Pierce & Mandell, P.C.

11 Beacon Street, Suite 800
Boston, Massachusetts 02108-3002

Phone: (617) 720-2444
Fax: (617) 720-3693

Facebook Twitter

Health and Dental Law

RSS Grab Health and Dental Law RSS Feed

Medicare Physician Payment: A Brave New MACRA and MIPS World

Thursday, April 30, 2015

By William Mandell, Esq. and Karen Rabinovici, Esq.

The Medicare Access and CHIP Reauthorization Act of 2015 (“MACRA”)  --  passed this month in an unusual bipartisan effort  -- permanently repealed the Medicare Part B Sustained Growth Rate formula that would have resulted in a 21.2% cut to physician reimbursement scheduled to take effect on  April 1, 2015. It also notably establishes a new Medicare Part B performance driven payment system.

Under MACRA – which became effective on April 1, 2015 -- the Medicare Part B payment system for physicians has undergone perhaps its most dramatic change since the enactment of Medicare in 1965 or certainly since the adoption of the RBRVS fee system. MACRA gradually increases Medicare Part B rates over the next 4 ½ years and will then reward or penalize physicians financially based on measures of their performance. During this initial 4 ½  year period, Medicare participating doctors will receive a 0.5% increase each year as Medicare transitions away from a primarily fee-for-service system to one designed to reward physicians based on the quality of the care that they provide.  The first increase takes effect on July 1, 2015, followed by annual 0.5% increases going into effect each January 1 through 2018.  From January 2020 through 2025, there are no increases to rates but physician will be subject to performance based adjustments. For 2026 and beyond, physicians who are participating in alternative payments systems will be eligible for an annual update of 0.75% with all others receiving a 0.25% increase.

Between this year and 2018 the Physician Quality Reporting System, Meaningful Use, and the Value-Based Payment Modifier programs continue in their current form. Beginning in 2019, these program will end and elements of each will be included in a new Merit-based Incentive Payment System.

The MIPS Medicare Part B reimbursement system goes into effect in 2019 and is intended to move physician and other professional Part B reimbursement from a fee-for-service to a quality and performance driven system. Under MIPS physicians, and other practitioners such as physician assistants, nurse practitioners, clinical nurse specialists and certified registered nurse anesthetists, participating in the Medicare program will be evaluated via a composite score based on four factors: quality, resource use, meaningful use, and clinical practice improvement activities. Each doctor’s composite score will result in positive or negative adjustments to Medicare reimbursement based on the doctor’s performance on these factors. Physicians may receive a bonus or be assessed a penalty that will be calculated using a sliding scale based on whether the doctor is above or below performance thresholds.

MACRA requires the United States Department of Health and Human Services to establish an annual list of quality measures from which doctors and other MIPS-eligible professionals may choose for purposes of assessing the quality factor. HHS is also required to establish MIPS performance standards that consider historical performance, improvement and the opportunity for continued improvement.

Under MACRA there is a provision that prohibits plaintiffs from using a physician's performance on federal quality measures, including MIPS as well as the remainder of the Meaningful Use, Physician Quality Reporting System and Value-Based Payment Modifier programs, as the sole basis to prove negligence in a medical malpractice lawsuit.

Before the passage of MACRA the medical community was very concerned about the use of quality metrics as evidence by plaintiffs as a basis to assert that a doctor committed negligence. Now medical malpractice plaintiffs may not assert a negligence claim against a doctor on the sole basis that he or she did not earn an incentive or was penalized under any federal health care guideline or standard, used in the MU, PQRS, VBPM or MIPS programs. Furthermore, the fact that a physician did not render a service covered under the Affordable Care Act may not be the sole fact to assert that a physician breached his or her duty of care to a patient.

The MACRA liability protections, however, do not totally prevent the introduction of these facts into evidence in a medical malpractice case. And, it certainly does not go as far as legislation that has been sought by many medical associations that would have provided immunity from liability and other civil suit protections for doctors who are sued and can prove they followed any evidence-based clinical guidelines.

MACRA provides $100 million in funding -- $20,000,000 for each of the fiscal years 2016 through 2020 --   to underwrite technical support to small medical practices with 15 or fewer professionals that desire to participate in the new alternative payment models.  HHS is to work with quality improvement organizations and other regional entities certified by the federal government to provide guidance to such small practices on how to prepare for and transition to quality driven reimbursement, with priority given to rural practices, locations with provider shortages, and medically underserved areas.

In order to devise alternative payment models, develop measures to judge the quality of care provided, and determine how physicians will be rewarded or penalized based on their performance, MACRA mandates the establishment of a 11 person technical advisory committee This committee is charged with reviewing and recommending physician-developed alternative payment models based on criteria developed through an open comment process. Not later than July 2016, HHS is required to submit to Congress a study on the feasibility of integrating alternative payment models in the Medicare Advantage payment system.

MACRA also establishes Medicare payment for chronic care management when performed by a physician, physician assistant, nurse practitioner, clinical nurse specialist, or certified nurse midwife.

Alternatively, physicians who choose to participate in ongoing and future new payment models such as accountable care organizations (ACOs), patient-centered medical homes, and initiatives under Medicaid waivers can receive annual bonuses of 5 percent for services in 2019-2024 and not be subject to MIPS requirements.

As with any major federal health reform legislation many more details will be forthcoming in agency rules and other implementation actions required under the law. So while much has yet to be seen, what is clear is that all medical practices and other Part B providers must begin to prepare now for adapting to a substantially overhauled Medicare reimbursement system where performance measures will drive payments and the infrastructure needed to capture and utilize performance data effectively will be essential to maximizing revenues and fulfilling patient expectations and payer requirements.

If you would like more information about any part of MACRA, please do not hesitate to contact us.

William Mandell is a shareholder and health law practice leader, and Karen Rabinovici is an associate, at Pierce & Mandell, P.C, of Boston. 

Obama Administration Announces “Next Generation ACOs”

Thursday, March 19, 2015

by Curtis Dooling

On March 10th, the Centers for Medicare and Medicaid Services launched a new Accountable Care Organization (ACO) program called the Next Generation ACO. The Next Generation ACO builds on earlier ACO models. ACOs were established under the Affordable Care Act to provide high-quality care to Medicare beneficiaries through coordination of doctors, hospitals, and other health care providers. ACOs differ from Medicare Advantage plans in that beneficiaries can retain their choice of providers, whereas in Medicare Advantage plans beneficiaries are confined within a network.

The Next Generation ACO will differ from existing ACOs in several ways. First, they will be permitted to take on greater financial risk while also qualifying for a greater portion of shared savings. Next Generation ACOs will also be encouraged to coordinate care by enhancing and expanding services to beneficiaries, including skilled nursing care and post-discharge home services. Next Generation ACOs will also be able to offer reward payments to beneficiaries.

ACOs traditionally created care and performance benchmarks based on an ACO’s historical expenditures. Thus, some high performing health care providers were reluctant to joint ACOs. Next Generation ACOs are changing benchmarking methods to transition away from comparisons to past performance. By making this change, high performing health care systems will have a greater incentive to join the ACO program because they won’t be penalized for past quality and cost containment success.

Next Generation ACOs represent a bold move toward population-based payment and greater care coordination. They also allow for greater engagement of beneficiaries, a more predictable financial model and greater tools to coordinate care for beneficiaries. For further information on Next Generation ACOs, visit: innovation.cms.gov/initiatives/Next-Generation-ACO-Model/.

William M. Mandell was quoted in the July 2014 Physician Risk Management

Thursday, July 24, 2014

William M. Mandell was quoted in the July 2014 Physician Risk Management article entitled: “Sunshine Act reporting has implications for malpractice litigation”.


Systems Engineering and Health Care Reform - Boston

Friday, July 18, 2014

By: Michael C. Fee, Esq. and William M. Mandell, Esq.

While reasonable minds may debate the methodologies and cost shifting associated with the Affordable Care Act, it is undeniable that millions of individuals have gained access to the health care system this year as a result of its implementation.  Increased access brings many challenges for professionals at all levels to provide high quality care that focuses first on the needs of individual patients and their families.

In a provocative article published in the Journal of the American Medical Association on Monday, Doctors Christine K. Cassel and Robert S. Saunders argue that the health care system needs to aggressively implement systems engineering in order to improve efficiency and reliability.  They note growing traction for the concept, as the President’s Counsel of Advisors on Science and Technology (“PCAST”) recently issued a report describing systems engineering tools for health care in detail, but also noting significant impediments to implementation, especially in rural and small practice settings.

The PCAST makes a variety of recommendations, including payment incentives that are tied to outcomes (as opposed to the current predominant fee for service system); increased access to health data and analytics, including vast pools collected by the U.S. Department of Health and Human Services; greater technical assistance in systems engineering approaches especially for small practices; and encouraging Accountable Care Organizations to collaborate more broadly with community health organizations and other providers outside of their traditional sectors.

The authors conclude that health care delivery transformation is essential to achieving the primary goals of affordability, quality and creating healthy communities.  As the Affordable Care Act is further implemented over the next several years, systems engineering science, broadly supported by the Federal government, is likely to become a core function for improving the health care delivery system. Moreover, as reform begins to transform the insurance driven aspects of the system, improved quality and coordination of care imperatives will likely motivate physicians, medical groups, hospitals and other providers to explore new types of contracting relationships, integration and expansion strategies.  Massachusetts continues to be at the forefront of these developments, having implemented health care reform well ahead of the Affordable Care Act.

Read the Cassell/Sanders article, and check out the PCAST recommendations.

Lawyers in Pierce & Mandell’s Health Law Department provide creative, effective advice to hospitals, physicians, medical practices and professionals on a broad range of business, compliance and litigation matters. www.piercemandell.com/health-law.html.

Pierce & Mandell, P.C. to Sponsor the Annual Schwartz Center Health Attorneys Breakfast - Boston

Wednesday, March 19, 2014
Pierce & Mandell, P.C. is proud to be a sponsor law firm for the Annual Schwartz Center Health Policy Breakfast, to be held on Friday, April 4. This year’s program will focus on the Schwartz Center's Call to Action, which outlines seven guiding commitments to create a more compassionate healthcare system. Peter Slavin, MD, CEO of MGH; Sandra Fenwick, CEO of Boston Children’s Hospital; and Kevin Tabb, MD, CEO of Beth Israel Deaconess Medical Center, will comment on the Commitment to Compassionate Healthcare Leadership.
The Schwartz Center for Compassionate Healthcare, named after Boston healthcare attorney and patient compassion advocate, Ken Schwartz. Ken was an excellent health lawyer and a wonderful person who left us tragically way too early. His family, friends and colleagues have established a fitting and enduring organization in his honor. The Schwartz Center is a nationwide non-profit organization with a long and respected history of providing patient-centered, compassionate care while striving to strengthen the relationships between patients and providers.  

In 1995 Ken wrote about his experience as a cancer patient in an article for the Boston Globe Magazine entitled “A Patient’s Story.”  In it, he cited how doctors and nurses can make “the unbearable bearable” for patients with “the smallest acts of kindness.” This article was a source of strength and solidarity for my late father who was undergoing cancer treatment at that time.

Please take a moment to learn about the history and remarkable work of The Schwartz Center for Compassionate Care and we encourage all of you who care about improving the training and resources available for compassionate care to support the Schwartz Center.

The HIPAA/HITECH Mega Rule Compliance Deadline is Fast-Approaching

Monday, September 09, 2013
By Karen Rabinovici, Esquire

The September 23, 2013 deadline for compliance with the final Omnibus Rule which amends HIPAA and the HITECH Act, called the “Mega Rule,” is just 15 days away.  The Mega Rule, which became effective on March 26, 2013, calls for medical providers to update and revise privacy policies, procedures and notices, business associate relationships and agreements, and employee training.  The Mega Rule affects both Covered Entities and Business Associates.  

What is Protected Health Information (“PHI”)?

PHI refers to individually identifiable health information.  Individually identifiable health information is information that can be linked to a particular person.  This can relate to an individual’s past, present, or future physical or mental health or condition, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.  Common identifiers are names, social security numbers, addresses, and birth dates.

What is a Covered Entity?

A Covered Entity is a health care provider, a health plan, or a health care clearinghouse.  A health care provider is a Covered Entity only if the provider transmits information in an electronic form in connection with transactions that involve the transmission of information between two parties to carry out financial or administrative activities related to health care.  Simply put, a Covered Entity is any entity that handles and transmits health information.
What is a Business Associate?

A Business Associate is a person/entity who, with respect to a Covered Entity, performs or assists in the performance of a function or activity involving the use or disclosure of PHI, or provides management, administrative, accreditation, or financial services to or for a Covered Entity, where such services involve the disclosure of PHI by a Covered Entity to a Business Associate.

The definitions of Covered Entity and Business Associate can be found at 45 CFR 160.103.  

What are the main Mega Rule requirements of which Covered Entities and Business Associates should be aware?

The following are the main components of the Mega Rule of which Covered Entities and Business Associates should be aware and should incorporate into their practices.  This is not a complete list.

1. Extension of HIPAA privacy and security requirements to Business Associates and Subcontractors of Business Associates
Before the Mega Rule, Subcontractors who used or disclosed PHI were not subject to HIPAA.  Now, both Business Associates and third-party Subcontractors can be held accountable for unauthorized disclosures under the Mega Rule.  Business Associates and Subcontractors of Business Associates can be subject to compliance requirements and civil penalties for unauthorized disclosures.  Business Associates and Subcontractors must update Business Associate Agreements to reflect these changes. 
2. Breach redefined
When an impermissible access, acquisition, use or disclosure of PHI occurs, the Mega Rule presumes such transaction is a breach.  Prior to the Mega Rule, such transaction was not a breach unless it posed a significant risk of financial, reputational or other harm to the individual.  In order for a Covered Entity not to be required to notify the patient of the breach, it must demonstrate that there is a low probability that the information was compromised.  This is determined by examining the type and extent of the PHI involved, to whom the disclosure was made, if the PHI was actually acquired or accessed, and if the risk of unauthorized disclosure was mitigated.  This review must be documented according to the Covered Entity’s established policies and procedures.  If Covered Entities do not follow these guidelines, or have established policies and procedures, they could face monetary penalties for willful neglect.  
3. Updates to Notice of Privacy Practices (“NPPs”) and redistribution of NPPs
Covered Entities must update their NPPs, and redistribute the updated NPP.  The updated NPP must include a description of the disclosures that do and do not require authorization, the fact that:  patients can opt out of fundraising and marketing communications, patients can request disclosure restrictions, patients can access their PHI, and Covered Entities are legally required to notify patients whose PHI is breached.  It must also state that any disclosures not described in the NPP may only be made with authorization, and that relevant PHI may be disclosed to a deceased’s family member, friend, or representative if that person was involved in the patient’s care or payment for services (unless the patient expressed otherwise). 
4. Expansion of patient privacy and patient empowerment

The Mega Rule empowers patients to request further restrictions on disclosure of their PHI.  Covered Entities must comply with such requests if the disclosure is for payment or health care operations purposes, the disclosure is not required by law, or if the requested restriction applies to disclosure of a service which has already been paid for in full by someone other than the health plan.

Patients may also specify to whom PHI may or may not be disclosed (friends, family members, etc.).  In addition, patients have the right to access their PHI.  If the Covered Entity maintains PHI in electronic format, the Covered Entity, upon request, must provide the patient with electronic access to the PHI.  Covered Entities may charge patients a reasonable fee limited to the cost of supplies, labor, and postage.  Furthermore, if patients wish to amend their PHI, they have the right to do so (although there are several limited circumstances where this request may be refused). 
5.    More rigorous HIPAA enforcement
Under the Mega Rule, the Department of Health and Human Services is responsible for investigating private complaints of non-compliance alleging unauthorized disclosures due to willful neglect.  As required by the HITECH Act, these investigations and reviews may result in increased and tiered civil money penalties.  The penalties take into account whether Covered Entities or Business Associates should have known of the violation, if the violation was due to willful neglect or reasonable cause, whether the violation was corrected within 30 days, and whether the Covered Entity or Business Associate mitigated the harm.
6.    Option for patients to opt out of receiving fundraising and marketing communications  
When Covered Entities communicate with patients regarding fundraising, they must notify the patient clearly of the patient’s option to opt out of receiving such communications.  In addition, Covered Entities cannot sell patient information for fundraising and marketing purposes without authorization.  When seeking such authorization, the patient must be made aware that the provider will receive remuneration for disclosing PHI.  However, Covered Entities may continue to receive financial remuneration to provide refill reminders, or to send out other communications about a drug currently used by the patient as long as the remuneration is related to the costs of making the communication.

What should Covered Entities and Business Associates do before September 23?

Covered Entities and Business Associate should use the several days left before the compliance deadline to update policies and procedures, train staff accordingly, and become familiar with the Mega Rule in order to ensure compliance and avoid lofty penalties.  For further assistance, please contact one of the health law practice area attorneys at Pierce & Mandell, P.C.

Read William Mandell's Most Recent Article in Boston Bar Association's Health Law Reporter

Wednesday, July 10, 2013

William M. Mandell who heads Pierce & Mandell’s Health Law Practice authored an article entitled: “Should I Tell Someone?” Permissible Disclosures by Massachusetts Health Providers and the Need for Greater Statutory Clarification which was  published in the Boston Bar Association's Health Law Reporter Summer 2013 edition.  To read this article, click here.


Monday, July 01, 2013

The federal HHS Office of Civil Rights recently adopted final HIPAA regulations covering a broad range of topics, to strengthen privacy and security protections for individual health information.  This blog is another in a series examining these new regulatory requirements.   

By Dean P. Nicastro, Esq.

The new HIPAA Final Rule for Privacy, Security, Enforcement and Breach Notification (adopted in January 2013) creates new obligations for Business Associate Agreements (“BAA”) between physicians, hospitals and other health care providers (“Covered Entities”), and those contractors who perform services for them involving the use or disclosure of Protected Health Information (“PHI”).

As was mentioned in a previous blog, HIPAA now defines “Business Associate” (“BA”) to include a BA’s subcontractors who create, receive, maintain or transmit PHI on the BA’ behalf.  The new Final Rule goes on to require that a BAA between a Covered Entity and its BA must require the BA to ensure that the BA’s subcontractors comply with HIPAA privacy and security requirements.  Effectively, and as a mandate, this means that the Covered Entity’s BA must have in place a separate BAA with the BA’s subcontractor.

HIPAA makes clear that the Covered Entity need not have a BAA in place directly with the BA’s subcontractor. However, the Final Rule puts the burden on the Covered Entity to arrange for subcontractor compliance, by requiring the BA to obtain compliance assurance from its subcontractor.  Thus, HIPAA BAA’s between health care providers and their servicing vendors need to be revised and updated to include these “downstream” subcontractor compliance obligations.

Care should be exercised when drafting the updating revisions: for example, the main BAA should require that the downstream BAA mirror the BA’s privacy and security obligations; additionally, it may be advisable to expressly disavow any relationship of agency between the Covered Entity and the subcontractor.

Finally, when updating a BAA template, it would be helpful to include language of compliance with Massachusetts law and regulations that protect the security and disposal of data that contains personal information, like names and social security or financial account numbers.  Massachusetts consumer regulations require that a service provider contract be in place with vendors who access such data, so it is a good idea to have the HIPAA BAA serve as such a contract as well.  

In general, the HIPAA Final Rule must be complied with by September 23, 2013.  The federal HHS Office of Civil Rights has posted some helpful sample language for BAAs on its website.

Please contact the health law professionals at Pierce & Mandell for additional information on this subject.

CMS and OIG Propose to Amend Stark and Anti-Kickback Rules for EHR Donations

Wednesday, May 01, 2013
By Dean P. Nicastro

Last month, the Centers for Medicare & Medicaid Services (CMS) and the Office of Inspector General of the U.S. Department of Health and Human Services (OIG) proposed similar amendments to the Stark exception and to the Anti-Kickback safe harbor for the donation of electronic health records (EHR).  The current rules permit hospitals, group practices and other entities to donate technology-related items and services to physicians, to be used to create, maintain, transmit or receive EHR.  Highlights of the proposed changes:

  • Eliminate the requirement that EHR must include an electronic prescribing component or interface ability
  • Change the procedure for deeming EHR software “interoperable,” so as to follow the current certification process employed by the Office of National Coordinator for Health Information Technology (ONC); and eliminate the 12-month prior timeframe for certification
  • Postpone the EHR sunset from December 31, 2013 to December 31, 2016

The two agencies believe that “sufficient alternative policy drivers” exist to advance electronic prescribing, and that the ONC certification program (which certifies to any edition of EHR certification criteria that is identified in the regulatory definition applicable at time of donation) is consistent with the objective of ensuring that EHR products are certified to the current standard of interoperability when they are donated.  In addition, the sunset extension is thought needed in order to help achieve more widespread adoption of EHR in the healthcare industry (the December 31, 2016 date corresponds with the closing timetable for Medicare/Medicaid EHR incentive programs; the agencies even suggest an extension to December 31, 2021).

The agencies have invited comment on the proposed amendments through June 10, 2013.  Also, they seek comment on whether to limit the class of permitted donors, so as to exclude certain ancillary suppliers, such as lab companies, durable medical equipment suppliers and independent home health agencies, and on other suggestions for preventing “data and referral lock-in” and for encouraging the free exchange of data.

The proposed changes are contained in the April 10, 2013 Federal Register.  Please contact the health law professionals at Pierce & Mandell for additional information on this subject.

New HIPAA Limitations and Changes

Monday, April 01, 2013


(I)The United States Department of Health and Human Services Office of Civil Rights final modified HIPAA regulations under the HITECH Act are now in effect and health care providers must achieve compliance with all of the new requirements by September 23, 2013. This is one in a continuing series of blogs from Pierce & Mandell, P.C. describing some of the major changes health and dental practices, hospitals and other health care facilities must be following by that date.   

By Kate Auerbach, Esq., Rebecca Merrill, Esq.  and William Mandell, Esq.


The modified HIPAA Privacy Rule redefines ‘marketing’ and increases the limits on the use and disclosure of protected health information (“PHI”), including patient contact information, by health care providers to do marketing.

Previously, marketing was defined as communication about a product or service to encourage individuals to purchase or use the product or service. While providers previously had to obtain a patient’s written authorization before using or disclosing their contact information for marketing purposes, the HIPAA Privacy Rules has allowed for several broad exceptions to securing patient authorization, including any communication about products or services offered by the provider itself or that recommended alternative treatments.  

Under the modified Privacy Rule, starting on September 23, 2013, providers will now have to secure their patients’ written authorization in order to use their contact information for marketing about health-related products or services if the provider or its business associates receive any financial remuneration in exchange for making the marketing communication from or on behalf of the third party whose product or service is being described. The modified rule does include an exception for refill reminders or communications about a medication being prescribed as long as the only remuneration received is reasonably related to costs of making the communication (labor, supplies, & postage). For example, if a medical practice sent a mailing without advance patient authorization about a new medication on the market and received compensation the practice could violate HIPAA (such remuneration, however, could raise fraud and abuse compliance issues). However, if the practice sent information about refilling a prescription and was reimbursed for the cost of the mailing it would not need to secure written authorization from the recipient/patients.

Under the modified Privacy Rule, marketing authorization forms must disclose to the patients the remuneration received by the provider from the third party and must also state that the patient may revoke the authorization at any time.     

There are exceptions to this authorization requirement.   If a communication is made face-to-face by a practitioner to a patient or if a promotional gift of nominal value is given, then advance patient written authorization is not required.  Additionally, refill reminders, adherence reminders and delivery system instructions are allowed without pre-authorization, as long as the remuneration received is reasonably related to the cost of making the communications, and the provider does not make a profit.  


The original HIPAA Privacy Rule allowed non-profit providers to use, or disclose to a business associate or an institutionally related foundation, specific types of information about patients for fundraising activities without advance authorization, including demographic information and dates of service.   

The modified Privacy Rule creates additional categories of PHI that can be used for targeted fundraising communications.  These categories include: (i) department of service (general department of treatment); (ii) treating physician information; (iii) outcome information, and (iv) health insurance status.  This expanded scope of permissible information flow for fundraising related uses and disclosures is intended to permit non-profit providers to develop more focused fundraising efforts to particular individuals.    

However, HIPAA now requires starting on September 23, 2013 that fundraising communications to patients include a clear and conspicuous opportunity for the patient to “opt out” of receiving further fundraising communications.  The opt-out method can be chosen by the provider but it must not cause an “undue” burden” to patients and they cannot be required to write letters to the provider in order to opt-out of having their PHI used for fundraising purposes. Once a patient elects to opt-out the provider is absolutely prohibited from sending any more fundraising communications.  Non-profit providers are also prohibited from conditioning treatment or payment on a patient’s choice not to receive fundraising communications.

Obviously, these new requirements and limitations imposed on providers that do fundraising will add to their administrative burden and cost as a result of the need to avail patients of an opt-out or opt-in system and to track and ensure properly targeted marketing to patients and their families.   

Sale of PHI.

The modified HIPAA Privacy Rule also prohibits the sale of PHI by a covered entity or business associate. “Sale” is defined as the receipt of remuneration, directly or indirectly, in exchange for PHI, without patient written authorization, unless the sale meets a specified exception.  

There are eight exceptions to this sale of PHI prohibition, which include: (1) for public health activities; (2) for research, where the only remuneration received by the covered entity is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purpose; (3) for treatment and payment purposes; (4) for the sale, transfer, merger or consolidation of all or part of the covered entity and related due diligence; (5) to or by a business associate, if the only remuneration is provided by the covered entity to the business associate for the performance of its contracted services; (6) providing an individual with access to his or her PHI; (7) for disclosures required by law; and, (8) for any other purpose permitted by and in accordance with the applicable requirements of the Privacy Rule, where the only remuneration received by the covered entity is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purpose, or a fee otherwise expressly permitted by other laws.

Modification to Notice of Privacy Practices and health Information Policies and Procedures

No later than September 23, 2013 all providers that are covered entities under HIPAA must modify their required HIPAA Notice of Privacy Practices (“NPP”) and Health Information Policies and Procedures to incorporate the above mentioned changes on the patient privacy rights as to the use and disclosure of their health and personal information for marketing, fundraising and sales purposes, as well as the other new rights established under the HIPAA modified Privacy Rule. These include:

  • Right to limit any use or disclosure of PHI for certain sales, marketing and fundraising purposes before granting written authorization
  • Right to restrict disclosure of PHI to a health plan when the patient opts to pay the provider in full directly out of pocket
  • Right to be informed by a provider or other covered entity of any breach of unsecured PHI
  • Right to obtain electronic copies of PHI
  • Any uses and disclosure of PHI for treatment, payment or operations not stated and described in the NPP may only be upon patient written authorization.
  • Any prior written authorization granted may always be revoked.

Providers should be moving forward now to update their NPPs and Policies to reflect the new requirements in the modified HIPAA Privacy Rule. Care should be taken in the drafting of the modified NPP as it will now dictate if written authorization is needed for certain uses an disclosures even beyond those otherwise required under more stringent applicable state privacy laws. The new form of the NPP does not have to be shared with existing patients. It only needs to be posted on the provider’s website and in prominent place in its office or facility and given to all new patients during their first encounter or admission starting no later than September 23, 2013.

Please feel free to contact the health law attorneys at Pierce & Mandell if you desire additional information on this subject.

Enter your e-mail address below to receive updates on new blog posts!

Recent Posts