HIO-201 health - Certified HIPAA Professional Updated: 2023

Recent cases in Indiana have revealed the inconsistent and hard-to-decipher rules protecting patient records under the Health Insurance Portability and Accountability Act of 1996, known as HIPAA.

Since its inception in 1996, HIPAA has been politicized, weaponized and misunderstood by the health care industry, litigators and the general public.

Since 2000, the U.S. Department of Health and Human Services has updated HIPAA provisions repeatedly to offer guidance, simplify rules, define confidentiality and clarify enforcement. The advent of health records electronically accessibility has added to the challenges.

In Indiana, the most egregious and best example of the confusion has been the case of Dr. Caitlin Bernard, who was accused by Indiana Attorney General Todd Rokita of violating HIPAA rules.

In 2022, Bernard treated a 10-year-old rape victim who was referred to her by an Ohio doctor. When questioned by a reporter, Bernard provided the age and home state of the victim but not the girl’s name. In May, the Indiana Medical Licensing Board found Bernard liable for violating privacy laws and fined her $3,000 but did not pull her medical license.

Granted, the attorney general’s office has been vital in shutting down unscrupulous practices. But no case has been used as blatantly as the 10-year-old’s plight to further a political agenda.

Indiana court cases related to HIPAA have involved a third party’s ability to access a hospital paging system that contained patient information and another where a medical assistant accessed a woman’s records to disclose them to the woman’s husband. In yet another, an Indiana software company paid $100,000 in 2019 to the HHS’s Office of Civil Rights after hackers accessed protected health information for about 3.5 million people.

In April, the U.S. Government Accountability Office, exploring electronic health information, underscored the variations in state privacy laws.

First, there’s misapplication of HIPAA, hindered by variations in state privacy laws.

Second, there’s the Health Information Technology for Economic and Clinical Health (HITECH) Act, which provided $23.4 billion to participating states to Boost electronic health information exchanges.

Under the latter, the accountability office found that electronic exchanges had increased for large hospitals. Yet small and rural providers had difficulty in obtaining technology. An accountability officer survey found that smaller acute-care hospitals (with 100 beds or fewer) on average received mail or faxes 54.5% of the time, compared to larger hospitals at 38.5%. About 28% of small hospitals used a vendor’s network to store records; large hospitals were at 45%.

Lastly, the Trusted Exchange Framework and Common Agreement is intended to establish a countrywide medical records sharing system. However, the act requires participants to adhere to rules that are substantially similar to HIPAA, including participants who are not HIPAA-covered entities.

Talk about confusion. We live in an era when HIPAA forces a reevaluation of trust and respect between patient and doctor.

We don’t want politicians to nudge their way into the patient-physician partnership. All we want is for licensed medical professionals to do their best to protect our health — and our privacy.

HIPAA and Privacy

Three interrelated concepts relate to controlling access to health data: privacy, confidentiality, and security.

Privacy . Privacy relates to an individual s desire to control access to personal health information. The health record should be under the control of the individual to the fullest extent possible, and release should be based upon consent. Adequate safeguards can only be assured through clear and strong legislation implemented through regulation. The NCVHS supports the adoption of privacy legislation that incorporates provisions of fair information practices and provides strong protections for personal health data. ^[3] These protections should be afforded for data in either a paper or an electronic format.

Confidentiality. Confidentiality relates to the obligation of a holder of identifiable personal health information to protect the person s privacy. That obligation is determined by common practice, laws, and regulations and may vary from state to state. Those laws and regulations also may indicate instances where that information can or must be shared for public health or other purposes. Otherwise, holders of personally identifiable health information should only share it based upon fair information practices. Concerns have been raised about the risk that the sharing of such information may result in adverse insurance decisions, employment decisions, and other adverse social outcomes. These concerns seem to be heightened as information moves from paper to electronic formats.

Security . The extent to which health information can be stored with access limited to those who are authorized is called security. Security involves protecting data at rest and data in motion. At rest, personally identifiable health data exist in clinicians offices, hospitals, other health care facilities, and health plan and other third-party payers offices. The NCVHS has recommended that these data be protected with industry standard approaches, including controlling and monitoring access and organizational practices to make security an integral part of health information systems development and operation. ^[4] Data in motion include personally identifiable health data that are transmitted from one location to another over local area networks, telephone lines, the Internet, or other means. Data in motion need to be protected like data at rest, but doing so presents a different set of challenges and requires sophisticated technologies, such as encryption.

HIPAA's task. Pursuant to the direction given by Congress in HIPAA, HAHS has issued two sets of proposed rules to address privacy and security. These rules have made great strides in bringing uniformity to an industry that has not been as aggressive as it needs to be to ensure the privacy and protection of individually identifiable health data. Although many of the provisions in the security regulation are part of the functionality of the under-lying operating systems, testimony at NCVHS hearings indicated that these functions are often disabled in health care installations. The rules as proposed seek to protect the data and individuals privacy independent of the operating platform and means of communication. They are equally applicable in a system that communicates over a local area network, a wide area network, or the Internet.

Copyright ©2023 Nelson Mullins Riley & Scarborough LLPNational Law Review, Volume XIII, Number 138

May 22, 2023

Melanie Fontes Rainer
Director, Office for Civil Rights
Department of Health and Human Services
Hubert H. Humphrey Building
200 Independence Avenue, S.W., Room 515F
Washington, DC 20201

Re: HIPAA Privacy Rule to Support Reproductive Health Care Privacy; 88 Fed. Reg. 23506 (RIN 0945–AA20) (April 17, 2023)

Dear Director Fontes Rainer:

On behalf of our nearly 5,000 member hospitals, health systems and other health care organizations, our clinical partners — including more than 270,000 affiliated physicians, 2 million nurses and other caregivers — and the 43,000 health care leaders who belong to our professional membership groups, the American Hospital Association (AHA) strongly supports the Office of Civil Rights’ (OCR) proposed rule. The AHA agrees with OCR that a “positive, trusting relationship between individuals and their health care providers is essential to an individual’s health and well-being.”¹ The proposed rule will enhance provider-patient relationships by providing heightened privacy protections for information about care that is lawful under the circumstances in which it is provided, but may nonetheless get swept up in criminal, civil or administrative investigations.

At the same time, the AHA has serious concerns about a recent, related OCR policy: the December 2022 guidance on the “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates” (hereinafter “Online Tracking Guidance”). This guidance — ostensibly issued with the same worthy goal in mind as the proposed rule — is too broad and will result in significant adverse consequences for hospitals, patients and the public at large. In particular, by treating a mere IP address as protected health information under HIPAA, the Online Tracking Guidance will reduce public access to credible health information.

As you finalize the proposed rule, the AHA urges you to (1) consider whether the Online Tracking Guidance remains necessary in light of the heightened privacy protections in the proposed rule; (2) if OCR continues to believe that some form of the Online Tracking Guidance remains necessary, amend that guidance to better reflect the realities of online activity by hospitals and health systems; and (3) potentially seek public comment before reissuing it.

OCR Should Finalize the Proposed Amendments to Its Privacy Rule

The proposed rule rests on a series of unobjectionable principles, all of which are clearly and concisely set forth on page 23508:

• “The prospect of releasing highly sensitive [protected health information (PHI)] can result in medical mistrust and the deterioration of the confidential, safe environment that is necessary to quality health care, a functional health care system, and the public’s health generally.”
   
• “If individuals believe that their PHI may be disclosed without their knowledge or consent to initiate criminal, civil, or administrative investigations or proceedings against them or others based primarily upon their receipt of lawful reproductive health care, they are likely to be less open, honest, or forthcoming about their symptoms and medical history. As a result, individuals may refrain from sharing critical information with their health care providers, regardless of whether they are seeking reproductive health care that is lawful under the circumstances in which it is provided.”
   
• “If an individual believes they cannot be honest about their health history, the health care provider cannot conduct an appropriate health assessment to reach a sound diagnosis and recommend the best course of action for that individual.”
   
• “Heightened confidentiality and privacy protections enable an individual to develop a trust-based relationship with their health care provider and to be open and honest with their health care provider. That health care provider is then more likely to provide a correct diagnosis and aid the individual in making informed treatment decisions.”
   
• “[A]n individual’s lack of trust in their health care provider to maintain the confidentiality of the individual’s most sensitive medical information and a lack of trust in the medical system more generally may have significant repercussions for the public’s health more generally. Individuals who are not candid with their health care providers about their reproductive health care may also withhold information about other matters that have public health implications.”

The AHA’s hospital and health system members agree with these propositions. Lawful medical care should not carry adverse legal consequences. Patients and providers should not have to risk government enforcement action based on care that is permissible where it is provided. Accordingly, the AHA strongly supports policies that reduce the risk of inappropriate enforcement and thus foster trust within the patient-provider relationship.

The proposed rule advances these important goals by making only modest changes to the Privacy Rule. By simply requiring requesters to attest to the fact that they are not seeking to use health information to investigate or penalize the lawful provision of health care, the proposed rule appropriately balances patient/provider privacy with the government’s occasional need for health information. The AHA welcomes these commonsense amendments to the Privacy Rule.

In addition, the proposed rule correctly ensures that hospitals and health systems are not required to investigate the accuracy of an attestation.² Any final rule should reiterate — indeed, emphasize — that hospitals and health systems will not be burdened by having to question the validity of an attester’s statements, so long as those statements are objectively reasonable.

Relatedly, the AHA would welcome other measures that would reduce the burden on hospitals and health systems. For example, the AHA would support OCR creating a model attestation form, coupled with a certain that a provider’s good faith reliance on such a form is objectively reasonable. It also may be helpful to require requesters to attach the relevant legal process (e.g., a subpoena or administrative order) to that attestation to provide further assurance that the request is legitimate. Similarly, OCR specifically sought comment on whether “requesters of PHI should be required to name the individuals whose PHI they are requesting, or if describing a class of individuals whose PHI is requested is sufficient.”³ Allowing bulk requests would not only increase costs and burdens for covered entities, but they would raise unique privacy concerns about why any requester would seek so much information. Therefore, to minimize administrative burdens on hospitals and to ensure a reasonable scope for requests (and, in turn, attestations), the AHA would support a requirement for individualized requests.

OCR Should Suspend or Amend Its December 2022 Online Tracking Guidance

In December 2022, OCR issued guidance regarding the use of online tracking technologies, i.e., technologies that are used to collect and analyze information about how users interact with regulated entities’ websites or mobile applications. The AHA understands that this guidance may have been motivated — at least in part — by the same concerns as the proposed rule.⁴ Regrettably, the Online Tracking Guidance errs by defining PHI too broadly — specifically, to include all IP addresses.⁵ As a result, the guidance will inadvertently impair access to credible health information. It should be suspended or amended immediately.

Americans are increasingly reliant on digital platforms for health information. According to a March 2023 report by the National Quality Forum, “[a]pproximately 74 percent of surveyed Americans use search engines to start their patient journey.”⁶ But online health information “can be disconcerting, confusing, and even misleading, leaving the onus on the consumer to decipher the information.”⁷ And as Surgeon General Vivek H. Murthy recently explained, “Health misinformation is a serious threat to public health. It can cause confusion, sow mistrust, harm people’s health, and undermine public health efforts. Limiting the spread of health misinformation is a moral and civic imperative that will require a whole-of-society effort.”⁸

It is therefore critical that consumers who use the internet to obtain health information visit trustworthy, helpful and accurate sources. Hospitals and health systems play an important role in this regard. Our members’ digital platforms are typically the best sources of health information. For this reason, Surgeon General Murthy specifically recommended that medical professionals, like our hospital and health system members, use “technology and media platforms to share accurate health information with the public.”⁹ What’s more, the AHA is well-aware that a “wide gap in accessibility exists between the information from credible sources and the information that consumers find, understand, and use” for “consumers affected by digital access, health literacy, and other factors related to health equity and disparities.”¹⁰ Through the use of their websites, apps and other digital platforms, hospitals and health systems are able to reach underserved communities that would not otherwise have access to reliable health information.

The Online Tracking Guidance aggravates the risk of health misinformation by treating a mere IP address as a unique identifier under HIPAA. In particular, the guidance errs by concluding that IP addresses constitute PHI whenever they are shared with a third party, regardless of the context surrounding when someone visits a regulated entity’s website. Under the guidance, an IP address is protected even if consumers are not actually seeking medical care. The same HIPAA protections apply if a consumer is searching for a physician or medical service, seeking general health information (e.g., information about vaccines, flu season, or symptoms of an unknown illness), or merely looking for information about visiting hours, facility locations, cafeteria menus or any of the multitude of reasons one might go to a hospital’s website. In addition, an IP address is treated as HIPAA-protected even though that address provides no indication whatsoever whether the person using that computer is a potential patient, a friend or relative of that patient, or just a curious online visitor.

Critically, if an IP address, in and of itself, is treated as a unique identifier under HIPAA, hospitals and health systems will be forced to restrict the use of certain technologies that help Boost community access to health information. For example, many hospitals use valuable online tools that sometimes require them to provide IP addresses to third-party vendors, including:

• Analytics technologies. These tools capture and report upon key events such as webpage views and clicks. Analytics technologies allow hospitals to optimize their online presence to reach more members of the community, including members of the community most in need of certain healthcare information. And beyond healthcare information, analytics tools allow hospitals to actually reach more patients and expand access to underserved communities. For example, depersonalized IP address data may be used to predict a geographic area’s needs. This allows hospitals to expand services (e.g., OB/GYN, children’s services, or other specialties) to new areas, including areas and populations that have been historically underserved. As such, the guidance will limit access to quality care by impairing the ability of health systems to understand and predict the real demand for services in their communities.
• Translation services. Some hospitals contract with third parties to translate parts of their websites, so that non-English speakers can access vital healthcare information. Failure to optimize these translation services will hit vulnerable communities, who are already heavily impacted by health misinformation.
• Map and location applications. Some hospitals use third-party services to provide better information about where healthcare services are provided.
• Social Media. Some health systems use social medial tools to drive traffic to websites containing trustworthy sources of information. Americans heavily rely on social media platforms for health information. These platforms are typically free to use, which makes them accessible to people of all income levels. Likewise, many social media platforms require only a mobile phone, not a computer. Users of social media include: 69% of those making an annual household income of $30k or less; 64% of those with high school education or less; 80% of the Hispanic population and 77% of the black population.¹¹ These populations will be particularly disadvantaged if hospitals and health systems can no longer rely on social media to put out credible health information.

Hospitals can only use these technologies with the help of third party vendors. But those vendors often refuse to comply with the Online Tracking Guidance because they are not subject to HIPAA’s strictures. Hospitals are now caught in the middle. The Online Tracking Guidance puts hospitals and health systems at risk of serious consequences — including class action lawsuits,¹² HIPAA enforcement actions, or the loss of tens of millions of dollars of existing investments in existing websites, apps and portals — for a problem that ultimately is not of their own making.

Take, for example, Google Analytics. In response to the Online Tracking Guidance, Google refuses to enter into any business associate agreements and that covered entities should simply stop using Google Analytics.¹³ Prior to this, many hospitals had made the reasonable choice of working with Google to reach more consumers with better-designed websites and better-presented health information. Now, the Online Tracking Guidance has caused Google (and many other similar vendors) to abandon support of hospitals and health systems, while presumably not abandoning support of more questionable sources of health-related “information” that are not subject to HIPAA.

We respectfully request that OCR address this situation — particularly in light of the proposed rule:

• First, we ask OCR to consider whether the Online Tracking Guidance is necessary if the proposed rule is finalized. If, as AHA believes, that guidance is no longer necessary, OCR should suspend it immediately.
   
• Second, if OCR concludes otherwise, we ask that OCR amend that guidance to make clear that (1) IP addresses alone do not qualify as unique identifiers under HIPAA because they do not individually identify a person; or (2) if OCR nonetheless wishes to protect IP addresses, it do so only for IP addresses provided via authenticated (i.e., nonpublic) webpages like password-protected patient portals that are more likely to contain private personal health information. With these minor amendments, hospitals would be able to provide necessary health information and education to their communities, while protecting privacy consistent with HIPAA’s goals.
   
• Third, if OCR is unwilling to make these simple changes to its Online Tracking Guidance, it should seek public comment via an RFI or notice-and-comment rulemaking (rather than issuing sub-regulatory guidance that did not benefit from any input by regulated entities). This is a complex subject, with legal, technological and practical nuances. OCR would benefit greatly from public participation. See generally Memorandum from Barack Obama, President of the U.S., to the Heads of Executive Departments and Agencies (Jan. 21, 2009) (“Public engagement enhances the Government's effectiveness and improves the quality of its decisions. Knowledge is widely dispersed in society, and public officials benefit from having access to that dispersed knowledge.”)
   
• Fourth, because any issues related to the release of IP addresses to third parties is ultimately caused by the decisions of third-party vendors, it seems more suited to regulation by the Federal Trade Commission — not OCR. As the proposed rule itself notes, “the Federal Trade Commission (FTC) has recognized that information related to personal reproductive matters is ‘particularly sensitive.’… As a result, the FTC has committed to using the full scope of its authorities to protect consumers’ privacy, including the privacy of their health information and other sensitive data.” Here, OCR should work with the FTC to identify and regulate third parties that refuse to protect health information, rather than putting hospitals to the Hobson’s Choice created by the December 2022 Online Tracking Guidance.

The AHA remains eager to discuss our members’ concerns about the Online Tracking Guidance at your earliest convenience. In the meantime, as noted above, the AHA supports the related privacy protections set forth in the proposed rule. We appreciate your consideration.

Sincerely,

/s/

Melinda Reid Hatton
General Counsel and Secretary

__________

¹ 88 C.F.R. 23506, 23508
² Id. at 23536 (“The Department does not propose to require a regulated entity to investigate the validity of an attestation provided by a person requesting a use or disclosure of PHI; rather, a regulated entity would be able to rely on the attestation provided that it is objectively reasonable under the circumstances for the regulated entity to believe the statement required by 45 CFR 164.509(c)(1)(iv) that the requested disclosure of PHI is not for a purpose prohibited by 45 CFR 164.502(a)(5)(iii).”).
³ Id. at 23536.
⁴ See, e.g., United States Department of Health and Human Services, Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates (Dec. 1, 2022), at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html#ftnref22 (“Examples of unauthenticated webpages where the HIPAA Rules apply include … [t]racking technologies on a regulated entity’s unauthenticated webpage that addresses specific symptoms or health conditions, such as pregnancy or miscarriage.”); id. (“For example, the HIPAA Rules apply to any PHI collected by a covered health clinic through the clinic’s mobile app used by patients to track health-related variables associated with pregnancy (e.g., menstrual cycle, body temperature, contraceptive prescription information).”).
⁵ As you know, an IP address is simply a long string of numbers assigned to every device connected to a network that uses the Internet. Critically, the IP address identifies the computer, smart phone, tablet or other device, whether it is in someone’s home, office, a public library, apartment building or somewhere else. As such, that device could be associated with a particular person or it could be shared by many different people.
⁶ National Quality Forum, Issue Brief: Improving the Accessibility of High Quality Online Health Information 1 (Mar. 14, 2023), https://www.einnews.com/pr_news/622101919/high-quality-health-info-online-must-be-accessible-says-issue-brief-from-nqf-with-support-from-youtube-health (hereinafter National Quality Forum Study).
⁷ Id.
⁸ Vivek H. Murthy, Confronting Health Misinformation: The U.S. Surgeon General’s Advisory on Building A Healthy Information Environment 2 (2021), https://www.hhs.gov/sites/default/files/surgeon-general-misinformation-advisory.pdf.
⁹ Id. at10; see id. (“[P]rofessional associations can equip their members to serve as subject matter experts for journalists and effectively communicate peer-reviewed research and expert opinions online.”)
¹⁰ National Quality Forum Study at 1.
¹¹ Pew Research Center, Social Media Fact Sheet (Apr. 7, 2021), at https://www.pewresearch.org/internet/fact-sheet/social-media/?tabId=tab-ad42e188-04e8-4a3c-87fb-e101714f1651
¹² In latest months, plaintiffs’ attorneys have used the Online Tracking Guidance against regulated entities and in groundless class action litigation. This is particularly problematic during a time of decreased reimbursements, increased labor costs and supply chain shortages.
13 See HIPAA and Google Analytics, at https://support.google.com/analytics/answer/13297105?hl=en (“Can Google Analytics be used in compliance with HIPAA? … Google makes no representations that Google Analytics satisfies HIPAA requirements and does not offer Business Associate Agreements in connection with this service.”); cf. Geoffrey A. Fowler, Google promised to delete sensitive data. It logged my abortion clinic visit, Washington Post (May 9, 2023), at https://www.washingtonpost.com/technology/2023/05/09/google-privacy-abortion-data/ (“Google offered a partial solution: It would proactively delete its trove of location data when people visited “particularly personal” places, including abortion clinics, hospitals and shelters. Nearly a year later, my investigation reveals Google isn’t doing that in any consistent way.”).
¹⁴ 88 C.F.R. at 23510 (quoting Kristin Cohen, ‘‘Location, health, and other sensitive information: FTC committed to fully enforcing the law against illegal use and sharing of highly sensitive data,’’ Federal Trade Commission Business Blog (July 11, 2022), https://www.ftc.gov/business-guidance/blog/2022/07/location-healthand-other-sensitive-information-ftc-committedfully-enforcing-law-against-illegal); see FACT SHEET: President Biden to Sign Executive Order Protecting Access to Reproductive Health Care Services (July 8, 2022), at https://www.whitehouse.gov/briefing-room/statements-releases/2022/07/08/fact-sheet-president-biden-to-sign-executive-order-protecting-access-to-reproductive-health-care-services/ (“The President’s Executive Order takes additional steps to protect patient privacy, including by addressing the transfer and sales of sensitive health-related data, combatting digital surveillance related to reproductive health care services, and protecting people seeking reproductive health care from inaccurate information, fraudulent schemes, or deceptive practices. … The President has asked the Chair of the Federal Trade Commission to consider taking steps to protect consumers’ privacy when seeking information about and provision of reproductive health care services. The President also has directed the Secretary of HHS, in consultation with the Attorney General and Chair of the FTC, to consider options to address deceptive or fraudulent practices, including online, and protect access to accurate information.”).

May 16, 2023 - This is the third piece in our series on private equity investment in health care — which explores why conducting due diligence in a health care purchase requires special attention, particularly for private equity firms entering the sector for the first time. The first piece focused on compliance precautions and the second focused on enforcement trends.

This piece details the questions that should be asked to uncover compliance concerns and the red flags that should give a private equity investor in health care pause. If private equity moves too quickly to turn a profit, fundamental regulatory and compliance elements may be overlooked, leading to major headaches down the road.

Why conduct due diligence?

The due diligence process is critical when purchasing a health care entity, especially because acquisitions in this space tend to move quickly — private equity is usually aggressive once it sets its sights on a target. Hidden compliance issues such as nonconformity with health care regulations on fraud and abuse or those related to privacy and security are easy to overlook. However, failure to conduct due diligence, or to assess and negotiate the proper delegation of risk once compliance issues are uncovered, could lead to financially devastating consequences.

Critical considerations when performing due diligence include:

(1) Understanding the entity's business model, people, organizational structure, and any pending or consequential governmental investigation.

(2) Reviewing the entity's health care compliance program.

(3) Examining any existing partnerships, arrangements and ancillary relationships.

A thorough understanding of the health care entity and any shortfalls will enable an investor to better negotiate the terms of the purchase agreement and secure necessary representations and warranties before closing the deal.

Evaluate organizational structure

Some view private equity and health care compliance as antithetical: One party seeks to make a profit while the other party puts patient outcomes first. While nothing is as simple as this, private equity does take on new ethical obligations when investing in a health care entity. To uphold, or even improve, the quality of care being provided to patients, private equity must learn all it can about the entity it is purchasing, as well as its providers.

At the onset of the due diligence process there are critical elements to unpack. Here are five critical issues to address:

(1) Who owns the health care entity? Unclear ownership can be a harbinger for future claims of illegal referrals. For example, a practicing physician who owns an interest in a management company that "owns" the profits of the professional practice might raise a red flag. Legal analysis of the organizational structure prior to and following acquisition is critical to avoid any potential fraud and abuse concerns.

(2) Any issues related to state corporate practice of medicine restrictions are also important. Only licensed and certified professionals can practice medicine and dentistry. The corporate practice of medicine doctrine aims to protect patients by prohibiting corporate entities from practicing medicine, interfering with medical decision-making, or employing physicians to provide professional medical services in a prohibited manner. The due diligence phase must confirm that the target health care entity is properly owned by the party legally allowed to do so under state law.

Also under this doctrine, a private equity firm cannot influence or manage the medical direction of a medical practice, and it may likely require working through a separate management services organization to operate the administrative end of the practice. The goal is to ensure the health care providers put the needs of their patients ahead of the organization and avoid unlawfully commercializing their practice.

(3) Research is necessary to ensure the organization's financial relationships fit within the regulatory guidelines of the Stark Law and Anti-Kickback Statute, including all ancillary services provided, service and employment contracts, and ownership matters, with special consideration of fair market value, commercial reasonableness and referral risks. Be wary of the fair market value range, because any practice overvaluation can be interpreted as the result of paying for referrals. A purchaser should strongly consider hiring a third party to conduct a financial evaluation and gauge the soundness of the business arrangement. Understanding what referrals the health care practice makes and receives is also of utmost importance.

(4) The purchaser should consider the intellectual property assets the health care entity may own. Does it have a federal or state trademark on its name or logo? Copyrighted publications or software? It is critical to investigate the status of any intellectual property associated with the health care entity and the ownership of such intellectual property.

(5) Organization culture should be assessed by evaluating the entity's health care compliance program. The target entity must have a culture that supports and enforces its compliance policies and procedures and shows the compliance program is not an afterthought.

A few key questions to consider include:

•Is the organization acting in a way that shows it is a health care compliant entity?

•Have key players bought into the culture?

•Does the culture align with the anticipated culture moving forward?

•Does the health care entity have written policies and procedures that are followed?

•Does the target entity conduct effective training for its employees?

•Is there a compliance officer overseeing the program?

•Does that officer conduct audits and take corrective action as necessary?

•Does that officer have a direct chain of communication to the leadership of the purchasing organization?

•Are standards enforced through disciplinary actions?

If in conducting specific due diligence, the answer to any of the above questions is "no" it may be a recipe for buying many hidden and costly problems.

Assess the health care compliance program

Private equity's knowledge of the strengths and weaknesses of the target entity's compliance program is essential if allegations of fraud and abuse are made after the transaction closes. A private equity firm cannot be completely insulated from liability for prior bad acts of an acquired health care entity, but a robust due diligence process is essential to reduce this risk.

Here are the areas a private equity firm should explore and address in the seller's representations and warranties:

•Compliance program. Does the organization and/or its entities have a strong compliance program that follows the U.S. Department of Health and Human Services' Office of the Inspector General's (OIG) Seven Elements of an Effective Compliance Program?

•Billing history. Having a health care auditor review a sampling of bills from each provider and deliver a report card on the billing practices can significantly mitigate potential risks.

•Government investigations. Are the entity or its providers the target of current or former governmental investigations, including any related to a Corporate Integrity Agreement?

•Privacy and security. An audit of the entity's privacy and security program can prevent potential problems post-acquisition. Is the practice operating on a secure network? Are there workplace controls in place? Are HIPAA (Health Insurance Portability and Accountability Act) policies followed?

•OIG Exclusions Database. Referencing the database to search for individuals and entities excluded from Medicare is necessary. If the target or any of its employees or contractors are on the list, seek out further information.

•Proper documentation. Copies of all licensing documentation and surveys should be secured. Are providers appropriately licensed and credentialed and not under investigation or probationary status, including with a medical staff where the providers have privileges? Is the facility in compliance with licensing requirements, including, but not limited to any required Certificate of Need?

•Marketing. Do marketing arrangements fall under the guidelines of the Anti-Kickback Statute and the Eliminating Kickbacks in Recovery Act?

Furthermore, a purchaser should ensure that the seller's representation and warranty disclosures attest, among other issues, that:

•The seller is defined to include those who have a direct or indirect ownership in the entity, including any managing officer, director manager or agent or any managing employee (e.g., as to their knowledge about overpayments);

•There are no known:

•Violations of state and federal fraud and abuse laws;

•Whistleblower lawsuits;

•Exclusions from federal or state payment program;

•Current or previous overpayment penalties.

Due diligence to this extent can take months but ultimately depends on the closing date set by the parties. Regardless of the timeline, due diligence is essential to protecting against government scrutiny following the purchase of a health care entity.

Consider service provider relationships

The due diligence process also needs to include reviewing any agreements that are in place with organizations and individuals that serve the seller.

For example, the purchaser should examine if the entity has hired any physicians to be a medical director. Are the medical director services bona fide services, clearly indicated in a written agreement, or is the medical director merely being paid in a manner that could be construed as a payment for referrals? Here, it is important to determine whether fair market value for enumerated medical director services reasonably aligns with the total compensation. If there are gaps, a government agency could infer illegal remuneration for referrals. All such contracts must be reviewed to understand the goals and payment structure and to be sure everything is reconciled.

The health care entity's relationship with its outside vendors must also be considered, as well as relationships where the target health care practice is providing services, to ensure all are in compliance with fraud and abuse laws.

Happily ever after?

When the due diligence process is complete, look at the big picture. If red flags abound, a purchaser may want to call off the deal. Or, if there is a tolerance for risk, a purchaser could negotiate some allocation of liability — an indemnity agreement, for example — where a sum of the purchase price is retained and potentially withheld if a government investigation occurs post-closing due to the seller's negligent billing practices.

The bottom line is that private equity investment in a health care entity must be sound from top to bottom. Examine the target organization in whole, ensuring there is a robust compliance program in place and that it is operating in proper fashion before pulling the trigger.

Opinions expressed are those of the author. They do not reflect the views of Reuters News, which, under the Trust Principles, is committed to integrity, independence, and freedom from bias. Westlaw Today is owned by Thomson Reuters and operates independently of Reuters News.

Mental health explained by Dr. Jen Ashton

SHARE

SHARE

TWEET

SHARE

EMAIL

What to watch next

• 

  Mike Pence, Chris Christie expected to announce runs for president

  ABC News
• 

  ‘GMA’ takes a first look at docuseries ‘The Age of Influence’

  ABC News
• 

  Jack Dorsey's Twitter alternative 'Bluesky Social' is seeing boost in users

  ABC News
• 

  Sonic boom that rattled Washington, DC, caused by military jets

  ABC News
• 

  New York to propose legislation criminalizing printing ghost guns at home

  ABC News
• 

  Tension between US and China after close call

  ABC News
• 

  Ukraine continues to build toward counteroffensive

  ABC News
• 

  Biden cracks down on ‘ghost guns’

  ABC News
• 

  Pediatrician charged in alleged murder-for-hire plot

  ABC News
• 

  Canadian fires bring dangerous air quality to the US

  ABC News
• 

  Indian crash leaves at least 200 dead as fatalities rise

  ABC News
• 

  Body of missing resident in collapsed Iowa building found, officials say

  ABC News
• 

  'Ghost guns' rule to be announced by Biden admin, DOJ

  ABC News
• 

  White House on alert after 2 aviation incidents

  ABC News
• 

  Ramaswamy would not reinstate transgender military ban

  ABC News
• 

  Escalating aggression from China is ‘unacceptable’: Turner

  ABC News

Click to expand

UP NEXT

Digital mental health company BetterHelp is facing multiple potential class action lawsuits over claims from patients that it shared their personal information to advertisers — including Facebook. The lawsuits came soon after BetterHelp agreed in March to pay $7.8 million over charges from the Federal Trade Commission that it revealed sensitive patient data.

"When a person struggling with mental health issues reaches out for help, they do so in a moment of vulnerability and with an expectation that professional counseling services will protect their privacy,” said Samuel Levine, director of the FTC's Bureau of Consumer Protection, in a statement. "Instead, BetterHelp betrayed consumers’ most personal health information for profit.”

This isn’t the first time a digital mental health service — which could include apps that connect you with a therapist, chatbots, meditation apps, and others — has come under fire for privacy violations. These products market themselves as useful resources for people struggling to navigate mental health care. They’re also more accessible at times than traditional therapists and easier to use from home.

© Alex Brandon/AP, FILE In this Jan. 28, 2015, file photo, the Federal Trade Commission building is shown in Washington , D.C.

But many of these mental health tools have privacy risks that you won’t find with a traditional, in-person therapist. Mozilla’s Privacy Not Included project says that mental health apps, as a category, have some of the worst privacy protections of any apps on the market.

However, digital mental health tools might still be a good option for some people, but it’s important to check beforehand if you can trust the privacy protections offered by the service you’re using, says Dr. Rebecca Brendel, president of the American Psychiatric Association.

Here are some things to think about when you sign up.

Don’t assume your information will be private

Many digital mental health tools are not governed by the medical privacy law HIPAA. That law protects data collected by health care professionals or hospitals — but not always by apps or websites. An app could, for example, legally share the fact that you signed up for its service with third-party advertisers.

That’s why it’s so important to do your due diligence before using a service, Brendel says. “Entering into mental health treatment is something that's deeply private and personal for so many of us. And so being sure ahead of time that you can trust that your treatment is actually private and protected is critical,” she says.

Check the privacy policy

Read the privacy policy of any mental health tool closely before you use it, Brendel says. Check if it will be sharing data and what kind of data it will be sharing. Find out if any information will be used for research — either medical research or to Boost the app.

“What are some of the guarantees that are being made and what isn't being made?” she added. Make sure you’re comfortable with the policy, and that you know your rights.

Ask questions during your first visit

People should also ask questions about privacy during their first visit with a provider through the app, Brendel says.

“Asking direct questions at the beginning of a first session is a really important way to ensure that there is integrity in the treatment, and that it protects privacy in a way that makes treatment possible and trustworthy,” she says.

That should include asking if there have been any data breaches at the company, where data is stored, and if there are any reasons to worry about data privacy.

“If there are any red flags or any concerns, it might not be the best option or it might require a little more investigation, Brendel says.

Consider using a virtual service through a hospital rather than a tech company

It can be hard to track down all the information about privacy on an app or website, Brendel notes. If you want to have a higher level of certainty, you may consider accessing a virtual mental health service that’s connected to a hospital or a health care system — rather than a startup or app-based platform.

“Think about systems that really are behind medical firewalls,” she says.

If you’re really panic about privacy, those might be able to give you more peace of mind.

“That can be very, very helpful and reassuring so that you can enter into treatment and focus on getting better and getting the help you need, rather than whether you're going to be exposed or others are going to find out about it,” Brendel says.

If you are struggling with suicidal thoughts, substance use, or other mental health crises please call or text 988. Trained crisis counselors are available for free, 24 hours a day, seven days a week.

Remotely monitoring patients without violating their privacy is a challenging task. But one co-founder believes that she’s cracked the code.

On a latest episode of TechCrunch Live, TC’s weekly event designed to help founders build better venture-backed businesses, Romi Gubes, the CEO of Sensi.AI, spoke about how she built a company that uses audio-based AI software to detect and predict anomalies that can impact the health of those receiving in-home care.

Romi, a software engineer by training who’s worked at Fortune 500 companies including Cisco, Dell and Vonage, says that she was inspired to found Sensi.AI after an episode of abuse in her daughter’s daycare center.

“It was one of the things in life that really changes your life,” she said. “And I wanted to leverage my technological background in order to help those vulnerable individuals be safe in any kind of care environment.”

That turned her on to the massive shortage of in-house care professionals in the U.S., as well as the effects that “aging in place” without the proper infrastructural support can have.

“As most of you know, as time goes by, there are more and more older adults and less than less younger people that can potentially take care of them,” Romi said. “Very soon, I understood how big the pain in the senior care industry is.”

© Provided by TechCrunch Sensi.AI TC Live

Image Credits: Sensi.AI

Sensi.AI, founded in 2018, grew rather quickly, scaling today to 70 employees across two countries — the U.S. and Israel — and to customers in 37 states serving thousands of individuals. Along the way, Sensi.AI raised $25 million from investors including Sergey Gribov, a general partner at Flint Capital and a board member at Sensi.AI, who joined for the TC Live discussion.

Bolstered by the pandemic, the market for remote care monitoring solutions is quite large. So how did Sensi.AI manage to stand out from the crowd? Romi attributes it to the company’s differentiated technology, which uses a combination of AI and audio monitoring to detect key events in and around patients’ environments.

Sensi.AI spent years collecting data from the field to train its AI system. To date, the company has captured more than 10 million caregiver interactions from tens of thousands of people throughout the U.S., Romi claims.

“For example, we know to detect if a caregiver has a specific problem with transitioning the older adult from bed to the chair, where this is a huge risk factor for both of them, actually,” she explained. “We’re more focused on the prevention layer in order to really allow professionals to act before something’s happening.”

But what about privacy — both the privacy of the patients and of the caregivers?

Romi pointed out that Sensi.AI doesn’t use cameras for monitoring, unlike some of its competitors. On top of that, the system is compliant with HIPAA — the major medical records privacy bill in the U.S. — and anonymizes data so that the audio data isn’t tied to any individual being monitored.

That contributed to Sensi.AI’s funding success as well, according to Gribov. But the pandemic arguably played a larger role.

“When the pandemic hit, many caregivers weren’t able to get to the homes of the older adult and really serve them, and older adults stayed at home by themselves,” Romi said. “And this is where the need for solutions such as Sensi was very, very clear.”

© Provided by TechCrunch Sensi.AI TC Live

Image Credits: Sensi.AI

One might assume that Sensi.AI’s grand ambition is to replace care workers entirely. But Romi asserts that this isn’t the case. In fact, she thinks it isn’t feasible from a technical standpoint — and won’t be for the foreseeable future. She hopes, rather, that Sensi.AI can grow into a care tool that clinicians — and even parents of older adults — can use to keep track of what’s going on in the home of a vulnerable patient.

“We can make their work much more efficient, and to get them make better decisions,” Romi said.

Sensi.AI and Flint Capital speak on developing and deploying AI solutions in healthcare by Kyle Wiggers originally published on TechCrunch

Investment will grow workflow automation engine, integration ecosystem, rich analytics platform and healthcare community

GREAT BARRINGTON, Mass.–(BUSINESS WIRE)–May 25, 2023–

Dock Health, Inc., the administrative hub for healthcare professionals, today announced $5 million in funding led by MassMutual through its MM Catalyst Fund (MMCF) with participation from DaVita Venture Group and initial seed investor, August Capital. The new funding will grow its administrative hub for healthcare from its initial task and workflow management platform to a more powerful automation engine and robust analytics platform with new integrations to drive administrative best practices.

This press release features multimedia. View the full release here: https://www.businesswire.com/news/home/20230525005254/en/

Dock Health: HIPAA-compliant task management and workflow automation together in the only administrative hub for healthcare. (Graphic: Business Wire)

“The MM Catalyst Fund provides catalytic funding for high-impact companies that are helping to solve problems that will make positive societal impacts,” said Jason Allen, Portfolio Manager of Impact Investments at MassMutual. “We are inspired by Dock Health’s vision to eliminate friction, rampant throughout the healthcare delivery system, with a platform that reduces disparities in health outcomes and stabilizes the provider community. With its roadmap and scalable business model, we believe that Dock is uniquely positioned to revolutionize how healthcare is administered.”

Dock Health seeks to reduce the onslaught of administrative tasks that are currently required while managing highly complex patients. By more effectively tracking and managing administrative requirements, clinicians are better positioned to direct their focus on delivering outstanding patient care. Founded within the innovation department at Boston Children’s Hospital and spun out in 2020, Dock addressed an internal need to better collaborate between the clinical and administrative halves of care delivery.

“We believe our vision at Dock Health aligns with the missions of the MM Catalyst Fund and DaVita in supporting better outcomes, reduced costs, and better provider and patient experiences,” said Dr. Michael Docktor, CEO and co-founder of Dock Health. “We’re thrilled with the opportunity to propel Dock into the next phase of our journey, enhancing our technology and building out our team to better support the needs of healthcare organizations looking to provide more efficient, highly-reliable and accountable care.”

The Administrative Hub for Healthcare

“Our model of care centers around the complex needs of kidney care patients, which requires seamless, connected data flows and easy communications among many care providers. We expect that the powerful capabilities of Dock Health will help support our mission to be the provider and partner of choice,” said Dr. Adam Weinstein, chief medical information officer for DaVita.

In addition to growing Dock Health’s employee base, the new funding propels its roadmap forward with large-scale product and technical developments, including:

• Integrations marketplace: Dock’s ever-growing apps marketplace of EHRs and productivity solutions allows organizations to seamlessly sync patient, business and organizational data and processes in one place. For tech-enabled partners, Dock’s APIs allow the platform to connect to internal and external data streams and embed within their systems and workflows.
• AI-powered workflows: Dock’s proprietary SmartFlow^TM replaces the time-honored paper flow diagram with a digital and scalable process map complete with automations, branching logic, dependencies and time delays. The next generation of workflows in Dock will be developed and supported by AI tools.
• Analytics + insights dashboard: Dock is able to capture novel data on the processes and workforces supporting highly reliable and efficient patient care. Its future analytics and insights will provide visibility into the bottlenecks and inefficiencies of care teams and workflows surfacing new possibilities for providing more effective and efficient care.
• Administrative best practices community: Thousands of healthcare providers use Dock every day to help keep healthcare moving forward. Dock will give users the opportunity to share best practices, brand their own content, ask questions to like-minded groups, and even upvote the best protocols, help articles, process-improvements, and reviews.

HIPAA-compliant Task Management + Workflow Automation

Dock Health is a HIPAA-compliant workflow management platform “For The Other Half Of Healthcare” — the administrative side of care delivery. Dock reduces dropped balls and care delays, eliminates administrative friction through process improvements and accountability, and delivers better patient care.

From managing complex workflows and protocols to tracking phone calls, emails, prior authorizations and forms, Dock gets the clinical and administrative teams on the same page and accelerates processes with workflow automations and meaningful integrations. Clinical care and outcomes must be matched with efficient, accountable, automated administrative work – made possible by enabling every healthcare professional with the right tools, processes and connectivity to do their jobs.

The Only Task and Workflow Platform Built for Healthcare

Simple yet powerful, Dock Health’s web and mobile platform was developed at Boston Children’s Hospital to solve a problem experienced in nearly every clinical environment in healthcare.

“As a practicing pediatric gastroenterologist, I was acutely aware of the lack of a platform where I could securely manage all the tasks for my patients and collaborate with my clinical and administrative colleagues,” said Docktor. “I felt overwhelmed, as most clinicians do, by the amount of administrative steps associated with delivering the best care to my patients. I wanted one place that integrated with my other systems to capture the essential but mundane to-dos, automate repetitive tasks, and illuminate where the patient was in their care journey.”

Spun out in 2020, Dock Health accelerated its growth during the pandemic with robust APIs and professional services to demonstrate immediate value and help healthcare providers adopt quickly and easily.

Headquartered in Great Barrington, Mass., with teams outside Boston, New York Metro, Minneapolis, Chicago, San Francisco and Denver, Dock serves customers in every healthcare specialty and setting.

About Dock Health

As the only administrative hub built for healthcare, Dock Health helps provider teams save time and work better with HIPAA-compliant task management and administrative workflow automation in one integrated platform. Founded in 2020 by a physician-led team out of Boston Children’s Hospital, Dock empowers thousands of healthcare teams of every size, setting and specialty as they work to transform their practices and processes. Based in Great Barrington, Mass., Dock’s mission is to eliminate the friction within the healthcare ecosystem and pave the way for sustainable care delivery. For more information, please visit www.dock.health.

View source version on businesswire.com: https://www.businesswire.com/news/home/20230525005254/en/

MassMutual: Chelsea Haraty, chelseaharaty@massmutual.com or 413-426-2008
DaVita Inc.: Karen Modlin, karen.modlin@davita.com or 214-773-2152
Dock Health: Jen Asbury, jasbury@dock.health or 303-241-3126