar. 26, 2018), https://mhealthintelligence.com/news/research-shows-telehealth-service-use-availability-on-the-rise

[iv] Press Release, Healthcare Info. & Mgmt. Sys. Soc’y Analytics, HIMSS Analytics 2013 Mobile Technology Survey Examines mHealth Landscape (Feb. 26, 2014), http://bit.ly/1uBlbFa; Matt Mattox, 10 Key Statistics about mHealth (Jan. 15, 2013), http://bit.ly/1lwaaFr.

[v] I.C. § 54-5700, et seq.

[vi] HIPAA Journal, OCR Issues Crosswalk Between NIST Cybersecurity Framework and HIPAA Security Rule, http://www.hipaajournal.com/ocr-issues-crosswalk-between-nist-cybersecurity-framework-and-hipaa-security-rule-832

[vii] Berg, Nate, Hackers Have Figured Out How Easy it is to Take Down a Hospital, Splinter (Mar. 10, 2016), http://splinternews.com/hackers-have-figured-out-how-easy-it-is-to-take-down-a-1793855277

[viii] Jalali, Mohammad S., PhD, and Jessica P. Kaiser, Cybersecurity in Hospitals: A Systematic, Organizational Perspective, Journal of Medical Internet Research, https://www.ncbi.nlm.nih.gov/pmc/articles/PMC5996174/

[ix] Humer, C. & Finkle, J. Your Medical Record is Worth More to Hackers (Sept. 24, 2014) http://www.reuters.com/article/us-cybersecurty-hospitals-idUSKCN-0HJ2I20140924

[x] See, e.g., Arrow Truck Sales, Inc. v. Top Quality Truck & Equip., Inc., 8:14-CV-2052-T-30-TGW, 2015 WL 4936272 at *3 (M.D. Fla. Aug. 18, 2015); Beau Townsend Ford Lincoln, Inc. v. Don Hinds Ford, Inc., 17-4177, 2018 WL 6181643 at *5 (6th Cir. Nov. 28, 2018); Bile v. RREMC, LLC, 3:15CV051, 2016 WL 4487864 at *10 (E.D. Va. Aug. 24, 2016).

[xi] Attias v. CareFirst, Inc., 865 F.3d 620, 623, 431 U.S.App.D.C. 273, 276 (D.C. Cir. 2017).

[xii] Kolbasuk McGee, Marianne, Analysis: Cybersecurity Law’s Impact on Healthcare: HIMSS Legislative Expert Outlines Key Provisions and Their Implications, GovInfoSecurity (Dec. 22, 2015), http://www.govinfosecurity.com/interviews/analysis-cybersecurity-laws-impact-on-healthcare-i-3027.

[xiii] Policy for Device Software Functions and Mobile Medical Applications – Guidance for Industry and Food and Drug Administration Staff, (Sept. 20, 2019), https://www.fda.gov/media/80958/download

[xiv] Telehealth, Telemedicine and Telecare: What’s What?, Connect2Health FCC Consumer Tips https://transition.fcc.gov/cgb/c2health/c2h-telemedicine-telehealth-telecare-tipsheet.pdf

[xv] Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Business and Policy Makers, FTC Report, March 2012, https://www.ftc.gov/sites/default/files/documents/reports/federal-trade-commission-report-protecting-consumer-privacy-era-rapid-change-recommendations/120326privacyreport.pdf

[xvi] 81 FR 72404

[xvii] Hoffman, Craig, Managing Enterprise Risks in a Digital World, Privacy, Cybersecurity, and Compliance Collide, (Apr. 5, 2019), https://www.lexology.com/library/detail.aspx?g=5d04c72c-0e7a-479e-9db4-861840c6a224

[xviii] Klein, Sharon, Esq. and Jee-Young Kim, Esq. Telemedicine and Mobile Health Innovations Amid Increasing Regulatory Oversight, https://www.aamc.org/system/files/c/2/386042-telemedicineandmobilehealthinnovationsamidincreasingregulatoryi.pdf

[xix] HIPAA Guidelines on Telemedicine, HIPAA Journal, https://www.hipaajournal.com/hipaa-guidelines-on-telemedicine/

[xx] 45 CFR Part 160; HIPAA Administrative Simplification: Enforcement

[xxi] Department of Homeland Security, Protect Myself from Cyber Attacks, (Sept. 20, 2019) https://www.dhs.gov/how-do-i/protect-myself-cyber-attacks

Beware Laws Affecting Healthcare Transactions

By Kim C. Stanger

Attorneys risk substantial fines, malpractice claims, and even jail time for violating any of several laws implicated in even simple healthcare transactions.  Federal and state healthcare laws potentially affect any financial transaction involving healthcare providers, including employment or service contracts, group compensation structures, investment interests and joint ventures, leases for space or equipment, marketing programs, and patient billing practices.  Failure to comply may result in significant fines and penalties for clients as well as malpractice claims—or worse—against their lawyers.  This article describes several statutes and regulations that can be traps for the unwary in healthcare transactions.

Federal Anti-Kickback Statute (“AKS”)

The federal AKS prohibits anyone from knowingly and willfully soliciting, offering, receiving, or paying any form of remuneration to induce referrals for any items or services for which payment may be made by any federal healthcare program unless the transaction is structured to fit within a regulatory exception.[i]  An AKS violation is a felony punishable by up to 10 years in prison, a $100,000 criminal penalty, a $100,000+ civil penalty, treble damages, and exclusion from participating in the Medicare or Medicaid programs.[ii]  An AKS violation is also a per se violation of the federal False Claims Act,[iii] which exposes defendants to mandatory self-reports and repayments, additional civil penalties of $11,000+ to $22,000+ per claim, treble damages, private qui tam lawsuits, and costs of suit.[iv]

The AKS is very broad: it applies to any form of remuneration, including compensation, kickbacks, items or services for which fair market value is not paid, business opportunities, perks, or anything else of value offered in exchange for referrals.  Consequently, it potentially affects any transaction between healthcare providers and any other potential referral source, including but not limited to their patients, employers, partners, or other providers.  It applies to persons on both sides of the transaction:  those who offer, solicit, pay, or receive the prohibited remuneration, including healthcare providers, managers, patients, vendors, and their attorneys.[v]

Despite its breadth, the AKS does have limitations.  First, it only applies to referrals for items or services payable by government healthcare programs such as Medicare or Medicaid.  If the parties to the arrangement do not participate in government programs or are not in a position to make referrals relating to government programs, then the statute should not apply.  Second, the statute does not apply if the transaction fits within specified statutory or regulatory “safe harbors.”[vi]  For example, exceptions apply to employment or personal services contracts, space or equipment leases, investment interests, and certain other relationships so long as those transactions are structured to satisfy each of the requirements relevant to the safe harbor.[vii]

Because the AKS is an intent-based statute, a violation might not occur even if the parties do not fit within a regulatory safe harbor; however, in that case, the test becomes whether “one purpose” of the remuneration is to induce referrals—a difficult standard to defend against.[viii]  If the parties cannot fit within a regulatory safe harbor, they may obtain an advisory opinion from the Office of Inspector General (“OIG”) concerning the proposed transaction.  Past advisory opinions are published on the OIG’s website, https://www.oig.hhs.gov/compliance/advisory-opinions/index.asp, and may provide guidance for others seeking to structure a similar transaction.

Eliminating Kickbacks in Recovery Act (“EKRA”)

EKRA was recently passed in response to the opioid epidemic and generally prohibits soliciting, receiving, paying, or offering any remuneration in return for referring a patient to a laboratory, recovery home, or clinical treatment facility unless the arrangement fits within limited regulatory exceptions.[ix] Violations are punishable by up to 10 years in prison and a $200,000 criminal fine.[x] Unlike the AKS, EKRA applies to claims payable by private as well as government payers.

Idaho Anti-Kickback Statute

Idaho has its own anti-kickback statute which prohibits paying or receiving a payment in exchange for referrals for healthcare services, or providing services with the knowledge that the patient was referred in exchange for a payment.[xi]  Violations may result in a $5,000 civil penalty.[xii]  Significantly, the Idaho AKS is broader than the federal statute:  it extends to payments to induce referrals for any healthcare services, not just those payable by federal programs.  And unlike the federal AKS, the Idaho AKS does not come with any regulatory safe harbors.  Fortunately, however, there do not appear to be any reported cases in which the Idaho AKS has been enforced.

Idaho Fee Splitting Statutes

Idaho professional licensing acts may also prohibit fee splitting or other conduct relevant to transactions.  For example, the Idaho Medical Practices Act prohibits “[d]ividing fees or gifts or agreeing to split or divide fees or gifts received for professional services with any person, institution or corporation in exchange for referral.”[xiii]  Depending on how broadly the relevant licensing board decides to interpret the statute, it may prohibit certain remunerative relationships as well as investment interests in provider practices.  Violations may result in adverse licensure action.

Ethics in Patient Referrals Act (“Stark”)

The federal Stark[xiv] law prohibits physicians[xv] from referring patients for certain designated health services (“DHS”)[xvi] payable by Medicare to entities with which the physician (or a member of the physician’s family) has a financial relationship unless the transaction fits within a regulatory safe harbor.[xvii]  Unlike the AKS, Stark is exclusively a civil statute: violations may result in civil fines ranging up to $25,000+ per violation and up to $170,000+ per scheme in addition to self-reporting and repayment of amounts received for services rendered per improper referrals.[xviii]  Repayments can easily run into thousands or millions of dollars.  In addition, Stark law violations result in False Claims Act violations, thereby triggering the additional penalties and threat of qui tam suits discussed previously.

Unlike the AKS, Stark is a strict liability statute; it does not require intent, and there is no “good faith” compliance.  If triggered, Stark applies to any type of direct or indirect financial relationship between physicians or their family members and a potential provider of DHS, including any ownership, investment, or compensation relationship.[xix]  Thus, the statute applies to everything from ownership or investment interests to compensation among group members to contracts, leases, joint ventures, waivers, discounts, professional courtesies, medical staff benefits, or any other transaction in which anything of value is shared with referring physicians or their family members.

Like the AKS, Stark contains numerous safe harbors applicable to many common financial relationships;[xx] the parties must carefully structure their arrangements to fit within an applicable safe harbor if there are to be DHS referrals from the physician. And as with the AKS, parties contemplating a suspect transaction may seek an advisory opinion, in this case from the Centers for Medicare & Medicaid Services (“CMS”). The CMS advisory opinions are published at https://www.cms.gov/Medicare/Fraud-and-Abuse/PhysicianSelfReferral/advisory_opinions/.

Idaho Stark Law?

Idaho does not have a statute similar to Stark, but Idaho Medicaid regulations allow the Department of Health and Welfare to “deny payment for any and all claims it determines are for items or services … provided as a result of a prohibited physician referral under [Stark,] 42 CFR Part 411, Subpart J.”[xxi]  The net effect is that a Stark law violation may result in penalties and repayments under Idaho regulations as well as federal law.

Civil Monetary Penalties Law (“CMPL”)

The federal CMPL is a broad statute that, among other things, prohibits certain transactions that have the effect of increasing utilization or costs to federally funded healthcare programs or improperly minimizing services to beneficiaries.[xxii]  For example, the CMPL prohibits offering or providing inducements to a Medicare or Medicaid beneficiary that are likely to influence the beneficiary to order or receive items or services payable by federal healthcare programs, including free or discounted items or services, waivers of copays or deductibles, etc.[xxiii]  This law may affect healthcare provider marketing programs as well as contracts or payment terms with Medicare or Medicaid patients.[xxiv]

The CMPL also prohibits hospitals from making payments to physicians to induce the physicians to reduce or limit medically necessary services covered by Medicare.[xxv] Thus, the CMPL usually prohibits so-called “gainsharing” programs in which hospitals split cost savings with physicians.[xxvi] Finally, the CMPL prohibits submitting claims to federal healthcare programs based on items or services provided by persons excluded from those programs.[xxvii] As a practical matter, the statute prohibits healthcare providers from employing or contracting with persons or entities who have been excluded from participating in federal healthcare programs.[xxviii] Violations of the CMPL may result in administrative penalties ranging from $5,000+ to $100,000+ per violation depending on the conduct involved.[xxix]

HIPAA[xxx] Privacy and Security Rules

The HIPAA privacy rules prohibit most healthcare providers, health plans (including employee group health plans that are administered by third parties or have more than 50 participants), and their “business associates”[xxxi] from using, disclosing, or selling protected health information (“PHI”) without the patient’s authorization unless certain exceptions apply.[xxxii]  The HIPAA security rule requires covered entities and business associates (including lawyers who receive PHI from or on behalf of their healthcare client) to implement certain administrative, technical and physical safeguards to protect electronic PHI.[xxxiii]  HIPAA violations may result in fines of $119+ to $59,000+ per violation; violations involving “willful neglect” are subject to a mandatory fine of $11,000+ to $59,000+ per violation.[xxxiv]

A separate violation exists for each individual affected by the violation and/or each day that the covered entity or business associate fails to satisfy a required standard[xxxv]; accordingly, penalties can rack up very quickly.  To make matters worse, covered entities and business associates must voluntarily self-report breaches of unsecured PHI to affected individuals and the government, thereby increasing the potential for HIPAA sanctions.[xxxvi]

If you are handling a transaction involving covered entities and/or their business associates (e.g., services contracts, sales contracts, practice acquisitions, etc.), chances are you will need to consider and address HIPAA requirements in your transaction.  Among other things, covered entities must execute business associate agreements (“BAAs”) with their business associates that require the business associate to comply with HIPAA conditions; the BAAs themselves must contain required terms.[xxxvii]

Similarly, business associates must execute BAAs with their subcontractors.[xxxviii]  Accordingly, BAAs have become ubiquitous in the healthcare industry.  They even apply to lawyers who receive PHI in the course of providing services for clients.  Failure to properly structure BAAs or other PHI-related transactions exposes your clients—and you—to unanticipated HIPAA liability.

Medicare Reimbursement Rules

The Centers for Medicare & Medicaid Services (“CMS”) has promulgated volumes of rules and manuals governing reimbursement for services provided under federal healthcare programs.  The rules govern such items as when a healthcare provider may bill for services provided by another entity, supervision required for such services, and the location in which such services may be performed to be reimbursable.

In addition, the amount of government reimbursement may differ depending on how the transaction is structured, e.g., whether it is provided through an arrangement with a hospital or by a separate clinic or physician practice.  The rules concerning reimbursement and reassignment should be considered in structuring healthcare transactions if the entities intend to bill government programs for services or maximize their reimbursement under such programs.

Conclusion

The foregoing is only a brief summary of some of the more significant laws and regulations that may affect common healthcare transactions.  As in all cases, the devil is in the details (as well as the Code of Federal Regulations and CMS Medicare Manuals).  Attorneys who represent healthcare providers should review the relevant laws and regulations whenever structuring a healthcare transaction, especially if that transaction involves potential referral sources or implicates federal healthcare programs.


Kim C. Stanger is a partner in the Boise office of Holland & Hart, LLP, and the chair of the firm’s Health Law Group. His practice focuses exclusively on healthcare issues, including state and federal fraud and abuse laws, HIPAA, licensing, and other compliance or transactional matters.


[i] 42 U.S.C. § 1320a-7b(b).

[ii] 42 U.S.C. §§ 1320a-7 and 1320a-7b(b)(2)(B); 42 C.F.R. §§ 1003.300 and 1003.310.  The civil penalty is subject to an annual inflation-related increase.  45 C.F.R. § 102.3.

[iii] 42 U.S.C. § 1320a-7b(g); 31 U.S.C. § 3729.

[iv] 31 U.S.C. §§ 3729 and 3730; 42 U.S.C. §§ 1320a-7a and 1320a-7k(d); 28 C.F.R. §§ 85.5 and 1003.200(a) and (b)(k). The civil penalties are subject to inflation-related increases.  28 C.F.R. § 85.5.

[v] United States v. Anderson, 55 F. Supp. 2d 1163 (D. Kan. 1999).

[vi] 42 U.S.C. § 1320a-7b(3); 42 C.F.R. § 1001.952.

[vii] 42 U.S.C. § 1320a-7b(3); 42 C.F.R. § 1001.952.

[viii] United States v. Kats, 871 F.2d 105 (9th Cir. 1989); United States v. Greber, 760 F.2d 68 (3d Cir.), cert. denied, 474 U.S. 988 (1985).

[ix] 18 U.S.C. § 220(a).

[x] 18 U.S.C. § 220(a).

[xi] I.C. § 41-348.

[xii] I.C. § 41-327.

[xiii] I.C. § 54-1814(8).

[xiv] The Stark law is named for its congressional sponsor, United States Representative Fortney H. “Pete” Stark.  U.S. ex rel. Thompson v. Columbia/HCA Healthcare Corp., 125 F.3d 899, 900–901 (5th Cir. 1997).

[xv] “Physician” is defined as “a doctor of medicine or osteopathy, a doctor of dental surgery or dental medicine, a doctor of podiatric medicine, a doctor of optometry, or a chiropractor.”  42 C.F.R. § 411.351.

[xvi] “Designated health services” include clinical laboratory services; physical therapy, occupational therapy and speech-language pathology services; radiology and other imaging services; radiation therapy; durable medical equipment and supplies; prosthetics, orthotics, prosthetic devices and supplies; home health services; outpatient prescription drugs; inpatient and outpatient hospital services; and parenteral and enteral nutrients.  42 C.F.R. § 411.351.

[xvii] 42 U.S.C. § 1395nn; 42 C.F.R. § 411.353.

[xviii] 42 U.S.C. § 1395nn(g); 42 C.F.R. §§ 1003.300 and 1003.310.  The civil penalties are subject to an annual inflation adjustment.  45 C.F.R. § 102.3.

[xix] 42 C.F.R. §§ 411.351, 411.353, and 411.354.

[xx] 42 C.F.R. §§ 411.355 to 411.357.

[xxi] IDAPA 16.05.07.200.01.d.

[xxii] 42 U.S.C. § 1320a-7a.

[xxiii] 42 U.S.C. § 1320a-7a(a)(5); 42 C.F.R. § 1003.100(a).

[xxiv] See OIG Special Advisory Bulletin, “Offering Gifts and Other Inducements to Beneficiaries” (August 2002); OIG Special Fraud Alert, “Routine Waiver of Part B Co-Payments/Deductibles” (May 1991).

[xxv] 42 U.S.C. § 1320a-7a(b).

[xxvi] See, e.g., OIG Special Fraud Alert, “Gainsharing Arrangements and CMPs for Hospital Payments to Physicians to Reduce or Limit Services to Beneficiaries” (July 1999).

[xxvii] 42 U.S.C. § 1320a-7a(a)(1)(C) and (2).

[xxviii] OIG Special Advisory Bulletin, “The Effect of Exclusion from Participation in Federal Healthcare Programs” (Sept. 1999).

[xxix] 42 U.S.C. § 1320a-7a; 42 C.F.R. part 1003.  Many of the civil penalties are subject to annual inflation adjustments.  45 C.F.R. § 102.3.

[xxx] Health Insurance Portability and Accountability Act of 1996.

[xxxi] “Business associates” are generally those entities who create, maintain, use, access or transmit protected health information on behalf of a covered entity.  45 C.F.R. § 160.103.

[xxxii] 45 C.F.R. § 164.500 et seq.

[xxxiii] 45 C.F.R. § 164.300 et seq.

[xxxiv] 45 C.F.R. § 160.400 et seq.

[xxxv] 45 C.F.R. § 160.406.

[xxxvi] 45 C.F.R. § 164.400 et seq.

[xxxvii] 45 C.F.R. §§ 164.502(e) and 164.504(e).

[xxxviii] Id.

Update on Corporate Practice of Medicine Under Idaho Law

By Gabriel Hamilton

In 2016, the Idaho Board of Medicine abandoned its position that Idaho law prohibits physicians from being employed by non-physicians. The Board’s new position removes obstacles to non-physician investments in medical practices and other transactions that previously were prohibited by the Board’s enforcement of an antiquated rule known as the corporate practice of medicine doctrine (“COPM”).

COPM is enshrined in the laws of several states and prohibits a licensed physician from being employed by a person other than another licensed physician or a professional entity that is owned by other licensed physicians. This doctrine has, at best, scant support in Idaho law, and has historically been enforced solely by the Idaho Board of Medicine against physicians licensed in Idaho. The doctrine in Idaho was declared to be at death’s door in 2011 in an article in the Idaho Law Review by Michelle Gustavson and Nicholas Taylor.[i] In March 2016, the Idaho Board of Medicine ceased enforcing COPM.[ii] With this change in policy, the COPM doctrine no longer appears to have any relevance under Idaho law.

This article briefly reviews the history of COPM, the legal arguments the Board historically made to support COPM in Idaho, and the current state of the law following the Board’s 2016 decision.

History of the COPM Doctrine

The COPM doctrine’s history is tied to the development of organized medicine in the 19th and early 20th centuries.[iii] In particular, COPM is one of the principles that the American Medical Association advanced to organize licensed physicians and protect them from competition.[iv] COPM is sometimes defended as a rule to preserve the integrity of the physician-patient relationship or the integrity of the physician’s medical judgment. But from the outset, the COPM was primarily a rule intended to protect the physician’s pocketbook and only secondarily about protecting patients.[v]

Over time, some states have expressly incorporated COPM into their medical licensing statutes.[vi] Idaho statutes, however, do not codify COPM. Indeed, Idaho’s Medical Practice Act expressly prohibits natural persons from engaging in the unlicensed practice of medicine.[vii] The statute says nothing about whether the person practicing medicine is employed, nor does it state that a corporate employer of a physician is engaged in the unlicensed practice of medicine.[viii]

Worlton v. Davis

The pre-2016 Board of Medicine and other proponents of COPM have essentially relied on a single statement in a single Idaho Supreme Court case from 1952 as the foundation for asserting that COPM has a place in Idaho law. That case, Worlton v. Davis,[ix] held as follows: “[n]o unlicensed person or entity may engage in the practice of the medical profession through licensed employees; nor may a licensed physician practice as an employee of an unlicensed person or entity. Such practices are contrary to public policy.”[x]

The precedential value of Worlton, however, is suspect. First, the case involves facts under which a non-physician owner of a clinic exerted control via contract over the licensed physicians’ practice of medicine.[xi] The Worlton court found the contract in question void as against public policy without reference to the Idaho Medical Practice Act.[xii] Second, the Idaho Medical Practice Act has been amended and recodified substantially since the date of the Worlton decision, with the current statute dating from 1977.[xiii] Third, subsequently enacted Idaho statutes expressly allow several types of corporate entities to employ physicians, including hospitals, managed care organizations, public health districts, and home health agencies.[xiv]

These newer statutes appear to demonstrate that Idaho has no overriding public policy against the employment of physicians. Indeed, the concerns of the Worlton court regarding a non-physician influence over a physician’s medical judgment are better addressed through the Medical Practice Act’s prohibitions on the unlicensed practice of medicine and common contract provisions that preserve the independent medical judgment of physicians.[xv]

The Practice of Medicine Since Worlton

The world has changed since 1952. First, a 1975 case in the Second Circuit invalidated the AMA ethical standards that provided the basis for the adoption of COPM earlier in the century.[xvi] Second, many states have rescinded or ceased to enforce COPM.[xvii] Third, the practice of medicine by independent, physician-owned medical groups is increasingly rare. Many physicians are now directly employed by hospitals or managed care organizations or by medical groups that are wholly owned by a hospital or managed care organization. Fourth, the industry long ago developed a means to effectively evade COPM by placing a medical group’s hard assets and non-clinical staff, including business management, into one legal entity and the physicians into a second legal entity that contracts with the first entity for management services.

COPM does not bar non-physicians from owning shares of the management company, and such a bifurcated structure permits all of the revenue from the practice—net of physician’s salaries—to flow into the management company and out to the non-physician owners. The success of these structures over the decades amply demonstrates the irrelevance of COPM. In such arrangements, the contractual provisions serve to protect the physician’s independence and to ensure compliance with the Idaho Medical Practice Act and professional ethics.

2016 BOM Decision

The Idaho Board of Medicine’s decision in 2016 to abandon COPM was a much-anticipated development, and is consistent with the trend in other states towards the derogation or outright abrogation of COPM. COPM is an antiquated doctrine that has no sound basis in public policy, no firm basis in Idaho law, and has been widely repudiated by other states. If COPM was at death’s door when Gustavson and Taylor wrote their article in 2011, the Idaho Board of Medicine’s 2016 decision appears to have finished it off.

No new Idaho case law or legislation has appeared since 2016 that formally rescinds COPM for all purposes under Idaho law, but the consensus appears to be that the effect of any such legislation or case law would be merely to pound the final nail in the coffin.[xviii] As a practical matter, the Idaho Board of Medicine’s abandonment of COPM has opened the door in Idaho for non-physicians to invest in medical practices and for physicians to accept direct employment with any kind of employer.[xix]


Gabriel Hamilton is a partner at Holland & Hart and advises clients of all sizes on general corporate, transactional, and regulatory matters, with an emphasis on clients in the healthcare and insurance industries. He is a member of the Federation of Regulatory Counsel. Gabe has extensive experience working on mergers and acquisitions, new company formations, and joint ventures in the insurance and healthcare industries.


[i] Michelle Gustavson and Nick Taylor, At Death’s Door—Idaho’s Corporate Practice of Medicine Doctrine, 47 IDAHO L. REV. 480 (2011).

[ii] Kim Stanger, Idaho Board of Medicine Disavows the Corporate Practice of Medicine Doctrine (Sept. 23, 2016) https://www.hollandhart.com/idaho-board-of-medicine-disavows-the-corporate-practice-of-medicine-doctrine.

[iii] See, generally, Gustavson, note 2.

[iv] See Gustavson note 2 at 490–91.

[v] See id. at 492–3.

[vi] See id. at 498; see, e.g., Col. Rev. Stat. Section 12-240-138.

[vii] Idaho Code § 54-1803.

[viii] See also Gustavson, note 2 at 504-505 (refuting arguments that the Idaho Medical Practice Act somehow adopts COPM by “negative inference”).

[ix] 73 Idaho 217 (1952).

[x] Id. at 221.

[xi] Id. at 222.

[xii] Id. at 221.

[xiii] Idaho Medical Practice Act, ch. 199, 1977 Idaho Sess. Laws 536.

[xiv] See Gustavson, note 2, 511–17.

[xv] See also Gustavson, note 2, 509–10.

[xvi] Am. Med. Ass’n v. Federal Trade Comm’n, 638 F.2d 443 (2nd Cir. 1980); see Gustavson, supra note 2, 496–98.

[xvii] See Gustavson, note 2, 498–501.

[xviii] Kim Stanger, Non-Physicians Owning or Investing in Medical Practices in Idaho (Nov. 8, 2017) https://www.hhhealthlawblog.com/2017/11/non-physicians-owning-or-investing-in-medical-practices-in-idaho.html.

[xix] See id.

HIPAA: What All Attorneys Need to Know

By Lisa M. Carlson

Having a laptop or smartphone stolen makes for a very bad day.  Now imagine having to pay the federal government a seven-figure fine because that device contained protected health information (“PHI”) and was not encrypted. If your practice includes having access to health information, you may be subject to the stringent data protections imposed by the Health Insurance Portability & Accountability Act (“HIPAA”). With over $100 million in fines collected for HIPAA violations since 2003, the cost of non-compliance is demonstrably steep.[1] This article will discuss the components of HIPAA that lawyers are likely to encounter and provide an action plan to assist lawyers in remaining HIPAA-compliant.

Protecting PHI under HIPAA

Most people recognize that HIPAA requires a covered entity to safeguard protected health information.[2] However, obligations under HIPAA also extend to business associates of a covered entity. A business associate is generally defined as any person or entity who “creates, receives, maintains, or transmits” protected health information in the course of performing services on behalf of a covered entity.[3] Additionally, a subcontractor of a business associate that has access to PHI in performing services on behalf of a business associate will also be deemed a business associate for purposes of HIPAA compliance.[4]  This means that an attorney performing legal services for a covered entity or as a subcontractor of a business associate, where the legal services involve the access, use, or disclosure of PHI by the covered entity or business associate, will be deemed a business associate and must comply with HIPAA.

Penalties for HIPAA violations

HIPAA violations can lead to civil fines imposed by the U.S. Department of Health and Human Services, Office for Civil Rights, or even criminal penalties.[5] An attorney business associate’s non-compliance with HIPAA can not only lead to enforcement actions and fines imposed against the covered entity but can also subject the attorney to direct liability.[6] Fines can range anywhere from $119 to $58,000 per violation.[7]

Where a HIPAA violation stems from willful neglect, defined as “conscious, intentional failure or reckless indifference to the obligation to comply” with HIPAA, the Office of Civil Rights is obligated to impose monetary penalties on the offending individual or entity in an amount between $11,000 and $58,000 per violation.[8] A single misstep can result in multiple violations.[9] For example, loss of a laptop with the records of 500 individuals may constitute 500 violations. Similarly, if the violation is based upon the failure to implement a required policy or safeguard, each day of non-compliance may constitute a separate violation.

To avoid subjecting themselves or their clients to civil or criminal penalties for HIPAA violations, attorneys who handle PHI for covered entities or business associates should take the following steps to ensure compliance and safeguard against claims of willful neglect.

Execute a BAA with the covered entity

Covered entities are required to obtain written satisfactory assurances from any business associate wherein the business associate agrees to appropriately safeguard the PHI it receives or creates on behalf of the covered entity.[10] These written satisfactory assurances between a covered entity and business associate are referred to as a business associate agreement (“BAA”).

HIPAA specifies the minimum requirements that must be contained within a BAA.[11] At a minimum, HIPAA requires the business associate to maintain the privacy of PHI, limit the business associate’s use or disclosure of PHI to those purposes authorized by the covered entity, and require the business associate to assist the covered entity in responding to individual requests concerning their PHI.

An attorney business associate should watch for provisions in the BAA where the covered entity shifts the responsibility for responding to PHI requests to the attorney. For example, a covered entity may require the business associate to respond directly to an individual requesting access to their PHI or for an accounting of disclosures. This contractually assigned obligation can lead to direct liability imposed by the Office of Civil Rights if the attorney fails to comply with the individual’s request.[12] Arguably, an attorney’s compliance with this requirement could violate the attorney’s obligation to maintain client confidentiality.[13]

Some covered entities may also include additional provisions in their BAAs beyond those required by HIPAA. For example, a covered entity may require a business associate to have specific insurance limits or types (e.g., cyber insurance), indemnify and defend the covered entity for HIPAA violations, or pay for and provide notice of privacy breaches or security incidents to affected individuals. While these provisions are generally negotiable, an attorney business associate should consider whether BAA negotiations with a client create a professional conflict wherein the interests of the attorney are adverse to those of the client.[14]

Execute a BAA with subcontractors

A business associate is required to obtain a BAA from any subcontractor the business associate utilizes to assist with performing services on behalf of a covered entity that will have access to PHI.[15] Therefore, if an attorney business associate enlists a person or entity, such as a jury expert or investigator, or even a cloud-based service provider, to assist with performing services on behalf of the covered entity, the attorney must execute a BAA with that subcontractor to ensure the subcontractor will also comply with HIPAA. The subcontractor then becomes a business associate themselves.[16]

Significantly, an attorney business associate can be liable for the HIPAA violations of their subcontractor if the attorney is aware of a pattern or practice of violations by the subcontractor and fails to act, or if the subcontractor is an agent (and not an independent contractor) of the attorney.[17] Therefore, an attorney business associate should take reasonable steps to remedy any known non-compliance by subcontractors.

Comply with Privacy & Security Rules

HIPAA’s Privacy and Security Rules set the standards for when PHI may be used and disclosed as well as those requirements that covered entities and business associates must implement to protect the confidentiality, integrity, and availability of electronic PHI.[18] Most of HIPAA’s Privacy Rule provisions do not apply directly to business associates, but instead apply indirectly, as a business associate is not permitted to use or disclose PHI in a manner that would violate HIPAA if done by the covered entity itself.[19] Generally, HIPAA prohibits a covered entity from using, accessing, or disclosing PHI without the individual’s valid, HIPAA-compliant authorization unless the use or disclosure fits within an exception.[20]

The Security Rule, on the other hand, expressly applies to business associates. It requires them to protect electronically stored PHI through implementation of specific administrative, physical, and technical safeguards.[21] Because the Office of Civil Rights can impose penalties on a business associate for non-compliance with the requirements of the Security Rule, it is important for attorney business associates to understand the obligations imposed by the Security Rule and to ensure strict compliance.[22]

With regard to obligations under the Privacy and Security Rules, attorney business associates often overlook the general processes they use to store and share client information, and how those processes should be adapted when the client information includes PHI. For example, a law firm may ordinarily store client data on a shared network drive, cloud service, or an unencrypted portable memory device. Additionally, they may utilize an unencrypted email service to transmit information within or outside the firm. While these general processes may be appropriate under general confidentiality standards applicable to attorneys, they may not comply with heightened obligations for safeguarding PHI under HIPAA. Understanding and adapting to risks associated with data and technology is also required by an attorney’s duty to provide competent representation.[23]

Respond to and report violations

A business associate must timely respond to or report HIPAA violations or data breaches to the covered entity.[24] These obligations are required to be set forth in the BAA between the covered entity and business associate.[25] A business associate will also generally be required to report to the covered entity any security incidents, which are defined to include the “attempted or successful unauthorized access, use, disclosure, modification, or destruction of PHI or interference with system operations in a PHI system.”[26] The covered entity is then obligated to make any necessary reports to individuals, the Department of Health and Human Services, or the media.[27] Significantly, the Office of Civil Rights has authority to impose penalties on a business associate for non-compliance with these notification requirements.[28]

An attorney business associate who is faced with a real or potential HIPAA violation, breach, or security incident should take prompt action to minimize the risk of data compromise. This will include timely notification to the covered entity, timely remediation of any remaining vulnerability (e.g., remote wiping of lost devices and recovery of improperly disclosed records), and compliance with other obligations pursuant to the BAA.

Cooperate with compliance investigations

HIPAA requires a business associate to comply with the federal government’s efforts to investigate complaints and ensure compliance. A business associate must permit the Office of Civil Rights to access “its facilities, books, records, accounts, and other sources of information, including protected health information, that are pertinent to ascertaining compliance.”[29] For an attorney business associate, this broad right to access by the Office of Civil Rights to documentation maintained by the firm can be problematic under the attorney’s duty of confidentiality owed to clients.[30] Attorneys may want to evaluate whether a prospective waiver from the client is necessary to protect against conflict between the obligation to cooperate with the Department of Health and Human Services and the professional obligation to safeguard information.

Additional considerations

The obligations imposed upon business associates are numerous and the consequences for non-compliance are significant. Before agreeing to be bound by a BAA and corresponding HIPAA requirements, attorneys should confirm they fit within the statutory definition as a business associate. While some covered entities and vendors take an ultra-conservative approach to HIPAA compliance by requiring all service providers to enter into a BAA, attorneys should exercise caution against subjecting themselves to HIPAA compliance unnecessarily.

If an attorney does qualify as a business associate under HIPAA, it is important to conduct a thorough risk analysis and determine those measures that will be necessary to ensure compliance not only with HIPAA, but also the attorney’s professional responsibilities in representing a covered entity and business associate clients. Finally, before executing a BAA, an attorney may want to confirm that their malpractice insurance carrier will provide appropriate coverage for any assumed obligations under the BAA.


Lisa M. Carlson is a healthcare and corporate law attorney in the Boise office of Holland & Hart, LLP. Her practice includes supporting hospitals, physicians, administrators, and business partners to implement effective strategies for legal compliance and risk mitigation. Outside of work, you will likely find her enjoying the great Idaho outdoors with her husband and three teenagers.


[1] Dep’t of Health & Human Servs., Enforcement Results as of Dec. 31, 2019, https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/index.html.

[2] A covered entity is generally defined to include health plans, health care clearinghouses, and health care providers. 45 C.F.R. § 160.103 (2013).

[3] Id. (defining “business associate”).

[4] Id. § 164.502(e).

[5] Id. § 160.400 et seq.; 42 U.S.C. § 1320d-6.

[6] DEP’T OF HEALTH & HUMAN SERVS., Direct Liability of Business Associates (May 24, 2019) https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/factsheet/index.html.

[7] 45 C.F.R. § 160.404. These numbers are adjusted annually and listed in the table found at 45 C.F.R. § 102.3.

[8] Id. §§ 160.401, 164.404, 102.3.

[9] Id. § 160.406.

[10] Id. §§ 164.308(b), 164.502(e).

[11] Id. § 164.504(e).

[12] See Id. § 164.502(a)(4)(ii).

[13] See Idaho Rule of Professional Conduct (I.R.P.C.) 1.6.

[14] See I.R.P.C. 1.8(h).

[15] 45 C.F.R. §§ 164.308(b)(2), 164.314(a)(2).

[16] Id. § 160.103.

[17] Id. § 164.504(e)(1).

[18] 45 C.F.R. §§ 160, 164.

[19] Id. § 164.502.

[20] Id.

[21] Id. § 164.300 et seq.

[22] 42 U.S.C. § 17931. See also note 6.

[23] See I.R.P.C. 1.1, cmt. 8.

[24] 45 C.F.R. §§ 154.410, 164.504(e)(2).

[25] Id.

[26] Id. § 164.304.

[27] Id. §§ 164.404, 164.406, 164.408.

[28] Id. § 164.410. See also note 6.

[29] 45 C.F.R. § 160.310(c)(1).

[30] See I.R.P.C. 1.6.