It's hard to believe that we are embarking on 2018! As my readers know, I usually start the year off with a watch list and 2018 is no exception.
It has been said, "[l]ife can only be understood backwards; but it must be lived forwards." In other words, learning from the past can mitigate the risk of repeating mistakes in the future. For 2018, physicians should focus on the following five areas and learn from the outcomes of various events.
1. The HITECH Act and Meaningful Use – While 2017 was not a banner year for HHS-OCR enforcement, a couple of cases were notable. First, on May 31, 2017, the U.S. Department of Justice (DOJ) announced that eClinicalWorks, an electronic health records (EHR) software vendor would pay $155 million to settle False Claims Act allegations that it misrepresented the capabilities of its EHR. Physicians should take note because there has been a series of cases alleging that providers falsely attested that they were HIPAA/HITECH Act compliant on their Meaningful Use Attestations.
The Office of the Inspector General issued a report that a potential demand for the return of meaningful use payments and the possibility of pursuing a False Claims Act case are serious actions that can adversely impact a physician or other provider's financial stability, tax liability and reputational viability.
2. HIPAA – Most of the focus on HIPAA over the past several years has been on risk assessments, business associate agreements, encryption and other Privacy and Security Rule related items. Providers should pay particular attention to 45 CFR §164.512, which some consider the law enforcement exception (even though it is broader in scope). Over the past few years, several State Supreme Courts have held that persons had a private cause of action when their protected health information was released either as discovery during the course of a non-government legal proceeding or when a law enforcement officer demanded PHI without a legitimate warrant or patient consent.
In Utah, Alex Wubbles, a nurse, was arrested for refusing to permit a law enforcement officer to draw blood from a patient. Because she refused to comply with the officer's demand, she was arrested. As a result, the arresting officer was fired from the Salt Lake City Police Department and subsequently reached a $500,000 settlement with the police department and the hospital where she was employed. The take-away for physicians is two-fold: (1) if it is a lawyer in a civil suit sending a subpoena, notify the patient and consult an attorney with expertise in HIPAA/the HITECH Act; and (2) if a police officer demands information without a warrant or other viable legal document, make sure you know when you can disclose the minimum necessary information and when a legal document is required to disclose the information.