This week, the HIPAA FAQ series continues with another topic about business associate agreements (BAAs). As most Covered Entities and Business Associates know, in the event that a Covered Entity utilizes a service provider that may have access to Protected Health Information (PHI), a BAA is required. Further, in the event that a Business Associate utilizes a subcontractor that may have access to PHI, a slightly different type of BAA is required. While this rule is generally understood, applying it is not always simple. Last week, this series explored the relationship between Covered Entities, Business Associates, and their mail carriers, and explained that entities that act as mere conduits without intended access to PHI, such as mail carriers, are not considered Business Associates. This week, this series considers a related question: in the event that a Covered Entity or Business Associate utilizes a cloud storage provider to maintain PHI, does HIPAA require a BAA to be in place?
Significant recent regulatory and enforcement activity related to laboratory fees and services continues to demonstrate an increased focus on this industry. Government enforcers are active in cases involving both the laboratories and physicians involved in kickback schemes.
The U.S. Department of Justice (DOJ) announced in late March and early April that three New Jersey doctors were sentenced to prison for accepting bribes in exchange for referring patients to a medical-testing laboratory company. The DOJ also announced this month that a New York physician admitted to accepting bribes in the same scheme. According to the DOJ, 26 physicians and 12 other individuals have been convicted to date of participating in the bribery scheme with the laboratory and the government has recovered $10.5 million in forfeitures.
Earlier today, the U.S. Department of Health and Human Services Office of Inspector General (OIG), in conjunction with the American Health Lawyers Association (AHLA), the Association of Healthcare Internal Auditors (AHIA) and the Health Care Compliance Association (HCCA), announced the release of a guidance document titled, “Practical Guidance for Health Care Governing Boards on Compliance Oversight” (2015 Guidance). The 2015 Guidance supplements previous guidance documents issued by the OIG in 2003, 2004 and 2007 related to oversight by boards of directors (BOD) for health care companies.
In addition to discussing BOD oversight expectations, the 2015 Guidance defines and discusses the relationship between the compliance, legal, internal audit, human resources (HR) and quality functions of an organization. The 2015 Guidance also tackles tough topics related to reporting to the BOD, identifying and auditing potential risk areas, and compliance accountability.
The 2015 Guidance document should be carefully reviewed by directors of health care companies, as well as compliance, legal, audit, quality and HR professionals.
Does your company sell medical devices to the U.S. Government, either directly or through a reseller or distributor? Are those devices or supplies manufactured at least partly in a country other than the U.S.? If you answered yes to both questions, then you need to understand the Trade Agreements Act and verify that your U.S. Government sales to date have complied with the law.
The Trade Agreements Act, or “TAA,” requires certain products sold to the U.S. Government to be manufactured in the U.S. or in one of the “designated countries” with which the U.S. has a free trade agreement or other special trade-related arrangement. Notably, the TAA applies to all Federal Supply Schedule contracts, including Schedule 65 II A (Medical Equipment and Supplies), Schedule 65 II F (Patient Mobility Devices), and Schedule 65 II C (Dental Equipment and Supplies). Contractors with these VA Schedule contracts must certify, in their proposals to the Government, that the products listed for sale on those contracts comply with the TAA. If such certifications turn out to be false, the contractor may face unwelcome consequences, including (i) a mandatory disclosure obligation, (ii) significant monetary liability under the False Claims Act, (iii) the potential of criminal charges, and (iv) debarment from U.S. Government contracting. Continue reading
The Texas Medical Board (the Board) voted last week to sharply restrict the practice of telemedicine in the state. The rules adopted by the Board were the culmination of a four-year battle between the Board that licenses and regulates doctors in Texas and a national company based in Dallas that provides phone and video consultations with doctors on its staff. While many states are moving in the direction of loosening restrictions on the use of telemedicine, Texas has taken the opposite approach.
This week, the HIPAA FAQ series continues with a topic about business associate agreements (BAAs). Most Covered Entities and Business Associates are familiar with general BAA obligations. In the event that a Covered Entity utilizes a service provider who may have access to Protected Health Information (PHI), a BAA is needed. Further, in the event that a Business Associate utilizes a subcontractor who may have access to PHI, a slightly different type of BAA is needed. That being said, many entities often wonder about the need for BAAs with mail carriers. In the event that a Covered Entity or Business Associate is transporting PHI via mail with the help of the U.S. Postal Service, United Parcel Service, or a similar service, does HIPAA require a BAA to be in place? Continue reading
The Governor of West Virginia signed last week Senate Bill 267 to repeal the Code provisions that created the Governor’s Office of Health Enhancement and Lifestyle Planning (GOHELP). This includes section 16-29H-8 of the Code, which requires prescription drug manufacturers and labelers to annually report advertising and promotion costs for the prior calendar year by April 1st. Because Senate Bill 267 becomes effective 90 days after enactment, manufacturers and labelers are still expected to file the calendar year 2014 report by April 1, 2015.
Is this a new trend for 2015? Although the CMS Open Payments database is now live and the second round of reporting will be completed by applicable manufacturers and applicable group purchasing organizations this week, Minnesota and Connecticut each recently expanded the list of health care providers for whom payment reporting is required. We will be watching further federal and state transparency developments.