In addition to advising practices about fraudulent activity such as Stark Law violations and Anti-Kickback Statute violations, Cohen Healthcare Law Group, PC, also advises physicians and medical practices about a range of federal and state laws and regulations. Some of these laws affect the privacy and care of the patients. Other laws and regulations address the ways in which technology is reshaping how medical care is delivered and how medical practices keep and store patient information.
Many regulations apply to all types of practices. Other rules apply to specific medical practice areas or to specific ways in which the medical practice conducts business. A few of the key laws we address follow:
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted to create national standards for the protection of patient health information (PHI) – so that patients can consent to its release. There are several components to the HIPAA law including a privacy rule and a security rule.
- The HIPAA privacy rule. This rule governs “covered entities.” This means the first step in any compliance review, an experienced healthcare regulatory lawyer will explain, is if the law applies to your practice. The rule seeks to provide a proper balance between the patient’s desire to protect his/her medical information and the need of physicians and others to communicate with those people/entities who can provide the medical care the patient needs.
- Covered entities are defined as:
- Healthcare providers. “Healthcare providers include “every healthcare provider, regardless of size of practice, who electronically transmits health information in connection with certain transactions. These transactions include claims, benefit eligibility inquiries, referral authorization requests, and other transactions for which the US Department of Health and Human Services HHS has established standards under the HIPAA Transactions Rule.”
- Health plans. This category applies to entities that provide or pay for medical care cost. Health plans include a range of insurers, HMOs, Medicare, Medicaid, Medicare+Choice, and Medicare supplement insurers. This category also includes “long-term care insurers (excluding nursing home fixed-indemnity policies).” Health plans sponsored by employers, by the government, and by churches are also included. The privacy rules does not apply to health plans that have fewer than 50 participants – if the plan is “is administered solely by the employer that established and maintains the plan.”
- Healthcare clearinghouses.
- Business associates. This category applies to organizations or people (who aren’t member of a covered entity’s workforce) that use or disclose individual identifiable health information – for various “covered entity” services and functions. Examples of such functions include “claims processing, data analysis, utilization review, and billing.”
- Permitted Uses and Disclosures. Covered entities, including physicians, can use and disclose “protected health information” without the consent of the patient in the following situations (some exceptions your healthcare lawyer can explain may apply).
- Treatment, payment and healthcare operations
- “Disclosure to the individual (if the information is required for access or accounting of disclosures, the entity MUST disclose to the individual).”
- When it’s necessary to determine if the patient agrees to or objects to the disclosure of the PHI
- Incident to an otherwise permitted use and disclosure
- When it’s in the public interest such as:
- The disclosure is required by law
- There are public health concerns
- If someone is a victim of domestic violence, abuse, or neglect
- Health oversight
- Judicial and administrative proceedings
- Law enforcement
- Identification of deceased people or other such functions
- Cadaveric organ, eye, or tissue donation
- To prevent or reduce the risk of serious health or safety threat
- Some research
- Workers’ compensation
- Essential government functions
- Covered entities are defined as:
- HIPAA Security Rule. The privacy rule was enacted to provide safeguards for protected health information. The Security Rule applies to just the PHI that is electronic (e-PHI). The security rule does not apply to patient health information that is oral or is written-down the old-fashioned non-electronic way. Covered entities must:
- “Ensure the confidentiality, integrity, and availability of all electronic protected health information.
- Detect and safeguard against anticipated threats to the security of the information
- Protect against anticipated impermissible uses or disclosures
- Certify compliance by their workforce”
A skilled healthcare compliance attorney helps doctors and other covered entities understand what security measures are required, when and how they must be implemented, and when exceptions may apply. We’ll also explain what penalties and enforcement actions may result if these rules are violated.
For a variety of reasons, including the pandemic, many health providers are creating telemedicine procedures so they can communicate with patients online. There are a variety of pros and cons to telemedicine. In addition, there are many compliance issues involving the government and involving medical boards – depending on where the patient is located, where the doctor is located, and the type of medical care you provide.
Some of the advantages of telemedicine are:
- The patient doesn’t have to leave home. Many patients can’t afford to visit a doctor. Many patients are just too ill, too sick to leave home. In rural communities, it may be difficult to find a physician or specialist who can treat them. Sometimes, delays in speaking with a physician can mean the difference between life and death or wellness and permanent poor health.
- A chance for the patient to see physicians who are leaders in their fields
- No need to wait in an office. Patients and doctors can both manage time better with telemedicine.
The laws and regulations governing telemedicine are continually developing and expanding.
Some of the federal issues involving telemedicine include:
- Federal Trade Commission (FTC) review
- FDA mobile apps and online health programs
- HIPAA compliance
- Stark Law, AKS law and other fraud and fee-splitting issues
- National telehealth standards
- Other federal compliance issues
Some of the state issues involve:
- State laws that govern the practice of telemedicine
- State and local medical boards and societies that govern the general practice of medicine and each type of medical practice
- informed consent issues
- The need for an initial in-person meeting with the patient
- Contract issues involving medical doctors, medical groups, and other healthcare providers
- Contract issues involving the technical companies providing telemedicine access and maintenance
For example, the Medical Board of California emphasizes the following:
- “Physicians using telehealth technologies to provide care to patients located in California must be licensed in California.”
- “Physicians need not reside in California, as long as they have a valid, current California license.”
- The standard of medical for telemedicine health is the same as for in-person visits
- That information consultations (for example, email exchanges and text messaging exchanges) may not be considered telemedicine.
We help medical practices understand the formal definition of telemedicine. We explain that the state laws that may apply to telemedicine are BOTH the state where the physician is located and the state where the patient is located. Generally, physicians must be licensed in BOTH state locations.
“Our Telemedicine and E-Health lawyers advise telemedicine and telehealth clients about legal rules applicable to their enterprises. Because telemedicine occurs nationally, this requires sensitivity to the nuances of laws in different states. Some states allow special telemedicine licenses while others simply prohibit telemedicine by requiring that physicians be licensed in-state to diagnosis or treat any patient in-state.”
California regulates telemedicine based on the thought that telemedicine is just another vehicle to practice medicine – it’s an extension of the standard medical practice. This means that as long as licensing requirements are met, doctors can practice medicine through technology.
Different medical practices have unique telemedicine issues. Many medical problems require in-person consultations. There are major differences between consulting with:
- A patient who has a broken arm
- A patient who has dental problems
- An owner of a dog or pet or cow that needs medical care by a veterinarian
California Business & Professions Code – Corporate Practice of Medicine
There are many different ways that a medical practice may violate California or other state laws on the corporate practice of medicine. The fundamental aim of these laws is to ensure that patients are being treated by qualified licensed physicians and that patient care is based solely on health factors and not the investment or financial interests of the medical practice.
In today’s video, we’ll talk about how to inoculate yourself against Corporate Practice of Medicine kryptonite, using some sound legal risk mitigation tools and tips.
Corporate practice of medicine issues may arise based on:
- What roles investors are allowed in running the medical practice
- What roles technology such as AI or telemedicine plays in making a medical diagnosis
- Many other situations and experience healthcare lawyer can explain
Violations of the corporate practice of medicine lawyers are a practice’s kryptonite – they can force the practice to stop operations immediately.
“Any person who practices or attempts to practice, or who holds himself or herself out as practicing…[medicine] without having at the time of so doing a valid, unrevoked, or unsuspended certificate…is guilty of a public offense.”
Business and Professions Code section 2400, within the Medical Practice Act, provides in pertinent part:
“Corporations and other artificial entities shall have no professional rights, privileges, or powers.”
California wants to ensure the only licensed medical professionals make the following decisions:
- “Determining what diagnostic tests are appropriate for a particular condition.
- Determining the need for referrals to, or consultation with, another physician/specialist.
- Responsibility for the ultimate overall care of the patient, including treatment options available to the patient.
- Determining how many patients a physician must see in a given period of time or how many hours a physician must work.”
Some of the factors that may determine who is making the medical decisions include:
- Who owns the practice
- Who has responsibility for hiring and firing
- Who has responsibility for billing and coding
- Who decides what medical equipment is purchased
These decision can’t be delegated to someone who is unlicensed – such as a management service organization (MSO).
California’s corporate practice of medicine law specifically prohibits:
- Non-physician ownership
- “Physician(s) operating a medical practice as a limited liability company, a limited liability partnership, or a general corporation.”
- MSOs providing medical services or advertising – instead of administrative staffing and services
- “A physician acting as ‘medical director’ when the physician does not own the practice. For example, a business offering spa treatments that include medical procedures such as Botox injections, laser hair removal, and medical microdermabrasion, that contracts with or hires a physician as its ‘medical director.’”
Some of the strategies we review with physicians and medical practices are the following:
- Incorporating the practice as a professional medical corporation – pursuant to the California Moscone-Knox Professional Corporation Act
- Drafting a clear management services agreement (MSA) to establish the relationship between the medical side of the venture and the business side. The MSA helps identify the relationships.
- Separating the advertising side from the marketing side. For example, we encourage that marketing be paid on a flat fee basis and not patient volume.
- Focusing on reducing complaints of kickbacks or fee-splitting.
We also explain the roles of the FTC and FDA. FTC regulates advertising and promotions and most public communications by the physician and medical practice. FDA oversight regulates many aspects of the drugs, medical devices, cosmetics, and other products that the physicians recommend or use for the clients.
Physicians who run their own medical practices and doctors who run, mange, or assist practices that provide traditional, complementary, and integrative care for patients need to review the laws and regulations that apply to their practice. Failure to comply with these laws can result in the closure of the business, fines, and penalties – including HIPAA violations, using telemedicine, and the corporate practice of medicine.
Contact Cohen Healthcare Law Group, PC to review the compliance and transactional needs of your medical practice. Our experienced healthcare attorneys advise medical groups, allied health providers, direct services, concierge care, complementary and integrative care, healthcare facilities, anti-aging, and functional medicine practices.