JP Spiers

Five steps to improved HIPAA compliance

As hospitals, clinics and health care professionals know, their industry is among the most strictly regulated in the United States. Included in the complex set of health care laws is the Health Insurance Portability and Accountability Act (HIPAA). HIPAA requires health care organizations to adhere to national standards for electronic health care transactions, code sets, health identifiers and security. Additionally, Congress incorporated mandated provisions to HIPAA to ensure privacy protection for individually identifiable patient health information.

Given the importance placed on HIPAA, it is vital to ensure your health care organization is compliant. Below are five steps to help you achieve compliance with HIPAA regulations.

1) Develop privacy and security policies

Health care organizations need to develop, adopt and implement policies to ensure the privacy and security of patients' protected health information (PHI). This documentation should include what actions are to be taken when a breach occurs. Comprehensive policies should also cover email and mobile communications with patients, between employees and with business partners. In most organizations, it may be beneficial to appoint an employee or group of employees as privacy and security officers. These people will serve as resources for the organization and should have extensive knowledge of HIPAA regulations.

2) Educate your employees

It is essential for health care organizations of any size to offer official training and ongoing communication to employees regarding HIPAA privacy standards and policies, particularly regarding permissible uses and disclosures of PHI. New employees need to be trained immediately, and refresher training should be offered to all employees at least yearly, or whenever policies are updated. Additionally, HIPAA requires that ongoing awareness communications and activities be provided to all employees.

3) Work with compliant contractors

When you share PHI with vendors, business partners and contractors, you trust them to uphold HIPAA privacy standards. If they do not, your organization will likely share liability for their violations. Before working with third-party entities, make sure they are also HIPAA compliant regarding privacy and security, employee training and risk management.

4) Conduct regular risk management assessments

Through regular risk assessments, health care organizations can identify vulnerabilities affecting PHI, remediate the issues found and close gaps in policy. Taking these measures on a regular basis helps ensure the confidentiality and integrity of your organization's PHI and avoid significant administrative, technical and physical breaches. Additionally, it is vital to conduct other risk management activities, including tracking mobile devices and computers with access to PHI, monitoring big data analytics performed by your organization, keeping anti-malware updated and applying security patches when necessary.

5) Provide patient education and access to records

Health care organizations must correctly publish and distribute a Notice of Privacy Practices to all patients. Additionally, an acknowledgement of receipt should be obtained from every patient, and updated whenever policies are revised. The notice should also be published to your organization's website.

Patients also have the right to access their PHI within 30 days of making a request. Full records must be provided, rather than just a summary.

6) Work with an attorney

If your organization is in need of guidance in fulfilling your compliance with HIPAA or other health care laws, contact an experienced attorney. In addition to advising regarding policies and procedures, your legal representative can become vital if you or your organization is being investigated for a HIPAA violation.

The Enemy Within - "Homegrown" HIPAA vulnerabilities

Just yesterday I briefly discussed the electronic vulnerabilities facing hospitals and health practitioners. Much of that note focused on hackers attacking the systems and holding them for ransom. It is a major problem confronting the healthcare sector, and will continue to be for a long time to come.

Other threats linger, and this week we learned about one of the potential hazards we must guard against – the hazards we bring to the table ourselves. In short, we can be our own worst enemies. Such is the case at the University of Mississippi Medical Center and the Oregon Health & Science University.

At the University of Mississippi Medical Center (UMMC), staff allowed a party to “borrow” a hospital laptop while in the ICU. The borrowed laptop was not returned. While that fact is curious enough, this is when it gets really interesting.

The Mississippi hospital had secured its network, but the patient data on the laptop was protected by only minimal, generic security safeguards. Apparently, no access tracking software was in place.

One wonders if the laptop itself had location software in place. In other words, the equivalent of the “find my phone” application we all use (I know I do) to locate phones and tablets may not have been there. Most of these tracking applications allow a user to wipe all data from a lost device – quite handy in the event a piece of hardware is lost.

The folks at UMMC compounded the issue when they failed to notify the patients whose data was breached of the potential exposure. We must ask – if they had no access tracking software in place, how do they know whose data was purloined and whose was not?

The OCR press release summarized UMMC's failures as failing to:

  • implement its policies and procedures to prevent, detect, contain, and correct security violations;
  • implement physical safeguards for all workstations that access ePHI to restrict access to authorized users;
  • assign a unique user name and/or number for identifying and tracking user identity in information systems containing ePHI; and
  • notify each individual whose unsecured ePHI was reasonably believed to have been accessed, acquired, used, or disclosed as a result of the breach.

UMMC settled with the HHS Office of Civil Rights, paying a penalty of $2.75M while not admitting any liability. UMMC is working to overhaul its security standards as well. Read the entire HHS OCR press release here. You can read the actual text of the settlement here.

Oregon Health & Science University also felt the ire of the HHS OCR, paying a similar fine for breaches involving unsecured laptops and stolen USB thumb drives. While OHSU self-reported, the OCR lamented OHSU's failure to respond appropriately to these breaches.

This settlement underscores the importance of leadership engagement and why it is so critical for the C-suite to take HIPAA compliance seriously.
— HHS OCR Director Jocelyn Samuels, discussing the OHSU settlement

The Oregon facility paid a fine of $2.7M and entered a three-year corrective action plan. Read the HHS OCR's press release here, and you can read the settlement text here.

These two actions underscore the aggressive stance of the OCR in the face of ever more common data breaches. They also demonstrate how we are often our own worst enemies.

And CEOs, Risk Managers, Compliance Officers, and IT professionals - please take these compliance matters seriously.

For more on how to deal with these issues, contact the Spiers Group today. 

The Unintended Consequence of Your EHR

A secret agent slips into an office under the cover of night. Evading cleaning crews and the impressive security precautions, she identifies her target. She cleverly hides her trap, then slips out the way she came. No one is the wiser until she triggers the trap later that week.

The stuff of Hollywood? No, the world of healthcare cyber espionage. The world that destroyed Iranian centrifuges with a piece of software surreptitiously slipped onto their network. The world where a seemingly innocuous email, or clinical photograph shared between colleagues, or even an email about an upcoming Continuing Medical Education event could harbor a tiny bit of code that will burrow its way into your electronic health record.

That is right – the electronic health record you are required to have leaves you open to cyber predators. An article in Politico makes me ask "Aren’t you glad we have modernized?" Today hospitals and medical practices loom as ripe targets for the same measures that governments use against each other, and that hackers use for their own enrichment. And here is the scary bit of the equation – is your security as good as that of the Defense Department? The State Department? A major defense think tank?

I am just going to hazard a guess that the answer is no.

Cyber-attacks on medical facilities are increasing in frequency, and are ever more audacious. The anonymity of the internet makes it possible for an attack to go unnoticed until the attacker wants it known. Often, records are mined for data, which can be sold on the black market. Believe it or not, health records are often sold on the dark net for more than simple Social Security numbers. This is but one means of income for these offenders.

Even more audacious, and perhaps more devastating, are those attacks that threaten medical record systems through the use of ransomware. Hackers shut down a medical record system, and then the real payday comes for them. “Pay us a certain amount of untraceable bitcoins by a certain date or we will erase your medical records. ALL OF THEM.”

But you have backups. “I can just restore my backup, and the ransomware will be gone, right?” Well, that might work, but chances are you don't have a backup from last year. Or the year before. And even if you did, you are losing years of data. The folks who use ransomware are patient. They may wait months or years to trigger the code that will hold your previous records hostage. So that backup from last week? Infected. Last month? The same. Last year? Maybe.

This dark world is treacherous. There is no quick fix. And what is frustrating for so many is that we are forced by regulation into the very arena where we are most susceptible. EHRs are here to stay. And let us not forget all of the gadgets at work in our hospitals that are potentially vulnerable to an attack.

The list of medical cyber susceptibilities does not begin nor does it end with electronic medical records. Ventilators, IV medication pumps, radiology equipment, and even implantable devices are all vulnerable to a cyber-attack. Ransoming a record could be devastating, but once in control of these other devices, the nefarious could ratchet up the stakes – “pay up or we kill someone…”

So how do we address this challenge? Some hospitals have already been attacked, and some admit paying the demanded ransom. Of course, there may be little to prevent the hackers from taking a second bite at the apple, locking down the system and demanding more money. We as a community are just not sure.

It is certain that the authorities and various regulators, from the DOJ to HHS, as well as segments of the cyber security industry, are working to address the issue. In an ironic twist, some have recognized that a good old-fashioned paper copy of their records is the best insurance they have.

Small practices should not stand idly by thinking this is a problem of scale. No one is too little. Indeed, the smaller the practice, arguably the more susceptible they are to an attack.

If you have an electronic health record, even if part of a closed system, you are vulnerable.

Here you can read the HHS fact sheet regarding ransomware. I suggest you download this and review its contents on a regular basis.

Contact the Spiers Group to discuss measures you can take to protect yourself – or recover from an attack.

Omniscience, End of Life Care, and the False Claims Act

That health care providers might disagree is not a novel concept. As the stakes increase, the potential for disagreement increases. Consider the many different treatment regimens for an illness, and the nature of medicine as an art comes sharply into focus. The treatment for a sore throat, for example, may be as simple as salt water gargles and acetaminophen, or involve various antibiotics, depending on the particular patient or physician. Consider our nationwide epidemic of obesity; the number of appropriate surgical options for treatment alone is significant. Add in the numerous non-surgical treatment regimens and the number dramatically increases.

In medicine, we do not find this odd, as we have long recognized the practice of medicine as an amalgam of art and science, the interaction of the subjective with the objective. Treatment plans for patients are often highly individualized; individualized to the patient, the doctor, the health plan and so forth. Within an accepted framework, variation is significant, expected, and accepted.

Despite this, there is an intense interest in making medicine more scientific and objective. While no one would dispute the merits of exactness and predictability, the end of variation in clinical judgment remains a challenge to patients, providers, and the courts.

Perhaps nowhere is this more intense than in several recent False Claims Act cases. Fortunately, courts have recognized that variation in the practice of medicine is not proof of some underlying nefarious intent. In its early 2016 decision in US v. AseraCARE INC., the Northern District of Alabama rejected conflicting opinions of physicians as adequate to support an assertion of falsity. Experts can and do have differing opinions, and the difference alone is insufficient to sustain a claim of fraud. The court required objective, not subjective, proof of falsehood in this context.

US v. Vista Hospice Care, Inc., decided in the Northern District of Texas in June 2016, represents yet another rejection of differences in clinical judgment as adequate to support a false claim. Here the relator was dealt two significant blows. First, the relator in Vista Hospice relied on non-randomized statistical analysis and extrapolation, which the court deemed inadequate to sustain relator’s claims of fraud. Second, the court acknowledged that the mere disagreement by relator’s expert with a certifying physician’s assessment was inadequate to sustain the claim.

From Chief Judge Barbara M. G. Lynn’s opinion in Vista Hospice:

… [A]n FCA claim about the exercise of that judgment must be predicated on the presence of an objectively verifiable fact at odds with the exercise of that judgment, not a matter of questioning subjective clinical analysis.

These two important decisions, which no doubt will be challenged repeatedly by the plaintiff’s bar, demonstrate the skepticism courts have for claims based on mere differences of opinion devoid of collateral, supporting objective evidence of misdeeds.

One Picture, One Thousand Words, and One Acronym


HIPAA and Your Privacy

I frequently receive calls from folks all upset about HIPAA (the Health Insurance Portability and Accountability Act) violations, and many of these are related to medical images. “I want to sue,” they announce. I respond, “It is not quite that simple…”

While HIPAA offers protections, it does not provide the private cause of action many believe it does. Anyone suspecting a HIPAA violation should make a report to the US Department for Health & Human Services Office of Civil Rights. The OCR may sanction the violator, but HIPAA will not give a patient the right to sue their doctor or hospital.

Since HIPAA does not give a private right of action, we look to state law for a solution. State law privacy violations require a showing of certain types of harm. “Harm” generally requires more than simple embarrassment or hurt feelings. That is not as easy as all those folks calling me to represent them in their “sure-fire million dollar” cases realize. In truth, you can run up huge legal bills making these claims if you are not careful and your attorney does not know when to say “No, but thanks for calling.”

The visual arts and medicine have had a long relationship. Since the written word cannot capture the subtleties of a condition or a disease, practitioners have been quick to adopt drawings, photographs and motion pictures to supplement their written descriptions. When I look back over my medical career, there were many times that I best learned about a particular syndrome when I found an image of a patient with that problem.

There is a compelling attraction to an image. Scientists easily relate this to the importance of our visual cortex. Seeing is part of believing. Medical amphitheaters flourished in the past, as students and laypersons watched surgeries or attended lectures featuring various patients with visually interesting conditions. Some hospitals even marketed these exhibitions, charging fees for attendance. Do you remember the Junior Mint episode from Seinfeld? (If not, I suggest a quick web search.) Throw in some open windows, don some street clothes, and grab some lunch; throw out anesthesia, forget antibiotics and never mind sterile technique or even air conditioning. Now you have an idea of the sideshow that grew along with medicine.

Today we watch differently. Photography, and then motion pictures, allowed more viewers to enter our operating rooms at their leisure, and study over and again in minute detail the imagery of an operation. Items missed on first glance could be analyzed later, recorded forever in our new, auxiliary visual memory. While the drama may have been lessened, these were useful new tools for education.

I know first-hand the visceral attraction of the surgical amphitheater. As a younger man, before an injury ended my operating days, I spent many hours operating beneath a gallery designed for medical spectators seeking to learn new techniques or master old ones. Sometimes, even were there to be no amphitheater, mid-operation a gentle tap on the shoulder would remind me to slide a bit to the left or right so a camera brought in to film the surgery could capture a better image. Viewers could watch from an adjacent room or even later in a lecture hall with the surgeon who had performed the procedure on hand to narrate it.


Want to see for yourself?

For those out there who wish to watch surgery today, I suggest you peruse the website ORLive. There you can see a variety of procedures performed at many different locations. The images are often graphic, but have great educational value.

Today our cameras are so advanced and our internet so fast we can watch operations thousands of miles away. We transport the viewer to the operating room. This is not without risk. I recall just a few years ago watching a groundbreaking surgery, coffee and croissant in hand, when the patient experienced a significant complication mid-procedure. To a room full of heart surgeons and cardiologists, it was a known risk, and punctuated the lesson we had debated over several days at the meeting and in our literature for months. To the kind lady serving coffee, it was more than a little distressing when she realized what she had witnessed.

Today most practitioners will have a library of x-rays, photographs, and videos collected over the years from many sources. We learn so much about new techniques, mastering concepts and procedures without shedding a drop of blood. Beyond the practitioner, patients themselves can learn about their diagnoses and proposed treatments by sampling the virtual world of medical images. A patient who needs a certain procedure can be shown certain elements of the operation to demonstrate what perhaps words cannot capture. Questions unformed in the patient’s mind are answered without ever being asked.

Images can be an important part of the consent process. It is oft repeated that patients tend to “hear what they want.” Having been a patient myself, I know that is often the case. When we show a video or photographic presentation of what the patient should expect from a procedure, they understand the vital concepts better.

Search the internet even casually and you will find a host of medical images and videos. Some are posted by patients, eager to share their maladies with family, friends, and strangers alike. Patients with unusual conditions may be diagnosed because someone notices they have a lesion that looks like one seen on the internet. I recall learning of a child with a rare ophthalmic disorder who would likely have perished were it not for a family member’s recollection of a photograph seen on the internet. Can anyone dispute the utility to that child, or that child’s family, of sharing medical imagery?


Medical Imaging and Copyright Protection?

Medical advertising, once considered taboo, also presents challenges. Before and after images of patients, when used in a commercial manner, can be a powerful tool. But what about patients who have had tattoos? Practitioners must be cognizant that many tattoo artists consider the body their canvas, and this inserts considerations of copyright and fair use into the discussion.

A scientific paper about tattoo removal, for example, would probably only require the thorough consent of the patient for use of an image with a tattoo. Use the same image in an advertisement? That could violate the tattoo artist’s copyrights. A similar argument can be made for distinctive body piercing if it could be identifiable as a particular artist’s work. You may need to obtain an artist’s permission to use his or her work in some circumstances.


The advent of the Health Insurance Portability and Accountability Act of 1996 dramatically changed how medical professionals shared information. Because the internet was growing by leaps and bounds, this sometimes cumbersome law was timely in its arrival. How we deal with it remains awkward. Those images of a disease process shared so readily in the past would quickly conflict with privacy regulations today. This punctuates the uneasy tension between science and privacy. In the past, a patient’s privacy concerns were secondary to the needs of science and society. With privacy laws, our scientific willingness to share and our drive to document have collided with our need to protect and respect our patients’ privacy. Consent forms for “Medical Photography and Videography” were added to the ever-growing stack of authorizations patients were asked to sign in order to receive care. While these precautions and protections might lead one to believe it rare for an image to be used without permission, too often we learn of practitioners who failed to obtain consent for the use of a patient’s image.

Some patients expect to receive photographs or even a digital video of their operations. For physicians and surgeons, this can present a conundrum. Not only are there privacy concerns, but diagnoses and treatments can be subjected to scrutiny over and again. Hindsight, especially seen through the lens of a camera, from the comfort of an armchair, or over the internet, is always 20/20.

Errors in diagnosis are not the only hazard. Lurking in the background of many images are bits of data that will land a practitioner in hot water. Images in clinical settings may inadvertently capture other patients in the background. A high-resolution photograph of a patient who has properly consented to being photographed may also record the screen of an electronic medical record not shielded from the camera’s eye. Moreover, the metadata attached to our digital images (timestamps, device details and, on phones, often the location where the image was taken) will immortalize more than just the perfect image of the patient with the strange new syndrome we just discovered!

A new challenge is probably in your pocket right now – a cell phone, complete with camera. Patients, and staff, often take photographs without realizing that the images on their phones may represent HIPAA violations and potentially violate state privacy laws if shared. Publish that shot of yourself with some other patient in the background, and you may be in hot water.

No matter the pitfalls, medical imagery is an important tool. We can use images to track disease progression, monitor health, improve care, and teach the next generation of providers. Medical voyeurism is just as alive today as it ever has been, and with the growth of the internet, we have an ever-expanding menu with which to sate our appetite. My teen children explained the phenomenon to me one day when they showed me a video someone had posted on YouTube demonstrating some malady.


HIPAA: Medical Photography and Videography Checklist

1. HIPAA does not require perfection. You should have reasonable policies that are enforced, whether you are a solo practitioner or a giant health system. Remember to review and update the policies regularly. If you have questions, ask a professional.

2. If you think you have a HIPAA violation, seek guidance right away.

3. Always obtain patient consent for the image and clearly explain how the image will be used. Be prepared to give the patient a copy of the image and consent.

4. What is the purpose of the image? Why is it needed? Who will see it? Can a smaller field of view suffice? Is there another way to demonstrate the point? Can you adequately anonymize the image? If you do not have a good answer for each question, you may want to skip getting the image.

5. Control who accesses your medical imagery. This applies to your own staff as well as the world outside your practice. Do not forget your business associates.

6. If the image contains facial features, can it be anonymized? The ubiquitous black bar may not be enough – or a simple pair of sunglasses may do the trick.

7. Use a dedicated camera for medical imaging. Cellphones are not ideal for medical photography, and there is a potential for disastrous sharing.

8. Do not let staff take images in the office with their cellphones. You have to be firm.

9. Patients and their families will take photographs and videos – so make them aware that they must respect other patients and visitors’ privacy. Develop a policy and POST IT. Even if they do not mind having 10 million viewers see themselves in a hospital gown, someone else might.

10. Remember, having a policy is never enough – you must enforce it, revise it periodically, and address new threats as they arise.


Implied Certification and False Claims

Imagine this – you see a patient who needs some particular treatment. You have just the person in your office to provide the service, but there is a catch: they are not licensed. No big deal, you think; they can do the service, and you, the licensed provider, will bill for it. “I know they are qualified; I know it will be right.”

No problem, right?

Wrong.

In this month’s Supreme Court decision in Universal Health Services v. United States ex rel. Escobar, the court addressed this issue head on. If a contractor submits claims for reimbursement for a service provided by an individual, the claims are treated as an implied certification that the individual is qualified. If they are not, as was the case in Escobar, the claim is a fraudulent claim.

Here the court made clear that, while stating something false is fraudulent, failing to state something important also can be fraudulent. False statements must be material, and the falsehood must be so serious that the government, had it known of the falsity, would withhold payment. A great discussion of this case can be found at SCOTUSblog.

The long-term implications of the decision remain to be seen, but think about what you are implying when you certify that claim you are about to submit.

Texas A&M, in a partnership with the Houston Methodist Hospital, plans a hybrid Engineering-Medicine program.

Texas A&M Health Science Center, in a partnership with the Houston Methodist Hospital, plans a hybrid Engineering-Medicine program to launch in the fall of 2017.

This is a new take on the role of biomedical engineering in healthcare, which many have seen as increasingly important: these physician-engineers will work to devise technology that will transform medical delivery through telemedicine, limb regeneration, organ growth, and more. This is a welcome evolution, as many incredibly bright physicians and brilliant engineers never learn how to actually shepherd their ideas from a sketch on a napkin to reality; this program aims to teach them how to do this. Look for innovations from this new program.

Over 300 Individuals Charged; Feds Allege Over $900 Million in False Claims

For 35 Texans, Wednesday was a very bad day. In the Southern District of Texas, 24 individuals were charged with fraudulent billing of almost $150 million. In the Houston area, one physician was responsible for falsely billing Medicare for almost $40 million. This physician, along with his cohorts, allegedly billed Medicare for unnecessary home health services – many of which were not even delivered. Others were charged with recruiting patients for unnecessary services, many of which were also not delivered, or, in the case of durable medical equipment and supplies, were bought back from the patients and resold.

Not to be outdone, the Northern District of Texas yielded claims of almost $50 million, with 11 charged for their misdeeds. One case involved a physician allowing unlicensed persons to perform physician services while billing Medicare for the services as if he had performed them himself. This should be a caution to Texas physicians who feel tempted to allow unlicensed personnel to perform certain services. Remember, it is not merely a question of whether or not they are capable of performing the service; it is also a matter of licensure and legal qualification.

Documents related to these Indictments and Complaints can be found here – they make for interesting reading for physicians and attorneys alike.

This wave of enforcement comes close on the heels of the Supreme Court’s ruling in Universal Health Services v. United States ex rel. Escobar, where the court made clear that the implied false certification theory can be a basis for False Claims Act liability.

It looks like it is going to be a long, hot, false-claims-enforcement summer.