Wednesday, August 9, 2017

New PA and NP Privileges in Idaho Hospitals

Megan J. Hopfer

Historically, privileges to admit patients to Idaho hospitals and healthcare facilities were reserved to physicians, which prevented physician assistants and nurse practitioners from admitting their patients when admission was necessary for their care. This limitation has become outdated and burdensome because of the expanding roles of physician assistants and nurse practitioners in Idaho health care. The licensure of these mid-level practitioners allows them to perform services traditionally performed by physicians, and in some rural areas of the state they are the main source of access to health care for Idaho residents, yet the limitation has negatively impacted their ability to provide comprehensive care to their patients.

In July 2017, the Idaho legislature responded to these issues by enacting a law that allows these mid-level practitioners to admit patients. Idaho Code § 39-1396 stipulates that a hospital or healthcare facility may give admitting privileges to doctors, advanced practice nurses, or physician assistants under the following conditions: 1) those privileges are recommended by the facility’s medical staff; 2) those privileges have been approved by the facility’s governing body; and 3) those privileges fall within the admitting practitioner’s scope of practice.

The new law, however, is not a broad grant of unchecked power to physicians and mid-level practitioners. The law requires the hospital or facility to specify in its bylaws the process by which its governing body and medical staff oversee those practitioners granted admitting privileges. The law further clarifies that such oversight must include, but is not limited to, credentialing and competency review. In addition, Idaho law still requires that a member of the medical staff have responsibility for the overall care of a patient while in the hospital, and hospital licensing regulations require that hospital bylaws specify that every patient be under the care of a physician licensed by the Idaho State Board of Medicine.

Mid-level practitioners and health care facilities should pay special attention to subpart 1(a) of the new law, which requires that the medical staff of the facility recommend admitting privileges. The law gives the medical staff considerable power to control or curtail the expansion of the group of clinicians with admitting privileges. The question arises: will the medical staff withhold recommendation of these mid-level practitioners (perhaps in an effort to defend its territory)? Time will tell whether this problem will surface in Idaho hospitals.

In response to the new law, Idaho hospitals and healthcare facilities should review and update their bylaws to identify which types of clinicians are eligible for admitting privileges and to specify processes for physician oversight in compliance with state law and other applicable regulations.
Megan J. Hopfer at 9:38 AM
Health Care Law
Tuesday, June 6, 2017

Does Ransomware make you WannaCry?

On May 12, 2017, a worldwide ransomware attack assaulted businesses and government entities in 150 countries, including Britain’s national health system, FedEx, Spain’s Telefónica, and the Russian Interior Ministry. The malware, dubbed “WannaCry,” was designed to reach servers through vulnerabilities in Microsoft Windows software. Many users’ systems were infected by opening a seemingly harmless email. This malware differed from others in that, once inside a network, it could spread between computers without any user interaction.

The main targets of the malware were users of Microsoft Windows who had not installed a patch distributed by Microsoft in March and users still running Windows XP, whose systems were the most vulnerable. The attack was slowed after a researcher identified a “kill switch” for the malware. The kill switch could not help devices that were already infected, but it bought time to patch systems that had not yet been hit. However, most computer security experts do not believe the attack has been halted completely, and at least one new strain of the ransomware that is unaffected by the kill switch has been slowly spreading.

So far, Britain’s national health system has been the most affected health care organization worldwide. Because of the malware, many British hospitals were forced to cancel critical surgeries and divert patients to other hospitals when they could not access patients’ medical records. Although the attack has not been reported to be as prevalent in U.S. healthcare systems, the U.S. Department of Health and Human Services (HHS) issued a report urging healthcare organizations to be cautious in their cybersecurity practices.

Taking that advice, there are several lessons we can learn from the WannaCry attack. We suggest the following best practices to protect yourself from ransomware attacks that arrive through email:

    1. Ensure that your computer and antivirus software are up to date. Regularly check for patches and updates to your operating system and install them as they become available. The same goes for your antivirus software.

    2. Regularly back up your data and test whether the backups can be restored. Restorable backups can mean the difference between significant business disruption and simply restoring the data.

    3. Only open email messages from people you know and messages you are expecting to receive.

    4. Never click on links in emails you were not expecting.

    5. Conduct regular security awareness training to remind your staff of the importance of good email hygiene. Phishing attacks with software downloads, or with links and attachments leading to malware, are often the first sign that a ransomware event is looming.

    6. Before your practice is attacked by ransomware, review and update your security incident response plan as well as your disaster recovery plans.

    7. Never pay the ransom. Payment of ransom by one provider emboldens attackers and proliferates the attacks, placing other healthcare providers at risk.

If you were attacked, or know someone who was attacked, it is important to be aware of the HHS guidance on ransomware. HHS advises that when electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred, because the ePHI encrypted by the ransomware was acquired (unauthorized individuals have taken possession or control of the information). Unless the organization can demonstrate that there is a low probability that the PHI has been compromised, based on the factors set forth in the Breach Notification Rule, a breach is presumed to have occurred and notification is required.

Keep in mind that the policies and procedures implemented before a ransomware infiltration will dramatically affect the outcome of a ransomware attack. As they say, an ounce of prevention is worth a pound of cure.

For questions, please contact:

Megan Hopfer | Attorney
2105 Coronado St | Idaho Falls, ID 83404
(208) 523-5171

This article is designed to provide general information on pertinent legal topics. The statements made are provided for educational purposes only. They do not constitute legal advice nor do they necessarily reflect the views of Beard St. Clair Gaffney PA or any of its attorneys other than the author. This news update is not intended to create an attorney-client relationship between you and Beard St. Clair Gaffney PA. If you have specific questions as to the application of the law to your activities, you should seek the advice of your legal counsel.

Megan J. Hopfer at 12:21 PM
Health Care Law
Thursday, March 16, 2017

Do you know how to handle a HIPAA breach?

In the ever-growing world of electronic health records, cloud-based storage, and IT hacks, it is of the utmost importance to know how to handle a breach of protected health information (PHI).

Individuals, organizations, and agencies that meet the definition of a covered entity under HIPAA must comply with requirements to protect the privacy and security of health information. Health plans, such as health insurance companies or government programs such as Medicare and Medicaid, qualify as covered entities. Health care providers, such as doctors, clinics, dentists, chiropractors, and pharmacists, also qualify as covered entities if they electronically submit claims or other information to carry out financial or administrative activities related to health care.

For any breach affecting more than 500 individuals, a covered entity, such as a doctor’s office, must investigate and report the breach without unreasonable delay and in no case later than 60 calendar days after discovery of the breach. If it fails to do so, it may be subject to HIPAA fines. The Office for Civil Rights just settled its first case of the year against Presence Health, one of the largest integrated health systems in Illinois, for ‘unreasonable delay’ in reporting a HIPAA breach. The report was 45 days late. The fine was $475,000.

The HIPAA Breach Notification Rule requires that covered entities notify individuals and, if the breach involves more than 500 persons, report breaches to HHS and local media without unreasonable delay and in no event later than 60 calendar days after discovery of the breach. A separate HIPAA violation occurs for each day the covered entity fails to report the breach beyond the deadline.

We can learn a valuable lesson from Presence Health’s blunder: covered entities must take the reporting deadlines seriously. Notification to affected individuals must be made without unreasonable delay and in no case later than 60 calendar days after discovery of the breach. If the breach involves 500 or more individuals, the covered entity must notify HHS at the time it notifies affected individuals. If the breach involves fewer than 500 individuals, the covered entity may wait to notify HHS until no later than 60 days after the end of the calendar year. If the breach involves more than 500 residents of one state, the covered entity must notify local media at the time it notifies affected individuals. One important clarification for covered entities: the 60-day period begins to run from the time that any member of the covered entity’s workforce (other than the person committing the breach) knew, or by exercising reasonable diligence should have known, that the breach occurred.

In addition, while we’re on the topic, please allow us to remind you of a few best practices to avoid HIPAA blunders:

      1. Update Your Policies. Covered entities should adopt, implement, revise, and update their policies and procedures providing for the timely and adequate notification of a breach to HHS, individuals, and the media. To avoid internal miscommunication, covered entities should ensure that such policies and procedures explicitly define employee roles and responsibilities with respect to who 1) completes risk assessments of potential breaches, 2) receives and acts upon reports related to potential breaches, 3) prepares and sends notifications to individuals, HHS, and the media without unreasonable delay and within the Rule’s prescribed timeframes, and 4) updates policies and procedures on an at-least-annual basis.

      2. Train Your Employees. Make it a priority to provide annual and ongoing training based on your updated policies and procedures. It is best to provide training to all current and new workforce members on an at-least-annual basis. Such training should be comprehensive, include information about what constitutes a breach and the importance of quickly reporting and acting upon reports of potential breaches, and identify the key people to whom such reports should be made.

      3. Incentivize Employee Compliance. Impose sanctions on workforce members who fail to adhere to HIPAA-related policies and procedures (e.g., retraining, compensation/bonus impact, and/or termination) to ensure that employees are properly incentivized to comply. Accordingly, do not merely have policies and procedures in place; impose sanctions on staff members who fail to comply with them.

      4. Prepare and Practice Your Game Plan. Once you learn of a breach, the clock starts ticking, so it is best to be ready to spring into action as quickly as possible. The notification process requires multiple tasks, such as investigating the breach, analyzing any changes to the regulatory requirements, tracking down affected individuals’ names and addresses, communicating and coordinating with the relevant decision-makers, setting up call centers to answer data subjects’ questions, and preparing and mailing notifications. Therefore, best practice is to have an incident response plan ready; a battle plan, if you will. Put in place, and practice as much as possible, your coordination and communication strategies for the discovery and reporting of breaches. Such exercises are an important way to ensure that you have defined timetables, coordinated team members, and an overall awareness of compliance requirements.

Megan J. Hopfer at 1:23 PM
Health Care Law
Monday, October 10, 2016

CMS Prohibits Arbitration Provisions in LTC Admission Agreements

Jared Allen

The Centers for Medicare & Medicaid Services (CMS) seeks to provide basic protections to residents of long-term care (LTC) facilities who sign an agreement for the arbitration of disputes between residents and LTC facilities. On September 28, 2016, as part of a massive overhaul of consumer protections applicable to LTC facilities, CMS issued a rule prohibiting LTC facilities that accept Medicare or Medicaid from requiring potential residents to enter arbitration agreements as a condition of admission.

The rule places clear restrictions on arbitration agreements entered into between LTC facilities and residents after November 28, 2016, the effective date of the rule. Restrictions and requirements include the following:

  • Arbitration agreements cannot be entered into prior to the existence of a dispute;
  • Arbitration agreements must be separate agreements in which residents make “an affirmative choice to either accept or reject binding arbitration for disputes between the resident and the facility[;]”
  • The LTC must provide an explanation of the agreement including, at a minimum, that the resident is waiving the resident’s right to judicial relief for any potential cause of action covered by the agreement;
  • The agreement must be voluntary;
  • The agreement must provide for the selection of a neutral arbitrator and a venue convenient to both parties;
  • The agreement must not be contained within another agreement relating to other issues; and
  • Guardians or other representatives entering agreements on behalf of a resident must be permitted to do so under state law and must not have a financial interest in the LTC facility.

Opponents of the new rule have suggested that CMS lacks the statutory authority to restrict the use of arbitration, but in addressing those concerns CMS has concluded that the Federal Arbitration Act (FAA) does not limit its ability to regulate how arbitration agreements are reached as a condition of participation in the federal payment programs. Because CMS acknowledges that the FAA applies to already existing arbitration agreements, the new rule has no application to such agreements between LTC facilities and current residents. The final rule provides: “[T]he rule we are issuing does not affect already-existing arbitration clauses, but prohibits Medicare- and Medicaid-participating LTC facilities from using them in the future, as a condition of participating in these programs. While we share the same public policy concerns about already-existing arbitration agreements, we are only addressing agreements reached after the effective date of this rule.”

Jared Allen at 4:35 PM