Click here to read Mike Cassidy’s article which was featured in the Legal Report section of the September 2019 edition of the Allegheny County Medical Society Bulletin.
Mike Cassidy has been honored as one of the Best Lawyers in America for the 11th consecutive year.
The Pennsylvania Commonwealth Court, on remand from the Pennsylvania Supreme Court, has again decided that the previously agreed termination date of the access provisions contained in the UPMC/Highmark Consent Decrees, i.e. June 30, 2019, is not a term subject to the modification provisions of those Consent Decrees, and is definite. The adjudication of the Commonwealth Court, attached hereto, discusses the history of the negotiation of the terms, especially the termination date, and confirms the Consent Decrees will expire on June 30, 2019.
For additional information contact Mike Cassidy.
Today the U.S. Department of Health and Human Services, Office for Civil Rights (“HHS”) announced a $3,000,000 settlement for a disclosure of patient protected health information (“PHI”) via its FTP server.
In 2014, HHS received an email tip that the social security numbers of Touchstone Medical Imaging (“Touchstone”) patients were accessible online via an insecure file transfer protocol (“FTP”) web server. HHS confirmed that this information was accessible via a simple Google search.
Both the FBI and HHS notified Touchstone of the breach, which included the name, date of birth, phone number, and address and in some cases social security number of over 300,000 individuals. Touchstone failed to investigate the issue until several months later.
HHS found that:
1) Touchstone impermissibly disclosed the PHI of over 300,000 individuals through its insecure FTP server.
2) Touchstone failed to have technical policies and procedures to restrict who could access the information through the server.
3) Touchstone failed to have a written business associate agreement with a business associate.
4) Touchstone continue to engage another business associate without having a business associate agreement in place.
5) Touchstone failed to thoroughly and accurate assess potential risks and vulnerabilities of electronic PHI that it held.
6) Touchstone waited well over four months to respond to the incident.
7) Touchstone failed to notify affected individuals of the breach until 147 days after it was notified of the breach.
8) Touchstone failed to notify media outlets of the breach until 147 days after it was notified of the breach.
To settle the matter, Touchstone has agreed to pay HHS $3,000,000 and enter into a Corrective Action Plan.
You can read the HHS Press Release and the Resolution Agreement here: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/tmi/index.html
If your office would like guidance on how it can prevent HIPAA violations from occurring, please contact our firm.
Danielle Dietrich is a healthcare and litigation attorney in Tucker Arensberg’s Long Term Care Practice Group. She is licensed to practice law in Pennsylvania, Ohio and West Virginia. Danielle can be reached via email: firstname.lastname@example.org, telephone: 412-594-5605 or on Twitter at @DLDietrich.
Tucker Arensberg, P.C. is pleased to announce that Michael A. Cassidy has been honored as one of only seven healthcare lawyers in the nation to be selected in 2019 as a Fellow of the American Health Lawyers Association (“AHLA”). Only a fraction of 1% of AHLA’s nearly 14,000 members are selected for fellowship annually. This honor recognizes the career long achievements, the contributions and tenure with AHLA, and their continuing service and leadership in the legal profession. Fellows include past AHLA presidents, former members of the Board of Directors, former members of practice group and program planning committees, and others who have been very active within the association.
Mike is Chair of the Business and Finance Department and focuses his practice on compliance, credentialing and peer review, reimbursement, contracts, HIT, HIPAA and telehealth issues for physicians. Mike is also the publisher of the Med Law Blog https://www.medlawblog.com, the firm’s health law blog, and has been certified in Healthcare Compliance (CHC) by the Health Care Compliance Association (HCCA).
Mike received his Juris Doctor from the University of Pittsburgh School of law and his undergraduate degree from Brown University.
On April 4, 2019, CMS issued the final Medicare Advantage Rule for calendar year 2020, announcing it will allow Medicare Advantage carriers to significantly increase the range of telehealth services beyond traditional Medicare Part B covered services, stipulating only that, if a service is to be covered as a telehealth service, it must also be covered as an in-person service.
- A link to a PDF of the CMS summary in the rule entitled “Requirements for Medicare Advantage Plans Offering Additional Telehealth Benefits”
- A link to the CMS fact sheet – https://www.cms.gov/newsroom/fact-sheets/contract-year-2020-medicare-advantage-and-part-d-flexibility-final-rule-cms-4185-f
- A link to the final Rule – https://s3.amazonaws.com/public-inspection.federalregister.gov/2019-06822.pdf
The Patient Test Result Information Act was effective December 23, 2018.
The Act requires entities performing diagnostic imaging services, defined to include any medical imaging test intended to diagnose the presence or absence of a disease, to provide notice of the results to patients. The operative language states:
“When, in the judgment of the entity performing a diagnostic imaging service, a significant abnormality may exist, the entity performing the diagnostic imaging service shall directly notify the patient or the patient’s designee by providing notice that the entity has completed a review of the test performed on the patient and has sent results to the healthcare practitioner who ordered the diagnostic imaging service”.
The notice to the patient shall include:
· The name of the ordering healthcare practitioner
· The date the test was performed
· The date the results were sent to the ordering healthcare practitioner
The notice must also contain a statement to the patient that the patient is receiving the notice as a result of a determination by the diagnostic imaging services that further discussions of the test are warranted and would be beneficial. In other words, you must make sure the patient knows that the test is significant and that their doctor has it.
The Act exempts reports regarding routine obstetric ultrasounds used to monitor the development of a fetus and imaging services performed on a patient being treated as an inpatient or in an emergency room.
The Act also exempts diagnostic radiographs, which are defined as the digital images, so the notice need not include the actual image.
The Pennsylvania Department of Health has provided a one year grace period in order for diagnostic imaging entities to become accustomed to their obligations. Click the links to read that letter dated December 14, 2018 and the Act.
Although there have been a number of issues raised by the Pennsylvania Attorney General in the UPMC/Highmark situation, including UPMC’s status as a charitable institution, the primary issue in the Attorney General’s lawsuit was a request to extend the June 30, 2019 termination date for the UPMC-Highmark Consent Decrees. The Commonwealth Court declined to extend the term of the Consent Decree. Click here to read the opinion.
On Thursday, March 28, CMS issued a new MLN Connects article, which included updates for ambulatory surgery center payments. A link is attached below: