Join the experts in healthcare April 25 & 26 to learn innovative and new ideas for your practice!
Search Warrants: The Crisis Delivered Directly to Your Front Door
By: Jason Bologna
Knock-Knock. Who’s there?
The government.The government who?
The government who has a search warrant, open the door.
At this point, it’s fair to note that search warrants are never funny. They are a crisis delivered directly to your company’s front door. Fortunately, you can prepare for that crisis by planning ahead. During my time as a federal prosecutor, I found that a company’s preparation often reduced the fallout when the government came knocking. Now, as a white collar defense attorney, I want to share some thoughts that can help you prepare for a search warrant.
Call outside criminal counsel immediately when the government arrives.
The stakes could not be higher for your company. To obtain a search warrant, the government presented sworn information to a judicial officer establishing probable cause that a crime has been committed and that evidence of that crime is located in your company. It is vital to keep this bad situation from becoming even worse. A brief example will illustrate how a criminal lawyer can help in this regard. A search warrant defines the scope of where the government can search and what the government can seize. The government often seeks to expand its warrant by asking for consent to search additional places, such as a cell phone, an email account, or a car. It is rarely advisable to consent to additional searches. Outside criminal counsel can tell the agents that all consent to search requests must be made directly to them and can be approved only by them. Further, the attorney can explain the consequences of consenting to additional searches. These discussions will call for a careful balancing of the company’s desire to cooperate with law enforcement and the compelling need to protect its rights.
Have outside criminal counsel speak to the government’s agents on behalf of the company.
The attorney can request the search be delayed until he or she arrives on location and can monitor the search upon arrival. If the agents refuse to delay their search, the attorney can maintain phone contact with the agents as they travel to the location. The agents will likely attempt to speak to executives and employees at the scene. As a general rule, statements made by an executive or employee can be used against those individuals and possibly attributed to the company in later court proceedings. As described below, executives and employees have the right to refuse to answer questions and outside counsel can provide prompt guidance about the advantages and disadvantage of speaking.
Request a copy of the search warrant, an inventory of items seized, and the agent’s name and contact information.
Federal law requires the officer executing the warrant to leave a copy of the search warrant and a receipt of any property taken. The warrant lists the crimes that were allegedly committed. The inventory identifies evidence that was seized and removed from the company. This information is essential to understanding what the government is investigating and whether the business can continue its daily operations without the seized evidence. Further, the warrant can guide a company’s internal investigation into what happened, who is responsible, and whether anyone violated the law.
Know how to handle your employees, your visitors, and the media.
That plan should be put into writing and distributed to key stakeholders in your company. People should know their role and responsibilities before the government arrives. This knowledge is especially important during COVID-19, when companies have key stakeholders working from home. A few key points:
Know if privileged materials are being seized by law enforcement.
For many companies, litigation is a constant. Consulting with lawyers in those cases establishes an attorney-client privilege and generates attorney work product. It is critical for the company to immediately identify whether privileged materials were taken. Outside criminal counsel should be provided with the names of all attorneys who represent the company and will communicate with the government to alert them of privileged materials. This information will ensure that the government establishes a “taint team,” which is a special group of agents and lawyers that are tasked with finding and removing all privileged materials so that they are not used as evidence.
There is a well-known saying that “by failing to prepare you are preparing to fail.” Common sense tells us that statement is true, but also, that the statement lacks a sense of proportion. Failure comes in different shapes and sizes. For a company, the failure to effectively respond to a search warrant can be catastrophic. The areas discussed above provide a basic start to your company’s preparations. Consult your legal advisor to develop a comprehensive response to search warrants that is tailored to your company’s needs.
About the Author
Jason brings his vast experience as a trial lawyer and former federal prosecutor to all of his matters. He represents businesses, executives, professionals, and other individuals in federal and state criminal matters, grand jury investigations, internal investigations, and civil litigation involving the False Claims Act. Jason served as an Assistant United States Attorney in the Eastern District of Pennsylvania for over 14 years. He prosecuted complex matters involving the False Claims Act, mail and wire fraud, health care fraud, federal program bribery, honest services fraud, tax violations, money laundering, the unlawful distribution of opioids, unlawful sports betting, and RICO. He has handled multi-week federal criminal trials and notable homicide cases at the Philadelphia District Attorney’s Office, where he began his career. Jason has tried over 80 jury trials and hundreds of bench trials.
Jason’s prosecutorial background gives him insight into what drives criminal investigations and charging decisions, and it enables him to effectively advocate for his clients at every stage. He has worked with the FBI, IRS, HHS, DEA, HSI, DOT, TIGTA, DOL, ATF, the U.S. Marshals Service, Amtrak, the Philadelphia Office of Inspector General, and state and local police departments. He was selected to mentor multiple Assistant United States Attorneys and taught classes on federal criminal trial practice as an Adjunct Professor at the Temple University Beasley School of Law.
The Realities of HIPAA Enforcement
By: Daniel F. Shay
HIPAA has existed since 1996. For most physician practices, it is now a fact of life. Many are familiar with the HIPAA Privacy Rule’s requirements, and some with the Security Rule’s requirements. Most, however, are far less familiar with the Enforcement Rule. The Enforcement Rule was first published in 2000, and evolved over time. It addresses government investigations, and the imposition of civil money penalties (CMPs) (among other issues not addressed in this article, such as preemption of state law, and certain hearing and appeals procedures).
Understanding the compliance review/investigation process and how and when CMPs are imposed can help guide group practices’ compliance efforts. Enforcement actions, performed by HHS’ Office for Civil Rights (OCR), begin with either a complaint investigation, or the OCR initiating its own compliance review. Anyone may submit a complaint to the OCR if they believe a covered entity (or business associate) has violated HIPAA. The OCR then conducts a preliminary review, and examines the facts and whether the complaint meets certain technical requirements.
If there is a possible violation, the OCR will investigate. During an investigation, the OCR reviews documents such as the covered entity’s policies, procedures, and practices, and obtains specific information from the complainant and the covered entity.
Compliance reviews happen outside of the complaint process. During a review, covered entities must provide policies, procedures, and other documentation to the OCR, and give the OCR access during normal business hours to their facilities, books, accounts, records, and other sources of information.
Once an investigation is concluded and determines no violation occurred, the matter is closed. When noncompliance is found, the OCR usually tries to resolve the matter informally. In practice, this means that the covered entity voluntarily complies (by correcting the problem itself), engages in corrective action (with the OCR’s technical assistance), or enters into a “resolution agreement.” Under a resolution agreement, the covered entity agrees to meet certain requirements and often to pay a fine. The fine is usually a percentage of what a CMP would be if one were imposed.
According to the OCR, most Privacy and Security Rule investigations are concluded satisfactorily using these approaches. When they fail, or in cases of egregious violations, the OCR will impose a CMP, which could amount to as much as roughly $1.9 million, depending on the severity of the violations. However, the OCR rarely imposes CMPs. Between 2018 and 2021, while there were between 25,000 and almost 30,000 complaints resolved each year, CMPs were imposed between 10 and 19 times each year.
Reviewing case studies and resolution agreements provided on the OCR’s website can be helpful in orienting one’s own compliance efforts. Common problem areas include ensuring patient access to records, impermissible uses and disclosures, and insufficient security rule safeguards. Patient access cases also offer examples of both the OCR’s goal of ensuring compliance, and how not to handle an OCR inquiry. Compare two cases: that of Danbury Psychiatric Consultants, and ACPM Podiatry.
In Danbury’s case, a patient requested access to their records, and was denied this access due to an outstanding balance (which is not permitted under HIPAA). The patient complained to the OCR, which contacted Danbury and began an investigation. Danbury then provided the patient with full access to the patient’s records, and entered into a resolution agreement with the OCR to develop and update its access policies and procedures.
By contrast, ACPM Podiatry had a patient complain multiple times about not being given their records, again, due to an outstanding balance. The OCR sent multiple letters to ACPM, and made multiple phone calls, all of which were ignored. The OCR’s final letter offered ACPM a chance to submit evidence of mitigating factors or affirmative defenses, to support the waiver of a CMP, but this letter was also ignored, result in the OCR imposing a $100,000 CMP. However, the CMP was only imposed after the OCR repeatedly attempted to resolve the matter informally.
Again, the message is clear: physician practices, as HIPAA-covered entities, should take proactive steps to ensure HIPAA compliance, so as to avoid this entire process. However, when faced with an OCR investigation, the practice should take steps to show the OCR its efforts to comply, as well as to attempt to correct any issues raised by the OCR. Effective compliance efforts, especially with the help of knowledgeable legal counsel, can avoid CMPs and potentially even a resolution agreement.
About the Author
Daniel F. Shay
Daniel's practice is restricted to health law and health care regulation focusing primarily on physician representation, fraud and abuse compliance, Medicare Part B reimbursement, and HIPAA compliance in the physician context. Mr. Shay is admitted to the Pennsylvania Bar, and is a member of the American Health Law Association.
Majority of Patients Repeatedly Provide Duplicate Health Information, Carta Healthcare Survey Finds
Reprinted from Fierce Health Care, By: Annie Burky
Matt Hollingsworth founded Carta Healthcare after he watched his mother carry a binder cataloging her five bouts with cancer between medical appointments. A new study from the company found that 83% of patients have had the same experience of repeating their health history.
The survey of over 1,000 patients found that almost three-quarters reported filling out a duplicate form and 42% spent six minutes or more recounting past medical history at every appointment due to a lack of integrated data. Hollingsworth, CEO at Carta Healthcare, said he designed the company with the goal of addressing the issue he thinks patients care the most about in relation to their data: interoperability.
“One thing that I think is completely unconscionable is that you can't share your data with other care providers when you want to get better care, and people get frustrated about that constantly,” Hollingsworth told Fierce Healthcare.
When asked about patients’ top concerns regarding their experience at healthcare visits, 53% of respondents said time spent waiting was their primary concern while 48% said cost or lack of data regarding outcomes for their condition.
Over a third of respondents expressed frustration that their doctor was unable to provide them with outcomes of their condition based on other patients’ results. Hollingsworth said this gap in information is a matter of poor health data integration.
While it is currently possible to integrate and aggregate de-identified clinical data, lack of adoption results in patients feeling that important information is being kept from them. Of the respondents, 64% said their doctor being honest about their condition and what factors are and are not in their control in regard to their health would increase their chances of recommending their doctor to others.
What patients don’t see, Hollingsworth said, is the mountain of labor done between appointments, largely by clinicians like nurses, inputting patient data. With staffing shortages and burnout rampant, Carta works to fill the gap by providing software that eases data input and integration tedium.
“The way that you get comparable data sets in the U.S. healthcare system is you have nurses go and fill forms out with a standard code set,” Hollingsworth said. “That's the only place in the U.S. healthcare system where translatable data is created. You have a nurse at one site and a nurse at another site that are filling out forms with the same exact definition so that they can be directly compared.”
What patients do see is the waiting room. About half of respondents said they spend the majority of their visit waiting for a doctor or a nurse. Only 20% said they spent most of their visit talking to a healthcare professional.
The vast majority, 80% of respondents, said healthcare providers spent over half their time looking at screens rather than at the patient in front of them during the visit.
Despite all this time spent trying to input patient data so they can be shared between providers and from appointment to appointment, Hollingsworth points to the mistakes that are made in electronic medical records. A 2012 CHIME study found that 20% of CHIME members could trade an adverse medical event to problems with patient identification or patient matching.
The Office of the National Coordinator for Health Information Technology (ONC) released a 2014 report revealing that seven out of 100 patient records are mismatched. What’s more frightening, the error rates jump to 10% to 20% within healthcare and 50% to 60% when entities exchange with one another.
“Everybody in my mom's cancer survivor community has had almost the same exact experience,” Hollingsworth said. “Mistakes kill people. There are examples of where some history was missed, and folks died. It is sad, and totally addressable. Hence the survey was to try to draw attention to this because it's ridiculous.”
In April 2021, a federal government regulation went into effect requiring health IT vendors, providers and health information exchanges to enable patients to access and download their medical records via third-party apps.
As of March 2022, 300 complaints of healthcare organizations defying this regulation and blocking access to patient data have been logged.
While patients also expressed concern about the security of their data and being compensated for the use of their data, Hollingsworth said in his experience the concern brought up around the dinner table is health. “I'd be willing to bet that a majority of the people are practically most concerned about how the use of their data could help them improve their health,” Hollingsworth said.
© 2015 - 2023 Pennsylvania Medical Group Management Association, Inc.