Cooperation is a mitigating factor by which a corporation (such as a healthcare organization) can receive credit in a case that is otherwise appropriate for indictment and prosecution. Depending on various factors, an organization might gain cooperation credit when a self-report is made.

The credit itself may be in the form of reduced charges or penalties, deferred prosecution agreements or non-prosecution agreements and even an opportunity to modify certain terms of a settlement agreement. The extent of the cooperation credit earned will depend on all the various factors that have traditionally applied in making this assessment, such as the timeliness of the organization’s cooperation, the diligence, thoroughness and speed of the internal investigation, and the proactive nature of the cooperation.

Source: USAM (U.S. Attorneys’ Manual) 9-28.000 – Principles of Federal Prosecution of Business Organizations.

For more information on cooperation credit, contact Linda at 781-272-8001.


A recent Legal Topics in Healthcare post described the CMS “Patients Over Paperwork” Initiative. One area of documentation impacted by this initiative lessens teaching-physician burden with student documentation that supports a patient’s E/M services.

In February 2018, CMS published CR10412, which allows a teaching physician to simply verify a student’s E/M visit notes rather than re-document components of the E/M services. This is a major change to the requirements prior to CR10412, where a physician was not allowed to refer to the student’s documentation of physical exam findings or medical decision making. In other words, the teaching physician was previously required to re-document E/M services already documented in the medical record by the student. This documentation included the history of present illness, physical exam, and medical decision making activities of the E/M service.

This change was effective February 2, 2018 in an effort to simplify the administrative burden on practitioners under CMS’ paperwork initiative. For more information, please refer to the official instruction, CR10412, issued to MACs regarding this change.

For more information on E/M documentation, please contact Linda at 781-272-8001.


In February 2018, the Centers for Medicare and Medicaid Services (CMS) implemented the Patients Over Paperwork (POP) initiative. This proposal set out to reform certain documentation requirements used currently to support Medicare billing. The goal is to reduce time spent on documentation, thereby increasing the amount of time clinicians spend with their patients, and in turn improve the quality of patient care while continuing to document clinically meaningful information only. The proposal also addresses quality reporting requirements focusing on measures that most significantly impact health outcomes and support interoperability and information sharing among health care providers electronically.

In July 2018, CMS sought comment through a Request for Information asking whether providers and suppliers can and should be required to inform patients about charge and payment information for health care services and out-of-pocket costs, what data elements would be most useful to promote price shopping, and what other changes are needed to empower health care consumers (Proposed Rule).

For more information on Medicare documentation issues, please contact Linda at 781-272-8001.


The 21st Century Cures Act of 2016 (Cures Act) mandated the Department of Health and Human Services (HHS) to simplify the authorization process for individuals who want to release Protected Health Information (PHI) for research purposes. Individual authorization is necessary if the information will be utilized or shared in any format other than aggregate (without patient identifiers, details specific to individual patient).

In June 2018, The HHS Office of Civil Rights (OCR) published the following guidance.

  • Purpose of the Use and/or Disclosure for Future Research Authorizations
    Purpose must be documented in a manner in which it is understood the individual is consenting to release PHI for “future” research (even if “future” studies not determined at the time of authorization).
  • Expiration of Authorizations
    Do not need to provide a specific date. It is sufficient to document “none”, “when research ends” or “when I revoke”.
  • Right to Revoke Authorization
    Authorization forms to release information for research purposes must contain
    documentation pertinent to individual’s “right to revoke” and descriptions of how to invoke the “right to revoke”. Covered entities must provide individuals with a copy of the signed authorization for future reference pertinent to revocation authorization. (Some covered entities also notify individuals of this right on a consistent basis for the reason stated below).
  • Caveat
    It is imperative that the “revocation” be received by all parties who may receive/release the research information to avoid improper disclosure. For example, an individual may send notice of revocation to researcher. Researcher obtains PHI from hospital. Hospital will continue to release PHI unless researcher shares the revocation. The researcher is not obligated to notify the hospital of the revocation and/or may think the same revocation was submitted to the hospital.

See the full law here: Cures Act (Public Law No:114-255(12/13/2016)

For more information on the Cures Act, please contact Linda at 781-272-8001.


Generally speaking, HIPAA does not afford an individual the right to sue for a HIPAA violation. HIPAA does not create a private cause of action for an individual. This means that the government can file an adversary claim against a covered entity (CE) for non-compliance and seek penalties, but an individual cannot use HIPAA as a basis under the federal regulations to sue. However, an individual may seek damages from a CE under state regulations as a “civil action” for negligence (also known as a tort), and state courts may look to HIPPA as the standard by which a negligence cause of action may prevail.

For example, when a state court looks to HIPAA, it will allow the breach of privacy under the HIPAA regulation to be used to show the underlying basis for a breach of duty in a negligence claim for public disclosure of private facts. And duty is one of the four elements required to be shown by the plaintiff, along with the three other elements which are:

  • Breach of duty,
  • Causation, and
  • Damages.

But the analysis does not stop there. Duty of care is pivotal in these types of cases because in order to show there was a duty owed, the plaintiff must show that the incident was foreseeable. Foreseeability is a tricky area and not always completely clear. In addition to public disclosure of private facts, Massachusetts has three other invasion of privacy torts which include:

  1. Intrusion on physical seclusion,
  2. False light, and
  3. Impersonation of the likeness of another for benefit.

A recent case was decided in Connecticut where a HIPAA violation was allowed to show a breach of the duty of care. This was a case where a physician office released records without the proper authorization or order, and the court found that, because it was shown that HIPAA was violated, the case could go forward in state court under a privacy claim. See Byrne v. Avery Ctr. for Obstetrics & Gynecology, P.C., 327 Conn. 540. The facts of the case relate to a physician’s release of medical records in response to a subpoena without first obtaining the patient’s consent, identify footnotes obtaining a protective order, or notifying the patient in accordance with the regulatory procedures under HIPAA.

For more information on HIPAA litigation, please contact Linda at 718-272-8001.


There are principles of full disclosure under civil procedure that do not exist in criminal procedure. In the civil setting, the defendant is entitled to notice of the plaintiff’s case, which gives the defendant a stronger opportunity to formulate a defense and win at dismissal. The goal is to maintain even-handedness, so in the civil context, the plaintiff must “plead with particularity” and the defendant must respond to the allegations, and admit or deny each one while setting forth its specific defenses.

In contrast, the criminal context is much different. Only under very limited constitutional circumstances must the prosecutor disclose information about his particular allegations against the defendant. Although the defendant’s defenses are protected, the defendant is equally disadvantaged by not knowing the specific details of the prosecutions allegations. What’s more, the criminal verdict may be used against the defendant whereby sanctions can automatically be attached to felony convictions.(1) For example, let’s look at a defendant who finds herself facing criminal charges in an anti-kick-back suit, where there are both civil and criminal provisions.

Common sense dictates that it would not be beneficial for the defendant to disclose details to the prosecutor that may be used against her and the law protects the information that must be provided by the prosecution. Thus, a criminal case is tried with both parties in the “dark.” One can’t help but wonder about the fairness of this when considering loss of liberty may be at stake.

On the one hand, it seems absurd that a civil defendant with only financial concern would have more notice of the allegations against him than the criminal defendant whose civil liberties are at stake. It seems to be that the law overprotects civil defendants and under protects criminal defendants. So perhaps it goes without saying that the goal of even-handedness is more analogous to a trial by ambush when you really consider the rules. But advocates of restricted discovery in the criminal context contend that the “beyond a reasonable doubt” standard of proof in criminal proceedings would be impossible to reach if the prosecutors were to disclose their information to defendants up front.

It is quite the conundrum. One might argue that it is only fair to ensure that all defendants be provided with the same information as a civil defendant to ensure justice is served.

Footnote 1. A crime that provides a possible incarceration of a year or more in the federal system is a felony, regardless of actual jail time.

For more information on healthcare fraud litigation, please contact Linda at 781-272-8001.


How to respond to patient information requests

A common scene: Law enforcement has entered your building and is demanding lab records on your patient. Common question: Do you release or not release? This issue can come up in just about any healthcare setting. Each situation is so fact specific that simple guidelines do not necessarily apply, but don’t just hand over records to law enforcement. Procedural due process requirements exist that must be met, and law enforcement must show they have the authority to obtain the records. Still, it is not uncommon for a healthcare worker to be threatened with immediate arrest for failure to comply.

Whether you are a covered entity (CE), or a business associate (BA), a clear understanding of when to release and when to deny or require patient consent or a court order is crucial.  This issue continues to be misunderstood by law enforcement agents and can be intimidating to providers despite governing Health Information Portability and Accountability Act of 1996 (“HIPAA”), Federal (alcohol/drug abuse) and State (Mental Health) laws.

Law enforcement’s mission to “investigate/solve” a crime can often cause confusion and obscure the hospital’s need to protect a patient’s protected health information (PHI). Disclosure in these circumstances is hard to contain because the law enforcement agent may go directly to a patient care area and ask the unit staff for access, bypassing health information management staff who know the laws, thereby exposing the organization to an unauthorized disclosure and HIPAA breach.

Under 45 CFR 164.512(f) of the HIPAA Privacy Rule, disclosure to law enforcement agents (police, probation/parole officer, detective) require written patient consent or a court order issued by a judicial officer for access to PHI, except in the following circumstances:

  • A valid court order, warrant, subpoena, or administrative process. (45 CFR § 164.512(f)(1)(ii)).
  • To avert imminent harm that threatens the health or safety of an individual or the public (45 CFR § 164.512(j)(1)(i)).
  • As required by law such as reporting child or adult abuse or neglect, injuries from gunshots or criminal activity, etc. (45 CFR § 164.512(a), (f)(1)(i); see also § 164.512(b)(1)(ii) (child abuse) and § 164.512(c) (adult/elder abuse)).
  • To identify a person to help identify or locate a suspect, fugitive, material witness or missing person, but may only disclose limited information (45 CFR § 164.512(f)(2)). The disclosure must be in response to a request from law enforcement, which may include a response to a “wanted” poster or bulletin.
  • Victim of a crime (45 CFR § 164.512(f)(3)).
  • Death resulting from a crime (45 CFR 164.512(f)(4)).
  • Crime on premises (45 CFR § 164.512(f)(5)).
  • Crime away from Premises (45 CFR § 164.512(f)(6)).
  • Report by victim (45 CFR § 164.502(j)(2)).
  • Admission of violent crime (45 CFR § 164.512(j)(1)(ii)(A), (j)(2)-(3)).
  • To locate a known fugitive (45 CFR § 164.512(j)(1)(ii)(B)).
  • Prisoners (45 CFR § 164.512(k)(5)).
  • Medical examiners and coroners (45 CFR § 164.512(g)(1)).

The PHI that may be disclosed in each of these circumstances is limited to the minimum necessary (name/address, DOB, SS#, blood type, type of injury, date/time of treatment or death, description of distinguishing physical characteristics) to address the issue.

The health care entity must exercise due diligence in ensuring both the officer and the request for information are legitimate, and file a copy of all paperwork provided to document all actions taken in compliance with the request in the patient’s medical record. As a best practice, refer such requests for internal legal review to validate proper procedure to follow. Finally, the nuances of this particular issue speak to the need for CEs to provide continuous education for all hospital workers specific to the process for releasing of PHI.

Common requests for PHI without patient consent or court order:
  • Blood/alcohol level
    • (No-need a court order-no material harm to case).
  • Detective brings a subpoena issued/signed by the police chief for access to “alleged perpetrator’s” medical record.
    • Do not release without an order issued by a judicial/court officer or the patient’s consent.
  • State Police want to review behavioral health medical record of patient to determine if the patient was competent at the time of the “alleged” crime before charging for the crime.
    • Do not release – this is a “material issue” that must be decided by the MD and courts (unless a “competent” patient provides consent).

Footnote 1. A CE providing emergency health care in response to a medical emergency, other than such emergency on the premises of the CE, may disclose protected health information to law enforcement if necessary to alert law enforcement to the commission and nature of a crime, the location of such crime or of the victim(s) of such crime and the identity, description, and location of the perpetrator of such crime

For more information on protected health information, please contact Linda at 781-272-8001.


Where do personal health information and biometric facial recognition technology intersect? At first blush, there is no obvious connection between biometric facial recognition (FR) and personal health information (PHI). So aside from the run of the mill individual privacy concerns, it seems a stretch to consider an image of our face with FR as a potential threat to the privacy of our PHI. Let’s be honest, the benefits abound with FR. It can help law enforcement fight crime, locate a criminal in public, and even find missing children, in turn providing us all with a better sense of safety, right?

But there is another up and coming technology that is capable of taking FR to the next level called Artificial Intelligence (AI). The intersection of FR and AI represent a real threat to PHI because it does not stop at individual privacy concerns but creeps into the healthcare realm by collecting biometric data about our personalities, personal preferences, locations, patterns and behaviors and matching it to our simple facial images thereby inferring our characteristics and behaviors. Over time, this technology can learn our habits, age, address and even our diseases.

In the US, this technology is evolving faster than the law. Unlike Europe, which is regulated by the General Data Protection Regulation (GDPR) enacted in May 2018, federal law in the US falls short of seeing any sort of legislation on the horizon in the near future. Consequently, it is up to the states to enact their own regulatory policy and there are only three with existing laws; Illinois, Texas and Washington.

We are in the midst of the next technological revolution, and biometric FR is one technology that is likely to spark a great deal of attention from consumers, advocates, legislators and corporations to reframe privacy laws in the US and address this threat to privacy. Over the course of the next half-decade, there will surely be much more state level regulation. At this stage, only four other states are considering adopting regulations similar to Illinois, Texas and Washington including Alaska, Connecticut, Montana and New Hampshire.

Let us know where you see technology evolving faster than the law. For more information artificial intelligence and privacy, please contact Linda at 781-272-8001.

Read our disclaimer


Issues RFI Regarding the Anti-Kickback Statute and Beneficiary Inducements

On August 20, 2018, Inspector General Daniel R. Levinson, from the Office of Inspector General (OIG), HHS issued a request for information (RFI) seeking input from the public on how to address any regulatory provisions that may act as barriers to coordinated care or value-based care.

The OIG is seeking to identify ways in which it might modify safe harbors to the anti-kickback statute and exceptions to the beneficiary inducements civil monetary penalty (CMP) definition of remuneration to support arrangements promoting care coordination, advance the delivery of value-based care, and protect against harms caused by fraud and abuse. The RFI reports that the OIG has identified the broad reach of the anti-kickback statute and beneficiary inducements CMP as a potential impediment to beneficial arrangements that would advance coordinated care.

In particular, the OIG has issued a detailed RFI which includes specific questions in several areas such as Value-Based Care arrangements, Safe harbors to the anti-kickback statute or exceptions to the definition of “remuneration” under the beneficiary inducements CMP may be necessary to protect such arrangements and how “value” should be defined and used in a safe harbor or exception such that OIG could evaluate “value” within an arrangement to determine compliance with the safe harbor or exception, among others.

Comments must be submitted no later than 5 p.m. on October 26, 2018, and must refer to file code OIG-0803-N. Comments may be submitted in one of three ways:

1. Electronically. You may submit electronic comments on this regulation to http:// Follow the “Submit a comment” instructions.

2. By regular, express, or overnight mail. You may send written comments to the following address: Susan Edwards, Office of Inspector General, Department of Health and Human Services, Attention: OIG-0803-N, Room 5513, Cohen Building, 330 Independence Avenue SW, Washington, DC 20201.

3. By hand or courier. If you prefer, you may deliver your written comments by hand or courier before the close of the comment period to: Susan Edwards, Office of Inspector General, Department of Health and Human Services, Attention: OIG-0803-N, Room 5513, Cohen Building, 330 Independence Avenue SW, Washington, DC 20201.

For more information on Medicare issues, please contact Linda at 781-272-8001.

Proposed Policy, Payment, and Quality Provisions Changes to the Medicare Physician Fee Schedule for Calendar Year 2019

In line with its commitment to the Patients Over Paperwork initiative, The Centers for Medicare & Medicaid Services (CMS) is committed to increasing the amount of time a provider spends with a patient by eliminating and/or streamlining some of the E/M documentation and coding requirements. Specifically, CMS proposes the following:

  • Providers may assign a level of service based on “time” or “decision making” rather than the traditional requirements mandated by the 1995 or 1997 E/M Documentation

    • Under this option, “time” is not driven by “counseling” or “coordination of care” (none even has to occur). Rather, the level is determined by the actual amount of time the physician spends with the patient for any service(s).
    • Providers may determine the level of service based upon the medical decision required to perform the service. To date, under this option, CMS does not mandate the use of criteria to determine the level of medical decision making but providers will likely rely on the criteria available in the 95 and 97 guidelines. If not, the provider must document the method/reason for the level assignment and be consistent in the use of the criteria. CMS and other regulators will want to see consistent application to justify levels of services upon reimbursement audits.
  • Streamline documentation of the exam and physical by allowing providers to “authenticate” information that hasn’t changed on a previous report or a report written by ancillary staff or the patient (after conducting a current patient examination and documentation review). Currently, the provider must re-write the documentation.
    • This will require focused documentation reviews to ensure current data is documented (signed and dated) and readily available (easy to locate) for continued patient care and coding.

For more information on E/M documentation, contact Linda Mancini at 781-272-8001.