Workforce training and increased security can help radiology practices navigate the legal landscape while continuing to deliver high-quality care, according to a presentation given August 3 at the 2021 AHRA meeting in Nashville, TN.
In their presentation, Clinton Mikel and Adrienne Dresevic from the Health Law Partners went through some of the regulatory changes in health and medicine that occurred before and during the COVID-19 pandemic, including how the pandemic caused temporary waivers to take effect.
"It's really a daunting task to keep up with these things," Mikel said. "Candidly, even with some of the larger (medical) groups, they're not yet large enough that they've got dedicated regulatory counsel. Healthcare law is second only really to the nuclear industry in the amount of regulation it has for the state and federal levels. It's very daunting."
With medical care increasingly relying on digital resources, Mikel and Dresevic said it's important to make sure medical networks are secured against cyberattacks and that devices are patched so they stay up-to-date and accurate, thus protecting patients' HIPAA rights. A 2020 study by IBM and the Ponemon Institute showed breaches cost the U.S. healthcare industry approximately $8.6 million per breach in 2020, a roughly 10% increase from the average cost per breach in 2019.
An executive order signed by the Biden administration this year issued multiple directives to bolster the U.S. government's response to cybersecurity vulnerabilities and incidents.
Mikel said that through workforce training in best practices, radiologists can help protect data from ransomware schemes, phishing, and data theft. Some steps to protect networks include implementing email and endpoint protection systems, backing up data, being skeptical toward suspicious emails, and incident response planning.
"You'd be amazed at the amount of low-hanging fruit that people don't implement from a healthcare regulatory perspective that would prevent some of these data breaches," Mikel said. "If training your workforce was the only thing that was done, we'd be 70% away to eliminating some of these problems."
Having knowledge of fraud and abuse laws is also important for radiologists, presenters said. In their talk, Mikel and Dresevic spent the most time discussing the Physician Self-Referral Law (Stark law) and the Anti-Kickback Statute.
The Stark Law prevents physicians from referring Medicare patients for certain specified designated health services, such as health imaging or radiation therapy, to an entity with which the physician or an immediate family member has a financial relationship, unless an exception applies. Case law suggests that the Stark law applies to Medicaid through application of the False Claims Act, the presenters said.
One Stark Law update Mikel and Dresevic pointed out is that group practices must first aggregate their designated health service profits before making any profit-based payments. Another update to the law clarifies that productivity bonuses may continue to be paid to a group practice's physicians based on services personally performed. Both updates take effect on January 1, 2022.
Some requirements were temporarily waived during the pandemic, such as referral for in-office ancillary services or remuneration from an entity to a physician that is above or below fair market value.
"It just illustrates the complexity of what the government gives or takes in terms of regulation," Mikel said.
The Anti-Kickback Statute prohibits the exchange of anything of value to induce the referral of business reimbursable by federal healthcare programs. The presenters said the statute applies "much more broadly" than the Stark law.
One update to the statute includes revision of the Personal Services Safe Harbor to no longer require aggregate compensation under a personal service arrangement to be set in advance. The prior requirement that a personal service arrangement must specify the schedule, length, and exact charge has been eliminated.
The safe harbor also now protects nonmonetary service payments consisting of cybersecurity technology and services that are necessary and used for cybersecurity.