Welcome
Welcome to our fourth issue of The Health Record - our healthcare law insights e-newsletter. In this edition, we take a look at the Biden administration's proposed insurance rule regarding mental health and substance use care, the latest in Stark Law settlements, the recent implications of Florida's "Free Kill" law, the increase of female healthcare providers utilizing telehealth options, the increasing costs of healthcare data breaches, and what really happens with FDA recalls. Speaking of healthcare costs and data breaches, in this month's Featured Attorney Q&A, Alex Turner of our Winston-Salem office provides guidance when it comes to the unique challenges facing healthcare and cybersecurity.
SPILMAN EVENTS
There is still time to register and attend our conference tomorrow, September 19, in Pittsburgh, PA - "Your Business in the Digital Era: Legal and Commercial Challenges". This forum, intended for business owners and risk management professionals, is offered free of charge to clients and friends of the firm. We will address cybersecurity threats, data privacy, legal and ethical concerns with AI in business operations, intellectual property protection, and how to avoid and protect yourself from litigation. Click here to learn more and register.
On October 4, we are hosting our 2024 North Carolina SuperVision Labor & Employment Symposium in Winston-Salem, NC. This complimentary symposium is tailored for business owners, HR professionals, and anyone who manages employees. Dive into a day of invaluable insights on topics such as remote work; workplace investigations; AI, emerging technologies, and privacy; union avoidance; workplace violence; and more. Click here to register.
SPONSORED EVENTS
We are very pleased to sponsor and attend the WV Hospital Association and the West Virginia State Medical Association's Health Care Leadership Summit being held September 25-27 at The Greenbrier in White Sulphur Springs, WV. This is a marquee event highlighting a variety of healthcare issues throughout the region. Click here to learn more.
On September 25-26, we are sponsoring and attending the National Workers' Compensation Defense Network's Annual Conference in Denver, CO. This conference is focused on today's trends and tomorrow's solutions. Click here to learn more.
We are also sponsoring and attending the DRI Annual Meeting October 16-18 in Seattle, WA. This is a perfect event to connect with the DRI community and beyond at the flagship event of the year for civil defense practitioners, where relationships build business. Click here to learn more.
We hope you enjoy this issue of The Health Record. Thank you for reading!
Brienne T. Marco
Member, Chair of the Corporate Department, and Co-Editor of The Health Record
and
Joel P. Jones, Jr.
Counsel and Co-Editor of The Health Record
“That may mean ‘adding more mental health and substance use professionals to their networks or reducing red tape for providers to deliver care.’”
Why this is important: In 2008, a bipartisan Congress enacted the Mental Health Parity and Addiction Equity Act (MHPAEA), which was intended to increase access to mental health and substance use disorder treatment services by requiring health insurance providers that offer mental health or substance use disorder benefits to cover those benefits without imposing greater restrictions on mental health or substance use disorder benefits as compared to medical and surgical benefits. Despite the Act, a disparity continues to exist between the affordability of services for mental health and substance use disorders versus services for physical health. On September 9, 2024, the U.S. Departments of Labor, Health and Human Services, and Treasury issued a final rule to clarify and strengthen the protections under the MHPAEA. The new rule added protections against treatment limitations that limit the scope or duration of benefits, such as prior authorization requirements, step therapy, and standards for provider admission to participate in a network. Supporters of the new rule believe it will make mental health and substance use disorder services more available for Americans. Critics believe the rule will have unintended consequences for employers offering behavioral health benefits and could raise the cost of healthcare. --- Brienne T. Marco
“According to the data, CMS settled an agency record of 176 self-disclosures, totaling more than $12,000,000.”
Why this is important: The “Stark Law” prohibits physicians from referring Medicare/Medicaid patients for designated health services (i.e., laboratory services, radiology and certain other imaging services, and durable medical equipment and supplies) to an entity in which the physician or immediate family member of the physician has a financial interest. This article discusses the self-reporting by physicians/facilities and the high amount of settlements recovered by CMS for violations of the Stark Law. While self-reporting is voluntary, it is a good way of avoiding more severe penalties if CMS brings an action on its own. --- Matthew W. Georgitis
“While this might seem like a clear-cut case of malpractice, Florida’s ‘free kill’ law is a legal wall for adult children and other surviving families seeking legal recourse in cases where they believe malpractice may have taken place.”
Why this is important: Debate over Florida’s “Free Kill” law, which bars certain family members over the age of 25 from filing medical malpractice lawsuits for wrongful death, has reignited after a patient died during a routine splenectomy when his doctor mistakenly removed his liver instead of his spleen. Critics argue that the free kill law bans access to justice for victims of casebook medical negligence. Its advocates argue that it is needed to develop a growing healthcare industry.
Florida’s law, currently the only statute of its kind, prevents adult children and parents from filing medical malpractice lawsuits for wrongful death if the victim is over the age of 25. Enacted in 1990, the law was designed to control rising malpractice insurance costs and keep doctors from leaving the state.
As many as 75 percent of doctors in low-risk specialties, and 99 percent in high-risk specialties, will face a claim by age 65. Supporters of the law argue that it reduces the financial burden of malpractice claims. In its current form, as many as 51 percent of medical negligence claims in Florida would fall under the “Free Kill” law. The costs of malpractice premiums, if the law were to be repealed, may increase and could be passed on to patients or their insurers. Opponents of the law observe that in cases such as this, the law works injustice for the victim and the victim’s family.
Ultimately, the “Free Kill” law raises difficult questions about the balance between controlling the ever-rising costs of healthcare and ensuring access to justice for victims of medical malpractice. The debate over reform continues as Florida weighs the needs of its healthcare system against the rights of affected families. --- Hikmat N. Al-Chami
“The study offers insight into which physicians and practices would be impacted by telehealth policy changes as a deadline for extending pandemic-era Medicare flexibilities looms.”
Why this is important: Advances in telehealth services over the past few years have improved access to care for rural patients and given some physicians more flexibility in their schedules. One factor contributing to telehealth’s success is the Medicare flexibilities created after the COVID-19 pandemic, which included, among other things, removing the in-person requirements for mental health visits and other medical services. Medicare flexibilities allow patients to receive telehealth services from their homes, potentially improving access to care in rural communities with few physical healthcare facilities.
Some Medicare flexibilities are set to expire at the end of the year, but there is bipartisan support for extending or codifying these flexibilities. While lawmakers consider extending Medicare flexibilities, questions about telehealth cost, quality, and impacts on in-person care remain.
When considering healthcare providers, psychiatrists are more likely to offer telehealth services than primary care physicians. Additionally, physicians in metropolitan areas deliver more telehealth care than rural physicians. This could be, in part, because telehealth visits require reliable, high-speed internet, which could be limited in some rural areas. Further, women physicians are more likely to offer telehealth services because they likely have more family responsibilities, leading them to value the flexibility telehealth provides.
If lawmakers do not extend or codify Medicare flexibilities, it could affect both patients, who could not otherwise access the care they need, and physicians, who need flexibility in their work schedules. --- Arianna P. Webb
“The global average cost of a data breach reached an all-time high of $4.45 million in 2023, which is a 15% increase over the past three years.”
Why this is important: As cyberattacks have grown in frequency and complexity, so too has the cost of these attacks on the victims. The average cost of a data breach has risen 15 percent since the year 2023. This is largely attributed to the expenses in dealing with the breach after it happens and lost profits from the breach. While many different industries experience cyberattacks, the healthcare industry suffered the highest average breach costs. Due to the rise in the level of complexity of these breaches, there continue to be more and more large breaches that involve millions of records.
There are ways for those in the healthcare industry to combat these breaches and to protect themselves. It is better to be proactive rather than reactive. Those in the industry who fail to stay on top of their cybersecurity measures will be prone to more breaches and higher costs on the back end to pay for the cleanup of a breach. Doing more and spending more on resources before the breach can mitigate the costs after one occurs. By staying vigilant, healthcare organizations can detect breaches much faster as opposed to a hands-off and reactive approach. Many times, breaches go on for weeks before the appropriate parties notice and act. The average length of a breach in the healthcare industry is 213 days. A shocking way to reduce costs is to not pay the ransom requested by the attackers. Organizations that caved in and paid the ransom to the cyber-attackers did not save any significant amount of money. Another way to mitigate costs is by using AI technology. There are AI threat detection and response systems that can be implemented into an organization's software to fight against cyberattacks. Using AI to detect breaches faster will reduce the costs of those attacked. Also, if healthcare organizations can consolidate their data into one environment this will help defend their data. When data is stored across different environments like private clouds, public clouds, and on-site servers, attacks tend to happen more frequently and with more ease.
When thinking about cybersecurity and the potential data breaches organizations experience, it is important to think about how to save money. It is equally as important to think about how to protect your data from potential attacks. Both of these desired outcomes can be achieved. Taking the necessary precautions to defend against attacks and being proactive can save organizations money while at the same time making them less vulnerable to these cyberattacks. --- Nicholas A. Muto
“Some products undergo recall after recall while they remain on the market.”
Why this is important: Not all recalls are created equal. The public is conditioned to believe that a recall means that a product is removed from the market because federal product safety agencies, like the Consumer Product Safety Commission, the National Highway Traffic Safety Administration, and the FDA, often tell customers, in the event of a recall, to stop using the product altogether or, in regard to a vehicle, to bring it to a local dealer for repairs. However, the FDA may take a different tack when dealing with the recall of a medical device. The FDA may decide to keep the medical device being recalled in use after considering all options. This is called a “correction” recall. This type of recall results in the manufacturer addressing the issue in the field through repairing, adjusting, relabeling, or inspecting the device. The FDA spokesperson stated that “[w]hen deciding whether a recall warrants device removal from the field, the FDA considers the frequency and severity of adverse events, effectiveness of the corrective actions that have been executed, and the benefits and risks of preserving patient access to the device.” This evaluation may lead to numerous rounds of recalls that do not result in a medical device being removed from the market. These numerous rounds of recalls can include additional training, changes to warnings and instructions, additional technical guidance, or software updates and patches. Even as the manufacturer and the FDA work through how to make the medical device safer while it is still available to the public, injuries can and still do occur. If these remedial measures do not improve the safety of the medical device, the FDA can still ask the manufacturer to stop marketing the device or remove it from the market altogether. --- Alexander L. Turner
Featured Attorney Question & Answer
We are excited to introduce you to our large healthcare law team. To help you get to know our team a little better, we are highlighting an attorney in each issue by asking them a healthcare-related question. We hope their response will be insightful for you.
With the healthcare industry being one of the most targeted entities by cyber attackers, those organizations have to be especially vigilant in protecting their financial details, employee data and patient information. Since you are extremely well-versed in this area of law as the Co-Chair of our Cybersecurity & Data Protection Practice Group and your CIPP/US certification (demonstrating a foundational understanding of broad global concepts of privacy and data protection law and practice, including jurisdictional laws, regulations and enforcement models; essential privacy concepts and principles; legal requirements for handling and transferring data and more), what are the top-tier, most important actions healthcare organizations can take to help protect themselves from these growing threats?
Alexander L. Turner, CIPP/US, Member, Co-Chair - Cybersecurity & Data Protection Practice Group
"Healthcare organizations are especially vulnerable to cyberattacks due to the transition to electronic health records and the extremely sensitive nature of the information healthcare organizations retain, including personally identifiable information (PII) and protected health information (PHI). Constant vigilance for cybersecurity is a must for any organization, especially in the healthcare industry. Everyone is so focused on the implementation of new AI tools to prevent cyberattacks. But, do not be overwhelmed into inaction by the myriad of possible threats and the perceived cost of protecting your organization. The first step is to have a culture that prioritizes cybersecurity and data privacy at all levels of the organization. Everyone in the organization needs to be invested in protecting the organization’s data, and strong leadership in cybersecurity and data privacy from the top is essential for successfully protecting your organization’s data. Next steps include installing any neglected software patches to close known software vulnerabilities, and providing data privacy and cybersecurity training for your staff.
Additionally, having annual data security meetings with all department heads, legal counsel, and your organization’s IT team is critical. This will allow you to coordinate your organization’s approach to cybersecurity and data privacy, and help identify potential weaknesses. During these meetings, you should perform data audits to know what data your organization is holding, what data it needs to keep, and what data should be discarded. More data is not always better, and the more data your organization holds, the greater the risk in the event of a data breach. This team should also be utilized to create and annually update your organization’s cybersecurity and data privacy plan and your data breach response plan. Preparedness now will help save your organization in the future.
Not everyone needs access to all data. During your annual data security meetings, discuss who needs access to what data. Does a charge nurse need access to employee files, or does a person in human resources need access to patient records? No. Identify what data you're holding, who needs ready access to specific categories of data, and then limit access to those specific categories of data to those individuals who need to access it in order to complete their job duties.
While new and emerging technologies to combat bad actors are necessary, do not allow the cost and inexperience with these tools to scare you into inaction. Begin with the simple steps first, create your cybersecurity and data privacy team and plans, train your team on the importance of cybersecurity, gain additional knowledge, and move on from there. You need to walk before you can run, and even these first steps significantly lower the risk of a cyberattack."
This is an attorney advertisement. Your receipt and/or use of this material does not constitute or create an attorney-client relationship between you and Spilman Thomas & Battle, PLLC or any attorney associated with the firm. This e-mail publication is distributed with the understanding that the author, publisher and distributor are not rendering legal or other professional advice on specific facts or matters and, accordingly, assume no liability whatsoever in connection with its use.
Responsible Attorney: Michael J. Basile, 800-967-8251