January 16, 2014

Question: Our employment agreement states that a signing bonus must be repaid on a pro-rata basis if the physician does not remain employed for the initial term of the Agreement.  We have decided to terminate the agreement and the physician is claiming that because we are terminating the agreement we cannot collect this debt.  Have you ever heard of anything so ridiculous?

Answer: Yes, we are aware of claims similar to this one.  In fact, earlier this month, a court decided a similar claim.  (See Sheik v. Grant Regional Health Center (Jan. 3, 2014).)

The employer in that case provided an upfront payment to an employed physician that would be forgiven if the physician continued to be employed for two years.  The agreement also stated that this payment must be repaid if the agreement was terminated during its initial term.  The employer terminated the physician, and then demanded the repayment of the amount due.  The physician refused, claiming that by firing her, the employer rendered impossible her ability to work this amount off.

While her claim was not immediately dismissed by the court, the court eventually ruled that the terms of the Agreement were clear and the reason for termination had nothing to do with her repayment obligation.  So, the court found in the employer’s favor.

Is this case unusual?  Unfortunately, no.  Fortunately, the terms of repayment were clear in the employment agreement.  Was there another way to secure repayment?  We think so.  How?  Please join us at the Institute on Employed Physicians and Their Impact on the Medical Staff on January 23-25, 2014 in Naples, Florida, or on December 4-6, 2014 in New York City to learn how to secure repayment of this type of payment without the need to go to court – and much, much more.


January 9, 2014

Question: We recently sent patient information to the wrong recipient.  Rather than sending a package to our malpractice counsel, we sent it to another hospital across town.  The information in question included CDs with imaging studies and two pages of a radiology report that included the patient’s name and medical record number.  The hospital that received the information tells us that it recognized immediately that the information had been mis-addressed and called us right away.  There were over 100 imaging studies on the CDs.  Do we have to notify the patients of this incident?

Answer: Probably not.  To understand why, it may help to review the HIPAA breach reporting requirements.

In the past, if a patient’s “unsecured” Protected Health Information (“PHI”) (i.e., not encrypted) was improperly used or disclosed, the hospital was required to conduct a “harm analysis” to determine if there was a “significant risk of financial, reputational, or other harm to the patient.”

HHS believed this test made it too easy for hospitals and physicians to avoid notifying patients.  Thus, under the January 25, 2013 final regulation, an improper use or disclosure of PHI is “presumed” to require patient notification unless the covered entity demonstrates there is a “low probability” that the PHI has been “compromised” based on a risk assessment that considers various factors.  This is a lower threshold for patient notification.

In evaluating whether PHI was “compromised,” the new regulation requires hospitals to consider at least the following factors:

(1) nature and extent of the PHI involved, including the types of identifiers and the likelihood of PHI being re-identified;

(2) identity of unauthorized person who received the PHI;

(3) whether the PHI was actually acquired or viewed; and

(4) the extent to which the risk to the PHI has been mitigated.

Importantly, HHS is not using the dictionary definition in asking whether information has been “compromised.”  Merriam-Webster defines “compromise” to mean “reveal or expose to an unauthorized person.”  The test described by HHS in the new regulation does not simply ask if that information was “revealed or exposed to an unauthorized person.”  Instead, hospitals must consider what PHI was involved, who received that PHI, and the extent to which any risk has been mitigated.

Thus, in some ways, HHS’s new test is not very different from what hospitals have been doing up to this point.  That said, even if the new test is more similar to the old test than HHS would like to admit, HHS did make clear that it expects hospitals to notify patients of breaches more often.  HHS noted that some individuals had interpreted the prior regulation as “setting a much higher threshold for breach notification than we intended to set.”

In the case at hand, the information in question was sent to another covered entity (a hospital) that has an obligation to comply with HIPAA.  In the preamble to the January 25, 2013 final regulation, HHS identified this as a factor that weighs against notification.  (78 Fed. Reg. 5566, 5643 (Jan. 25, 2013)).  Also, the PHI does not appear to be particularly sensitive (though the nature of the imaging tests should be reviewed).  Finally, it does not appear that the PHI on the CDs was even viewed, based on the comments of the hospital that received the mis-addressed package.  Thus, notification of the patients is probably not required.


December 12, 2013

Question:

We have questions. Lots of them. About everything from nurses (and physicians) taking photos of patients on their smart phones, to credentialing locum tenens physicians, to how to go about designing policies for collaboration among physicians, advanced practice nurses and physicians’ assistants for team-based care.

Where do we get answers?

Answer:

These are among the most common questions we get from clients! Lucky for you, we have answers. Some short answers: taking photos of patients with your smart phone carries a lot of risk, credentialing locum tenens physicians should only be done in very specific circumstances, and a good starting point for addressing the roles of Advanced Practice Clinicians can be a multi-disciplinary work group led by physicians experienced in supervision and collaborative practice.

For more detailed answers, Horty, Springer, & Mattern is happy to announce the schedule for its 2014 Grand Round audio conference series.  Offered on the first Tuesday of every month from 1:00 p.m. to 2:00 p.m. (Eastern Time), this year’s schedule includes the following timely topics:

So join us in 2014 by registering here.  (And save $350 if you complete your registration by December 31!)


December 5, 2013

Question:

We are reviewing and updating our Medical Staff Professionalism Policy and, while we include sexual harassment in the definition of unprofessional or inappropriate conduct, we are attempting to decide whether we should have a different process for addressing reports of sexual harassment.

Answer:

Some courts have concluded that hospitals may be held liable for sexual harassment perpetrated by an independent member of the medical staff if the hospital knew or should have known of the conduct and failed to take immediate and appropriate action.  Because of the unique legal implications surrounding sexual harassment, we recommend that a policy addressing inappropriate conduct incorporate a modified process for review of reports involving sexual harassment.

A single, confirmed incident of sexual harassment should trigger a well-defined process that involves the medical staff and hospital taking immediate and appropriate action to address the conduct and to prevent it from reoccurring.  For example, a personal meeting should be held with at least two members of the professionalism committee (or similar committee) to discuss the incident.  If the physician acknowledges that the incident occurred and agrees not to repeat the conduct, the physician is sent a formal letter of admonition and warning that is placed in his or her file.  The letter should set forth any additional actions or conditions imposed on the physician’s continued practice at the hospital which result from the meeting.  If the physician refuses to acknowledge the confirmed incident of sexual harassment or there are confirmed reports of retaliation, the matter should be immediately referred to the Medical Executive Committee to conduct a review consistent with the credentials policy or bylaws.  A well-defined process which incorporates these details demonstrates the hospital’s efforts to address any incidents of sexual harassment and attempts to prevent them from occurring again, minimizing the risk of the hospital being held liable in a court of law.

November 14, 2013

Question: Our hospital is considering whether it should affiliate with another, larger hospital or a health system.  What are the major steps to take for a significant transaction such as this?  How long does a transaction like this take?

Answer:

Many hospitals have done, or are doing, the same kind of review that you are now starting.  Whether it is some kind of loose affiliation or partnership, becoming a subsidiary of another hospital or health system, or a full-fledged merger, this is one of the most important choices the hospital’s Board is ever going to make.

Step one is just that – the Board going through a thoughtful and careful process to make its decision.  That will take time, and often involves an outside consultant to help the Board.  If the Board’s decision is to move forward, the end result of this first step is usually to create a Request for Proposal (“RFP”) that the hospital sends out to anywhere from one to a number of different entities.  From the responses, the Board decides with whom to move forward.

Step two is the negotiation process, where the key terms of the affiliation are spelled out in a Letter of Intent (“LOI”).  A while ago, LOIs used to be fairly short documents, the “spine” of the transaction upon which to build the Definitive Agreement.  Now, given the importance of this kind of transaction and the details of any affiliation, LOIs have become rather substantial documents.  They usually address, among other things, important conditions to move forward, the delineation of powers involved, details of financial commitments and the assumption of liabilities, if any.

Step three is the due diligence process.  “DD,” as it’s called, is the process by which each entity reviews information and materials about the other.  This work is led by the legal counsel for each entity and often involves some review work by the entities themselves and any consultant(s) involved.

The whole point to the DD process is to provide each entity with sufficient information to make good judgments and good risk management decisions.

The DD process has always been very time and labor-intensive and voluminous when it comes to the documents and information involved.  Like the universe, DD lists look to be constantly expanding.

Step four, which usually begins at some point in the DD process, is for the Definitive Agreement to be drafted and eventually signed.  The details of the LOI create the base of the Agreement.  The remainder is completed by addressing any other issues that need to be resolved and adding the kind of provisions needed for such an Agreement:  representations and warranties, covenants, requirements for closing, schedules and exhibits, etc.

Step five concerns major regulatory reviews on both a federal and state level.  Due to the nature of these transactions, antitrust regulatory review has become an enormous piece of the regulatory review.  If the federal government is to be involved, that’s likely to be the Federal Trade Commission (“FTC”) or it could be the Department of Justice (“DOJ”).  If no federal review is required, that’s a best outcome.  State reviews, usually by the state’s Attorney General’s Office, are usually quite rigorous and time and document-consuming.

On the state level, the appropriate agency that reviews charitable organizations will become involved.  The extent of this is often dependent upon the particulars of the hospital’s situation.  Some transactions are so clearly needed that the agency may not be too demanding in its review.  With others, the state agency uses the full extent of a detailed review protocol.

Other state agencies will be involved, certainly the Department of Health and perhaps the Insurance Department, depending upon the transaction.  All of this takes time, planning and document management.

The sixth step begins once the Definitive Agreement has been signed.  It’s all the work that must be completed to take the parties through to the transaction’s Closing.  During this time, DD issues must be cured or settled, contractual notices given, all the requirements in the Agreement met, and appropriate Board action taken.  If the transaction also requires approval by a court, that step is taken here.

Step seven is the Closing and Post-Closing duties.  The Closing occurs on the chosen date when all regulatory reviews have concluded, all requirements and conditions have been met, all approvals received and legal documents filed.  Difficult regulatory reviews can extend this process and make the run-up to and through the Closing kind of choppy at times.

Post-Closing, from a legal perspective, is the final work to make sure that all post-closing notices are given and any remaining loose ends tied up.

Generally speaking, you should count on at least one year’s time to go through steps one through seven.  If you’re lucky, it takes less, and it’s not uncommon to take longer.

Then, of course, comes step eight:  making the affiliation work.  No lawyers here.  It’s leadership, staff, personnel, physicians, health care providers, etc. – all the people and populations that make up the hospital, and their counterparts in the other hospital or health system, coming together to achieve the purposes and goals identified by the Board in step one.

November 7, 2013

Question: What will happen next year to individuals who do not have health insurance as required by the Affordable Care Act?

Answer: Not a heck of a lot.  The so-called “individual shared responsibility provision” of the Affordable Care Act provides that (subject to certain exceptions) if individuals don’t have “minimum essential health coverage” as defined in the Act, they will be subject to penalties starting at $95 a year in 2014, with higher amounts as income goes up.  The minimum penalties go up to $325 in 2015 and $695 in 2016.  However, these penalties can only be assessed by the IRS as an offset to any refund or other amount due to the taxpayer.  So if the individual does not have a refund coming, there is no effective penalty.  Moreover, those who do have a refund will simply get a lower one and may not view the “shared responsibility payment” as a payment at all.  This is likely going to work as an additional incentive for individuals not covered by employer-provided insurance to go bare, especially in light of the large premium increases and enrollment difficulties that have recently been reported.  Therefore, hospitals and physicians should be prepared for a substantial uptick in uninsured patients, at least for the next couple years.

The IRS has published a useful summary of the individual shared responsibility provision on its website (which as of this morning was working fine, unlike that of HHS).


October 31, 2013

Question: We are holding a Halloween party for our children’s ward.  A musician has volunteered to host a sing-along with the kids and a local church is going to send some volunteers (dressed in costume) to hand out small candies and toys and paint children’s faces (as the children are able).  Do we have to get any special consent for HIPAA purposes prior to holding the party?  What about if we take pictures?

Answer: You do not need to have patients (or their parents) sign an authorization form permitting volunteers to be present on the children’s ward.  It is not a violation of patient privacy to have those individuals present for the purpose of hosting a holiday celebration for hospitalized children.

If volunteers intend to go into patients’ rooms (instead of greeting them at a centralized location, such as a lounge), you should consider getting the patient’s prior consent (in this case, the parent’s prior consent) due to the greater likelihood that the patient’s privacy and modesty could be encroached.

You do not need to have volunteers sign business associate agreements (after all, they are not providing an administrative service for the hospital – some might argue they are providing a treatment or health care operations function by keeping patients happy).  But that does not mean privacy issues are not raised by the presence of party volunteers.  Volunteers who come to the hospital to provide services to patients, including brightening their spirits, fall within the hospital’s “workforce” and should be given basic training about patient privacy.  This does not mean that those individuals need to sit through an entire HIPAA training session.  The “training” can be limited to that necessary for the role they will play in the hospital.  In the case of individuals coming to the hospital on a one-time or occasional basis to play music, paint faces, or help with holiday celebrations, the HIPAA training might consist merely of a statement signed by volunteers indicating that they understand patient privacy is paramount and they agree not to disclose specific information about patients, including their identities and specific health information, outside of the hospital.  Consider, too, having them agree not to take pictures.

Finally, it is okay to take pictures when events such as a Halloween party are hosted.  Before any such pictures are taken, however, we recommend that patients/parents are clearly informed that photographs will be taken at the event.  And better yet, get a signed authorization from the parent of each patient who is photographed (this could be attached to a general “permission form” to attend the party).  This will ensure that any future use of the photographs is authorized (for example, posting on a bulletin board, sharing with other parents on the ward, publishing in a hospital newsletter, release to a newspaper, or advertisement in a fundraising communication).


October 24, 2013

Question: Our hospital is about to enter into a professional services contract with an anesthesia group.  Can we require, as a part of this contract, the anesthesia group to test its physician employees who will be providing care at our hospital for drugs and alcohol?

Answer: A hospital can require testing for drugs and alcohol in hospital-based contracts, such as professional services contracts with anesthesia groups.  However, since hospital-based contracts are usually between the hospital and the group/corporation and not with the individual physicians of the group, any requirement in the hospital’s professional services contract with the group may not be enforceable against the group’s individual physicians.  Specific contract language can address these difficulties and ensure that the group is requiring drug testing for its individually employed physicians.  For example, the hospital’s contract with the group can state that each of the group’s physicians, as a condition of providing services at the hospital under the contract, shall be free from the influence or presence of alcohol or drugs and that this shall be determined by the group testing the physicians at the time of conditional offer of employment, following a reasonable suspicion of use or abuse, and upon return to work after a leave of absence for drug or alcohol treatment.  This approach can be reinforced by requiring every member of the group to sign an agreement to be bound by all the terms of the hospital’s contract with the group.

A hospital and its medical staff can achieve a similar result by having drug and alcohol testing requirements in the bylaws or another medical staff policy.  Since a group’s physicians would have to be appointed to the medical staff and granted clinical privileges to practice at the hospital, the group’s physicians would have to comply with any requirements in the bylaws or other policies, including those for drug and alcohol testing.

For further discussion of this issue and others related to drug testing physicians, join Linda Haddad and Charlie Chulack for the audio conference “Drug Testing Physicians:  Does Physician Privacy Trump Patient Safety?” on October 29, 2013 from 1:00 p.m. to 2:30 p.m. Eastern Time.

October 17, 2013

Question: Did the federal government shutdown affect the Hospital Compare website?

Answer: Yes.  The Centers for Medicare & Medicaid Services (“CMS”) was not able to update the data on October 10, as planned, because of the federal government shutdown.  The next update to the data, including 30-day readmission and complication measures, is due December 12.

October 3, 2013

Question:

Questions have arisen regarding the quality of care provided by Dr. R. Kiner at the hospital.  The Chairs of our Credentials and Peer Review Committees, Dr. H. Wagner and Dr. P. Traynor, both say that a review, and not an investigation, should be performed concerning Dr. Kiner’s hospital practice.  Why is there a distinction?

Answer:

Part of the answer is that an investigation is usually a much more formal process and is to be conducted in accordance with the investigation process described in the hospital’s Credentials Policy or Medical Staff Bylaws.  A review is less formal and may be conducted pursuant to a designated process, such as the peer review process, or a more ad hoc process.  Part of the answer is also legal.  A physician who relinquishes his or her medical staff appointment and/or clinical privileges either during or in lieu of an investigation is to be reported to the Data Bank.  That is not the case when a review is involved.