Question: We heard that the Health Care Reform law has several provisions on malpractice reform. Have those provisions been implemented?

Answer: The Patient Protection and Affordable Care Act (“PPACA”) does contemplate malpractice reform. Section 10607 of the PPACA provides for $50,000,000 to be awarded to states to develop and implement malpractice demonstrations. The demonstrations were meant to be alternatives to current tort litigation models and were to include both promotion of a reduction in medical errors and resolution of malpractice disputes. However, the distribution of these awards has been stalled by Congress’s unwillingness to fund the malpractice demonstrations. Nonetheless, some states have begun experimenting with malpractice reform. For example, Oregon is considering developing “safe harbor” legislation that would limit liability for those physicians who follow state-endorsed, evidence-based guidelines. Oregon is also studying the effects of defensive medicine and overutilization. Hospitals and health care systems are also testing ideas to reduce malpractice claims and amounts, such as the University of Michigan Health System’s disclosure program that found that there were fewer lawsuits and claims after the program was implemented. To find out more on this topic, please join Linda Haddad, Ian Donaldson and Charlie Chulack for the audio conference “Be Careful What You Ask for: Tort Reform and Malpractice Litigation” on Tuesday, March 6, 2012 from 1:00 p.m. – 2:00 p.m. Eastern Time.

Question: Our hospital recently became part of a multi-health care system. The Chief Medical Officer of the System announced, at a recent Medical Executive Committee meeting, that one of the System’s top priorities was to standardize the medical staff bylaws and related policies. We’re not sure what this will mean to us or what role, if any, we will get to play in the process. Can you help us?

Answer: Many health care systems are recognizing the importance of having similar bylaws, policies and procedures throughout their organization. The standardization makes it easier for physicians who want to move from one hospital in the System to another. If they meet the standards for appointment and privileges at one hospital, they will meet the standard at the other hospitals in the System. And, there won’t be new policies or procedures to learn as they move from one system facility to the next. This benefit also extends to the System’s Chief Medical Officer and legal counsel who, with standardization, will not be forced to follow completely different policies for similar situations that occur in the different hospitals.

Having the same or similar bylaws, policies and procedures has the added benefit of ensuring or at least facilitating similar outcomes with respect to credentialing and privileging decisions. Different standards, without a rational basis, could be hard to explain in a legal challenge brought by a physician who was appointed to one system hospital and rejected at another or by an injured patient in a malpractice claim.

For most medical staffs, living through a hospital merger, consolidation, or acquisition can be a bit unsettling. There are often lots of questions about the new organization, including how it will function, how much will change, and the role physicians will play in it.

Resisting the change (including trying to hold on to past bylaws, policies, and procedures) is probably not the most productive approach. It would be better to make sure that physician leaders from your organization play a role in the transition. Make sure you attend meetings that are scheduled to discuss the transition and that you read newsletters and other information published about the transition. It would also be a great idea to volunteer to serve on key transition committees, like the Bylaws Task Force.

Try to maintain an open mind during the transition and be willing to bend. And keep your eye on the issues that are really important.

Question: The medical director of one of our specialty clinics would like to create a Facebook page where he could communicate with his patients. What are the legal risks we need to keep in mind if we allow this endeavor?

Answer: There is nothing legally that would prohibit a physician from interacting with his or her patients via electronic mediums such as Facebook or Twitter. In fact, it seems logical to expect increased demand for this type of communication from both patients and physicians. Allowing physicians to interact with patients electronically provides a number of potential benefits, including increased practice efficiencies, a reduction in the number of office visits, and greater convenience for both parties. However, it must also be recognized that a physician who interacts with patients in this way must still comply with the minimum standards of care for the practice of medicine in your state.

Documentation also could become problematic (e.g., if any communications are relevant to the individual’s ongoing care, what mechanisms will be in place to get the information documented in the medical record?).

Privacy, security, and confidentiality are also of primary concern. Under the HIPAA security regulations, health organizations are required to ensure the confidentiality and integrity of all electronic protected health information the organization creates, receives, maintains, or transmits. As such, it is generally recommended that some type of secure communication tool be used for e-communications between a physician and a patient in order to avoid the risk of inappropriate disclosure of protected health information. We would recommend an analysis be completed to see if Facebook provides an appropriate level of security to ensure compliance with these requirements.

To learn more about the wonders of using social media at your hospital, please join Alan Steinberg, Phil Zarone and Ian Donaldson on February 28, 2012 for a special HSM audio conference entitled “OMG! Hospitals, EHR Patient Portals and Social Media – What Hospitals Need to Know.”

Question: We received a request for medical records from an attorney who says he is representing one of our former patients in a criminal matter. He included the patient’s signed authorization for the release of the records. What’s unusual is that he is requesting records not only for the patient but also records filed under an alias that the patient alleges to have been using at times. The patient signed the authorization form with his real name and with his alleged alias. Should we release the records?

Answer: Federal law (HIPAA) requires that covered entities verify the identity of an entity or individual requesting protected health information and the authority of that entity/person to have access to that information. 45 C.F.R. §164.514(h)(1).

A person who claims to have used an alias to obtain medical treatment will not, in most circumstances, be able to verify that he or she is – in fact – the person who received treatment under that name. Often, the person will have no government-issued identification with the relevant name. And even if he or she did, since the person has already admitted that the identity is a fraud, you would be unwise to trust it.

Also problematic is the fact that if the person has been using the identity of an existing patient, you could be releasing medical records not only for the requestor, but also for the individual whose identity he or she has stolen.

For these reasons, we recommend that you do not release records filed under the alias without a court order or other lawful process.

Though not directly responsive to your question, we also advise that you take this opportunity to evaluate the medical record filed under the alias’ identity. If it appears that different individuals have been using that identity, you will want to put red flags in the file. This way, if anyone seeks treatment under that name in the future, the hospital will be tipped off immediately to the potential for fraud and the care provider will know that the medical record includes discrepancies. Also take this opportunity to identify and contact any payors who may have been billed for services provided to the individual using an alias. Repayment of those amounts may be required. Lastly, unless the patient is clearly insolvent, consider filing suit against the patient for theft of services.

Question: We use “proxy credentialing” for our telemedicine providers, relying on the credentialing and privileging decisions of the Medicare-certified distant site hospital where the providers are located. Can we also rely on the distant site’s Data Bank queries, or do we need to query the NPDB on our own for each of our telemedicine providers?

Answer: CMS simply does not address this issue, based on a review of the preambles to the proposed and final telemedicine regulations, the applicable regulations themselves (including those that are cross?referenced in the telemedicine regulations), a CMS survey and certification memo on the topic, and the CMS web page.  The telemedicine credentialing rules do not specifically address whether an NPDB query that is performed by either (1) a “distant” hospital (i.e., the hospital where the telemedicine practitioner is located) or (2) a telemedicine entity (i.e., a telemedicine group) may be used by the hospital where the patient is located.

Because the telemedicine regulations do not address this issue, it is necessary to review the general NPDB rules to see what they say about sharing query information.  The NPDB regulations permit a hospital to use an “authorized agent” to perform queries on its behalf.  See, 42 C.F.R. §60.12(a).  Thus, the hospital where the patient is located could designate a distant hospital (or a telemedicine entity) as an “authorized agent” to perform a query on its behalf.

However, there is an important caveat.  The “authorized agent” must perform a separate query for each hospital.  Thus, a distant hospital (or a telemedicine entity) could not perform a single query, with that query then being used by each hospital that wants to use a telemedicine physician to provide services to its patients.  Here is the relevant guidance from the NPDB Guidebook:

The agent is explicitly prohibited from using information obtained from the NPDB for any purpose other than that for which the disclosure was made.  For example, two different health care entities designate the same authorized agent to query the NPDB on their behalf. Both health care entities wish to request information on the same practitioner. The authorized agent must query the NPDB separately on behalf of each health care entity. The response to an NPDB query submitted for one health care entity cannot be shared with another health care entity.  (Emphasis added.)

NPDB Guidebook, page B-7.

Thus, the “streamlined” credentialing process described by CMS in the telemedicine regulations will not work for NPDB queries.  Instead, either the hospital where the patient is located or the “authorized agent” must query the NPDB separately for each telemedicine practitioner.

Question: We heard that the IRS released a draft revised Schedule H and new instructions in December. We thought that the IRS released those in August. What’s the story?

Answer: The IRS issued an “early release” of those documents in August, then revised them and issued the revised documents in December.

In any event, the new Schedule H and instructions adopt changes required by the Patient Protection and Affordable Care Act (“Act”). The Act created a new Section 501(r), which includes additional requirements that hospitals must meet in order to qualify for tax-exempt status under Section 501(c)(3) of the Internal Revenue Code.

The instructions make it clear that for hospital tax years beginning after March 23, 2012, all tax exempt hospitals must perform a community needs assessment that takes into account input from persons who represent the broad interests of the community and must be made widely available to the public. The hospital then must repeat that needs assessment once every three years and adopt an implementation strategy to meet the community needs identified through that assessment.

For more on the revised Schedule H, please join us for our audio conference on February 6, 2012 that discusses these issues and more.

Question: I understand that the Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) recently issued its “Annual Report to Congress on Breaches of Unsecured Protected Health Information.”  This report “describes the types and numbers of breaches that occurred between September 23, 2009 (the date the breach notification requirements became effective), and December 31, 2010” and “describes actions that have been taken by covered entities in response to the reported breaches.”  What was the magnitude of those breaches and how did most occur?

Answer: Please hang on to your HIPAA hat because the OCR reported that, during those 15 months, there had been approximately 250 breaches affecting more than 7.8 million people!

This annual report to Congress is mandated by the Health Information Technology for Economic and Clinical Health Act (“HITECH”).  Enacted in 2009, HITECH made significant changes to the HIPAA Privacy and Security Rules. One of the most important changes was the requirement that hospitals notify patients of a “breach” of their “unsecured” protected health information (“PHI”).  If the breach affected more than 500 patients, HHS must be notified of the breach at the same time that individuals affected by it are notified.  Breaches that involve 500 or more individuals are publicly posted on the OCR’s website.

Theft of PHI accounted for the majority of breaches. The largest reported theft affected approximately 1.9 million people.  Back-up tapes which contained electronic medical records were stolen as they were being transported by a vendor from the covered entity to the vendor’s site.  Thefts of laptops, desk top computers, smart phones and flash drives accounted for 67 of the 250 incidents reported.

The second category of large breaches (in terms of the number of incidents and the number of people affected) involved the loss of electronic media or paper records.

 

Question: Can our tax exempt physician organization, which employs all the physicians in the system, limit the number of Medicaid and indigent patients that it accepts?

Answer: Yes, but that doesn’t mean that someone won’t challenge it.

The IRS uses the so-called “community benefit standard” as the test for determining if a health care provider like a physician organization or clinic is operated to promote health in a way that accomplishes a charitable purpose.  The community benefit standard was enunciated in Revenue Ruling 69-545, 1969-2 C.B. 117.  Prior to Rev. Rul. 69 545, tax-exempt health care providers were required by Rev. Rul. 56-185, 1956-1 C.B. 202 to admit and treat patients who were unable to pay, either without charge or at rates below cost.  This requirement was referred to as the “financial ability standard” because this uncompensated care had to be provided to the extent of the hospital’s financial ability.  Rev. Rul. 69-545 modified the financial ability standard by introducing additional considerations known as the community benefit standard.  Although a formal policy to provide charity care is still relevant, the new standard also takes into account a number of additional factors indicating that the operation of the health care provider benefits the community as a whole.

The most current IRS guidance (albeit informal) about how tax-exempt physician practices or clinics can meet the community benefit standard can be found in Internal Revenue Manual Exhibit 7.20.4-9, Healthcare Provider Guidesheet.  Among other things, the Guidesheet lists participation in Medicare and Medicaid as well as the adoption of a charity care policy as key criteria that will be considered by the IRS when granting an exemption to non-hospital healthcare providers like clinics.

Specifically, the Guidesheet states:  “Participation in Medicare…or Medicaid…is a factor that helps establish that a health care provider meets the community benefit standard.”  With respect to charity care, the Guidesheet says:  “many [healthcare providers] demonstrate community benefit by implementing a charity care policy and by providing a significant amount of charity care.”  Among other things, the charity care policy must be available to the public and must provide “that certain patients will be offered free or reduced-cost care, often using a sliding scale, based on the patient’s ability to pay.  Health care providers should be in a position to describe the amounts expended or anticipated to be expended on charity care.”

It is critical to note that the IRS has never said that any specific amount of Medicaid or charity care must be provided as a condition of an organization’s tax-exempt status, or that tax-exempt physician practices are prohibited from limiting the number or geographic location of patients who are covered by Medicaid or eligible for charity care.  Therefore, if a nonprofit health system adopted a consistently enforced policy that closed its physician practices to new indigent patients,  that would not jeopardize its tax-exempt status.

It should also be noted that hospital organizations exempt under Section 501(c)(3) are subject to additional requirements relating to charity care imposed by new Section 501(r), added to the Internal Revenue Code by Section 9007(a) of the Patient Protection and Affordable Care Act.  However, Section 501(r)(2) defines “hospital organizations” as including:  (1) an organization that operates a facility required by a State to be licensed, registered, or similarly recognized as a hospital; and (2) any other organization that the Secretary determines has the provision of hospital care as its principal function or purpose constituting the basis for its exemption under Section 501(c)(3).  Physician clinics that are not an integral part of a hospital do not fit within this definition, so the new Section 501(r) rules do not apply.

Federal law requires physicians to enroll with the states as Medicaid providers to receive payment for services provided under the Medicaid program; enrollment does not require physicians to serve a specific number of program beneficiaries or accept all program beneficiaries seeking care, unless the physician works for a Federally Qualified Health Center.  Therefore, if a clinic adopted a consistently enforced policy that closed its physician practices to new indigent patients it would not violate the Medicaid law.

However, Medicaid provider agreements usually require physicians to provide services without discrimination as required by Title VI of the Civil Rights Act of 1964 and Section 504 of the Rehabilitation Act of 1973.  The Office of Civil Rights (“OCR”) of the federal Department of Health and Human Services has taken the position that Title VI could be violated, for example, if Medicaid providers, on the basis of race, color, or national origin,  (1) deny services, financial aid or other benefits to Medicaid beneficiaries; (2) provide Medicaid beneficiaries a different service, financial aid or other benefit, or provide them in a different manner from those provided to others; or (3) segregate or separately treat individuals in any matter related to their receipt of any service, financial aid or other benefit.  45 C.F.R. Part 80.  The same general prohibitions would apply to actions which discriminate on the basis of handicap.

Therefore, it is OK to decline to accept indigent patients without regard to the race, color, national origin or handicap status of those patients.  However, it is possible that indigent patients who were unable to access the physicians as a result of such a policy might try to argue that the policy has a disparate effect on minorities and/or handicapped individuals to the extent that those populations are more likely to be indigent patients than those who are not.

 

Question:

I attended The Peer Review Clinic in Monterey, California in November. We are in the process of revamping our process based on your recommendations.  The faculty recommended not using a scoring system for peer review cases. If a scoring system is not used, how should we report the results of the process?

Answer:

We do not recommend incorporating a scoring system into the peer review process for several reasons.  Our experience has been that when a scoring system is used, the score given to a case becomes the whole focus of the process, as opposed to identifying whether there is, in fact, a concern with the care provided in a particular case and determining the appropriate intervention to address that concern.

In addition, scoring systems often include descriptors from “standard of care met” to  “standard of care not met,” to “serious deviation from standard of care,” or sometimes even “unexpected and catastrophic adverse patient outcome due to care.”  Hopefully, the state peer review statute would protect those findings from discovery in a malpractice case but if they were discovered or admitted, they would be very detrimental.  In addition, most physicians would be very uncomfortable applying such a description to the care rendered by a colleague. Thus, too often, the outcome of reviews is not to take any action or intervention but to continue to “trend” to see if a pattern develops.  Unfortunately, that forfeits an opportunity to help a colleague improve his or her clinical practice and may put patients at risk.

Rather than reporting “scores,” consider developing reports for individual practitioners and for departments that reflect the reasons that cases are reviewed, the findings of the reviewers and the final determination or the interventions implemented – “No further review required,” “Educational letter,” “Collegial intervention,” or “Performance Improvement Plan.”  Such reports are more informative than those that simply report scores.  Samples of such reports are available on our website.

(The Peer Review Clinic will be offered March 1-3 in Washington, D.C. and April 12-14 in Chicago.  More information is available here.)

Question:

How high can you set your threshold criteria for appointment? Clearly, a license to practice medicine in the state is required. Can you require an unrestricted license? Can you require that the physician’s license has never been restricted?

Answer:

As the practice of medicine becomes more complex, specialized, and hi-tech, many hospitals and their medical staffs have taken steps to strengthen the qualifications for medical staff membership and clinical privileges. Detailed objective criteria leave less room for subjective determinations that are more likely to be subject to legal challenges.

It is our experience that beyond even the most basic criteria such as completion of an accredited residency and maintenance of board certification, medical staffs have been implementing more stringent objective criteria, such as evidence of an “unrestricted” medical license that has never been suspended or revoked by any state agency; “unrestricted” professional liability insurance coverage; “unrestricted” DEA registration and state controlled substance license; no conviction of Medicare, Medicaid, or other federal or state governmental fraud or program abuse; no exclusion or preclusion from participation in Medicare, Medicaid or other federal or state governmental health care programs; no conviction of any felony or of any misdemeanor relevant to Professional Staff membership; and no adverse professional review action regarding appointment to the Medical Staff or clinical privileges by any health care facility for reasons related to clinical competence or professional conduct.

By incorporating these standards with the concept of eligibility, applicants who do not meet them are not “denied,” but, rather, are informed that they are not eligible to apply to the Medical Staff.To learn more about these and other credentialing standards that promote greatness, please join the attorneys of Horty, Springer & Mattern for their newest audio conference series entitled “Grand Rounds: Information Doctors Can’t Afford to Miss.” These 1-hour presentations will be held on the first Tuesday of every month and are designed with even the busiest physician’s schedule in mind. And, best of all, each live audio conference includes 1 CME credit! Click here to learn how you can participate and how you can save when you purchase the 12 conference series. The first audio conference, Cream of the Crop: Credentialing Standards That Promote Greatness, will be held January 3.