The 21st Century Cures Act of 2016 (Cures Act) mandated the Department of Health and Human Services (HHS) to simplify the authorization process for individuals who want to release Protected Health Information (PHI) for research purposes. Individual authorization is necessary if the information will be used or shared in any format other than aggregate (that is, without patient identifiers or details specific to an individual patient).

In June 2018, the HHS Office of Civil Rights (OCR) published the following guidance.

  • Purpose of the Use and/or Disclosure for Future Research Authorizations
    The purpose must be documented in a manner that makes clear the individual is consenting to release PHI for “future” research (even if the “future” studies are not determined at the time of authorization).
  • Expiration of Authorizations
    A specific date does not need to be provided. It is sufficient to document “none”, “when research ends” or “when I revoke”.
  • Right to Revoke Authorization
    Authorization forms to release information for research purposes must contain documentation pertinent to the individual’s “right to revoke” and a description of how to invoke the “right to revoke”. Covered entities must provide individuals with a copy of the signed authorization for future reference pertinent to revoking the authorization. (Some covered entities also notify individuals of this right on a consistent basis, for the reason stated below.)
  • Caveat
    It is imperative that the “revocation” be received by all parties who may receive/release the research information, to avoid improper disclosure. For example, an individual may send notice of revocation to the researcher. The researcher obtains PHI from a hospital. The hospital will continue to release PHI unless the researcher shares the revocation. The researcher is not obligated to notify the hospital of the revocation and/or may assume the same revocation was submitted to the hospital.

See the full law here: Cures Act (Public Law No. 114-255, 12/13/2016).

For more information on the Cures Act, please contact Linda at 781-272-8001.


Generally speaking, HIPAA does not afford an individual the right to sue for a HIPAA violation. HIPAA does not create a private cause of action for an individual. This means that the government can file an adversary claim against a covered entity (CE) for non-compliance and seek penalties, but an individual cannot use HIPAA as a basis under the federal regulations to sue. However, an individual may seek damages from a CE under state regulations as a “civil action” for negligence (also known as a tort), and state courts may look to HIPAA as the standard by which a negligence cause of action may prevail.

For example, when a state court looks to HIPAA, it will allow the breach of privacy under the HIPAA regulation to be used to show the underlying basis for a breach of duty in a negligence claim for public disclosure of private facts. Duty is one of the four elements the plaintiff must show; the three other elements are:

  • Breach of duty,
  • Causation, and
  • Damages.

But the analysis does not stop there. Duty of care is pivotal in these types of cases because in order to show there was a duty owed, the plaintiff must show that the incident was foreseeable. Foreseeability is a tricky area and not always completely clear. In addition to public disclosure of private facts, Massachusetts has three other invasion of privacy torts which include:

  1. Intrusion on physical seclusion,
  2. False light, and
  3. Impersonation of the likeness of another for benefit.

A recent case was decided in Connecticut where a HIPAA violation was allowed to show a breach of the duty of care. This was a case where a physician office released records without the proper authorization or order, and the court found that, because it was shown that HIPAA was violated, the case could go forward in state court under a privacy claim. See Byrne v. Avery Ctr. for Obstetrics & Gynecology, P.C., 327 Conn. 540. The facts of the case relate to a physician’s release of medical records in response to a subpoena without first obtaining the patient’s consent, obtaining a protective order, or notifying the patient in accordance with the regulatory procedures under HIPAA.

For more information on HIPAA litigation, please contact Linda at 718-272-8001.


There are principles of full disclosure under civil procedure that do not exist in criminal procedure. In the civil setting, the defendant is entitled to notice of the plaintiff’s case, which gives the defendant a stronger opportunity to formulate a defense and win at dismissal. The goal is to maintain even-handedness, so in the civil context, the plaintiff must “plead with particularity” and the defendant must respond to the allegations, and admit or deny each one while setting forth its specific defenses.

In contrast, the criminal context is much different. Only under very limited constitutional circumstances must the prosecutor disclose information about his particular allegations against the defendant. Although the defendant’s defenses are protected, the defendant is equally disadvantaged by not knowing the specific details of the prosecution’s allegations. What’s more, the criminal verdict may be used against the defendant, whereby sanctions can automatically be attached to felony convictions.(1) For example, let’s look at a defendant who finds herself facing criminal charges in an anti-kickback suit, where there are both civil and criminal provisions.

Common sense dictates that it would not be beneficial for the defendant to disclose details to the prosecutor that may be used against her and the law protects the information that must be provided by the prosecution. Thus, a criminal case is tried with both parties in the “dark.” One can’t help but wonder about the fairness of this when considering loss of liberty may be at stake.

On the one hand, it seems absurd that a civil defendant with only financial concerns would have more notice of the allegations against him than the criminal defendant whose civil liberties are at stake. It seems that the law overprotects civil defendants and underprotects criminal defendants. So perhaps it goes without saying that the goal of even-handedness is more analogous to a trial by ambush when you really consider the rules. But advocates of restricted discovery in the criminal context contend that the “beyond a reasonable doubt” standard of proof in criminal proceedings would be impossible to reach if the prosecutors were to disclose their information to defendants up front.

It is quite the conundrum. One might argue that it is only fair to ensure that all defendants be provided with the same information as a civil defendant to ensure justice is served.

Footnote 1. A crime that provides a possible incarceration of a year or more in the federal system is a felony, regardless of actual jail time.

For more information on healthcare fraud litigation, please contact Linda at 781-272-8001.


How to respond to patient information requests

A common scene: Law enforcement has entered your building and is demanding lab records on your patient. Common question: Do you release or not release? This issue can come up in just about any healthcare setting. Each situation is so fact specific that simple guidelines do not necessarily apply, but don’t just hand over records to law enforcement. Procedural due process requirements exist that must be met, and law enforcement must show they have the authority to obtain the records. Still, it is not uncommon for a healthcare worker to be threatened with immediate arrest for failure to comply.

Whether you are a covered entity (CE) or a business associate (BA), a clear understanding of when to release and when to deny or require patient consent or a court order is crucial. This issue continues to be misunderstood by law enforcement agents and can be intimidating to providers, despite the governing Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), federal (alcohol/drug abuse) and state (mental health) laws.

Law enforcement’s mission to “investigate/solve” a crime can often cause confusion and obscure the hospital’s need to protect a patient’s protected health information (PHI). Disclosure in these circumstances is hard to contain because the law enforcement agent may go directly to a patient care area and ask the unit staff for access, bypassing health information management staff who know the laws, thereby exposing the organization to an unauthorized disclosure and HIPAA breach.

Under 45 CFR 164.512(f) of the HIPAA Privacy Rule, disclosure of PHI to law enforcement agents (police, probation/parole officer, detective) requires written patient consent or a court order issued by a judicial officer, except in the following circumstances:

  • A valid court order, warrant, subpoena, or administrative process. (45 CFR § 164.512(f)(1)(ii)).
  • To avert imminent harm that threatens the health or safety of an individual or the public (45 CFR § 164.512(j)(1)(i)).
  • As required by law such as reporting child or adult abuse or neglect, injuries from gunshots or criminal activity, etc. (45 CFR § 164.512(a), (f)(1)(i); see also § 164.512(b)(1)(ii) (child abuse) and § 164.512(c) (adult/elder abuse)).
  • To help identify or locate a suspect, fugitive, material witness or missing person, disclosing only limited information (45 CFR § 164.512(f)(2)). The disclosure must be in response to a request from law enforcement, which may include a response to a “wanted” poster or bulletin.
  • Victim of a crime (45 CFR § 164.512(f)(3)).
  • Death resulting from a crime (45 CFR § 164.512(f)(4)).
  • Crime on premises (45 CFR § 164.512(f)(5)).
  • Crime away from premises (45 CFR § 164.512(f)(6)).
  • Report by victim (45 CFR § 164.502(j)(2)).
  • Admission of violent crime (45 CFR § 164.512(j)(1)(ii)(A), (j)(2)-(3)).
  • To locate a known fugitive (45 CFR § 164.512(j)(1)(ii)(B)).
  • Prisoners (45 CFR § 164.512(k)(5)).
  • Medical examiners and coroners (45 CFR § 164.512(g)(1)).

The PHI that may be disclosed in each of these circumstances is limited to the minimum necessary (name/address, DOB, SS#, blood type, type of injury, date/time of treatment or death, description of distinguishing physical characteristics) to address the issue.

The health care entity must exercise due diligence in ensuring both the officer and the request for information are legitimate, and must file a copy of all paperwork provided in the patient’s medical record to document all actions taken in compliance with the request. As a best practice, refer such requests for internal legal review to validate the proper procedure to follow. Finally, the nuances of this particular issue speak to the need for CEs to provide continuous education for all hospital workers specific to the process for releasing PHI.

Common requests for PHI without patient consent or court order:
  • Blood/alcohol level
    • No. Require a court order; there is no material harm to the case.
  • Detective brings a subpoena issued/signed by the police chief for access to the “alleged perpetrator’s” medical record.
    • Do not release without an order issued by a judicial/court officer or the patient’s consent.
  • State Police want to review the behavioral health medical record of a patient to determine if the patient was competent at the time of the “alleged” crime before charging for the crime.
    • Do not release. This is a “material issue” that must be decided by the MD and the courts (unless a “competent” patient provides consent).

Footnote 1. A CE providing emergency health care in response to a medical emergency, other than such emergency on the premises of the CE, may disclose protected health information to law enforcement if necessary to alert law enforcement to the commission and nature of a crime, the location of such crime or of the victim(s) of such crime, and the identity, description, and location of the perpetrator of such crime.

For more information on protected health information, please contact Linda at 781-272-8001.


Where do personal health information and biometric facial recognition technology intersect? At first blush, there is no obvious connection between biometric facial recognition (FR) and personal health information (PHI). So aside from the run of the mill individual privacy concerns, it seems a stretch to consider an image of our face with FR as a potential threat to the privacy of our PHI. Let’s be honest, the benefits abound with FR. It can help law enforcement fight crime, locate a criminal in public, and even find missing children, in turn providing us all with a better sense of safety, right?

But there is another up and coming technology that is capable of taking FR to the next level called Artificial Intelligence (AI). The intersection of FR and AI represent a real threat to PHI because it does not stop at individual privacy concerns but creeps into the healthcare realm by collecting biometric data about our personalities, personal preferences, locations, patterns and behaviors and matching it to our simple facial images thereby inferring our characteristics and behaviors. Over time, this technology can learn our habits, age, address and even our diseases.

In the US, this technology is evolving faster than the law. Unlike Europe, which is regulated by the General Data Protection Regulation (GDPR) enacted in May 2018, federal law in the US falls short, with no legislation on the horizon in the near future. Consequently, it is up to the states to enact their own regulatory policy, and only three have existing laws: Illinois, Texas and Washington.

We are in the midst of the next technological revolution, and biometric FR is one technology that is likely to spark a great deal of attention from consumers, advocates, legislators and corporations to reframe privacy laws in the US and address this threat to privacy. Over the course of the next half-decade, there will surely be much more state level regulation. At this stage, only four other states are considering adopting regulations similar to Illinois, Texas and Washington including Alaska, Connecticut, Montana and New Hampshire.

Let us know where you see technology evolving faster than the law. For more information on artificial intelligence and privacy, please contact Linda at 781-272-8001.



Issues RFI Regarding the Anti-Kickback Statute and Beneficiary Inducements

On August 20, 2018, Inspector General Daniel R. Levinson, from the Office of Inspector General (OIG), HHS issued a request for information (RFI) seeking input from the public on how to address any regulatory provisions that may act as barriers to coordinated care or value-based care.

The OIG is seeking to identify ways in which it might modify safe harbors to the anti-kickback statute and exceptions to the beneficiary inducements civil monetary penalty (CMP) definition of remuneration to support arrangements promoting care coordination, advance the delivery of value-based care, and protect against harms caused by fraud and abuse. The RFI reports that the OIG has identified the broad reach of the anti-kickback statute and beneficiary inducements CMP as a potential impediment to beneficial arrangements that would advance coordinated care.

In particular, the OIG’s detailed RFI poses specific questions in several areas, including: value-based care arrangements; whether safe harbors to the anti-kickback statute or exceptions to the definition of “remuneration” under the beneficiary inducements CMP may be necessary to protect such arrangements; and how “value” should be defined and used in a safe harbor or exception such that OIG could evaluate “value” within an arrangement to determine compliance with the safe harbor or exception, among others.

Comments must be submitted no later than 5 p.m. on October 26, 2018, and must refer to file code OIG-0803-N. Comments may be submitted in one of three ways:

1. Electronically. You may submit electronic comments on this regulation to http:// Follow the “Submit a comment” instructions.

2. By regular, express, or overnight mail. You may send written comments to the following address: Susan Edwards, Office of Inspector General, Department of Health and Human Services, Attention: OIG-0803-N, Room 5513, Cohen Building, 330 Independence Avenue SW, Washington, DC 20201.

3. By hand or courier. If you prefer, you may deliver your written comments by hand or courier before the close of the comment period to: Susan Edwards, Office of Inspector General, Department of Health and Human Services, Attention: OIG-0803-N, Room 5513, Cohen Building, 330 Independence Avenue SW, Washington, DC 20201.

For more information on Medicare issues, please contact Linda at 781-272-8001.

Proposed Policy, Payment, and Quality Provisions Changes to the Medicare Physician Fee Schedule for Calendar Year 2019

In line with its commitment to the Patients Over Paperwork initiative, the Centers for Medicare & Medicaid Services (CMS) is committed to increasing the amount of time a provider spends with a patient by eliminating and/or streamlining some of the E/M documentation and coding requirements. Specifically, CMS proposes the following:

  • Providers may assign a level of service based on “time” or “decision making” rather than the traditional requirements mandated by the 1995 or 1997 E/M Documentation Guidelines.
    • Under this option, “time” is not driven by “counseling” or “coordination of care” (neither even has to occur). Rather, the level is determined by the actual amount of time the physician spends with the patient for any service(s).
    • Providers may determine the level of service based upon the medical decision making required to perform the service. To date, under this option, CMS does not mandate the use of criteria to determine the level of medical decision making, but providers will likely rely on the criteria available in the 1995 and 1997 guidelines. If not, the provider must document the method/reason for the level assignment and be consistent in the use of the criteria. CMS and other regulators will want to see consistent application to justify levels of service upon reimbursement audits.
  • Streamline documentation of the exam and physical by allowing providers to “authenticate” information that hasn’t changed on a previous report, or on a report written by ancillary staff or the patient (after conducting a current patient examination and documentation review). Currently, the provider must re-write the documentation.
    • This will require focused documentation reviews to ensure current data is documented (signed and dated) and readily available (easy to locate) for continued patient care and coding.

For more information on E/M documentation, contact Linda Mancini at 781-272-8001.

The Centers for Medicare & Medicaid Services (CMS) is proposing a “lower level” E/M code to be used for reimbursement of physician virtual visits and reviews of pre-recorded images (which would reimburse a provider’s asynchronous review of “recorded video and/or images captured by a patient in order to evaluate the patient’s condition”) and determine whether or not an office visit is necessary. Video or image reviews are referred to as “store-and-forward” communication technology. The reasons for this proposal include quicker responses to patients, elimination of unnecessary, costly patient office visits and incorporation of technological resources that are available.

Reimbursement for these services is limited to “established” patients who have not been treated by the billing physician or another qualified health care professional within seven days before or after the service provided. The Virtual Visit or Review of Pre-Recorded Images fees will be bundled into the previous/later E/M code for those patients seen within the seven-day windows. In addition, the reimbursement will not be offered for the discussion of test results ordered by the physician or other health care professional.

CMS anticipates many questions pertinent to the proposal, such as how to document the service, what the best technology is, whether pre-recorded imaging should be expanded to new patients, patient consent, and limits on the number of times it can be used. It is unclear how a clinician will determine that a patient was seen seven days before or after the virtual visit by “another qualified healthcare professional”. Clearly, the physician office and/or health care facility would need the capability and resources to maintain such vigilance.

Input/Comments are due by 5 p.m. on September 10, 2018. CMS is soliciting comments on the proposed rule until then. Anyone may submit comments, anonymously or otherwise, via electronic submission, or via regular or express overnight mail to Centers for Medicare & Medicaid Services, Department of Health and Human Services, Attention: CMS-1693-P, P.O. Box 8016, Baltimore, MD 21244-8016 (for regular mail); or Centers for Medicare & Medicaid Services, Department of Health and Human Services, Attention: CMS-1693-P, Mail Stop C4-26-05, 7500 Security Boulevard, Baltimore, MD 21244-1850 (for express overnight mail).

On June 20, 2018, the Centers for Medicare & Medicaid Services (CMS) issued a request for information (RFI) inviting comments and input regarding the physician self-referral law (the “Stark Law”). CMS has advised that it welcomes comments in order to assist with CMS’ “efforts to assess and address the impact and burden of the physician self-referral law, including whether and, if so, how it may prevent or inhibit care coordination.”

The RFI contains twenty (20) specific areas in which CMS is seeking public input, including comments regarding alternative payment arrangement models, the integration and coordination of care arrangements, the exceptions for risk-sharing arrangements, physician incentive plans, remuneration unrelated to DHS and certain existing concepts/definitions already contained in the Stark Law.

In addition, CMS has asked for comments regarding studies that would assess the effect of the Stark Law on the healthcare industry, the compliance costs for parties regulated by the Stark Law, and whether CMS should measure the effectiveness of the physician self-referral law in preventing unnecessary utilization and other forms of program abuse relative to the cost burden.

The deadline for comments is no later than 5 p.m. on August 24, 2018.

Please contact Linda Mancini with questions or concerns related to the Stark Law and other compliance issues.

A recent Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy and Security Rules ruling in Houston, Texas, against MD Anderson Cancer Center underscores the importance of not just developing, but also following, established rules, policies and procedures. The lack of policies and procedures is always problematic, but often the failure to follow existing ones can lead to higher penalties or, even worse, serve as a pretext for an inference of misconduct. (See: Norris v. City of Millbrook, Case No. 2:11-cv-051-MEF (WO)).

In Norris, the court found a reasonable juror could conclude that an employer’s failure to abide by its own misconduct policies and procedures could demonstrate pretext for misconduct, and the court found the employer liable for discrimination on this basis.

In MD Anderson, the judge ruled in favor of the Office of Civil Rights (OCR), requiring the cancer center to pay $4.3 million in penalties for violating the HIPAA Privacy and Security Rules. The judgement was a result of the theft of an unencrypted laptop from the home of an MD Anderson employee and the loss of two unencrypted universal serial bus (USB) thumb drives containing unencrypted protected health information (PHI) of over 33,500 individuals, in 2012 and 2013 respectively. MD Anderson had policies in place requiring device encryption and prohibiting employees from removing devices from the facility unless they were encrypted. But before MD Anderson completed the encryption process, three unencrypted devices containing PHI were lost or stolen after being transported off the premises by an employee. Although the employee failed to follow policy, the outcome of these data losses would likely have been much different if MD Anderson had not failed to follow through on its own policy to encrypt its devices.

The judge stated in his decision, “…failure by Respondent to take the security measures that it had identified as necessary renders irrelevant the issue of whether employees were playing by the rules, because that failure created a risk whether or not Respondent’s employees did so.” OCR investigated and found that MD Anderson had encryption policies in place but failed to follow its own policies. Despite the policies and procedures, it took another five years for MD Anderson to adopt an enterprise-wide solution to implement encryption of electronic PHI, and even then it failed to implement encryption technology on all of its vulnerable devices.

The $4.3 million reflects penalties for each day of MD Anderson’s non-compliance with HIPAA and for each record of an individual breached. This is the fourth highest ruling in history in OCR’s favor.

For more information on HIPAA, contact Linda at 781-272-8001.