Healthcare Contracting and Regulatory Compliance

Healthcare contracts and healthcare regulatory compliance each present their own risks. Poor contracts can lead to bad economic outcomes, while failure to comply with healthcare regulations can lead to sanctions and penalties.

The space where healthcare contracts and regulatory compliance overlap, however, is loaded with risk. Ensuring that your healthcare contracts serve a dual purpose, keeping you in compliance while obligating the other party to maintain its own compliance, is essential to protecting yourself and your healthcare practice.

My practice emphasizes healthcare contracting and regulatory compliance, particularly in matters involving the Health Insurance Portability and Accountability Act (“HIPAA”). I have almost 20 years of experience serving the health insurance and healthcare provider communities. That experience includes the operational aspects of healthcare contracting and compliance – the actual work of making contracts and compliance work for the benefit of the organization. My experience includes:

  • Compliance Plan development, drafting and implementation
  • Health Insurance Policy Analysis and Coverage Opinions
  • HIPAA Interpretation, Implementation and Remediation
  • Information Technology Purchasing and Licensing Agreements
  • Insurance and Risk Management
  • Medicare Self-Dealing and Anti-Kickback Analysis
  • Provider/Payer Network Contracting

HIPAA Compliance

The importance of HIPAA compliance for a covered entity or business associate cannot be overstated. Non-compliance presents significant and potentially very expensive risk to those entities regulated by HIPAA. Consider the case of Phoenix Cardiac Surgery, P.C., which agreed to a $100,000 settlement with the U.S. Department of Health and Human Services. The press release issued by DHHS reads as follows:

April 17, 2012

Contact: HHS Press Office
(202) 690-6343

HHS settles case with Phoenix Cardiac Surgery for lack of HIPAA safeguards

Phoenix Cardiac Surgery, P.C., of Phoenix and Prescott, Arizona, has agreed to pay the U.S. Department of Health and Human Services (HHS) a $100,000 settlement and take corrective action to implement policies and procedures to safeguard the protected health information of its patients.

The settlement with the physician practice follows an extensive investigation by the HHS Office for Civil Rights (OCR) for potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.

The incident giving rise to OCR’s investigation was a report that the physician practice was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible. On further investigation, OCR found that Phoenix Cardiac Surgery had implemented few policies and procedures to comply with the HIPAA Privacy and Security Rules, and had limited safeguards in place to protect patients’ electronic protected health information (ePHI).

“This case is significant because it highlights a multi-year, continuing failure on the part of this provider to comply with the requirements of the Privacy and Security Rules,” said Leon Rodriguez, director of OCR. “We hope that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.”

OCR’s investigation also revealed the following issues:

  • Phoenix Cardiac Surgery failed to implement adequate policies and procedures to appropriately safeguard patient information;
  • Phoenix Cardiac Surgery failed to document that it trained any employees on its policies and procedures on the Privacy and Security Rules;
  • Phoenix Cardiac Surgery failed to identify a security official and conduct a risk analysis; and
  • Phoenix Cardiac Surgery failed to obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to its ePHI.

Under the HHS resolution agreement, Phoenix Cardiac Surgery has agreed to pay a $100,000 settlement amount and a corrective action plan that includes a review of recently developed policies and other actions taken to come into full compliance with the Privacy and Security Rules.

Here is a copy of the Settlement Agreement and Corrective Action Plan that Phoenix Cardiac Surgery entered into with DHHS.

Phoenix Cardiac Surgery’s experience is a sobering reminder that the cost of compliance is often far lower than the cost of non-compliance. The Settlement Agreement between DHHS and Phoenix Cardiac Surgery clearly indicates that DHHS’ three primary concerns were:

1. The alleged failure to implement administrative and technical safeguards;
2. The alleged failure to train staff; and
3. The alleged failure to properly contract with Business Associates.

DHHS states very plainly in the Settlement Agreement, “From September 1, 2005 until November 1, 2009, Covered Entity failed to have in place appropriate and reasonable administrative and technical safeguards to protect the privacy of protected health information (PHI).” Consequently, it should be very clear to health care providers that DHHS takes a provider’s failure to implement policies and procedures to protect the privacy and security of protected health information very seriously, and will take action against a provider when given the opportunity to do so.

It should be noted that although it entered into a Settlement Agreement with DHHS, Phoenix Cardiac Surgery did not admit or acknowledge any liability or wrongdoing in the Settlement Agreement.

I can assist your practice or other healthcare entity in:

  • Reviewing its current privacy and security policies (if any)
  • Conducting a gap analysis to determine any deficiencies that might exist
  • Developing any new privacy and security policies that are necessary
  • Documenting all privacy and security policies
  • Conducting training for staff

Business Associate Compliance

DHHS did not have the legal authority to directly regulate business associates prior to 2009. This changed with the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, which made material changes to HIPAA. DHHS published new and revised regulations (commonly referred to as the “Omnibus HIPAA Rules” or “Final Rules”) on January 25, 2013, with a compliance date of September 23, 2013. Under the Omnibus HIPAA Rules, DHHS now directly regulates business associates and has the authority to bring enforcement actions, including the imposition of civil money penalties, against Business Associates. This means that DHHS can now bring the type of enforcement action it brought against Phoenix Cardiac Surgery, including a six-figure settlement, against Business Associates.

Under HIPAA, a Business Associate is any entity that creates, receives, maintains, transmits, accesses or discloses protected health information (PHI) about a patient for, or on behalf of, a covered entity. This may include the following types of service providers:

  • medical billing companies
  • physician practice companies
  • revenue enhancement consultants
  • transcriptionists
  • computer and IT service providers whose network access gives them access to protected health information
  • attorneys that use or have access to PHI
  • auditors and accountants that use or have access to PHI
  • cloud-based electronic information storage companies (including electronic medical record providers)
  • records storage companies
  • document destruction (shredding) companies

If your company performs any of these or similar services that involve maintaining, or having access to, PHI, then even if your company never actually views or uses the PHI in performing the services, your company is a Business Associate and is now directly regulated by HIPAA. As such, your company now needs a full set of HIPAA compliance policies and procedures to ensure that it is complying with its HIPAA obligations.