Monday, May 22, 2017

Practicing Telemedicine Across State Borders: New Expedited Licenses Permit Physicians to Expand Practice

By: Marki Stewart

In a watershed moment for the expansion of telemedicine, the Interstate Medical Licensure Compact Commission is now processing applications to allow physicians to practice telemedicine across state lines with greater ease.  Nineteen states have passed legislation to adopt the Interstate Medical Licensure Compact, which allows physicians to obtain a license to practice medicine in any Compact state through a simplified application process.  Under the new system, participating state medical boards retain their licensing and disciplinary authority, but agree to share information essential to licensing, creating a streamlined process.

The Federation of State Medical Boards’ President and CEO, Humayun Chaudhry, DO, MACP, called the Compact a “milestone” for medical regulation in the United States.  “The launch of the Compact will empower interested and eligible physicians to deliver high-quality care across state lines to reach more patients in rural and underserved communities. This is a major win for patient safety and an achievement that will lessen the burden being felt nationwide as a result of our country’s physician shortage.”

States currently participating in the Compact are Idaho, Montana, Wyoming, Nevada, Arizona, Utah, Colorado, South Dakota, Kansas, Minnesota, Iowa, Wisconsin, Illinois, Mississippi, Alabama, West Virginia, Pennsylvania, New Hampshire, and Nebraska.  Seven additional states have proposed legislation to adopt the Compact, including Washington, D.C.

Most states require a physician to obtain a license to practice medicine in each state where the patient is located at the time of the physician-patient encounter.  Prior to adoption of the Compact, obtaining licensure in a given state was an oppressive task, requiring the physician to complete lengthy applications, submit required documentation, pay fees, and pass examinations.  This proved to be a burdensome restriction for physicians practicing telemedicine, where patients may be located in any state at the time of the physician-patient encounter.  Licensing requirements were identified as a significant barrier to the expansion of telemedicine, prompting introduction of the Compact.

Physicians are eligible to apply for the Compact license if they possess a full and unrestricted license to practice medicine in a Compact state and have not been disciplined by any state medical board, among other requirements.  To apply, the physician must designate a Compact state as the “state of principal licensure” and select the other Compact states in which they would like to become licensed.  The state of principal licensure will verify the physician’s eligibility and provide credential information to the Interstate Commission.  The Interstate Commission then collects applicable fees and transmits the physician’s information to the additional states, where the licenses will then be granted.

Participation in the Compact creates another pathway for licensure, but does not otherwise change a state’s existing Medical Practice Act.  Physicians located in a state that has not adopted the Compact may still obtain licensure in other states through the ordinary licensure process.

Marki Stewart is an attorney at Dickinson Wright, LLP, in the Las Vegas office, specializing in health care law.  Marki’s practice focuses on representing physician groups, hospitals, and other health care providers and suppliers with a variety of regulatory issues, including fraud and abuse laws, reimbursement, and the unique legal issues surrounding telemedicine.  Marki may be reached at 602-889-5334. 

This blog was originally posted May 11th, The University of Arizona; Arizona Telemedicine Program.

Monday, May 15, 2017

Wireless Healthcare Services Provider’s $2.5m Settlement Demonstrates Why Understanding HIPAA Requirements Is a Must

By:  Sara Jodka

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced a $2.5 million Health Insurance Portability and Accountability Act of 1996 (HIPAA) settlement with CardioNet, which is a company that provides remote mobile monitoring of and rapid response to patients at risk for cardiac arrhythmias. The settlement is based on CardioNet’s impermissible disclosure of unsecured electronic protected health information (ePHI).  

This settlement is noteworthy for two reasons. First, the monetary size of the settlement figure, which is $2.5 million, is staggering. Second, it is the first settlement involving a wireless healthcare services provider. 

The circumstances that led to the settlement are that in January 2012, CardioNet reported to OCR that an employee’s laptop, which contained the electronic protected health information (ePHI) of individuals, was stolen from the employee’s car. OCR’s investigation showed that CardioNet had insufficient risk analysis and risk management processes in place when the ePHI was stolen. The investigation also revealed that CardioNet’s policies and procedures designed to meet the standards of the HIPAA Security Rule had not been implemented at the time of the theft and were only in draft form. CardioNet was also unable to show OCR it had adopted any final policies or procedures regarding the implementation of safeguards for ePHI, including any for mobile devices. 

As we have written about before, mobile devices and healthcare employees that telecommute remain two areas in the healthcare industry that are particularly vulnerable to loss. A business’ failure to implement mobile device security makes sensitive ePHI easy for the taking and a company’s disregard for or failure to follow HIPAA’s rules can lead to significant fines and brand reputation distrust.  Applies whether or not healthcare services are provided at a facility or not.
Please feel free to contact Sara Jodka (Of Counsel) in our Columbus office at 614-744-2943.


Monday, May 8, 2017

Settlement Highlights Need for HIPAA-Covered Entities to Have Business Associate Agreements in Place with PHI Vendors

By:   Sara Jodka

The Department of Health and Human Services’ Office for Civil Rights (ORC) announced an agreement to settle possible Health Insurance Portability and Accountability Act (HIPAA) violations with The Center for Children’s Digestive Health (CCDH). 

This settlement is worth noting is because it highlights the need for HIPAA-covered entities to obtain signed HIPAA-compliant business associate agreements (BAA) with all vendors prior to disclosing any protected health information. 

The settlement stemmed from an August 13, 2015 HIPAA compliance review of CCDH following an investigation of FileFax Inc., which was a vendor CCDH contracted with to store CCDH’s inactive patient records. The FileFax investigation revealed that it had not signed a business associate agreement with CCDH before CCDH turned over its patients’ protected health information (PHI). OCR’s subsequent compliance review of CCDH confirmed the same thing – no pre-PHI-disclosure vendor agreement between CCDH and FileFax. As a result, CCDH had impermissibly disclosed paper records relating to 10,728 patients to FileFax without officially advising FileFax, by means of a BAA, of its responsibilities to safeguard patient data in violation of HIPAA Rules. 

CCDH also failed to receive from FileFax any HIPAA-compliant assurances indicating that FileFax had implemented appropriate safeguards to ensure the confidentiality, integrity, and availability of PHI prior to CCDH’s disclosure.–is this correct–what did CCDH disclose? 

The investigation revealed that FileFax had been storing CCDH’s PHI since 2003, but the earliest BAA was dated October 2015. The issue: HIPAA-covered entities are only permitted to disclose the PHI of patients to business associates via an agreement ensuring proper protection of the PHI. In particular, any BAA must explain the business associate’s responsibilities to ensure PHI is secured and safeguards are implemented to prevent unauthorized disclosures. The business associate must also be advised of the allowable uses and disclosures of PHI and must agree not to use or disclose any PHI unless required to do so under the terms of the BAA or as required by law. 

The business associate must also notify the covered entity in the event that any PHI is accessed or disclosed along within the deadline time for doing so. The BAA must advise the covered entity that the failure to comply with HIPAA Rules can result in financial penalties being issued.

As part of the settlement, CCDH agreed to pay OCR $31,000 to resolve the potential HIPAA violations and to adopt a corrective action plan that includes updating policies and procedures, conducting staff training on those policies and procedures and ensuring employees are responsible for obtaining HIPAA-compliant BAAs from all business associates.
Please feel free to contact Sara Jodka (Of Counsel) in our Columbus office at 614-744-2943.

Thursday, April 27, 2017

Caution as to Compensation Paid by Professional Corporations

By: Ralph Levy
Of Counsel, Nashville

Two recent Tax Court cases raise caution flags as to the deductibility of shareholder
compensation by medical, dental and other professional practice groups organized as professional corporations (PCs) or professional associations (PAs) that are taxed as “C” corporations for federal tax purposes.  In each case, on audit, the IRS sought to disallow deductions for a portion of the compensation paid to the corporation’s shareholders and asserted that the payments should be treated by the payor “C” corporation as nondeductible dividends. 

In Brinks Gilson & Lione P.C. v Comm’r, T.C. Memo 2016-20, the Tax Court upheld accuracy-related penalties against an incorporated law firm taxed as a “C” corporation that had deducted all of its yearend bonuses paid to its attorney shareholders. As part of resolution of an audit prior to the initiation of an audit prior to the initiation of the Tax Court case, the law firm had agreed that a portion of the bonuses were not deductible. However, the audit resolution did not address whether accuracy-related penalties should be assessed against the law firm.
To read more of this interesting article that  is published in April's Healthcare Michigan April 26, 2017 - page 6, please click here, then scroll down to articles, then click on the pdf readable version, Caution as to Compensation Paid by Professional Corporations,  published in Healthcare Michigan, April 26, 2017.