Critical Steps to Help Avoid Cybersecurity Attacks

hipaa securityBy: Gary Salman, Guest Contributor

Ransomware attacks are impacting the healthcare community’s HIPAA security at a staggering rate. If a practice has data stolen from their network and they did not report the breach to The Office of Civil Rights (OCR), they could be subject to massive fines for the lack of reporting. Specific steps must be followed to determine if ePHI (electronic protected health information) was compromised. This often involves hiring a forensics company and working with a Cybersecurity company to harden the practice’s infrastructure. When you are the victim of an attack once, you will mostly likely be a victim again because of vulnerabilities in your network that enabled the attack vector (or payload) to infiltrate your system. You cannot simply restore your data and hope for the best.Continue reading

The Case Against Cloning (Medical Records)

medical records cloning

medical records cloningBy: Jacqueline Bain

The transition from paper medical records to electronic medical records has brought with it many conveniences and some unintended consequences. One example of an unintended consequence is cloning in the medical record. Cloning is copying and pasting previously recorded information from a prior patient note into a new patient note.

Providing quality medical care is only one part of the job. Appropriately documenting that care in order to be paid for your efforts is another. And while medical professionals are trained at length to provide care, hardly any are aware of the potential pitfalls associated with improper documentation.

In late 2015, CMS advised that cloning “is a problem in health care institutions that is not broadly addressed.” CMS specified that cloning records may indicate fraud, waste and abuse in inquiries and audits and that each part of a “medical record must contain documentation showing the differences and the needs of the patient for each visit or encounter.”Continue reading

ACO Challenges Are Formidable

Final-ACO-RulesHanging this nation’s cost cutting/quality enhancing hopes on Accountable Care Organizations (ACOs) is bound to be frustrating and disappointing.  The ACO model seriously lacks sufficient real world grounding and is no magic pill.  Things like resources, operational capability and alignment (of financial incentives and direction) seem to have been overlooked or undervalued.

The ACO model is based on one fundamental assumption:  an expanded role of primary care physicians can slow cost increases and ensure better coordination of care.  That assumption is flawed for two reasons:  first, there is a large and growing primary care shortage; and second, the financial incentives in healthcare have driven a system based on acute, episodic interactions, leading to enormously fragmented clinical training and care.

We not only have inadequate resources to drive change away from acute, fee for services based care, but rather we lack resources that drive wellness. As one physician with a large hospital system recently said:  “We physicians are not trained to provide healthcare.  We’re trained to intervene when things go bad.”  Asking healthcare professionals and facilities to drive a model based on outcomes and resource consumption is theoretically possible, but a remarkable leap of faith (and training) is required, given they have made their livings off of sick people for so long.  That’s not to say that changing financial incentives from acuity to wellness and outcomes won’t work.  It’s just going to require training and proof that the players can make money with the new mandates.

As far as operations go, those with the greatest access to management, capital, IT and such are also the most expensive—hospitals.  It makes sense that the core objective of healthcare reform is to “squeeze the toothpaste tube” backwards from hospital to specialist to primary care physicians, but it’s a great leap of faith to expect that hospitals will or even can control costs.  In a healthcare system where providers admittedly are rewarded for doing more with more expensive things, the sharp turn required by the new law will require more than just a new law.  With all the current hospital-driven physician acquisitions, the increasing role of hospitals on the ACO issue looks at times more like turf guarding than any real cost-saving, quality enhancing move.

At the end of the day, all players have to answer the question “Did they reduce cost and enhance quality?”  It seems convincing that moving away from the fee for service model will change behavior.  We just need to make sure (1) there are sufficient resources to implement the change, and (2) financial and clinical issues are well balanced.  Time will tell, but meanwhile the current irony is that the most expensive link in the chain is best situated to actually operationalize the ACO concept.

Alignment is critical.  Financial alignment will require the players to believe they can all thrive in the new ACO model, yet physicians are historically leery of any hospital driven system.  In fact, given that hospitals are driving the ACO bus at the moment, the biggest fear among physicians is that they will be left out.  Even among physician-driven ACOs, the tension between primary care physicians and specialists is intense.  How much of any savings will go to primaries vs. specialists is no less divisive than the issue of the hospital/physician split of the shared savings.

Even more critical is the apparent lack of consideration given to the need for patient participation.  Where is the financial incentive for healthy patient choices and the disincentive for unhealthy patient choices?  Moreover, in a culture where more is more, why would anyone want to receive care from an organization that gets more by giving less?  Given further the ability of patients to wander in and out of ACOs and yet charge their ACO with the costs of non-ACO providers (who arguably have no stake at all in reducing expenses), the forecast for patient alignment is gloomy, but their buy in is critical.  It is difficult to see where patients have any stake in this change and would even be inclined to choose to be served by an ACO.  Many noted theorists have drilled on the glaring lack of patient alignment.  Rama Juturu and recent Wall Street Journal editorialists/economist Clayton Christensen have been outspoken about the need to enlist patients in the drive from intervention to prevention.  Patients that flock to ACOs (or whatever) will only do so if they see what’s in it for them.  The only thing an ACO can sell is results, outcomes.  And that’s gonna take time to measure and to sell.

At the end of the day, the threat of ACOs (and any vehicle to control healthcare costs more effectively) isn’t that they won’t work.  It’s that cost concerns will outstrip clinical ones.  While it can be argued that the employment of physicians by traditionally adverse players (like hospitals) will likely reduce the tension between them, it is precisely that tension that has always held the threat of “money over quality” at bay.  What will happen as hospitals and other healthcare players employ more and more physicians?  One can only hope that it is not silence and that, as found in some well established systems in the Midwest and West, respect for the different and necessary roles of ensuring both quality and economic survival will balance out, regardless of the healthcare delivery model that emerges.

Perceived Risk Outweighs Actual Harm in Assessing $1.5M HIPAA Fine

The Office of Civil Rights’ recent assessment of a $1.5 million fine for HIPAA violations should be a shrill wakeup call to all health care organizations that use (or allow their physicians to use) portable devices containing patient identifiable information.  The sanction stems from a physician’s lost laptop computer containing protected health information (ePHI).

Importantly, the OCR’s investigation could not establish whether ePHI was used or even accessed, partly because the device was lost in a foreign country.  However, it was not necessary to definitively conclude if any data had been compromised; the OCR was more concerned that the offending provider had not implemented appropriate measures mandated by the HIPAA Security Rule which could have reduced, mitigated or eliminated the risk altogether.  For the OCR, the heart of the matter was the fact that the covered entity failed to fully assess and evaluate the risk to the confidentiality and security of ePHI on portable devices used by its physicians in their personal activities, and failed to have a process to address when such devices are lost.  In this case, it was the incident itself that caused the organization to formalize and take responsive measures.  The barn door was closed after the horse got out.  To the OCR, the covered entity’s reactive, rather than proactive approach, was totally at odds with HIPAA Security Rule concerns and the mandated obligations of covered entities.

The facts are fairly simple.  A research physician from a Massachusetts specialty hospital facility was traveling to South Korea to give a lecture when he misplaced his backpack in a public area.  A personal laptop, containing health information of several thousand patients, was in the backpack.  The computer was eventually “detected” a few weeks later when it was connected to the internet, and its hard drive was later remotely “wiped”, however, the device was not recovered.  The incident was then reported to the OCR in accordance with the breach notification requirements of the HIPAA Security Rule.

This is an instructive case for a number of reasons.  For one, it is important to recognize that the OCR’s investigation was prompted by the obligatory “breach notification” it received from the provider.  The OCR’s inevitable investigation in turn revealed that there was significant noncompliance with multiple aspects of the Security Rule.  Notably, the OCR determined that the covered entity had lax control over, and little knowledge concerning its own physicians’ use of laptops issued to them by the organization.  Physicians were permitted unfettered access to the entity’s information, took their devices off-site where they were used for personal activities, and could remotely download information and install applications freely to these personal devices.  Further, while the laptop in question was password protected and had “LoJak” tracking and wiping software, encryption was not employed.  Further, many weeks passed before a hard drive wipe was effectuated and only after it was determined that the device had been connected to the internet.  In short, the OCR concluded that the entity had neither conducted an adequate security assessment nor established necessary policies or procedures addressing laptop use, and had not promulgated an appropriate response procedure.  Instead, it reacted to the lost laptop in a scramble of ad hoc activity and only instituted organization-wide changes as a result of this episode.

The most significant issue for the OCR in assessing a $1.5 million fine was not whether the incident caused actual harm to any patient, but the degree of risk of potential harm and whether reasonable steps and safeguards should have been in place to mitigate any data breach.  In short, the entity should have anticipated laptops would be lost and it should have addressed the attendant risks through a deliberate process and in a manner that is “situationally” appropriate for the organization.  Here, the organization abrogated such a duty, thus prompting a fine that may be disproportional to the perceived harm.  This outcome should prompt providers to seriously regard the HIPAA Security Rule, and the OCR’s enforcement efforts, and to abandon any “no harm, no foul” notions they might apply when security breaches occur and must be reported

The Florida Healthcare Law Firm Goes National

Followers & Friends – BIG Announcement coming out today! If you haven’t seen our new NATIONAL platform, check it out here at www.nationalhealthcarelawfirm.com and stay tuned for our #healthcare #legal news at 2pm EST !!!

Supreme Court upholds Obama health care law

Via @USAToday

The Supreme Court upheld President Obama’s health care law today in a splintered, complex opinion that gives Obama a major election-year victory.

Basically. the justices said that the individual mandate — the requirement that most Americans buy health insurance or pay a fine — is constitutional as a tax.

Chief Justice John Roberts — a conservative appointed by President George W. Bush — provided the key vote to preserve the landmark health care law, which figures to be a major issue in Obama’s re-election bid against Republican opponent Mitt Romney.

The government had argued that Congress had the authority to pass the individual mandate as part of its power to regulate interstate commerce; the court disagreed with that analysis, but preserved the mandate because the fine amounts to a tax that is within Congress’ constitutional taxing powers.

The announcement will have a major impact on the nation’s health care system, the actions of both federal and state governments, and the course of the November presidential and congressional elections.

A key question for the high court: The law’s individual mandate, the requirement that nearly all Americans buy health insurance, or pay a penalty.

Critics call the requirement an unconstitutional overreach by Congress and the Obama administration; supporters say it is necessary to finance the health care plan, and well within the government’s powers under the Commerce Clause of the U.S. Constitution.

While the individual mandate remained 18 months away from implementation, many other provisions already have gone into effect, such as free wellness exams for seniors and allowing children up to age 26 to remain on their parents’ health insurance policies. Some of those provisions are likely to be retained by some insurance companies.

Other impacts will sort themselves out, once the court rules:

— Health care millions of Americans will be affected – coverage for some, premiums for others. Doctors, hospitals, drug makers, insurers, and employers large and small all will feel the impact.

— States — some of which have moved ahead with the health care overhaul while others have held back — now have decisions to make. A deeply divided Congress could decide to re-enter the debate with legislation.

— The presidential race between Obama and Republican challenger Mitt Romney is sure to feel the repercussions. Obama’s health care law has proven to be slightly more unpopular than popular among Americans.

Full Story Here: http://content.usatoday.com/communities/theoval/post/2012/06/Supreme-Court-rules-on-Obama-health-care-plan-718037/1#.T-xqPhd5F9E

The Florida Healthcare Law Firm Announces National Expansion

(Delray Beach, FL) June 21st, 2012 – The Florida Healthcare Law Firm, one of Florida’s leading healthcare law firms, today announced a major increase in their legal practice capabilities with the official launch of the National Healthcare Law Firm, a d/b/a and new portal of the firm. The expansion to a national platform providing healthcare legal services to physicians and healthcare businesses is one that significantly increases resources for clients who lack qualified local healthcare counsel. While the Florida Healthcare Law Firm has for years assisted clients outside the state of Florida*, this new development further cements the firm’s commitment to providing ethical legal counsel in the healthcare industry.

“We are very excited about it. The fact that we serve clients all over the country has been a small secret for a while but we realized there’s a huge demand and decided to just go for it,” said Jeffrey L. Cohen, Esq. Founder and President of Florida Healthcare Law Firm.

According to Cohen, “It’s just a strange area of the law.  Nearly everything in healthcare business is regulated; leases, employment agreements, compensation.  Things you wouldn’t think are regulated are strongly regulated.  And there are large fines and criminal penalties for getting it wrong!  Our clients understand that healthcare business of any kind has serious legal risks and that they need uniquely qualified help.”

To request a service list or for any other firm information, call Autumn Piccolo at 888-455-7702 or visit the firm’s website at www.nationalhealthcarelawfirm.com or www.floridahealthcarelawfirm.com

*     *     *

Acknowledged throughout the country for its service and excellence, Florida Healthcare Law Firm is one of the nation’s leading providers of healthcare legal services. Founded by Jeffrey L. Cohen, Esq and headquartered in South Florida, FHLF provides legal services to physicians and healthcare businesses with the right pricing responsiveness and ethics. From healthcare clinic regulation, home health agency representation and physician contracting to medical practice formation/representation and federal and state compliance matters, the Florida Healthcare Law Firm is committed to bringing knowledge and experience to a diverse group of clients.

Super Group Doctors Beware of Departure Provisions

 Super groups are in vogue as physicians do their best to reduce costs and enhance revenues.  A “super group” is essentially a collection of previously separate competitors who have joined a single legal entity in order to achieve certain advantages.  Those advantages tend to be (1) reducing overhead expense associated with economies of scale.  Buying insurance for a group of 100 doctors should be far less expensive per doctor than a group of three doctors; (2) gaining leverage in managed care contracting.  20 groups of five physicians each cannot contract with a payer with “one voice” due to the antitrust restrictions, but a single group of 100 doctors can; and (3) finding new revenue sources.  Small groups and solo practices cannot afford revenue producing services like surgery centers, imaging services and such.   When practices combine, they have a greater patient base, which makes the development of new revenue sources feasible.

Physicians join super groups with terrific promise and hope.  They are clearly a good idea, especially if they have solid operations.  That said, physicians who rush to form them rarely consider the risks associated with a physician departing the group.  They need to!

When a doctor joins a super group, she stops billing through her old practice (the “P.A.”) and starts billing through a new group (the “LLC”).  The LLC has a tax ID number and a Medicare group number.  And the LLC enters into lots of managed care payer agreements.  Simply put, the doctor puts all of her eggs in the LLC basket.  So what’s the risk?

When physicians depart super groups, they have to confront difficult facts, like:

  1. It will take months to get a new Medicare provider number.  If they haven’t billed through their “old entity” for a while, that number is gone.  And getting a new number for the departing physician takes time, during which revenues associated with Medicare patients are lost (until the number is obtained);
  1. It takes even longer to get on insurance plans.  If the LLC is contracted (they usually are), how long will it take to get the P.A. fired back up?  It can take as long as six months (and sometimes even more)?  That means the departed doctor is out of network with all the plans!  This exposes her patients to higher costs and may affect referral patterns.  This alone can be crippling to a physician who has left the super group.
  1. Leaving can also mean ending access to patient scheduling and electronic medical records.  Many super groups do not ensure access to patient scheduling or billing to enable a departing physician to get back on their feet; and this can be devastating.
  1. Noncompetes can play a big role in how a departing physician gets back on her feet.  Ideally she will know that being solo is not as good as being part of a larger practice.  But what if the super group imposes a restriction on the departing physician that prevents her from being part of another group?  This is common and often very harmful, since some physicians who depart super groups have no effective options but to join other groups.

Super groups exist to benefit physicians.  It makes no sense that they would be used to harm them, which is precisely what can happen (and sometimes does happen) if physicians do not pay good attention to the “back end” as well as they do to the “front.”  That means things like—

  1. Making sure that, wherever possible, the departing physician is afforded enough time to get back on her feet professionally.  She will need time to get a new practice formed, to get a new Medicare provider number and to get back on insurance plans;
  1. Ensuring the departing physician has adequate access to medical and scheduling records;
  1. Carefully considering whether or not noncompetes make any sense.  Some may say that it is important to protect the new practice (like the old one), but these are different sorts of practices.  They are not built from the ground up.  They are built because successful competitors who have been in business for years decided essentially to “loan” their practices to the super group in order to obtain certain unique advantages.

Super group arrangements continue to grow.  Some of them even develop into fully integrated and sophisticated businesses.  Physicians who join them have to consider all “angles,” not just how good it will be or can be when they join.

CMS Issues Final Rule on E-Prescribing

By Emily P. Walker, Washington Correspondent, MedPage Today
Published: September 06, 2011 WASHINGTON — Doctors now have an extra month to apply for a hardship waiver to avoid being penalized for not adopting electronic prescribing in their practices, according to a final rule issued by the Centers for Medicare and Medicaid Services (CMS).

Physicians who use a qualified e-prescribing system are eligible for an additional 1% in Medicare Part B payments in 2011 and 2012, and a 0.5% increase in 2013. Providers who fail to complete at least 10 paperless prescriptions using a qualified e-prescribing system between Jan. 1 and June 30, 2011, will receive a 1% cut in Medicare reimbursements in 2012, a 1.5% cut in 2013, and a 2% cut in 2014.

In a proposed rule from May, CMS said doctors who are unable to e-prescribe should apply for a “hardship exemption” before Oct. 1. In the final rule issued Sept. 1, CMS announced doctors now have until Nov. 1 to apply for an exemption.

Continue reading