Health Information and Technology : SZD Health Law Scan

Home > Health Information and Technology >

Posted on November 10, 2008 by Jarad Hunter

Resource Allocation and Health Care Enforcement

The OIG recently released a report that was critical of the oversight and enforcement by CMS with respect to the HIPAA Security Rule. The report included the following remarks: “CMS had taken limited actions to ensure that covered entities adequately implement the HIPAA Security Rule. These actions had not provided effective oversight or encouraged enforcement of the HIPAA Security Rule by covered entities.” The report notes that CMS primarily relied on complaints to identify non-compliant covered entities that it might investigate and recommends that CMS establish policies and procedures for conducting HIPAA Security Rule compliance reviews of covered entities.

The report raises an interesting topic that should receive more scrutiny in upcoming years: Resource allocation for enforcement of Federal health care laws and regulations. OIG indicates that CMS could be more effective in its oversight and enforcement of the HIPAA Security Rule by conducting compliance reviews. But, this begs the question: Why did CMS not conduct compliance reviews during the period under review?

If the answer is that CMS allocated significant resources to compliance reviews and simply failed to execute, then a critique on this failure may be justified. But, if CMS chose not to engage in compliance reviews during the period under review, relying on other (perhaps, less expensive) methods of enforcement and allocating resources to achieve other objectives on its agenda, than the assessment should focus on the decision not to allocate significant resources to compliance reviews.

And, if this latter statement is true, that CMS chose not to allocate significant resources to compliance reviews during the period in question, to analyze this decision, one should look at the opportunity cost of compliance reviews, i.e., the CMS projects that could have been given less attention in order to direct more resources to compliance reviews.

CMS’s response to the report is marked by its disagreement with OIG’s conclusions on the complaint-driven enforcement process. Is CMS saying, with the hand we are dealt, we believe our complaint-driven enforcement model is appropriate?

In reviewing performance, the reviewer should consider the resources available to the performer. Allocation of Federal government resources, already a topic of mainstream discussion, will continue to be dissected heavily in upcoming years given the capital that has been infused into the economy and the likelihood for increased dedication of resources to regulation of the financial industries. Of course, how this resource allocation will affect enforcement in the health care industry remains to be determined.

Tags: CMS, HIPAA Security Rule, Health Information and Technology, Hospitals and Health Systems, OIG report, enforcement, resource allocation

Posted on September 27, 2008 by Jarad Hunter

New HIPAA Guides on Communicating with a Patient's Family and Friends

The U.S. Department of Health and Human Services, Office for Civil Rights, recently released guides to providers and patients on when health care providers may communicate with a patient's family, friends, or others involved in the patient's care under the HIPAA privacy regulations. The guides include frequently asked questions on this subject. The provider's guide also notes that it is intended to clarify HIPAA requirements so that health care providers do not unnecessarily withhold a patient's health information from family, friends, and other health care providers.

Tags: Health Information and Technology, Hospital In-House Counsel

Posted on July 23, 2008 by Anthony Shaffer

EHRs - Cost and Other Barriers Result in Low Rate of Physician Adoption

A survey published this month in the New England Journal of Medicine tends to confirm what we have all generally suspected about the low rate of electronic health record (“EHR”) adoption by physicians in the United States. Although the number of survey respondents was small (2,758) in relation to the number of physicians in the U.S., the survey shows that only about 4% of the responding physicians reported having an extensive, fully functioning EHR system. About 13% of the physicians reported implementing at least a basic EHR system. Physicians who were younger, who worked in large groups, primary care groups, hospitals or medical centers or who practiced in the western part of the U.S. were more likely than other physicians to have implemented some form of EHR.
Continue Reading...

Tags: Health Information and Technology

Posted on July 10, 2008 by Chad Helmick

Blue Cross Funds Hospital EMRs

A recent story from Healthcare IT News presents an interesting intersection between the managed care and health information technology areas. New Jersey's Horizon Blue Cross is apparently providing funding for electronic medical record implementation in network hospitals.

For those of you thinking on a national scale, EMRs for eight hospitals may be a relatively small step, but one that may foreshadow more intriguing possibilities. After all, who else has as much to gain from, and is in a better position to support electronic health information exchange, as the payors? Not to mention the impact that a program like that could have on payor contract negotiations.

Tags: Health Information and Technology, Hospitals and Health Systems, Payors, Plans, and Managed Care

Posted on June 22, 2008 by Jarad Hunter

No Privilege for Hospital EKG Discrepancy Reports

Recent confirmation of the premise that labeling a document "peer review" does not automatically invoke the peer review privilege came via the Ohio 12th District Court of Appeals, which affirmed a trial court decision ordering the production of hospital EKG discrepancy reports.

Per hospital procedures, cardiologists overread emergency room physician EKG readings. A discrepancy report was completed whenever the cardiologist's interpretation differed from the emergency room physician. The defendants argued that the discrepancy reports were peer review documents and non-discoverable, based on Ohio Revised Code Section 2305.253, Incident or risk management report not admissible or discoverable; and Ohio Revised Code Section 2305.252, Confidentiality of proceedings and records within scope of peer review committee of health care entity.

Critical to the Court's finding that the trial court did not abuse its discretion in ordering production of the reports was evidence in the record that the reports were used for patient care. The Court also cited a lack of evidence that the reports were actually examined by a peer review committee at the hospital. And, the Court noted that the reports were not "incident or risk management reports" since the purpose of the forms is not to record a patient injury occurring at the hospital.

Tags: False Claims and White Collar Crime, Health Information and Technology, Hospital In-House Counsel, Hospitals and Health Systems, Medical Staff, Credentialing, and Peer Review, discrepancy reports, peer review, privilege

Posted on June 20, 2008 by Jarad Hunter

Ohio's Physician-Patient Privilege and Grand Jury Subpoenas

The Fourth District Court of Appeals in Ohio recently released an opinion indicating that the trial court erred by refusing to grant a motion to quash a grand jury subpoena requesting medical records from a physician. The grand jury had issued a subpoena ordering the physician to produce the medical records of over 50 patients.

The case is instructive regarding application of the physician-patient privilege to grand jury subpoenas in Ohio. Under Federal privacy regulations, a covered entity may disclose protected health information without a "HIPAA-compliant" authorization in compliance with and as limited by the relevant requirements of a grand jury subpoena. See 45 C.F.R. 164.512(f)(1)(ii)(B). However, an Ohio court has recognized that the state law physician-patient privilege is more stringent than the Federal privacy regulations. See Grove v. Northeast Ohio Nephrology Assoc., 2005-Ohio-6914, Paragraphs 18-23.

The Ohio Supreme Court has stated that in the absence of a prior authorization, a physician or hospital is privileged to disclose confidential medical information in those special situations where disclosure is made in accordance with a statutory mandate or common law duty, or where disclosure is necessary to protect or further a countervailing interest that outweighs the patient's interest in confidentiality. Biddle v. Warren Gen. Hosp., 1999-Ohio-115 (syllabus).

In this case, the Court found no statutory exception to the physician-patient privilege. In addition, the Court refused to "judicially create a public policy exception to the privilege statute for grand jury subpoenas." Physicians and hospitals should be aware of this opinion (and its analysis) when responding to grand jury subpoenas requesting medical records.

Tags: HIPAA, Health Information and Technology, Hospital In-House Counsel, Hospitals and Health Systems, Ohio, grand jury subpoena, physician patient privilege

SZD Health Law Scan Schottenstein Zox & Dunn Co., LPA

Columbus
250 West Street
Columbus, OH, 43215
Phone: 614-462-2700
Fax: 614-462-5135

Cincinnati
629 Oak Street, Suite 600
Cincinnati, OH 45206
Phone: 513-792-0792
Fax: 513-792-0803

Cleveland
1350 Euclid Avenue, Suite 1400
Cleveland, OH 44115
Phone: 216-621-6501
Fax: 216-621-6502

Raleigh
150 Fayetteville Street, Suite 1270
Raleigh, North Carolina 27601
Phone: 919-256-5700
Fax: 919-256-5701

Health Care Lawyers & Attorneys : Schottenstein Zox & Dunn Law Firm : Strategic Planning, Managed Care, Insurance : Columbus, Cleveland, Cincinnati, Central Ohio

Published By
SZD - Schottenstein Zox & Dunn Co., LPA.