Health law is the federal, state, and local law, rules, regulations and other jurisprudence among providers, payers and vendors to the healthcare industry and its patient and delivery of health care services; all with an emphasis on operations, regulatory and transactional legal issues.
Pharmacies using automated dialers for prescription refill reminders and relying on the statutory prescription refill reminder exemption to the TCPA’s prohibition on the use of automated dialing equipment as an impenetrable blanket against liability need to think again.
The case of Smith v. Rite Aid Corporation, 2018 WL 5828693 (W.D.N.Y. Nov. 7, 2018), revolves around a Rite Aid pharmacy’s use of a prescription refill reminder program to contact a patient to pick up a prescription. The pharmacy placed several calls per week intended to remind the patient to come into the store to pick up their prescription. However, an innocent bystander instead of the intended recipient of the mediation received the calls; either due to error in taking the phone number down or a due to the number being reassigned (which happens to thousands of numbers on a daily basis!). The unintended recipient of the multiple prescription refill reminder calls filed a class action lawsuit under the federal Telephone Consumer Protection Act (“TCPA”), which provides for statutory penalties of $500-$1,500, per call. read more
It has been a busy autumn for the enforcement of health care privacy rights. Recent activities range from settling the claim for the largest HIPAA violation in US history, to penalties imposed for filming TV shows, to actions initiated by state governments. All of these actions confirm the serious position taken by regulators nationwide to protect the privacy of protected health information (PHI).
The Big One
On October 15, 2018, Anthem, Inc., an independent licensee of Blue Cross, paid $16 million to settle its claim with the HHS Office of Civil Rights (OCR), for a breach that compromised the PHI of 79 million people. This was the largest reported breach in history. The PHI breach occurred in 2015, when hackers initiated a “spearfishing” attack via fraudulent emails. The government found that Anthem lacked appropriate information system procedures to identify and respond to security breaches, and minimum access controls to stop these kinds of attacks.
In addition to the financial penalty, Anthem agreed to a corrective action plan, in which it agreed to perform a risk analysis, and incorporate the results of the analysis into its existing processes, in order to achieve a “reasonable and appropriate level” of HIPAA compliance.
This settlement is in addition to the $115 million settlement Anthem reached last year with the victims of the breach. read more
The concept of gainsharing in the health care industry has been around for decades. Under a typical gainsharing program, a hospital and participating physicians will develop a cost-savings plan in relation to a specific procedure or service line. As the savings are realized, the hospital will then share a portion of the measurable savings with those physicians. The goal of gainsharing has always been to align physician and hospital interests, in order to improve the quality and efficiency of clinical care.
Gainsharing has not always been viewed favorably by the government. In fact, in a 1999 Special Advisory Bulletin, the Office of Inspector General (OIG) took the position that gainsharing arrangements violated the law, and that the payments could even constitute kickbacks to the participating physicians. Since then, the government has not backed off its position that gainsharing programs might violate the law. However, the OIG has also determined that it would not seek sanctions in a growing number of gainsharing arrangements. read more
Not too long ago, when something would go wrong in a hospital, a patient’s medical record might note the facts of what had happened (“Mrs. Jones was found on the floor of her hospital room with a swollen wrist. An x-ray revealed a wrist fracture.”), while the hospital’s incident report would analyze why it happened in order to prevent further harm (“Orderly Green forgot to raise the guardrails on Mrs. Jones’ bed. Mrs. Jones fell out of her bed as a result of the displaced guardrail. Let’s put in place a policy that all guardrails must be raised if an orderly steps more than three feet from a patient’s bed.”). Should Mrs. Jones decide to sue the hospital, she and her attorney would have access to the medical record, but not necessarily the incident report.
Incident reports like the one mentioned above have long been meant as a learning tool for facilities to analyze unfortunate occurrences on their premises and learn from their mistakes to prevent future harm. However, these reports often contain admissions of fault, or near admissions of fault. So how can a hospital balance its need to improve on past practices without opening itself to a mountain of liability? Florida’s state laws seemingly contrast with Federal laws. read more