Welcome to this week's edition of the Health Law Update. Topics covered today include:
We hope you find this information helpful. Please contact any member of BakerHostetler's Healthcare Team with questions.
WHAT COVERED ENTITIES AND BUSINESS ASSOCIATES NEED TO DO TO PREPARE FOR THE NEW HIPAA/HITECH REQUIREMENTS
The U.S. Department of Health and Human Services (HHS) issued, on January 17, 2013, its final omnibus rule modifying the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy and security rules as well as the breach notification rules of the Health Information Technology for Economic and Clinical Health Act (HITECH). The healthcare industry has been waiting for the final rule for more than two and a half years--now that it is here, what do Covered Entities (CEs) and Business Associates (BAs) need to do to prepare for compliance?
Incident Response Plans
To the extent you are a CE who has been waiting for the final rule to implement an incident response plan (IRP), now is the time. An IRP helps the breach response team respond to privacy events by providing them with a roadmap so that a determination can be made as to whether or not a breach has occurred. At a minimum, new and existing plans should incorporate the factors outlined by HHS to be considered: (1) the nature and extent of protected health information (PHI) involved; (2) the unauthorized person who used the PHI or to whom the disclosure was made; (3) whether PHI was actually acquired or viewed; (4) the extent to which the risk to PHI has been mitigated (e.g., assurances from trusted third parties that the information was destroyed).
Policies and Procedures
Breach Analysis Forms
CEs have been utilizing forms that reflect the language of the interim final rule where the focus is on the potential harm to the patient. Also, many CEs have utilized breach analysis forms that depend on a risk rating developed by third parties to assess whether there is a significant risk of harm due to impermissible use or disclosure. The standard has changed and so will the required analysis. A breach is presumed unless the CE can show that there is a low possibility of a compromise. Moreover, HHS has outlined at least four factors that must be considered. (The four factors are listed under Incident Response Plans, supra.)
HHS and the Office for Civil Rights (OCR) expect that healthcare organizations will create a culture of compliance. Raising awareness about the importance of privacy issues through education is just one way to achieve this goal. CEs should consider other opportunities to keep privacy at the top of their employees' minds (e.g., posters, newsletters, committee calls). Just as the Federal Trade Commission (FTC) is promoting Privacy by Design, CEs need to consider ways that privacy awareness can be incorporated into every aspect of patient care and healthcare operations.
Vendor Lists and Vendor Contracts
Vendors remain the cause of a large percentage of breaches that occur; more than a third of all breaches are caused by vendors. Even though BAs now are directly liable, the final rule makes it clear that CEs have an obligation related to appropriately selecting and retaining vendors. Review your vendor lists to see if any vendors should be removed because of issues relating to data security and privacy. Review your contracts to see if language needs to be updated to reflect the final rule.
Risk Assessments and Risk Management Plans
HIPAA requires healthcare organizations to conduct periodic risk assessments and then to address the risks identified in a risk management plan. Now is a good time to review and assess your risks to determine if changes can be made to help avoid breaches. Privacy counsel can be a critical member of this exercise. For example, in some instances, outside counsel can retain the vendor and oversee the project to help maintain the attorney-client privilege. The experience of the privacy counsel, however, is also crucial. Organizations should retain counsel experienced in dozens of OCR investigations who can provide guidance around what OCR is asking for during those investigations. That experience translates into the organization's ability to better identify risk mitigation strategies in response to the vulnerabilities found during the risk assessment.
There are many types of cyber policies being sold to healthcare organizations. Whether or not you have purchased cyber insurance for breach notification, consider seriously the scope of your coverage for regulatory violations and defense of class actions. We predict that OCR and state attorneys general are going to be far more aggressive than in the past. Additionally, due to the changed threshold for breach notification, we may see more class action lawsuits, which are expensive to defend.
Experienced outside privacy counsel is critical for full compliance with the breach notification requirements of the final rule. A breach is now presumed, which means that outside counsel is going to need to help document the reasons why an organization concludes that a breach did not occur.
We are not big proponents of retaining forensics companies prior to a breach occurring because, like lawyers, the strengths amongst forensics firms varies. Therefore, if we are dealing with an issue involving a new malware variant, we may find a forensics vendor who has experience with the variant and is better positioned to assist our client. The final rule, however, is a bit of a game changer, and we are now encouraging clients who do not have insurance to interview a few forensics firms, as the new breach notification rules make it clear that a technically sound and understandable forensics report is critical for supporting determinations that a breach did not occur. For those that have insurance, talk to your broker or carrier about the forensics options and seek recommendations from them as to how the coverage will support you with the changes in the regulations.
The final rule becomes effective on March 26, 2013, but enforcement will not commence until September 23, 2013. This does not mean that organizations do not need to be compliant. OCR has made it clear that civil monetary penalties will be on the rise for HIPAA violations. A culture of compliance is expected, not encouraged.
For more information, please contact Theodore J. Kobus at firstname.lastname@example.org or 212.271.1504, or Lynn Sessions at email@example.com or 713.646.1352.
top of page
JUSTICE DEPARTMENT CLEARS NY HOSPITAL ASSOCIATION GAINSHARING PROGRAM
The U.S. Department of Justice (DOJ) has found no antitrust obstacles to a physician gainsharing program that the Greater New York Hospital Association (GNYHA) plans to offer on a voluntary basis to participating hospitals.
The DOJ responded on January 16, 2013, to a request for a business review letter -- a procedure by which parties ask the DOJ for a review of the antitrust implications of a proposed course of action. If the DOJ sees no problems, it states -- as it did to the GNYHA -- that it has "no present intention to challenge" the plan. That may not sound like a Get Out of Jail Free card, but in practice, the DOJ won't take action against the plan if it operates as advertised. (The FTC has a similar procedure.)
Although the details of the program are complex, its essential element is to provide hospitals with a mechanism to reward physicians who perform well when measured by the "Best Practice Norms" that the program will develop. The program will help individual hospitals measure how individual physicians reduce costs while maintaining or improving quality of care. The program will then enable hospitals to make incentive payments that give physicians a portion of the cost savings that they enable their hospitals to achieve.
The DOJ considered two potential antitrust issues connected with the program. First, it found that the program would not coordinate or standardize hospital compensation to physicians. Second, the DOJ concluded that the program would not reduce competition by facilitating anticompetitive information exchanges among participants. The DOJ took into account program features to prevent fraud and abuse, but made clear that it was reviewing the program solely for antitrust issues, not its compliance with fraud and abuse laws and regulations.
For more information, please contact Lee H. Simowitz, firstname.lastname@example.org, or 202.861.1608.
top of page
NLRB UPSETS A GENERATION OF EMPLOYER PRACTICE DEVELOPED TO PREVENT AND REMEDY MISCONDUCT IN THE WORKPLACE
Much has been written about how in 2012 the National Labor Relations Board (NLRB) took aim at employer efforts to address tools of the new millennium - social media such as Facebook and Twitter. Less ink has been spent addressing NLRB decisions over some "old-school" employer policies, such as policies designed to prevent or remedy workplace harassment or violence.
Federal and state laws prohibiting unlawful harassment, and requiring that employers maintain a safe workplace, impose dual obligations on employers: Employers must both remedy and prevent such misconduct. For more than a generation, employers have used workplace policies, typically described in employee handbooks, and workplace investigations to ensure compliance with these obligations. A spate of recent decisions addressing workplace policies prohibiting bullying and harassment and the confidentiality of workplace investigations may cause employers to rethink these practices. Confidentiality protects the privacy rights of employees directly affected by a workplace investigation - both the complaining employees and the subjects of investigations.
Confidentiality also ensures the efficacy of investigations, preventing witnesses from conspiring to make false statements, and protecting cooperating witnesses from coercion. In 2011, the NLRB determined that a practice of administering oral confidentiality admonitions to employees violates their rights to engage in protected concerted activity under Section 7 of the National Labor Relations Act (NLRA). Hyundai America Shipping Agency, Inc., 357 NLRB No. 80.
In the fall of 2012, Administrative Law Judge Clifford Anderson similarly found that language in a handbook telling employees that they are "expected to maintain confidentiality" in workplace investigations also ran afoul of the NLRA. Judge Anderson affirmed that even though an employer may have a legitimate interest in preserving the confidentiality of investigations, this interest must be balanced against employees' rights to discuss their terms and conditions of employment.
Finally, on December 15, 2012, in a decision affecting unionized employers, the NLRB overturned 35 years of established precedent, deciding that witness statements given to employers investigating workplace misconduct are no longer protected from disclosure to the union under a bright line rule. Rather, the employer will need to show that its need for confidentiality outweighs the union's need for the information. American Baptist Homes of the West d/b/a Piedmont Gardens and Service Employees International Union, 359 NLRB No. 46.
Employers seeking to comply with these decisions should revisit language in their handbooks and harassment policies that call for employees to observe confidentiality in all investigations. Employers also may need to make specific findings to support confidentiality admonitions and incorporate them into investigative reports. This likely will add to the scope and length of investigations.
Policies Prohibiting Harassment
Most employers have policies prohibiting harassment and/or bullying, and some employers have adopted a "zero tolerance" stance with respect to this type of behavior in the workplace. In Hispanics United of Buffalo, Inc. and Carlos Ortiz, 359 NLRB No. 37 (Dec. 14, 2012), the NLRB found that an employer violated employee rights under the NLRA when it terminated several employees for violating just such a policy. Of particular note in the NLRB's decision was the statement that the employer could not apply its policy "'without reference to Board law.'" That is, even the legitimate managerial concern - preventing harassment - could not justify a policy that discouraged protected concerted activity when an employee subjectively felt bullied or harassed. Rather, the employer must be able to show objective evidence of harassment or bullying, under NLRB standards, which tend to tolerate more rough and tumble interactions among employees.
In two footnotes, the NLRB attempted to make its decision appear more reasonable. The employer contended that the speech that led to the employees' discipline was not protected. As such, the NLRB observed that it was not required to determine whether employee misconduct, such as threats of physical violence, rendered the speech unprotected. This leaves open the prospect that such an analysis could be part of an employer's defense. The NLRB also found that there was no evidence of discriminatory motive in the employees' allegedly harassing or bullying speech.
The difficulty for most employers, however, is that claims of bullying or harassment do not always present themselves in neat, tidy fact patterns. Evidence of discrimination usually is circumstantial, and whether speech or conduct is threatening may be circumstantial, requiring analysis of the workplace environment, the relationship among the parties and other factors. And having to make objective findings will require consideration of NLRB precedent, which may not always be consistent with federal or state law addressing harassment or workplace violence.
Union and non-union employers alike will need to rethink their policies and practices regarding workplace investigations and remedying and preventing workplace harassment or violence. If you have questions about how these decisions may affect your business, please feel free to contact Ellen J. Shadur at email@example.com or 310.442.8816, or any member of the BakerHostetler Employment & Labor Group.
top of page
HOME NOT-SO-SWEET HOME - ANOTHER MEDICAL REPATRIATION CASE
A recent decision by the court of appeals in Iowa has found that Iowa Methodist Medical Center did not falsely imprison two alien patients when it extrajudicially deported them following fulfillment of its EMTALA obligations.
After the patients were stabilized, a hospital social worker located the patients' families in Mexico and informed them of the men's condition. The social worker then worked with the families to establish a discharge plan which included needed long-term rehabilitation services. The social worker was unable to find a facility in Iowa willing to accept them as patients "due to their undocumented status," although both were insured.
The social worker then worked on a plan to repatriate the men to Mexico, after contacting the U.S. Embassy for a list of suitable rehabilitation facilities. The social worker found a hospital in Vera Cruz, Mexico that was willing to accept the men as patients. After securing a treatment facility, the hospital chartered a plane to fly the semi-comatose and mostly unresponsive patients to Vera Cruz. Treatment of the men did not go well in Vera Cruz.
As a result, the patients sued Iowa Methodist alleging it had violated EMTALA and had falsely imprisoned them by transporting them to the hospital in Vera Cruz without their consent. The plaintiffs dismissed their EMTALA claim shortly after a motion for summary judgment was filed.
As to the tort of false imprisonment, the court found that it requires an unlawful restraint on a person's freedom of movement or personal liberty. Thus, the patients must establish: (1) a detention or restraint against their will, and (2) the unlawfulness of the detention or restraint. Consent to the confinement may nullify a claim of false imprisonment.
The patients argued that their confinement occurred during the transfer to Vera Cruz, as it was effected without consent and therefore unlawful. The social worker claimed she reviewed the families' options with them, which included discharging the men to family members or transferring them to a facility in Mexico. The social worker stated both families verbally consented to the transfer to the Vera Cruz facility. The families contested the social worker's statements, contending they were never asked for consent and never gave it.
The families, however, did not protest the patients' transfer to Mexico. The social worker testified she passed on to the families the names of the Mexican facilities received from the U.S. Embassy. The families then narrowed down their choices to two hospitals. The social worker contacted both facilities and reported her conversations with the hospitals to the families, who decided that the Vera Cruz hospital was the best option. The families' participation in the decision-making process was deemed by the court to be an acquiescence or consent to the medical repatriation.
The court then considered whether the confinement was unlawful. A person generally is subject to liability for false imprisonment if: (1) he intends to confine the person; and (2) in fact, directly or indirectly, causes the person to be confined; and (3) the other is conscious of the confinement or is harmed by it. Restatement (Second) of Torts § 35.
The court held that because the patients were not conscious of their confinement, they must prove they were harmed by it. To prove injury, the patients argued they were injured by the inadequate rehabilitative care received in Vera Cruz. The court found that Iowa Methodist was not responsible for injuries that occurred once the men's care was officially taken over by the hospital in Vera Cruz. The court found that Iowa Methodist more than adequately met its duty of care when it successfully transferred them in stable condition to a care facility that provided all the services these men medically required.
While the outcome in this case was favorable to the hospital, care must be taken in extrajudicial repatriations to assure that consent or, at least acquiescence, is obtained and reasonable processes are followed.
For more information, please contact Robert M. Wolin, firstname.lastname@example.org or 713.646.1327.
top of page
Houston partner Donna S. Clark will speak on "Integrating Community Physicians into the Academic Medical Center" at the Legal Issues Affecting Academic Medical Centers and Other Teaching Institutions conference sponsored by the American Health Lawyers Association in Washington, D.C.
Cleveland Partner, Christopher J. Swift, will speak on "Healthcare Industry-Under the Microscope-Bringing Sales Tax Issues into Focus" at the 22nd Annual Ohio Tax Conference sponsored by the Ohio Department of Taxation, the Ohio Chamber of Commerce and the Manufacturers' Education Council in Columbus, Ohio.
Houston counsel Gregory S. Saikin will speak on "Identifying Organized Health Care Fraud Rings," at the 15th Annual Fraud Conference sponsored by the Texas Department of Insurance in Austin, Texas.
Cleveland counsel Thomas S. Campanella will speak on "Hot Topics in Healthcare Policy" at the Annual Conference of the North Central Academy of Podiatric Medicine in Cleveland, Ohio.
top of page
Baker & Hostetler LLP publications are intended to inform our clients and other friends of the Firm about current legal developments of general interest. They should not be construed as legal advice, and readers should not act upon the information contained in these publications without professional counsel. The hiring of a lawyer is an important decision that should not be based solely upon advertisements. Before you decide, ask us to send you written information about our qualifications and experience. © 2013 Baker & Hostetler LLP