Telemedicine Credentialing and Privileging Protecting Patient - - PowerPoint PPT Presentation

Presenting a live 90‐minute webinar with interactive Q&A

Telemedicine Credentialing and Privileging

Protecting Patient Privacy, Avoiding Fraud and Abuse Liability, Ensuring Quality Care

T d ’ f l f

1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific WEDNES DAY, AUGUS T 21, 2013

Today’s faculty features:

S arah E. S wank, Principal, Ober | Kaler, Washington, D.C. Kelley Evans, S enior Counsel, Dignity Health, Rancho Cordova, Calif.

• C. Elizabeth O'Keeffe, Associate General Counsel, University of Mississippi Medical Center, Jackson, Miss.
• C. Elizabeth OKeeffe, Associate General Counsel, University of Mississippi Medical Center, Jackson, Miss.

The audio portion of the conference may be accessed via the telephone or by using your computer's

• speakers. Please refer to the instructions emailed to registrants for additional information. If you

have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.

Tips for Optimal Quality

S d Q lit S

• und Quality

If you are listening via your computer speakers, please note that the quality of your sound will vary depending on the speed and quality of your internet connection. If the sound quality is not satisfactory and you are listening via your computer speakers, you may listen via the phone: dial 1-866-258-2056 and enter your PIN when prompted Otherwise please send us a chat or e mail when prompted. Otherwise, please send us a chat or e-mail sound@ straffordpub.com immediately so we can address the problem. If you dialed in and have any difficulties during the call, press *0 for assistance.

Viewing Qualit y

To maximize your screen, press the F11 key on your keyboard. To exit full screen, press the F11 key again press the F11 key again.

Continuing Education Credits

FOR LIVE EVENT ONLY

For CLE purposes, please let us know how many people are listening at your location by completing each of the following steps:

• In the chat box, type (1) your company name and (2) the number of

attendees at your location attendees at your location

• Click the S

END button beside the box If you have purchased S trafford CLE processing services, you must confirm your participation by completing and submitting an Official Record of Attendance (CLE Form). Y

• u may obtain your CLE form by going to the program page and selecting the

appropriate form in the PROGRAM MATERIALS box at the top right corner. If you'd like to purchase CLE credit processing, it is available for a fee. For additional information about CLE credit processing, go to our website or call us at 1-800-926-7926 ext. 35.

Program Materials

If you have not printed the conference materials for this program, please complete the following steps:

• Click on the + sign next to “ Conference Materials” in the middle of the left-

hand column on your screen hand column on your screen.

• Click on the tab labeled “ Handouts” that appears, and there you will see a

PDF of the slides for today's program.

• Double click on the PDF and a separate page will open.

Double click on the PDF and a separate page will open.

• Print the slides by clicking on the printer icon.

TELEMEDICINE CREDENTIALING TELEMEDICINE CREDENTIALING

AND PRIVILEGING

Protecting Patient Privacy, Avoiding Fraud and Abuse Liability, Ensuring Quality of Care

5

WELCOME WELCOME

Today’s Speakers Introduction Credentialing Implementing a Telemedicine Program  Fraud and Abuse  HIPAA  Other issues to consider

6

TODAY’S SPEAKERS

Sarah E Swank Kelley Evans Sarah E. Swank Principal OBER | KALER Washington DC Kelley Evans Senior Counsel Dignity Health Rancho Cordova CA Washington, DC (202) 326-5003 seswank@ober.com Rancho Cordova, CA Kelley.Evans@DignityHealth.org

• C. Elizabeth O'Keeffe

Associate General Counsel University of Mississippi Medical Center Jackson, Miss. , cokeeffe@umc.edu

7

STRATEGIC PLANNING

 Telemedicine NOT just another service  Telemedicine NOT just another service  Telemedicine a modality to deliver many

types of services yp

 Strategic because:  A tool to determine where and how to provide

i services

 An alternative to brick and mortar  Full service delivery or used to supplement services

y pp already in place

 Show cases expertise

8

STRATEGIC PLANNING

Strategic planning requires:

g p g q

 Assessment of relevant markets and environment  Understanding of competition  Determine areas of clinical services  Determine areas of clinical services

Important for counsel to “be at the table” early

in the planning process p g p

Requires an understanding of strategic

elements of telemedicine and the underlying l l i legal issues

Consider Exit Strategies

9

REASONS FOR THE GROWTH OF TELEMEDICINE

 Advances in technology  Academic medical centers asked to assist other

hospitals

 Mission driven hospitals seek to assist their  Mission driven-hospitals seek to assist their

communities

 Physician shortage, especially in rural areas  Aging patient population and an increase of patients

with chronic diseases

 Current regulatory environment with an emphasis on  Current regulatory environment with an emphasis on

care coordination and shifting care settings

 Global health care

10

TELEMEDICINE PITFALLS

Lack of reimbursement Lack of reimbursement Difficult to oversee and regulate with

expanding technology p g gy

Patient safety issues Potential decrease patient satisfaction Potential decrease patient satisfaction Quality of care and communication Fraud and abuse Fraud and abuse HIPAA/HITECH

11

SO MANY TERMS . . .

Are the following Are the following “telemedicine”?

 Telehealth  Telehealth  Virtual Care  mHealth  mHealth  Social Media

12

E

G S C S

EXPANDING SERVICES

Examples of Telemedicine: Examples of Telemedicine:

 Videoconferencing  Transmission of still images

g

 E-health including patient portals  Remote monitoring of vital signs  Nursing call centers  Tele________ [Fill in the blank]

P ibi

 e-Prescribing

NOTE: Not all of these examples are governed by the CMS telemedicine credentialing rule the CMS telemedicine credentialing rule

13

E S EXPANDING SETTINGS

Variety of practice settings Variety of practice settings

 Academic medical centers (AMCs)  Large hospital systems  Large hospital systems  Health care clinics  Ambulatory Surgery Centers (ASCs)  Ambulatory Surgery Centers (ASCs)  In the home

14

E

G T C O OG

EXPANDING TECHNOLOGY

Technology changes drive expansion and gy g p access to telemedicine, even globally

15

CMS CREDENTIALING RULE

16

OVERVIEW OF CREDENTIALING

The CMS Condition of Participation (CoP)

C C p (C )

• n Telemedicine Credentialing

Written Agreement Accreditation Governance

S ff

Medical Staff

17

CONDITION OF PARTICIPATION (COP)

 Hospital Condition of Participation: Both

p p Hospitals and CAH are permitted to rely upon the credentialing and privileging Decisions made by the distant site hospitals or distant site by the distant-site hospitals or distant-site telemedicine entity

 Effective Date: July 5 2011  Effective Date: July 5, 2011

18

PRIOR JOINT COMMISSION RULE

Required the governing body of the hospital or q g g y p Critical Access Hospitals (“CAH”) to make all privileging decisions based upon the recommendations of its own medical staff after its recommendations of its own medical staff after its medical staff had thoroughly examined and verified the credentials of every single practitioner applying f f for privileges irrespective of whether that practitioner was providing services in person and

• nsite at the hospital or remotely through a

p y g telecommunications system

19

THE JOINT COMMISSION’S REACTION

“The Joint Commission is very pleased that CMS y p has revised its telemedicine requirements to provide more flexibility to hospitals and lessen their regulatory burden This is an especially their regulatory burden. This is an especially positive step for improving access to care for patients in rural areas. Of f Of particular importance is the fact that critical access hospitals will have additional avenues to benefit from the services of particularly skilled p y physicians and practitioners.” Mark Chassin, MD, FACP, MPP, MPH May 6, 2011

20

ACCREDITATION

“Privileging by proxy” for all TJC-

g g y p y accredited hospitals and CAHs

Standards: LD.04.03.09, MS.13.01.01 and

MS 01 01 01 MS.01.01.01

Goals of TJC Standard  Eliminate duplicative credentialing  Concerns over impeding patient access to

health care services

Many agreements already in place under

y g y p the TJC standards

NOTE: Don’t forget the Joint Commission if it NOTE: Don’t forget the Joint Commission if it is your accrediting body.

21

IS IT STREAMLINED?

22

TELEMEDICINE CREDENTIALING RULE

Governing Body Medical Staff

Allows the Governing Body of the hospital to Allows the Medical Staff to rely upon the

Governing Body Medical Staff

Body of the hospital to rely on the Governing Body of the distant site to rely upon the credentialing and privileging decisions hospital to meet requirements made by the distant site hospital for physicians providing telemedicine providing telemedicine services at the distant site hospital

23

WRITTEN AGREEMENT - HOSPITAL

The Governing Body of the distant site hospital will meet the requirements of CoP regarding the distant site physician providing services The distant site hospital is Medicare certified The distant-site practitioner is privileged at the distant-site h i l id d b li f h i i ’ hospital as evidenced by a current list of the practitioner’s privileges provided by the distant-site hospital The distant-site physician holds a license issued or recognized by h S i hi h h h i l h i i i h the State in which the hospital whose patients are receiving the telemedicine services is located The hospital that credentials and privileges the distant-site i i h h i i ’ f i practitioners shares the practitioner’s performance review information with the distant-site hospital

24

WRITTEN AGREEMENT – DSTE

The distant site telemedicine entity (“DSTE”) is a contractor of services to the hospital and furnishes the services so that the hospital can comply with all CoPs for the contracted services The process and standards of the DSTE for assessing the qualifications of its practitioners at least meet those standards set forth in the CoPs The physician at the DSTE is privileged at the DSTE providing h l di i i d h S id h h i l the telemedicine services and the DSTE provides the hospital with a current list of the physician’s privileges at the DSTE The physician at the DSTE holds a license issued or recognized b h i hi h h h i l h i i i by the state in which the hospital whose patients are receiving telemedicine services are located The hospital that credentials and privileges the physician at the DSTE h h h i i ’ f i i f i DSTE shares the physician’s performance review information with the DSTE

25

REPORTING OF INFORMATION

 Minimum required: All adverse events resulting

q g from the telemedicine services and all complaints received about the Hospital, DSTE or physician, as applicable as applicable

26

GOVERNANCE

Governing body Bylaws should be Governing body Bylaws should be

considered

Medical Staff Bylaws revisions must be

y approved

Education for Board on its role and what

it is delegating

Approval of delegation, if applicable, and

agreement with distant site telemedicine entity (DSTE) or hospital

27

MEDICAL STAFF: BYLAWS

Requires revision to Bylaws Requires revision to Bylaws  Address any aspect of Bylaws or policies that

involve the physical presence of a physician

 Meeting requirements  Definition of patient encounters or contacts  Minimum number of contacts or encounters  Minimum number of contacts or encounters  Emergency room coverage

 Describe process and information being relied

upon upon

 Include privilege category

28

MEDICAL STAFF

 Medical Staff Policies

 Physician Health  Corrective Action  Fair Hearing  Disruptive Behavior  Patient Consent

 Impact on:

pact o :

 Department Chiefs  Credentials Committee  Medical Executive Committee

 Required to monitor quality and risk for distant

site practitioner

 How to effectively do so?  Communications with DSTE or hospital

29

MEDICAL STAFF

Medical Staff Policies

 Physician Health  Corrective Action  Fair Hearing  Disruptive Behavior

30

NOTE: Including an exit strategy in the agreement may remove barriers to removal.

THE IMPACT ON THE IMPACT ON HEALTHCARE FACILITIES & PRACTITIONERS

31

IMPLEMENTATION CHECKLIST

Fraud and Abuse HIPAA Other issues and concerns

• Operational Concerns
• Telemedicine Vendors and Technology

I d Li bilit

• Insurance and Liability
• Medical Records
• Licensure Requirements

Licensure Requirements

• Costs and Marketing

32

FRAUD AND ABUSE

Key Questions: Key Questions:  Will the cost of TM equipment be billed by a

federal government payor?

 Will the equipment be provided for free?

33

FRAUD AND ABUSE

 No obligation to refer by local site (customer) to

g y ( ) the distant site (UMMC)

 No additional payment for physicians to provide

TM i ( l h t ld di il b TM services (only what would ordinarily be considered a consultation fee)

 No restrictions on the distant site physicians to  No restrictions on the distant site physicians to

refer outside the distant site

 Customers would be targeted based upon need,

f l not referrals

 Each party is responsible for its own marketing

costs costs

34

FRAUD AND ABUSE

 Expectation of less cost to MC/MA as avoidance

p for admissions

 The cost of the equipment is not billed to a payor  The equipment is used exclusively for the

telemedicine service and it is an integral part of the physician’s use of the service (this requires the physician s use of the service (this requires that the distant site have policies and procedures to ensure that the equipment and services are used only to provide TM services to the local site) used only to provide TM services to the local site). The agreement must represent and warrant that the physicians that use the TM are only using the equipment for TM

35

FRAUD AND ABUSE

 Otherwise, the equipment must meet all the

, q p requirements of the equipment lease safe harbor (and this only protects this remuneration, not the professional or other services) and provided at professional or other services) and provided at FMV.

 Rural providers (rural customers) may be treated

l i l d h AKS b h i i i l more leniently under the AKS, but the initial structure is supported by a grant and the OIG reserved its opinion if the provider would profit p p p from the service beyond the terms of the grant.

36

FRAUD AND ABUSE

See, e.g.,: Advisory Op. 11-12: “The Requestor’s contracted telemedicine service id ld t th R t ’ i t ll provider would, at the Requestor’s expense, install neuro emergency telemedicine technology, including both hardware and software, in the Participating Hospitals’ emergency departments. The telemedicine service provider would provide maintenance, upgrades, technical training, and support services pursuant to a contract between it and the Requestor Central to the services pursuant to a contract between it and the Requestor. Central to the telemedicine technology is a web-enabled stroke treatment consultation and decision support system with integrated audio-visual capabilities (the “Tele- Stroke Application”) that would enable the Requestor’s neurologists, who have extensive training and experience in the treatment of stroke, to consult, in real g p , , time, with the Participating Hospitals’ emergency physicians. Each Participating Hospital would be required to, among other things: (i) enter into, and comply with, an end user license agreement with the telemedicine service provider; (ii) at its

• wn expense, install and maintain the communication links and connectivity

f h l di i h l li k i h h d (iii) necessary for the telemedicine technology to link with the Requestor; and (iii) at its own expense, install and maintain at least one computed tomography (“CT”) scanner capable of transmitting CT scan images to a remote server, thereby permitting the Requestor’s neurologists to view the images remotely. The Requestor has certified that neither it nor any Participating Hospital would Requestor has certified that neither it nor any Participating Hospital would bill any patient or third party payor for the cost of the telemedicine technology.”

37

FRAUD AND ABUSE

Interestingly, an opinion came out recently that addressed a similar issue (Adv. Op. 12-19) in an arrangement(s) between a pharmacy and a community home: “Next, we turn to the second category of functions. While it remains the OIG’s position, as mentioned above, that free or below- k t it d i t th OIG h di ti g i h d market items and services are suspect, the OIG has distinguished between situations in which a provider offers free items and services that are integrally related to that provider’s services, and those that are not. 56 Fed. Reg. 35,952, 35,978 (July 29, 1991) (preamble to g , , , ( y , ) (p the 1991 safe harbor regulations). When the item or service offered can be used only as part of the underlying service being provided, it appears that the free items or services have no independent value apart from the underlying service.

38

FRAUD AND ABUSE

 Upon review of the additional functions within the second

category, we conclude that they would be integrally related to the Requestor’s services, such that they would have no independent value to the Community Homes apart from h i h R id ” H h i i f the services the Requestor provides.” Here, the provision of a free software license was not acceptable to OIG (although the Requestor would be permitted to provide the referral source that had residents who obtained prescription source that had residents who obtained prescription medications from the Requestor with free, limited access to Software Y for each resident receiving his

• r her prescription medications from the Requestor)
• r her prescription medications from the Requestor)

citing long held OIG policy represented below, in a July 3, 1997 Opinion

39

FRAUD AND ABUSE

July 3, 1997 Re: Free Computers, Facsimile Machines and Other Goods whether the provision of free fax machines, free computers and free fax lines by a supplier of transtelephonic monitoring services to physicians who refer patients to such supplier implicates the Medicare and Medicaid antikickback t t t 42 U S C § 1320 7b(b)

• statute. 42 U.S.C. § 1320a-7b(b).

The OIG has stated on numerous occasions its view that the provision of free goods by a seller to an actual or potential referral source can violate the anti-kickback statute depending on the circumstances. For example, with respect to free computers, we

• bserved in the preamble to the 1991 safe harbor regulations:
• bserved in the preamble to the 1991 safe harbor regulations:

"A related issue is the practice of giving away free computers. In some cases the computer can only be used as part of a particular service that is being provided, for example, printing out the results of laboratory tests. In this situation, it appears that the computer has no independent value apart from the service being provided and the computer has no independent value apart from the service being provided and that the purpose of the free computer is not to induce an act prohibited by the statute. . . . In contrast, sometimes the computer that is given away is a regular personal computer, which the physician is free to use for a variety of purposes in addition to receiving test results. In that situation the computer has a definite value to the h i i d d di th i t ll tit t ill l physician, and, depending on the circumstances, may well constitute an illegal inducement." 56 Fed. Reg. 35978 40

FRAUD AND ABUSE

We are aware that many suppliers, not simply transtelephonic monitoring suppliers, are providing various kinds of multi-use equipment to customers pursuant to various written and unwritten various kinds of multi use equipment to customers pursuant to various written and unwritten arrangements, typically with a condition that such equipment is only to be used in connection with their service. However, in determining whether a free or "loaner" computer or fax machine constitutes illegal remuneration, the substance -- not the form -- of the transaction controls and any reasonably foreseeable "misuse” of the equipment implicates the entity providing the equipment as well as the

• user. Simply put, if the equipment is used by the recipient for any purpose other than in connection

with the ordered service, there is potential illegal remuneration and potential liability for both parties to the transaction. Frankly, we are concerned that many of these arrangements are shams. Not only is there often no substantial business need for the equipment, but also there is no attempt to police the arrangement to ensure that the "restrictions" are being followed. While it may theoretically be possible to conceive an arrangement in which such general purpose equipment would have no independent l t th f l i ll h t ith k ti i I ti l i value to the referral source, we view all such arrangements with skepticism. In particular, we examine



• - the criteria used by the supplier of the equipment to determine which customers receive the

equipment;



• - the ownership of the equipment;



the location and access to the equipment at the customer's place of business;



• - the location and access to the equipment at the customer s place of business;



• - the procedures used by the customer and supplier to police unauthorized use of the equipment;



• - the value added to the core service being provided by the additional general purpose equipment;

and



• - the number and extent of similar arrangements with other parties



• - the number and extent of similar arrangements with other parties.

41

FRAUD AND ABUSE

 Finally, we point out that in addition to potential criminal

liability under the anti-kickback statute, there is legal authority that any claim tainted by a kickback arrangement is a "false or fraudulent" claim under the F d l F l Cl i A U S C S Federal False Claims Act, 31 U.S.C. 3729, et seq. See U.S. ex rel. Pogue v. American Healthcorp. Inc., 914 F.

• Supp. 1507 (M.D. Tenn. 1996). Parties to such

arrangements risk exposure not only to the government but arrangements risk exposure not only to the government but also to qui tam suits by their employees and customers' employees.

42

FRAUD AND ABUSE

In OIG Advisory Opinion 12-20 , the OIG determined that a proposed arrangement (the “Proposed Arrangement”) by a

The OIG took the opportunity to note that the Interface access offered under the Proposed Arrangement is a

hospital (the Requestor”) would not constitute grounds for the imposition of sanctions under the Anti-Kickback Statute (“AKS”). Under the Proposed Arrangement, the Requestor would provide free access to an electronic interface (the “Interface”) to all community physicians and physician practices (the “Physicians”) that request it. The Interface would allow the

access offered under the Proposed Arrangement is a contemporary analog to the limited-use computer offered to a physician by a laboratory for purposes of transmitting test results as described in the preamble to the 1991 Safe Harbor Regulations . The OIG notes that the analysis in this Advisory Opinion reflects application of the same

y ) q Physicians to transmit orders for certain laboratory and diagnostic services to be performed by the Requestor and to receive the results of those services. The Interface would only be used to transmit these orders and results. While the Requestor would provide contracted support services necessary to maintain the Interface, the Physicians would be responsible for

underlying principles to the current state of available

• technology. OIG based this determination on its finding

that the free Interface access would be integrally related to the Requestor’s services, and would therefore have no independent value to the Physicians t f th i th R t id Th OIG

, y p all aspects of their own electronic health records systems that would permit them to communicate with the Requestor through the Interface. In its analysis, the OIG reiterated its “longstanding and clear” position that the provision of free or below-market goods or services to actual or potential referral sources are suspect and may violate the AKS depending on the

apart from the services the Requestor provides. The OIG took the opportunity to note that the Interface access

• ffered under the Proposed Arrangement is a

contemporary analog to the limited-use computer offered to a physician by a laboratory for purposes of transmitting test results as described in the preamble to the 1991 Safe

suspect and may violate the AKS depending on the

• circumstances. However, the OIG determined that the free access

to the Interface and the related support services that the Requestor would provide under the Proposed Arrangement would not constitute remuneration to the Physicians under the AKS. The OIG based this determination on its finding that the free Interface access would be integrally related to the

p Harbor Regulations . The OIG notes that the analysis in this Advisory Opinion reflects application of the same underlying principles to the current state of available technology.

Interface access would be integrally related to the Requestor’s services, and would therefore have no independent value to the Physicians apart from the services the Requestor provides.

43

FRAUD AND ABUSE

Therefore, to meet the “integrally related test” (a/k/a the “no independent l ” ) h OTH dd i ddi i h d li value” test) the OTH must address, in addition to the enumerated lists, above, in their business plan:

 the criteria used by the supplier of the equipment to determine which

customers receive the equipment;

 the ownership of the equipment;  the location and access to the equipment at the customer's place of

business;

 the procedures used by the customer and supplier to police unauthorized

use of the equipment;

 the value added to the core service being provided by the additional

general purpose equipment; and general purpose equipment; and

 the number and extent of similar arrangements with other parties.

Even so, the most recent TM advisory opinion (11-12, cited above) is based upon the customer paying some costs related to the technology (probably those least likely to be considered of limited use).

44

Hospital E – Leased Equipment

• TC

Office of

Hospital A– Leased Equipment Hospital D – Owned Equipment

TeleHealth – Distant Site

q p – No TC q p – No TC

Site

Hospital B – Owned Equipment Hospital C – Leased Equipment

• TC
• TC

45

HIPAA HIPAA

Security (first and foremost)

y ( )

Privacy Rule Breaches and Penalties

Mi ll

Miscellaneous  Subpoenas  Law Enforcement  De-identification  Marketing  Sale of PHI  Sale of PHI HITECH  Breach reporting

46

HIPAA applies to “Covered Entities”; State Law can be broader

HIPAA: BACKGROUND

HIPAA Privacy Rule – April 2003 HIPAA Security Rule – April 2005 HITECH Act – February 2009 C ct eb ua y 009

 Breach Notification Interim Final Rule – August 2009

 Enforcement Interim Final Rule – October 2009  GINA NPRM – October 2009  Privacy/Security Rule NPRM – July 2010

FINAL HIPAA OMNIBUS RULE released on January 25 2013 25, 2013

Effective Date: March 26, 2013 Compliance Date: September 23, 2013 (special date for

BA di ti S t b 23 2014)

4 7

BA remediation – September 23, 2014)

47

HIPAA: SECURITY RULE

 Ensure the integrity, confidentiality and availability of the information  Protect against any reasonably anticipated threats or hazards to security

• r integrity of the information

 Protect against any unauthorized use or disclosure of the information

(encryption/firewalls)

 Maintain reasonable and appropriate administrative, physical and

technical safeguards

 Identify a Security Official (separate from a Privacy Official)  Ensure compliance by and training of your workforce  Establish formal policies and develop a Security Plan (use HIPAA  Establish formal policies and develop a Security Plan (use HIPAA

Security Standards as a Table of Contents for the Plan)

 Conduct frequent risk assessments of potential vulnerabilities (NIST)

U ifi d it h ith b ilt i d d i

 Use a unified security approach with built-in redundancies  Controls over access to electronic records (passwords, ex-employees)

48

HIPAA: BUSINESS ASSOCIATES

 With limited exceptions,

p , a Covered Entity (CE) may not disclose PHI to a Business Associate a Business Associate (BA) without a written agreement

 New HIPAA Omnibus

Rule Made Certain Changes: Changes:

 Definition Changes  Sub-Business Associates

B i A i

 Business Associate

Agreement Changes

49

HIPAA: BUSINESS ASSOCIATES

 Responsibility of Covered Entities

p y

 Old exception (“not my brother’s keeper”) gone; now

responsibility per federal common law of agency

 Federal common law of agency  Federal common law of agency

 No bright line – facts & circumstances  Contract language important, but not

g g p , controlling—totality of actual circumstances

 Terms/labels used (independent contractor) not

t lli g controlling

 Per OCR, the essential factor is the right or

authority to control the BA’s conduct in the y course of performing BA services or functions

50

HIPAA: BREACH NOTIFICATION

 Old rule – “risk of harm” assessment  New rule – good bye “risk of harm” assessment;

hello “risk of compromise” assessment

 Breach is presumed and reporting required unless:  Assessment by covered entity of at least 4 elements

shows a low probability that the PHI was compromised

 Nature and extent of PHI involved  The unauthorized person who used the PHI or to whom

h di l d the disclosure was made

 Whether the PHI actually was acquired or viewed  The extent to which the risk to the PHI has been

mitigated mitigated

51

HIPAA: BREACH NOTIFICATION

Nature & extent of PHI Involved Whether the PHI actually was i d i d

 More sensitive info?



Clinical (type of service, amount of detail)



Financial (credit card number, SSN)

acquired or viewed



Forensic analysis may be needed



Opened mail means actual viewing

 Amount of PHI involved  Determine probability that

recipient could use info in a d t th ti t

g The extent to which the risk to the PHI has been mitigated



Assurances received of d i d/ way adverse to the patient

The unauthorized person who used the PHI or to whom the disclosure was made

destruction and/or no further use/disclosure? Some Dignity Health facilities have attestation

 To person known to patient?  To BA? CE?  To someone able to re-

facilities have attestation forms



Are assurances sufficient? Other factors may be

 To someone able to re

identify? Ot acto s ay b considered

52

HIPAA: ELECTRONIC ACCESS

 Patients now have right to electronic access to

g electronic PHI in designated record sets (for self and third party) Th i ht t d t ll ti f th

 The right extends to all portions of the

designated record set (“may need to invest in

• rder to meet the requirements”)

 CEs may:

 Require a written request

P d th d i th f t t d if “ dil

 Produce the record in the format requested if “readily

producible” or in agreed-upon format, if not

 Charge a cost-based fee, which includes the cost of labor

t th l t i d li f f t to copy the electronic record, supplies for format requested, and postage if mailing is requested

53

New Penalty Structure Finalized

HIPAA: PENALTIES

Violation Category Each Violation Year Cap Same Violation (A) Did Not Know $100 - $50,000 $1,500,000 (B) Reasonable Cause $1,000 - $50,000 $1,500,000 (C) Willful Neglect- $10 000 - $50 000 $1 500 000 (C) Willful Neglect $10,000 $50,000 $1,500,000 Corrected (D) Willful Neglect- $50,000 $1,500,000 Not corrected

5 4 54

OPERATIONAL CONCERNS

Defining the “Service” Staff Equipment Space

• Consults
• Call coverage
• Professional

services

• Not just

clinical staff

• Examples: IT,

scheduling

• Maintenance
• Downtimes
• Replacements

W ti

• Designated

location

• Description
• Mobile

services scheduling personal

• Warranties
• Costs
• Mobile
• Leases

55

TELEMEDICINE VENDORS

Selection Process Contracts with Vendors

 Due diligence

RFP

 Support levels

W i

Selection Process Contracts with Vendors

 RFPs  What can be done in

house and what needs

 Warranties  Intellectual property  Costs

house and what needs to be contracted out

 Costs  Insurance  Indemnification  Indemnification  HIPAA

56

INSURANCE AND LIABILITY

Check current policies Check current policies  Professional liability coverage  Directors and Officers (D&O) coverage

( ) g

 Cyrberinsurance Policies, clinical protocols and education Indemnification Standard of Care Consent Issues

57

MEDICAL RECORDS

 Documentation  Transfers between

care settings Connectivity with

 Connectivity with

EHR

58

LICENSING

State licensing State licensing

varies by state:

 Separate

telemedicine license

 Consultations

F ll li

 Full licensure

needed

The future? The future?  Compact licensing  National licensing  International

59

COST AND MARKETING

Look to OIG Look to OIG

• pinion

Each paid their

p

• wn cost of

marketing

Determined by

lack of i b reimbursement

FMV always safe

60

THANK YOU!

Sarah E Swank Kelley Evans Sarah E. Swank Principal OBER | KALER Washington DC Kelley Evans Senior Counsel Dignity Health Rancho Cordova CA Washington, DC (202) 326-5003 seswank@ober.com Rancho Cordova, CA Kelley.Evans@DignityHealth.org

• C. Elizabeth O'Keeffe

Associate General Counsel University of Mississippi Medical Center Jackson, Miss. , cokeeffe@umc.edu

61