The Gramm-Leach-Bliley Act (GLBA) of 1999 (Pub. L. 106-102, 113 Stat. 1338) has two parts.

The first allows for the consolidation/merger of financial institutions such as banks, insurance companies and investment/security firms.

The second regulates the use, disclosure (sharing) and security of the massive amounts of personal information (which includes health records) that will result from these mergers/consolidations by mandating adherence to the following three rules.

  1. Financial Privacy
    • Enforced by Federal Trade Commission,
    • Privacy Agreements (signed by both parties, lists use of, types of, parties who will receive/share personal information), and
    • Opt Out Clauses to include details as to when a consumer may and may not opt out.
  2. Safeguard
    • Written security plan for all personal information,
    • Plan must be “managed” by at least one “dedicated” employee, and
    • Plan must be continuously monitored for “future” threats.
  3. Pretexting Provisions
    • Financial institutions must monitor and prevent disclosure of personal information to unauthorized parties (e.g., an unauthorized individual attempting to obtain access by phone, text, email or in person).

While GLBA expands consumer protections pertinent to the security of health information, it does not invoke HIPAA privacy regulations pertinent to entities that may or may not receive health information. Instead, the consumer must do so through “opt out” provisions. This is of concern because the average consumer may not be aware of HIPAA’s purpose and protections (e.g., the “minimum necessary” standard) and of the potential ramifications if they are not followed.

For more information on Gramm Leach Bliley’s impact on healthcare law, please contact Linda Mancini at 781-272-8001.

The Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (Public Law 111-203) contains a “sweeping series of core provisions” to reform federal oversight of the financial services industry. The Act includes amendments to existing regulation of the consumer protection, banking, derivatives and securities industries.

Dodd-Frank was not written with the healthcare sector in mind and does not contain any general provisions applicable to healthcare. However, there may be a “spillover” effect.

This Act was a “one of a kind sweeping endeavor” by Congress to “fix” a facet of an industry that appeared to be broken. Can the same argument be made for the healthcare industry? If yes, Congress may decide to make the same type of sweeping changes to healthcare, especially in the not-for-profit sector, which faces similar risk and transparency issues.

In fact, the following four provisions of the Act may be readily transferred to the not-for-profit healthcare industry at a moment’s notice.

  1. Enterprise Risk Management (ERM) – Regulate systemic risk; establish risk monitoring committees with independent directors (Financial Stability Oversight Councils); adopt board-level ERM activity that reaches a “best practices” level.
  2. Corporate Governance – Regulations promulgated by federal government (traditionally purview of state), promote board independence and decrease conflicts of interest with increased public disclosure; consider views of community and constituent groups on executive salaries (i.e. role similar to shareholders).
  3. Corporate Compliance – Increased emphasis on whistleblowers and protections (increased rewards, can sue in federal court without having to exhaust available administrative remedies).
  4. Executive Compensation – Need to consider feedback from compensation committees/independent advisors/community/constituents and to publicly report the “ratio of the total compensation of the CEO to the median employee compensation.”

Please refer to the law for details pertinent to the four provisions cited.

For more information on the Dodd-Frank Act’s application to healthcare, please contact Linda Mancini at (781) 272-8001.

The Sarbanes-Oxley (SOX) Act of 2002 (Public Law 107-204) was designed to protect the interests of investors and enhance corporate oversight and accountability of publicly traded companies. Specifically, SOX mandates auditing, quality control, ethics, detailed/timely disclosures and independent/informed authentication of all financial statements.

To date, there are only two provisions of SOX that apply directly to healthcare (non-profit) organizations — whistleblower protections and retention of all documentation pertinent to an investigation. However, the healthcare legal industry is advising hospitals to look at SOX as “best practice” and adhere to as many of its provisions as possible.

This advice is based on increasing challenges to tax-exempt status and increased regulations passed by state legislatures and Attorneys General. Currently, 20 states are involved in class action suits claiming that hospitals haven’t provided enough “charity care” to justify their tax-exempt status. In addition, many state legislatures have passed healthcare financial accountability legislation that is stricter than SOX.

For more information on the Sarbanes-Oxley Act’s relevance to healthcare, please contact Linda Mancini at (781) 272-8001.

What is an expectation of privacy? The Fourth Amendment provides this constitutional right. An expectation of privacy is related to, but is not the same as, a right to privacy, a much broader concept which is found in many privacy laws. In general, one cannot have a reasonable expectation of privacy in things held out to the public. But what about email and other electronic communications and information?

The Stored Communications Act (SCA) was enacted in 1986 to provide “Fourth Amendment”-like privacy protection (search warrant, probable cause) to email and other digital communications stored on the internet. The Fourth Amendment to the U.S. Constitution protects the people’s right to “be secure in their persons, houses, papers and effects, against unreasonable searches and seizures.” It is seen as a right that extends to people only and not places. In many cases, Fourth Amendment doctrine has held that users relinquish “any expectation of privacy” when they entrust the security of online information to a third-party Internet Service Provider (ISP).

The SCA holds that ISPs will be criminally liable for disclosure of the contents of any communication carried or maintained on their service to any person or entity without proper authorization or a search warrant and court order. ISPs are allowed to share non-content information, such as log data and the name/address of an email recipient, with anyone other than a governmental entity.

The SCA is a starting point for any questions we may receive in our AMS capacities pertinent to “non-patient care” email/electronic communication privacy.

For more information on the Stored Communications Act, please contact Linda Mancini at (781) 272-8001.

The March 18, 2019 post of Legal Topics in Healthcare provided a definition of Cooperation Credit when undergoing a False Claims Act (FCA) investigation, HIPAA investigation or the like. In 2015, Deputy Attorney General Yates issued a memorandum detailing a policy on “individual accountability.” The memo, Individual Accountability for Corporate Wrongdoing, is known as the “Yates Memo.”

This memo essentially limited the availability of cooperation credit to only those organizations that provide the Department of Justice (DOJ) all relevant facts relating to the individuals responsible for the misconduct. Individual accountability addresses the DOJ’s concern that too many individuals evaded punishment for wrongdoing related to the financial crisis, but this policy has significant implications for healthcare providers and their employees. Prior to the Yates Memo, cooperation credit was potentially available under DOJ policy even if an organization failed to disclose basic facts about its employees’ involvement in criminal misconduct.

For more information on the Yates Memo, please contact Linda Mancini at (781) 272-8001.

On August 17, 2018, the Centers for Medicare and Medicaid Services (CMS) announced that it was adding a sub-section (3.2) to Chapter 3 of its Medicare Program Integrity Manual (MPIM, Publication 100-08) entitled “Verifying Potential Errors and Taking Corrective Actions.” The new section references Medicare’s Targeted Probe and Educate (TPE) Program, first initiated as a pilot in 2016. The initial pilot focused only on nursing home and inpatient claims. The pilot has now been expanded to a permanent program which encompasses all claim types and can occur as either a pre-payment or a post-payment audit.

TPE audits subject providers and suppliers to up to three rounds of medical reviews. Claims are selected through data analysis. MPIM, Subsection 3.2 states:

“MACs shall target providers/suppliers who have historically high claim denial rates, who have billing practices that vary from their peers, or when evidence suggests that there is a potential risk to the Medicare Trust Fund.”

The MACs have the discretion to select target areas because of:

  • High volume of services;
  • High cost;
  • Dramatic change in frequency of use;
  • High risk problem-prone areas; and/or,
  • Recovery Auditor, CERT, Office of Inspector General (OIG) or Government Accounting Office (GAO) data demonstrating vulnerability. Probe reviews are not required when targeted areas are based on data from these entities.

Claims determined to be in error result in a provider’s notice of adverse determination and education from their MAC prior to the initiation of the next round of the TPE audit. Providers may, at their discretion, appeal TPE audit results, and this process mimics the standard Medicare appeals process.

Continued claims errors after three (3) rounds of TPE audit may be referred to CMS for further disciplinary actions. Subsection 3.2 also states:

“The MAC shall refer providers/suppliers for potential escalation to CMS at their discretion after three rounds of TPE review. Referrals shall include details regarding the reason the provider/supplier was selected for TPE review, TPE review results, any education provided (or offered and refused), and any other relevant information that may be helpful in determining appropriate next steps. The MAC shall refer suspected fraudulent providers to the Unified Program Integrity Contractor (UPIC) at any time during the TPE process.”

Given the potential impact of an escalation outcome, and the burden on providers from this program’s continued emphasis, it is vital that providers carefully weigh the value of appealing adverse determinations when there is a valid justification to do so. Personnel responsible for the review of and response to adverse determinations must take immediate action, either through internal education and corrective action or by appealing the findings without delay. Regardless of which step a provider takes, immediate action will help ensure that the provider is paid for the right services, in the amount it is legally entitled to receive, every time.

For more information on the Targeted Probe and Educate Program, please contact Linda Mancini at (781) 272-8001.

Qui Tam lawsuits are what we also refer to as whistleblower suits, whereby a private individual assists the government with the prosecution of illegal activities and can receive all or part of any penalty imposed.

In healthcare, these usually involve False Claims Act (FCA) allegations directly against a provider. But the provider is not always at the center of these types of Qui Tam suits. One of the longest running Qui Tam cases that still lurks in the federal court system, initially filed in 2003 against a pharmaceutical company, is United States ex rel. King v. Solvay Pharmaceuticals, Inc.

In this case, two former Solvay employees alleged that Solvay had been engaging in misleading marketing ploys to encourage providers to prescribe their drugs for off-label use. Off-label use means that the FDA has not approved the drug for a prescribed diagnosis, and submission of a claim for this drug would violate the FCA. Solvay spent millions to promote these drugs for off-label uses. Salespersons visited doctors, urging them to consider Solvay’s drugs for off-label indications. Solvay also paid physicians to attend lavish dinners and speaker events about its drugs, and paid physicians who prescribed its drugs, which in turn could implicate the Anti-Kickback Statute (AKS). The final outcome of this case is still pending as there have been a series of appeals that are still ongoing.

Are providers insulated in these types of cases where inducement is involved? Not so much. Of particular significance is that providers have a responsibility in the pharma-physician relationship to recognize when they are at risk of a violation of the AKS. A Qui Tam case against a manufacturer could give rise to an FCA action, placing the provider front and center under the microscope.

For more information on Qui Tam or whistleblower situations, please contact Linda Mancini at 781-272-8001.

Nearly every aspect of modern life has a virtual or electronic component. Today, most of us choose every day to share information online at the click of a button. And for many consumers, sharing health care information is no exception. This alone underscores how significantly things have changed over the past decade.

We live in an interconnected world of technology and privacy, and nothing about concern over the lack of respect for boundaries is unexpected. The European Union (EU) enacted the General Data Protection Regulation (GDPR) in 2016, which became effective in May 2018, miles ahead of the US in this space. The US has yet to enact any over-arching data protection regulation, perhaps because of backlash from large companies objecting to complicated mandates or from concern that such regulation would suppress innovation at a time when we are making tremendous strides in research and a positive impact on the delivery of health care as a whole. The GDPR sets forth that personal data protection is a “fundamental right.”

Either way, this shift is impacting healthcare in more ways than one. Our traditional notions of how we deliver and receive care, conduct research and predict outcomes are becoming more and more aligned with technologies such as artificial intelligence and cloud computing. What’s driving this shift is the realization that by embracing advances in technology, we can improve the quality of care we deliver in areas such as telemedicine and the use of machine learning, predictive analytics, and prescriptive analytics in research to cure and prevent diseases such as cancer. Of course, the Health Insurance Portability and Accountability Act (HIPAA) protections apply in this context. But what about the consumer market, where companies not covered by HIPAA are developing products that collect personal information?

Today, companies are developing products for the consumer market that would have been unimaginable just a few years ago. Microsoft filed over 70 patents related to healthcare in the last 5 years. During this time, there has been an explosion of consumer products, apps and devices to which HIPAA protections do not apply, collecting health information (such as fitness and health monitoring devices). Apple recently launched the Apple Records feature, allowing users to store their medical records on their smart phones. And then there’s Amazon, which has impacted the supply chain by offering lower cost medical supplies to hospitals and clinics, and also entered into an agreement to acquire the on-line pharmacy PillPack in June.

These apps, services and connected devices collect, transmit, store, and potentially share vast amounts of consumer data, some of it highly personal, raising new concerns about the nature of privacy and the means by which individual privacy might be compromised or protected. We’ve entered a whole new world in which the regulated Protected Health Information (PHI) world intersects with the non-regulated PHI world. Data from these devices should not be usable by insurers to set health, life, car, or other premiums, or to impact employment decisions, credit decisions, housing decisions, or other areas of public life. California recently passed a strict data protection regulation and it is anticipated that other states will follow suit and tighten up their rules on data protection as well.

We are in the midst of the fourth Industrial Revolution, a profound shift which is fundamentally altering the way we live, interact, and perform our jobs every day, at a pace far more furious than revolutions of the past, and there doesn’t appear to be any Federal mandate similar to GDPR in the US on the horizon. Unlike the EU’s GDPR, the US has fallen short of committing to a similar Federal mandate since the Obama administration.

For more information on health care privacy issues, contact Linda Mancini at 781-272-8001.
In 2017, President Trump issued a call to action that led to the declaration of a nationwide public health emergency regarding the opioid crisis. In response, the Office for Civil Rights (OCR) issued guidance on how HIPAA allows information sharing to address the opioid crisis.

OCR’s guidance, released in October 2017, addresses when and how healthcare providers can share a patient’s health information with his or her family members, friends, and legal personal representatives when that patient may be in crisis and incapacitated, such as during an opioid overdose. The guidance supplements existing guidance on when and how healthcare providers can share a patient’s health information with his or her family members, friends, and legal personal representatives as a general rule. For example, current HIPAA regulations allow healthcare providers to share information with a patient’s loved ones in certain emergency or dangerous situations. This includes informing persons in a position to prevent or lessen a serious and imminent threat to a patient’s health or safety.

Sorting out the nuances of the HIPAA privacy rules can be tricky, especially amidst this opioid epidemic. But when an emergency is in progress with a patient in crisis, it becomes vital to ensure that barriers to family support are not created due to misunderstandings about HIPAA.

Healthcare providers must understand when and how they can share information with patients’ family members and friends without violating the HIPAA Privacy Rule.

For more information on HIPAA issues, contact Linda at 781-272-8001.
A brief guide to legal healthcare documents

Guardianship: Appointed when a person becomes incapacitated, the guardian has authority to make decisions pertinent to the person’s support, care, education, and healthcare treatment.

Conservatorship: Appointed when a person becomes incapacitated, a conservator has authority to manage real and personal property of an individual.

Healthcare Proxy (HCP): Created before a person becomes incapacitated, it gives another person authority to make healthcare treatment decisions. It is invoked upon the individual’s incapacitation.

Durable Power of Attorney (DPOA): Created before a person becomes incapacitated, it grants authority to manage the real and personal property of an individual. A durable POA may continue to be in effect after the individual becomes incapacitated. Some DPOAs include medical care (MDPOA).

Generally speaking, a guardianship is sought when there is no healthcare proxy or medical durable power of attorney in place. Healthcare providers are often in the position of petitioning the court for guardianship when there is no other responsible or willing person available to obtain the guardianship. The need for guardianship must be supported by a licensed clinician or clinical team report that certifies incompetency.

In contrast, a conservatorship is sought when there is no durable power of attorney in place before the individual became incapacitated. Conservatorship requires proof of bond (see footnote 1) as well as a medical certificate (to certify incapacity) signed by a licensed clinician or a clinical team report. In Massachusetts, the medical certificate is a seven page form available on the website.


When a healthcare proxy is in place, it trumps a guardianship, so it is important to know whether one exists before seeking a guardianship. If a medical durable power of attorney is in place, it will trump any healthcare proxy, and a medical durable power of attorney trumps a conservatorship. However, a durable power of attorney and/or HCP can be revoked upon a showing of exceptional circumstances, such as fraud or another significant circumstance such as the death of the proxies.

Footnote 1: A conservatorship bond is a type of court bond that ensures the court-appointed individual will fulfill their obligations. The cost is usually equal to all of the assets of the patient, plus one year of their income. Once the court has established the conservatorship, the court typically will reimburse the conservator from the assets of the patient.

For more information on guardianships, contact Linda at 781-272-8001.