An MLP brings together health care and legal professionals who share a common goal: to promote the well-being of their patients and clients. These partnerships leverage the resources and expertise of two knowledgeable service professions in order to alleviate the social and environmental stressors that affect the health of our nation’s neediest individuals and families.

By working together to improve their patients and clients’ health, doctors and lawyers benefit communities in many ways. For example, keeping children healthy reduces school absences and reduces the amount of time employed parents spend taking their child to a doctor.

How do MLPs help? The concept of a Medical-Legal Partnership (MLP) is the brainchild of Barry Zuckerman, M.D., Chief of Pediatrics at Boston Medical Center. He came up with the concept after repeatedly seeing patients who failed to recover from ear infections because their apartments lacked heat, and patients who were unable to control their asthma because their residences contained mold. In working with these patients, Zuckerman came to understand that legal remedies can be used to lessen or even prevent his patients’ need for health care. Putting his idea into action, Zuckerman founded the Medical-Legal Partnership for Children at Boston Medical Center in 1993, and subsequently created the National Center for Medical-Legal Partnership. Over the past 17 years, MLPs have moved beyond Boston. They now exist in 37 of the 50 states and account for more than 80 programs at just over 180 sites across the country. All of the MLPs bring lawyers into the health care setting to help patients and their families navigate through the maze of regulations involving such health-related concerns as food-stamp eligibility, utility shutoffs, mold removal, and landlord-tenant issues.

An MLP is a health and legal services delivery model which recognizes that the legal system already holds solutions for many problems associated with social determinants of health. By integrating legal assistance into the medical setting, an MLP helps underserved communities.

Health care reform has been a primary topic of political discussion for the last year. But over the last few decades, we have adopted laws that provide access to health care, adequate nutrition, safe housing, and other basic needs to millions of low income Americans. As recent and historic efforts reflect, legislatures, health care providers, and advocates increasingly recognize that social factors have a significant influence on health and well-being and that medicine alone cannot solve the health problems of those who struggle daily with hunger, safety, and other material hardships.

Medical schools teach doctors to heal, not for the most part to address social issues. As a result, doctors may not be equipped with the skill set useful for solving health problems that poor housing conditions, food and energy insecurity, and educational and employment factors cause or exacerbate. MLPs enable doctors to refer their patients with those and other social stressors to a legal advocate, who can provide the “preventative medicine” needed to avoid potential health problems. For example, a child with asthma living in a moldy apartment will never breathe symptom-free, no matter how much medicine is administered. But, with the assistance of a lawyer, the child’s parents can compel either the government or their landlord to remove the mold.

A variety of government programs are designed to address situations that can lead to health problems. However, many low-income individuals and families across the country continue to lack practical knowledge and, thus, access to the benefits these programs afford.

Traditional medicine and law have treated vulnerable populations in isolation, despite the strong links between certain social situations and health. Studies have shown that adverse social conditions, such as substandard housing and insufficient heat, make people vulnerable to poor health. At the same time, research also reveals that poor health makes people vulnerable to adverse social conditions. This “cycle of vulnerability” often consigns our nation’s most disadvantaged households to a lifetime of poverty, poor health, and other negative conditions.

An MLP can break this cycle. It recognizes the inextricable link between unmet basic needs and health, and it gives individuals and families the tools needed to address the factors that perpetuate poor health in underserved communities. MLPs are founded on the principle that early legal intervention can prevent social stressors from exacerbating health problems in the same way that a transactional legal practice prevents litigation. By bringing doctors, lawyers and other professionals together, an MLP helps patients and their families escape the cycle of vulnerability and put them on a track toward better health and well-being.

The MLP works to improve the health and well-being of vulnerable populations, in part, by shifting the service-delivery model of both law and health care. Traditional legal aid operates in an “emergency room” model, providing crisis-driven service to clients who are able to both identify their needs as having legal remedies and connect with a local legal services agency. By the time someone reaches legal aid, she is likely to have an urgent legal need, such as an eviction. An MLP engages and trains health care providers to recognize and refer these problems earlier so that legal staff can intervene in a preventive, “primary care” model.

Traditional health care acknowledges the effect of social stressors on patient health, but stops short of recognizing the role legal remedies play in curbing poor health. Identified social problems are referred to other professionals and advocacy is considered secondary to the practice of medicine. An MLP not only emphasizes the role legal intervention can play in promoting better health, it also helps to re-orient health care providers to view advocacy as a key component in the delivery of health care.

An MLP program known as Children’s Health Advocacy Project or CHAP has been established in St. Louis. CHAP is a partnership between Legal Services of Eastern Missouri, Grace Hill Neighborhood Health Center, SSM Cardinal Glennon Children’s Medical Center, St. Louis Children’s Hospital, Saint Louis University School of Law, local pro bono attorneys, and the Missouri Foundation for Health. The CHAP program follows the national model by addressing the issues on three fronts. First, CHAP engages in direct legal representation of patient and client. The program’s attorneys seek legal solutions for barriers to health such as inadequate housing, inaccessibility to public benefits and special education services, and family instability. Second, CHAP is integrated with the residency programs at Saint Louis University School of Medicine and Washington University School of Medicine. These training sessions teach health care providers to spot legal issues, become better advocates, and understand the basics of the law. Finally, CHAP partners with health care providers to identify and address systemic, recurring legal barriers to health through litigation.

I would be remiss in discussing MLPs in St. Louis without acknowledging Missouri’s “first family” of medical-legal partnership. Dr. Patricia B. Wolff practices pediatric medicine locally with the Forest Park Pediatrics. She is an active participant in CHAP and has literally saved lives via the program. She has also traveled to Haiti to treat children regularly since 1988, and, more recently, proactively addressed some of the nutritional and economic issues in that country. Dr. Wolff is married to Missouri Supreme Court Judge Michael A. Wolff. Judge Wolff is a former attorney for multiple legal aid organizations. In addition to his many law-related activities, he also served on the faculty of the Department of Community Medicine, Saint Louis University School of Medicine, and the School of Public Health, Saint Louis University. Locally and nationally, MLPs highlight the exceptional difference that lawyers and doctors can make in the lives of their patients/clients and for society as a whole. I encourage every person who reads this article to consider helping CHAP or another medical-legal partnership by talking about the concept with the doctors you know. Together, we can make a difference.

This article originally appeared in the St Louis Bar Journal and is reprinted with permission.

I am not simply referring to the recent federal health care reform debate. Rather, I am referring to the larger debate that has occurred over the last century. The principal question this raises in my mind is: Why, after more than 100 years of politically debating medical services, are we not facing similar questions about provision of legal services to low and moderate income people?

The answer is simple and straightforward: We already answered many of these questions. Unlike the medical profession, the legal profession has lead the debate about how to provide professional services to people who cannot afford them for centuries.

I point out frequently and with much pride that the Bar Association of Metropolitan St. Louis’s original 1874 charter declared the desire and need of our profession to make provisions for legal services to poor people. BAMSL began implementing this declaration in 1911, when it created a program to provide legal assistance to the poor of St. Louis. Eventually, BAMSL spun off this program into the independent entity now known as Legal Services of Eastern Missouri (LSEM). Almost 60 years after our association created this program for the provision of legal services to low and moderate income people, President Richard Nixon signed the act authorizing the creation and financing of the Legal Services Corporation.

While I’m proud of our local and national legal services programs, it is not the extent of our profession’s efforts to address the provision of legal services to the poor. Included in our professional oath, we each swear, or affirm, our individual obligation to address this issue. By comparison, the modern variations of the Hippocratic Oath do not address the issue of provision of free or low-cost medical care. The American Medical Association code of ethics does recognize the need for the medical profession to address this issue. However, I suggest a substantial difference exists between recognition of this concept as a broad inspirational goal for an entire profession and inclusion of the concept in the individual oath each practitioner takes. The latter assures the integrity of the profession as a whole through individual responsibility to address the issue.

Creation of organizations and oaths to provide services is ultimately meaningless without providing funding for those efforts. Without a continuing means of funding for these efforts we are left with nothing more than the model of provision of medical services to the poor that existed before the New Deal and Great Society social welfare programs. At that time, medical services for the poor were largely sustained by the benevolence of individual doctors to provide medical care to essentially random individuals who showed the courage to contact a professional, knowing they could not pay for that professional’s services. These individual doctors’ efforts were admirable but were not broad enough to meet the needs of the poor for medical services. Since our profession is much more focused on sustaining broad policy in the long term, we can also count among our accomplishments funding mechanisms that assure sustained structural provision of legal services to the poor. These efforts include not just the benevolence of individual attorneys or even the benevolence of the financing through organizations like our St. Louis Bar Foundation, but also more systematic structured mechanisms like Interest on Lawyer’s Trust Accounts and funds from payment of court costs that fund LSEM.

I spotlight our efforts to provide legal services to low and moderate income persons not merely as a point of professional pride. I have more selfish reasons. Our governmental system of checks and balances tends to assure that major legislative action occurs only when a matter reaches crisis level and when a majority of people believe that governmental intervention is mandated. At that point, governmental intervention tends to be sweeping, inefficient, and full of compromise. Doctors have learned that as a result of such intervention, the nature of their profession as a whole is subject to political change by forces outside their profession. Avoidance of such intervention and the ensuing negative impacts to our profession demand that we continue our individual and collective efforts to assure that the need for legal services for those with low and moderate income is addressed.

These continuing efforts to provide legal services to those unable to afford it can include political and financial support for a variety of local organizations and include taking pro bono cases through organized efforts like LSEM’s Volunteer Lawyer Program. Such support of and participation in these programs assures that the needs of the community are benefited as well as the needs of individual clients.

The legal profession has long been afforded the relatively unique privilege of self-regulation. If our profession is to retain that unique privilege, then we must not only continue our efforts to meet the legal needs of low and moderate income individuals, but redouble them. Preventing unmet needs from reaching crisis level assures that demand for intervention into the regulation of our profession does not increase. Any political or community intervention would interfere with our profession generally and our professional satisfaction individually.

While many lessons may be gleaned from both the recent and century long debates over health care, one is clearly applicable to us lawyers. We must individually and collectively continue to work diligently to provide legal services to people who cannot afford them. Otherwise, the legal profession risks interference similar to that just placed upon the medical profession.

This article originally appeared in the St Louis Bar Journal and is reprinted with permission.

The Act amends the definition of a creditor to mean any creditor that (i) in the ordinary course of business obtains or uses credit reports in connection with a credit transaction, (ii) furnishes information to a credit reporting agency in connection with a credit transaction, or (iii) advances funds to a person on the obligation of repayment. Under this new definition, typically physicians and attorneys will not be considered creditors for purposes of the Red Flags Rule.

Certain healthcare providers, however, that use or obtain consumer reports routinely in connection with credit transactions or that furnish information to consumer reporting agencies may still meet the definition and thus be subject to the Red Flags Rule. This potentially means that hospitals or physician groups that routinely submit information about non-paying patients to collection agencies, which in turn submit such information to credit reporting agencies, will need to be in compliance with the Red Flags Rule.

In the end, the underlying reason for implementing an identity theft program, such as the one required under the Red Flags Rule, is to help prevent identity theft. Therefore, whether or not a health care provider is directly affected by the Red Flags Rule by falling within the definition of creditor, providers should still be encouraged to implement an Identity Theft Prevention Program to detect warning signs, or “red flags”, that could indicate identity theft.

Identity theft is rampant in today’s society. As many as ten million individuals per year become victims of identity theft and the number of medical identity theft cases are on the rise. In response to this growing problem, several federal agencies jointly promulgated regulations that require certain entities to implement a plan to detect, prevent, and correct identity theft. The “Red Flags Rule” applies to various types of entities, including most healthcare providers. Thus, entities ranging from a small doctor’s office to a hospital must be in compliance with the new Red Flags Rule by the date on which the Federal Trade Commission (“FTC”) will begin enforcing the Rule.   After that date, an entity may be penalized up to $3,500 per violation. Thus, healthcare providers need to take steps to comply, including creating an Identity Theft Prevention Program.

Before understanding the Rule, a healthcare provider must determine whether it is subject to the Rule in the first place. Under the Red Flags Rule, any “creditor” that offers or maintains one or more “covered accounts” is required to develop and implement a written Identity Theft Prevention Program. A “creditor” is defined as any person who regularly extends, renews, or continues credit. Healthcare providers will be considered a “creditor” if they regularly bill patients after the completion of services, allow payment plans after services have been rendered, or aid patients in obtaining credit from other sources (see note).

Under the Rule, a “covered account” is defined as (1) an account a creditor offers or maintains that involves or is designed to permit multiple payments or transactions, and (2) any other account the creditor offers or maintains for which there is a reasonably foreseeable risk of identity theft. The second portion of the definition is very broad and may include records that an entity may not recognize as a “covered account.” For healthcare providers, this definition of “covered account” generally encompasses patient and employee records. Thus, the vast majority of healthcare providers are subject to the Red Flags Rule and must comply.

Development of Identity Theft Prevention Program

With proper guidance, a healthcare provider can establish an Identity Theft Prevention Program that will comply with the Red Flags Rule. The Red Flags Rule does not require any specific practices or procedures, because it provides flexibility to tailor a Program to the nature of the business and the risks its faces. In other words, the Program is scalable to the size and complexity of the entity and the nature and scope of its activities. In the case of a company at high risk for identity theft, such as a large hospital system, the Program may need more robust procedures, including strict verification procedures for each and every patient’s identity. However, such extensive procedures would be inappropriate for a low-risk company, such as a solo practitioner, who can identify and verify each patient. Thus, there are no set procedures for a Program, but it is a discretionary decision that should be made by someone knowledgeable about the business and its day-to-day operations.

Although the Red Flags Rule does not establish specific procedures, it does require that any Program include “reasonable” policies and procedures to:

• Identify relevant patterns, practices, and specific kinds of activity that may be “red flags” signaling possible identity theft;
• Detect red flags;
• Respond to those detected red flags to prevent and mitigate identity theft; and 
• Update the Program periodically to reflect changes in identity theft risks.

For red flag identification, a healthcare provider should review its own experiences with identity theft and incorporate that knowledge into the Program. Red flags should include concerns raised by patients — both internally and externally. Some examples of such red flags could be suspicious account activity, inconsistent personally identifying information, inconsistent medical histories, and possibly altered identification documents. For red flag detection, a healthcare provider should state what procedures will be in place in the day-to-day operations to detect red flags, which may include procedures to authenticate a new patient and verify the validity of any changed information. For prevention and mitigation of identity theft, a healthcare provider should take necessary steps such as notifying the real patient or law enforcement, monitoring an account and correcting the medical record. Lastly, a healthcare provider must periodically review and reflect on its experience with identity theft and update its Program to verify the effectiveness of the Program.

Even if the Red Flags Rule does not apply to your practice, it may still be advisable to develop an Identity Theft Prevention Program. In the event of a medical identity theft, the federal government and health insurance companies may require a healthcare provider to pay reimbursement for claims made. Furthermore, if a healthcare provider files a claim and later learns that medical identity theft has occurred without taking corrective measures, the provider may be subject to criminal and civil penalties based upon fraud. Importantly, medical identity theft also puts the life of the victim at risk, which plainly could lead to potential civil liability for a healthcare provider. False entries in a medical history can lead to improper medical treatment, denial or exhaustion of health insurance, or an individual’s uninsurability for life or health insurance. An Identity Theft Prevention Programis an important tool for a healthcare provider to minimize its liability and risks, and risks to its patients, even if it is not subject to the new Red Flags Rule.

The task of developing an Identity Theft Prevention Programmay seem daunting, but a provider should not feel overwhelmed. A successful Program for a healthcare provider will build on existing efforts already in use to combat fraud and protect patient privacy. A healthcare provider should review and adapt its current tools used to comply with HIPAA and state privacy, security, and breach notification laws to satisfy the new Red Flags Rule. Thus, with its current tools and available resources, a healthcare provider is already on the way to developing a compliant Identity Theft Prevention Program.

Implementation and Administration

Healthcare providers must be mindful of key issues regarding the implementation and administration of an Identity Theft Prevention Program. Staff training and delegation of duties may generate issues for a healthcare provider attempting to implement and administer such a Program. Internal staff must be trained as necessary. If a healthcare provider outsources or subcontracts portions of its operations that would be covered by the Red Flags Rule, then the Program must address how the provider will monitor the contractor’s compliance. Furthermore, periodic supervision and review after any incident of identity theft will be invaluable to the proper functioning of a Program.

Management and the board of directors of a healthcare provider are required by the Red Flags Rule to play a central role in the creation, implementation and continued administration of the Program. According to the regulations, either the board of directors, or an appropriate committee thereof, must approve the initial written Program. Other responsibilities include assigning specific responsibility for the Program’s implementation, reviewing staff reports about how the practice is complying with the Rule, and approving important changes to the Program. The board of directors should also receive at least annual reports regarding the administration of the Program. Thus, it is critical that a board of directors or management remain active in the administration of the Program to ensure compliance with the Rule. Mere creation of a Program will not shield a healthcare provider from civil fines under the Red Flags Rule.

Conclusion

When the FTC begins enforcing the Red Flags Rule, it will require any entity that regularly extends, renews, or continues credit concerning a “covered account” to develop and implement an Identity Theft Prevention Program. The Rule does not set specific procedures, but the Program must identify how the entity will:

• Identify red flags; 
• Detect red flags; 
• Prevent and mitigate identity theft; and 
• Update its Program.

As long as a healthcare provider begins with its current tools and available resources, it can develop a Program that complies with the Rule. In the implementation and administration, a healthcare provider must be mindful of certain issues, such as delegation of operations, and its board of directors and management must maintain periodic supervision. Although the task may seem daunting, a healthcare provider can successfully comply with the requirements of the new Red Flags Rule, if it takes the proper steps now.

This article was co-authored by Laura Gerdes Long & David Binder.

Note updated 1/24/2011.

This HHS publication triggers two key deadlines, one commencing September 23, 2009, when employers and health care providers (“covered entities”) will be required to comply with the Act’s security breach notification requirements; and, the other, is February 22, 2010, the 180 day enforcement grace period announced by HHS. Accordingly, during this 180 day grace period, covered entities need to digest the new requirements, revise existing HIPAA policies and procedures and develop new ones, put in place a security incident response plan, train employees, confer with business associates about security breach response and negotiate modifications to existing business associate agreements. Employers and health care providers who discover a security breach after that date and fail to provide the required notices may be targeted for an enforcement action.

A security breach notification will only apply to “unsecured PHI”. PHI that is not encrypted or completely destroyed is considered “unsecured” by HHS. The only way, generally, that HHS has said that PHI would be considered “secured” is if it encrypted or completely destroyed. If that is the case, then the covered entity does not need to develop internal procedures for notification of security breaches. In any event, those practices should review their existing Notice of Privacy Practices to update it with respect to the new notification rule.

WHAT IS A “BREACH” REQUIRING NOTIFICATION UNDER THE RULE?

HHS has defined “breach” to mean a use or disclosure of unsecured PHI in violation of the HIPAA Privacy Rule. As we learned when the Privacy Rule was implemented, PHI generally cannot be used or disclosed without the individual’s prior, written authorization. However, the Privacy Rule also contains a laundry list of exceptions to the general rule. Consequently, covered entities may often have to scrutinize the Privacy Rule to determine whether a breach, indeed, even occurred. Hence, a breach will only occur if the following requirements are met:

• the information is “unsecure” PHI;
• the information was used or disclosed in an unauthorized manner (see, HIPAA Privacy Rule); and
• the use or disclosure poses a “significant risk of financial, reputational, or other harm to the individual”. To determine if such a harm has occurred, the covered entity must review factors such as:

(a) to whom the information was disclosed;
(b) the type of information disclosed;
(c) what steps were taken that mitigate the potential harm to the individual; and
(d) whether the use or disclosure falls under an exception listed in the statute. The exceptions are:

(i) Unintentional access by a covered entity’s or business associate’s employee. Such access must be in good faith, within the employee’s course and scope of employment and not result in further use or disclosure. HHS provided an example of a nurse mistakenly sending an e-mail with PHI to a hospital billing employee, who opened it in the normal course of business; however, the billing employee deletes the e-mail and notifies the nurse.
(ii) Inadvertent disclosure from one covered entity or business associate employee to another similarly situated employee. HHS explains that the information should not be further used and that “similarly situated” means both employees must be authorized to access the information. For example, a doctor and billing employee may be similarly situated, because they are both authorized to view PHI, but a doctor and a receptionist may not be or, for example, when a doctor inadvertently gives a patient chart to a nurse who is not responsible for the doctor’s patients.
(iii)The recipient would not reasonably have been able to retain the information. For example, a nurse gives out incorrect discharge papers, but immediately discovers the error and takes them back.

NOTIFICATION OF BREACHES

If a breach occurs, then the covered entity must notify the individual “without unreasonable delay”, but no later than 60 days after discovery of the breach. HHS notes that, if a business associate is an “agent” of the covered entity, the business associate’s discovery of the breach will be imputed to the covered entity.

If the breach involves 500 or more individuals, the covered entity must notify HHS at the same time it notifies the affected individuals. Breaches involving fewer than 500 individuals must be logged, and a log must be submitted to HHS by March 1st of the following calendar year.

There are also provisions for what needs to be done if a breach involves 500 or more individuals from an entire state or jurisdiction. Since business associates are impacted by the discovery and breach notification, covered entities should address those matters in their business associates agreements or vendor agreements, by rewriting or amending those agreements.

WHAT MUST THE NOTICE SAY?

The Notice must be written in plain language and contain five (5) subject areas:

1. a brief description of what happened, including the date of the breach and the date the breach was discovered, if known
2. the types of unsecured PHI involved in the breach (e.g., Social Security number, full name, date of birth, home address, account number, diagnosis)
3. steps that affected individuals can take to reduce the risk of harm from the breach
4. a brief description of the covered entity’s investigation, efforts to mitigate harm to affected individuals and steps taken to prevent a recurrence of breaches
5. contact information for people to ask questions and obtain information, including a toll-free telephone number, e-mail address, website or postal address.

HHS has devised electronic notification forms on its website for submitting notice of breach to the Secretary. These requirements are in accord with the Privacy Rule that requires each covered entity to take reasonable steps to mitigate the harmful effects of an unauthorized use or disclosure of PHI.

There are also provisions for substitute notice under the HHS rules.

THE EFFECT ON STATE SECURITY BREACH NOTIFICATION LAWS

HHS has said that the HIPAA requirements do not pre-empt state notice law and that covered entities will be required to comply with both sets of laws when both are applicable. For example, where a state law requires notification within five days, HHS says notice within this period also would satisfy the new HIPAA requirements, so the two laws do not conflict. Similarly, if a state law requires additional elements be included in a notice, HHS says there would be no conflict because a covered entity could develop a notice that satisfies both laws.

STEPS FOR COVERED ENTITIES

• Establish notice procedures for a security breach response plan
• Implement systems for detecting a security breach
• Maintain a breach log
• Train workforce members on their role in responding to a security breach
• Revise business associate agreements to address security breaches
• Revise HIPAA policies and procedures regarding training, complaints, and sanctions, as applicable
• Update address lists for patients and/or plan participants to reduce the number of return notices in the event of a breach.

This is only a short review of considerations. Consultation with an attorney is advised to ensure that all matters specific to your practice have been covered. If you have further questions or if you would like to set up an appointment to discuss your practice’s protected health information needs, please contact Laura Gerdes Long, Esq.

The fact is that employee costs, and curbing those costs, are the “bottom line” for most employers. For years, employers have been struggling to control and minimize the rising costs of health care for their employees. Employers are increasingly forced to transfer health care costs to their employees through higher premiums, copayments and deductibles. Only in the past few years have employers realized that they can assist their employees in improving their overall wellness, while at the same time potentially reducing the employers’ health care costs. The methods that employers have begun experimenting with include implementing wellness programs, offering health risk assessments, and education.

Hard, Cruel Facts

Since 2000 U.S. healthcare cost increases have exceeded the overall inflation rate by a factor of two to five times. (National Coalition on Healthcare, Economic Cost Fact Sheets.)

At the same time, employees’ contributions to employer-provided health insurance have increased an average of 143%, with their out-of-pocket costs, including co-payments and deductibles, also increasing an average of 115%. Id.

Countless studies have shown that certain conditions impact employers’ costs, overall, and not only for health care.

• For example, survey findings recently reported in the Archives of Internal Medicine found that obese employee medical claim costs were seven times higher than average and those employees missed 13 times more work days. (Ostbye T., et al., Obesity and Workers’ Compensation, 167 Arch Intern. Med. 766-773 April 23, 2007).

• A study conducted by the Centers for Disease Control found that the cost increase for obese employees, combining medical costs and absenteeism,range from an additional $460.00 to $2,500.00 per employee. (Forbes, 10/05/2006, U.S. Companies Embrace Wellness Programs).

• Some estimates put the annual medical costs of smoking and the illnesses that link to it, such as cancer and heart disease, at $150 billion or more. (September 2007, HR Magazine, 115).

How wellness programs can help employers

With all of this bad news, what is an employer to do? Final federal regulations have been released for wellness programs and may provide one approach for improving employee health and potentially reducing health care costs. (71 Fed. Reg. 75014 (Dec. 13, 2006); 45 C.F.R. Part 146). These new, final rules and guidelines are detailed in the Health Insurance Portability and Accountability Act’s (HIPAA) non-discrimination and wellness program rules. These HIPAA regulations were issued, and will be enforced, by the Internal Revenue Service, the Department of  Labor, and the Department of Health and Human Services.

What is a wellness program?

A wellness program is defined as “any program designed to promote health or prevent disease.” (71 Fed. Reg. at 75035; 45 C.F.R. at § 146.121(f)). The wellness plan must make participation in the program available to all similarly situated individuals, and cannot condition a reward on an individual satisfying a standard based on a health factor. Id. For example, an employer can provide a waiver of co-payments for preventive care; reimbursement for participation in a smoking cessation program, without regard to success; rewards for attendance at monthly health education seminars; a diagnostic testing program that provides a reward for participation and does not base any part of the reward on outcomes; and reimbursement of fitness center memberships. Id.

What are some employers doing?

Wellness programs take a myriad of forms. Some wellness programs include employers providing educational materials about health choices, health risk assessments or free gym memberships. Other plans integrate a variety of elements, including nutritional counseling, screenings, use of health data to target high cost diseases, and incentives to motivate physical activity.

Recently, Guardian Insurance, in conjunction with Healthways’ Whole Health Networks, started offering programs, including complimentary nutrition coaches, tai chi, yoga and pilates, and membership fees at gyms such as Bally’s Total Fitness, in addition to discounts for weight loss programs, Jenny Craig and Weight Watchers (Forbes/2007/05/29/pilates-yoga-taichi-leadmanage-ex).

Some of the nitty gritty (the regulations, a/k/a, “boring lawyer stuff”)

Under the HIPAA prohibition against discrimination on the basis of health status, there exist eight health factors:

• health status,
• medical condition (both physical and mental),
• claims experience,
• receipt of health care,
• medical history,
• genetic information,
• evidence of insurability, and
• disability.

What this means is that employees cannot be denied eligibility or charged a higher premium based on one or more of those health factors. It is essential that the employer be aware that the HIPAA non-discrimination rules generally prohibit group health plans from discriminating against individuals based on certain health factors. In other words, a plan cannot penalize an employee who is unsuccessful in ending their nicotine habit after attending a smoking cessation program. Similarly, an employee cannot charge greater premiums to employees with a body mass index over 25.

Thus, if a wellness program conditions a reward on satisfying some standard, based on such health factors, then the
regulations require the program to meet five criteria:

• the value of the reward must not exceed 20% of the cost of employee-only coverage (or 20% of the cost of the coverage in which any employee and any dependents are enrolled);
• the program must be reasonably designed to promote health or prevent disease;
• the program must give individuals an opportunity to qualify for the reward under the program at least once per year;
• the reward must be available to all similarly situated individuals, including a reasonable alternative which must be offered to those individuals for whom it is unreasonably difficult or medically unadvisable to participate; and
• the health plan must disclose the availability of the alternative standard in any plan materials describing the terms of the wellness program.

(71 Fed. Reg. at 75036; 45 C.F.R. § 146.121(f)(2).)

As for the fifth criteria, a wellness program must include some sort of alternative standard for employees who cannot reach a particular target. Sometimes employers have to fashion alternative standards on a case-by-case basis. For example, a premium discount may be offered to employees who walk five miles per week, but there must be an alternative, such as teaching a class about cardio fitness, instead, or offering swimming opportunities.Employers may also pay for employees’ gym memberships or nutritionist services, or give policy discounts to employees who lower their cholesterol. But if an individual is genetically predisposed to having high cholesterol, and provides verification from a doctor, that individual cannot be penalized.

This “alternative method” is a common sense approach, which HIPAA requires by using a “reasonably designed” standard to balance the needs of employers to experiment with various programs to provide employees incentive to participate, while at the same time, protecting employees from plans that are mere subterfuge for discrimination. Many examples of such alternatives and the kind of language that may be used to satisfy these requirements are  included in the comments to the Federal Rules at 71 Fed. Reg. at 75036-75038.

A summary:

Thus, Wellness Programs allow for a lot of experimentation by employers while, at the same time, providing employees an opportunity to receive an offered reward for their efforts at maintaining a healthy lifestyle. Of course, other laws may intersect with various provisions of the regulations, such as the Americans With Disabilities Act (ADA). Generally, to comply with the ADA, the incentives should be voluntary, and any medical information gathered in connection with the incentive should be kept confidential and separate from the employees’ personnel records.

In summary, by following a few simple rules and sometimes thinking “outside the box” in terms of developing a program to assist your employees with creating and maintaining a healthy lifestyle, employers may gain a group of employees who are healthier, less likely to become sick, and who are, hopefully, happier. Definitely, a win-win situation for both employees and employers.

Caveat: As usual, these rules can be complicated stuff. They are not all inclusive or applicable in all contexts and, although the author is a lawyer, she is not your lawyer. So, enjoy the article, but if you are ready to jump onto the wellness parade, please consult a lawyer qualified to advise you on these matters relative to your specific situation.

View PDF

All cafeteria plans let employees pay for health coverage with pre-tax dollars, which effectively lowers the cost of coverage and may make it more affordable for employees.

Missouri House Bill 818 (new Missouri Revised Statute § 376.453) applies to employers who provide and contribute to insured health coverage. The law, however, does not apply to employers who offer health insurance through any self-insured or self-funded group health benefit plan. No penalty for non-compliance has been described in the law. Thus, any other employer providing insured health coverage, and pays any portion of the premium, must now establish a premium-only section 125 plan.

Unfortunately, state regulators have not issued any guidance yet, and the law is fairly ambiguous. There are open questions as to the size of employer affected, the application of the law to employers that are headquartered outside of Missouri, and to employers that provide both insured and self-insured plans.

Employers are cautioned to watch for State regulations and communications from their insurance carriers.

A second provision in the Missouri law, which is also unclear, permits small employers (without specifically defining “small employer”) to contribute through a cafeteria plan to the individually underwritten health benefit plan of an employee who is eligible for coverage under the employer’s plan.

View PDF

Following a motorcycle accident involving George Clooney and his girlfriend, they were seen at the Palisades Medical Center in New Jersey for their injuries. More than two dozen employees were suspended for a month, without pay, for allegedly accessing Clooney’s confidential medical records. A union representing seven of the suspended nurses said that the employees, although they looked at Clooney’s records, did not divulge any confidential information.

The interesting thing about this case is that it shows the tight link between the HIPAA Privacy and Security Rules. Due to the number of employees who allegedly, inappropriately accessed his records, it is likely that it was done by looking at electronic information—a security breach by “inside employees.” Fortunately, it appears that the hospital’s audit practices, which are required under the Security Rule, caught the breach. Unfortunately, it appears that the staff was not trained well enough to keep from inappropriately accessing the information in the first place, and apparently were not aware they could be caught and disciplined.

The case also illustrates some of the differences between privacy risks posed by paper versus electronic records. Electronic records can lead to a breach of a patient’s privacy without even having physical access to the health records. And, after a patient’s privacy is breached electronically, it can never be recovered.

Punitive Damages for Breaches of Medical Privacy

A case out of New York also serves as a cautionary tale with regard to the monetary damages that may be awarded for breaches of medical privacy.

In J. v. Long Island Surgi-Center (N.Y.A.D. 2nd Dept., September 25, 2007), a 20 year-old, unmarried woman who lived with her parents decided to terminate her pregnancy at the Long Island Surgi-Center. Since her parents disapproved of pre-marital sex and were implacably opposed to abortion, she was determined to keep her decision from them.

When she first contacted the clinic to arrange for the procedure, she provided her cell phone number and gave specific instructions never to call her at home. The day after her abortion, nevertheless, one of the clinic’s nurses telephoned the young woman’s home and spoke with the person she knew to be her mother. In the course of the conversation, the nurse revealed information sufficient to allow the mother to conclude that her daughter had had an abortion.

On appeal, the Court of Appeals held that, in the young woman’s subsequent action to recover damages for wrongful disclosure of confidential medical information under New York’s Public Health Law, the trial court was “not in error” to submit the issue of punitive damages to the jury.

View PDF

The case alleged that plaintiff was a patient at a particular medical group. Blood samples and/or records were sent to a hospital and examined by a phlebotomist. The phlebotomist revealed the results of those records at a public tavern to the plaintiff’s twin sister. The hospital admitted the phlebotomist had revealed one fact about the plaintiff, discovered from her medical records, to the plaintiff’s sister at a tavern, but also alleged that when the phlebotomist revealed the information, she was not acting within the scope of her employment with hospital. Although HIPAA does not provide a private cause of action, in Illinois a common-law right-of privacy cause of action existed for the doctor’s violation of plaintiff’s right to privacy.

The court held that the question whether the phlebotomist was acting in the scope of her employment with the hospital was a question for the jury. The court went on to note, however, that the defendant hospital and employee had a duty not to disclose confidential information, without limitation as to time or place.

The court reasoned that the “hospital’s training of its employees did not limit the duty of the employee to maintain confidentiality of patients’ medical information only during working hours. Rather, that duty, imposed by the hospital in its execution of its duties, was, according to its own training, to extend to all times and to all places. In effect, for purposes of patient confidentiality, [the phlebotomist] was on duty 24 hours a day, 7 days a week.” Thus, the defendant had a continuing off-shift duty to maintain the confidentiality of patient records. This duty derived not only from the hospital’s rules of employment, but also from the patient’s right to privacy.

The court further included employees of lawyers, therapists, and other employers who maintain confidential information, as examples of other workers who have a constant duty to keep confidentiality.

View PDF

In Missouri, patient records under the care, custody and control of a medical licensee must be maintained for a minimum of seven years from the date of when the last professional service was provided. (R.S.Mo. § 334.097).

If selling a practice, a series of steps must be accomplished when notifying patients of the sale, including notifying the patient of the process for obtaining a copy of medical records and the potential need for the written authorization before medical records can be transferred to another provider. Moreover, under HIPAA, a specific authorization is required for the release of information considered sensitive, such as HIV/AIDS status, psychiatric history, drug or alcohol abuse, or sexual abuse.

Since the physical record is considered the property of the practice and the information in the record is considered the property of the patient, a practitioner who is leaving one practice to go to another should not simply take the records with him of those patients who will continue in his or her care.

For instance, if a practice is dissolved, a custodian of patient records may have to be located and a business associate agreement obtained requiring that custodian or receiving physician to respect the confidentiality of the records in accordance with HIPAA. The state medical board or department of health should also be notified where the records are being stored in case patients, at some point in the future, need to access their records if the former physician or custodian cannot be located.

In addition, the Code of Ethics of the American Medical Association at E-7.03 provides similarly. Patients should initially be notified and informed that upon authorization, their records will be sent to their choice of physician. Any records not forwarded to a new physician should be retained, either by the treating physician, another physician, or such other person lawfully permitted to act as a custodian of the records. If the physician is leaving a group practice, after notification, the patients should also be informed of the physician’s new address and offered the opportunity to have their medical records forwarded to the departing physician at his or her new practice location. The Code warns that it is unethical to withhold such information upon request of a patient.

In the case of a retiring physician, it may be most practical to transfer the records to a hospital. The hospital should agree to treat the records as if they were their own for HIPAA purposes and only transfer the records to another physician upon the patient’s written authorization. Essentially, the hospital becomes a business associate of the retiring physician and is subject to the business associate requirements of HIPAA.

As you can see, many issues and precautions must be taken into account when a physician retires, moves from an existing practice, or sells a practice with regard to patient records.

View PDF

For the small employer, however, these kinds of decisions must be addressed by management, who may not always be experienced in the nuances of human resource law. In essence, three files should be maintained for each employee:

1. The personnel file contains new hire and termination information, change forms, performance documentation and miscellaneous information such as requests to inspect employee files, underemployment claims, training courses, and achievements.

2. The confidential file contains information such as references, background investigations, financial obligations, settlement agreements, and EEO data. Information not specifically related to employee wage and hour status or job performance should be scrutinized to determine whether it reveals any private facts about an individual. If it does, it should be placed in this file rather than the Personnel File. This could include:

• health-related documentation (not related to the health plan), e.g., injury reports, requests for reasonable accommodation, FMLA forms, fitness for duty, post-offer medical information, workers’ compensation injury forms and reports, disability leave documentation, and self-identification of disability;
• financial information, including W-4’s (federal and state), direct deposit authorization, payroll corrections, requests for verification of employment, wage attachments, credit reports, and retiree insurance premium agreements; and
• miscellaneous information, including settlement, arbitration and dispute agreements and decisions; EEO complaints or other information; investigation interview notes; grievances; affirmative action; reference and background check forms; interview evaluation, skills or personality tests, funeral and jury duty notices.

3. The Confidential Protected Health Information (“PHI”) file, includes all the information pertaining to the health plan(s) offered by the employer, including, self-insured health plans, flexible spending accounts (for medical and prescription) and cafeteria plans:

• benefits enrollment forms;
• benefits change forms;
• benefits claim forms;
• dependent and beneficiary designations;
• insurance waivers;
• open enrollment forms;
• COBRA documentation;
• health care provider certification;
• voluntary medical information; and
• authorization to release information (preemployment).

Drug and alcohol tests should be filed in a separate binder, not with any other information, segregated by current and separated status. Form I-9′s should also be filed in a separate binder, segregated by current and separated status.

View PDF