Where do personal health information and biometric facial recognition technology intersect? At first blush, there is no obvious connection between biometric facial recognition (FR) and personal health information (PHI). So aside from the run-of-the-mill individual privacy concerns, it seems a stretch to consider an image of our face with FR as a potential threat to the privacy of our PHI. Let’s be honest, the benefits of FR abound. It can help law enforcement fight crime, locate a criminal in public, and even find missing children, in turn providing us all with a better sense of safety, right?

But there is another up-and-coming technology that is capable of taking FR to the next level: Artificial Intelligence (AI). The intersection of FR and AI represents a real threat to PHI because it does not stop at individual privacy concerns but creeps into the healthcare realm by collecting biometric data about our personalities, personal preferences, locations, patterns and behaviors, matching it to our simple facial images, and thereby inferring our characteristics and behaviors. Over time, this technology can learn our habits, age, address and even our diseases.

In the US, this technology is evolving faster than the law. Unlike Europe, which is regulated by the General Data Protection Regulation (GDPR) enacted in May 2018, the US has no federal legislation on the horizon in the near future. Consequently, it is up to the states to enact their own regulatory policy, and only three have existing laws: Illinois, Texas and Washington.

We are in the midst of the next technological revolution, and biometric FR is one technology that is likely to spark a great deal of attention from consumers, advocates, legislators and corporations to reframe privacy laws in the US and address this threat to privacy. Over the course of the next half-decade, there will surely be much more state-level regulation. At this stage, only four other states are considering adopting regulations similar to those of Illinois, Texas and Washington: Alaska, Connecticut, Montana and New Hampshire.

Let us know where you see technology evolving faster than the law. For more information on artificial intelligence and privacy, please contact Linda at 781-272-8001.

OIG Issues RFI Regarding the Anti-Kickback Statute and Beneficiary Inducements

On August 20, 2018, Inspector General Daniel R. Levinson of the HHS Office of Inspector General (OIG) issued a request for information (RFI) seeking input from the public on how to address any regulatory provisions that may act as barriers to coordinated care or value-based care.

The OIG is seeking to identify ways in which it might modify safe harbors to the anti-kickback statute and exceptions to the beneficiary inducements civil monetary penalty (CMP) definition of remuneration to support arrangements promoting care coordination, advance the delivery of value-based care, and protect against harms caused by fraud and abuse. The RFI reports that the OIG has identified the broad reach of the anti-kickback statute and beneficiary inducements CMP as a potential impediment to beneficial arrangements that would advance coordinated care.

In particular, the OIG has issued a detailed RFI that includes specific questions in several areas, among them: value-based care arrangements; which safe harbors to the anti-kickback statute or exceptions to the definition of “remuneration” under the beneficiary inducements CMP may be necessary to protect such arrangements; and how “value” should be defined and used in a safe harbor or exception so that OIG could evaluate “value” within an arrangement to determine compliance with the safe harbor or exception.

Comments must be submitted no later than 5 p.m. on October 26, 2018, and must refer to file code OIG-0803-N. Comments may be submitted in one of three ways:

1. Electronically. You may submit electronic comments on this regulation to http://www.regulations.gov. Follow the “Submit a comment” instructions.

2. By regular, express, or overnight mail. You may send written comments to the following address: Susan Edwards, Office of Inspector General, Department of Health and Human Services, Attention: OIG-0803-N, Room 5513, Cohen Building, 330 Independence Avenue SW, Washington, DC 20201.

3. By hand or courier. If you prefer, you may deliver your written comments by hand or courier before the close of the comment period to: Susan Edwards, Office of Inspector General, Department of Health and Human Services, Attention: OIG-0803-N, Room 5513, Cohen Building, 330 Independence Avenue SW, Washington, DC 20201.

For more information on Medicare issues, please contact Linda at 781-272-8001.

Proposed Policy, Payment, and Quality Provisions Changes to the Medicare Physician Fee Schedule for Calendar Year 2019

In line with its Patients Over Paperwork initiative, the Centers for Medicare & Medicaid Services (CMS) is committed to increasing the amount of time a provider spends with a patient by eliminating and/or streamlining some of the E/M documentation and coding requirements. Specifically, CMS proposes the following:

  • Providers may assign a level of service based on “time” or “decision making” rather than the traditional requirements mandated by the 1995 or 1997 E/M Documentation Guidelines.

    • Under this option, “time” is not driven by “counseling” or “coordination of care” (neither even has to occur). Rather, the level is determined by the actual amount of time the physician spends with the patient for any service(s).
    • Providers may determine the level of service based upon the medical decision making required to perform the service. To date, under this option, CMS does not mandate the use of criteria to determine the level of medical decision making, but providers will likely rely on the criteria available in the 1995 and 1997 guidelines. If not, the provider must document the method/reason for the level assignment and be consistent in the use of the criteria. CMS and other regulators will want to see consistent application to justify levels of service upon reimbursement audits.
  • Streamline documentation of the exam and physical by allowing providers to “authenticate” information that hasn’t changed on a previous report, or a report written by ancillary staff or the patient (after conducting a current patient examination and documentation review). Currently, the provider must re-write the documentation.
    • This will require focused documentation reviews to ensure current data is documented (signed and dated) and readily available (easy to locate) for continued patient care and coding.

For more information on E/M documentation, contact Linda Mancini at 781-272-8001.

The Centers for Medicare & Medicaid Services (CMS) is proposing a “lower level” E/M code to be used for reimbursement of physician virtual visits and reviews of pre-recorded images (which would reimburse a provider’s asynchronous review of “recorded video and/or images captured by a patient in order to evaluate the patient’s condition”) and to determine whether or not an office visit is necessary. Video or image reviews are referred to as “store-and-forward” communication technology. The reasons for this proposal include quicker responses to patients, elimination of unnecessary, costly patient office visits, and incorporation of the technological resources that are available.

Reimbursement for these services is limited to “established” patients who have not been treated by the billing physician or another qualified health care professional within seven days before or after the service provided. The Virtual Visit or Review of Pre-Recorded Images fees will be bundled into the previous/later E/M code for those patients seen within the seven-day windows. In addition, the reimbursement will not be offered for the discussion of test results ordered by the physician or other health care professional.

CMS anticipates many questions pertinent to the proposal, such as how to document the service, what the best technology is, whether pre-recorded image review should be expanded to new patients, patient consent, and limitations on the number of times it can be used. It is unclear how a clinician will determine that a patient was seen seven days before or after the virtual visit by “another qualified healthcare professional”. Clearly, the physician’s office and/or health care facility would need the capability and resources to maintain such vigilance.

Input/comments are due by 5 p.m. on September 10, 2018: CMS is soliciting comments on the proposed rule until that deadline. Anyone may submit comments, anonymously or otherwise, via electronic submission, or via regular or express overnight mail to Centers for Medicare & Medicaid Services, Department of Health and Human Services, Attention: CMS-1693-P, P.O. Box 8016, Baltimore, MD 21244-8016 (for regular mail); or Centers for Medicare & Medicaid Services, Department of Health and Human Services, Attention: CMS-1693-P, Mail Stop C4-26-05, 7500 Security Boulevard, Baltimore, MD 21244-1850 (for express overnight mail).

On June 20, 2018, the Centers for Medicare & Medicaid Services (CMS) issued a request for information (RFI) inviting comments and input regarding the physician self-referral law (the “Stark Law”). CMS has advised that it welcomes comments to assist with CMS’ “efforts to assess and address the impact and burden of the physician self-referral law, including whether and, if so, how it may prevent or inhibit care coordination.”

The RFI contains twenty (20) specific areas in which CMS is seeking public input, including comments regarding alternative payment arrangement models, the integration and coordination of care arrangements, the exceptions for risk-sharing arrangements, physician incentive plans, remuneration unrelated to DHS and certain existing concepts/definitions already contained in the Stark Law.

In addition, CMS has asked for comments regarding studies that would assess the effect of the Stark Law on the healthcare industry, the compliance costs for parties regulated by the Stark Law, and whether CMS should measure the effectiveness of the physician self-referral law in preventing unnecessary utilization and other forms of program abuse relative to the cost burden.

Comments are due no later than 5 p.m. on August 24, 2018.

Please contact Linda Mancini with questions or concerns related to the Stark Law and other compliance issues.

A recent ruling under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy and Security Rules in Houston, Texas, against MD Anderson Cancer Center underscores the importance of not just developing, but following, established rules, policies and procedures. The lack of policies and procedures is always problematic, but often the failure to follow existing ones can lead to higher penalties or, even worse, a pretext for an inference of misconduct. (See: Norris v. City of Millbrook, Case No. 2:11-cv-051-MEF (WO)).

In Norris, the court found that a reasonable juror could conclude that an employer’s failure to abide by its own misconduct policies and procedures could demonstrate pretext for misconduct, and the court found the employer liable for discrimination on this basis.

In MD Anderson, the judge ruled in favor of the Office of Civil Rights (OCR), requiring the cancer center to pay $4.3 million in penalties for violating the HIPAA Privacy and Security Rules. The judgment was a result of the theft of an unencrypted laptop from the home of an MD Anderson employee and the loss of two unencrypted universal serial bus (USB) thumb drives containing unencrypted protected health information (PHI) of over 33,500 individuals, in 2012 and 2013 respectively. MD Anderson had policies in place requiring device encryption and prohibiting employees from removing devices from the facility unless they were encrypted. But before MD Anderson completed the encryption process, a theft of three unencrypted devices containing PHI occurred after they were transported off the premises by an employee. Although the employee failed to follow policy, the outcome of these data losses would likely have been much different if MD Anderson hadn’t failed to follow through on its own policy to encrypt its devices.

The judge stated in his decision, “…failure by Respondent to take the security measures that it had identified as necessary renders irrelevant the issue of whether employees were playing by the rules, because that failure created a risk whether or not Respondent’s employees did so.” OCR investigated and found that MD Anderson had encryption policies in place but failed to follow its own policies. Despite those policies and procedures, it took another five years for MD Anderson to adopt an enterprise-wide solution to implement encryption of electronic PHI, and even then it failed to implement encryption technology on all of its vulnerable devices.

The $4.3 million reflects penalties for each day of MD Anderson’s non-compliance with HIPAA and for each individual’s record breached. This is the fourth highest ruling in history in OCR’s favor.

For more information on HIPAA, contact Linda at 781-272-8001.

A Massachusetts Rogers Order, more formally known as a Rogers Guardianship Order, is an order issued by the court allowing a healthcare provider to treat a mental health patient with extraordinary treatment. Extraordinary medical treatment includes the administration of antipsychotic medication, sterilization, abortion, electroconvulsive therapy, psychosurgery and removal of artificial maintenance of nutrition or hydration, as well as some other treatments and procedures. But the most common Rogers Order is issued for the administration of antipsychotic medications.

The order issued by the court is referred to as substituted judgment. Many view court intervention and the substituted judgment process as a form of forced treatment. But the judicial view and intent of this process is that it is more about informed consent than forced treatment.

Factors that the court considers include:

  1. Previous express statements from the patient about what they would want in this situation if it ever arose. A health care proxy would fit into this category;
  2. Religious convictions;
  3. Financial burden;
  4. Adverse effects of the medication;
  5. Impact of the decision on the person’s family;
  6. Prognosis for the person with and without treatment;
  7. Other issues such as a patient who has a concurrent criminal action and wants to testify without being on these medications.

Rogers Orders originated out of the case Rogers v. Commissioner of the Department of Mental Health, 390 Mass. 489 (1983), which put specific rules in place to ensure that each patient’s rights were fully considered under a heightened preponderance of the evidence standard. In order for the court to issue the order, it must first be shown that the patient is in fact incompetent. Since an incompetent person cannot legally give informed consent, the court steps in and makes the decision in that person’s place. In doing so, the court takes into consideration the “totality of the circumstances” and decides based upon whether the patient would make such a decision to take a medication to alleviate personal illness if they were mentally competent to make the decision for themselves.

For more information on Rogers orders, contact Linda at 781-272-8001.

How compliant is your organization on a Scale of 1 to 5?

The Office of Civil Rights (OCR) has been conducting desk audits using a compliance rating tool on a scale of one to five, whereby 1 equals good, 3 equals fail, and 5 equals epic fail on compliance.

In 2016, two thirds of covered entities (CEs) and business associates (BAs) received a failing score following desk audits conducted by the Office of Civil Rights (OCR). Ninety percent of these CEs were found to lack an adequate risk analysis. Even worse, 94 percent were found to lack an adequate privacy and security risk management program. Investigators are going to use the desk audit protocol for the next round of investigations.

The audit protocol was a performance-based tool, causing tremendous variance between 2012 and 2016 (2012 was good). In 2016, CEs and BAs weren’t prepared to provide the documentation required by auditors. OCR was not very objective in its approach: auditors were reported as being rigid rather than reasonable and appropriate given the size and complexity of the organizations audited. Results were not helpful in demonstrating how CEs and BAs were or were not adhering to the rule, but sanctions were issued nonetheless.

One organization did provide the HIPAA-related documents that OCR requested, but the documentation did not prove that they had safeguards to adequately protect PHI.

OCR presented the following after reviewing this practice’s documentation:

  • Did not provide an analysis of currently implemented security measures.
  • Did not provide adequate evidence that it has conducted accurate and thorough assessments of the potential risks and vulnerabilities to PHI.
  • Did not demonstrate that the results were made available to those individuals with Risk Analysis responsibilities.
  • Did not provide policies and procedures that demonstrate it has a Risk Management process sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
  • Did not identify what is considered an acceptable level of risk based on management approval.
  • Does not specifically address the workforce members’ roles in the Risk Management process.
  • Did not provide evidence that its policies were in place and enforced six years ago.

In summary, the OCR stated:

“Failure to fully implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level could leave electronic protected health information susceptible to unauthorized use and/or disclosure.”

For more information on HIPAA audits, contact Linda at 781-272-8001.

Under which type of disaster can HIPAA privacy rule be waived?

In the wake of the Las Vegas massacre, you may expect that the Department of Health and Human Services (HHS) would waive Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule requirements as it did during the hurricanes. Not so much this time.

That is primarily because this was a “man-made” disaster. Why the distinction? Because the HIPAA Privacy Rule already allows information disclosure in certain cases, such as when public safety is threatened, and because there has been no declaration of a public health emergency, HIPAA waivers have not been necessary in this case.

What about law enforcement? Do keep in mind that disclosures to law enforcement during ongoing investigations are permitted, but only under some narrowly defined circumstances. Be sure to be hypervigilant when disclosing protected health information (PHI), because HIPAA privacy notices are still required, as is due care in responding to requests for patient information from family, friends, the media, etc.

For more information on HIPAA privacy waivers, contact Linda at 781-272-8001.

In preparation for severe disasters, the Secretary of HHS declares a public safety emergency and issues a limited waiver of Health Insurance Portability and Accountability Act (“HIPAA”) sanctions and penalties, enabling hospitals to share information to assist in disaster relief efforts and ensure that patients receive the care they need.

A waiver of this type only applies:

  1. in the emergency area and for the emergency period identified in the public health emergency declaration;
  2. to hospitals that have instituted a disaster protocol; and
  3. for up to 72 hours from the time the hospital implements its disaster protocol.

Following the President’s disaster declaration in response to Hurricane Harvey’s approach, the Secretary exempted covered hospitals from incurring sanctions and penalties if they violate certain provisions of the HIPAA Privacy Rule. Upon termination of the declaration of emergency, the waiver lapses and hospitals must strictly comply with all HIPAA requirements for all patients still under care, even if 72 hours have not passed. In addition to natural disasters, there are other specific conditions under which hospitals may be allowed to share patient information. Covered entities must continue to protect patient information during emergency situations and must make reasonable efforts to limit the information they share to the “minimum necessary” to accomplish the purpose sought.

For more information on HIPAA privacy waivers, contact Linda at 781-272-8001.