
Implementing International Medical Providers Into The U.S. Workers' Compensation System, Part 4

This is Part 4 of a multi-part series on legal barriers to implementing international providers into Medical Provider Networks for workers' compensation. Previous articles in the series can be found here: Part 1, Part 2, and Part 3. Subsequent articles in the series will be forthcoming soon.

Workers Compensation And The Legal Barriers To Medical Tourism
The parallels between rising health care costs and workers' compensation medical costs are no coincidence, since workers' compensation is a subset of the health care system.

The average workers' compensation medical cost per lost-time claim (in which the worker has lost more than seven days from work) in 2008, as previously stated in this series, was $26,000, which is a 6% increase from 2007. In addition, medical costs in 2008 were 58% of total claims.62 63 Approximately 40% of workers' compensation costs are associated with medical and rehabilitative treatment. Medical costs for workers' compensation fluctuated in the 1980's and 1990's, rose again in the last decade, and in 2002 totaled $41.7 billion annually.64

As with health care, states have experimented with different ways to reduce workers' compensation costs. Former California Governor Arnold Schwarzenegger made workers' compensation reform a part of his legislative program.65 Some of the same strategies applied to health care have been tried with workers' compensation: utilization management of workers' compensation medical services, restricted networks of designated physicians, case management, mandatory treatment guidelines, and hospital payment regulations.66 The introduction of DRG's for hospital payments and of ICD-9 and CPT codes for provider payments in health care in the 1980's also impacted workers' compensation, as insurance companies began to use them.

This has led some to believe that there is a place for medical tourism in workers' compensation.

Merrell: “… Can you see a role of medical tourism in workers' compensation injury?”

Ludwick: “I could, if it were a long-term issue. Many workers' comp issues are emergent, so that would take out the medical tourism aspect. However, if it was a long-range issue, I could see us involving workmen's comp issues into that, or problems.”

Lazzaro: “I would support that. I don't know the incidence, for example, of some of the orthopedic procedures that are non-emergent, such as knee or hip replacement, which would fall under workmen's comp. But theoretically, a case could be made for that …”

Merrell: “I was thinking about it in terms of the chronic back injury and the repetitive action injuries and hernia that are in the workers' compensation area. An acute injury on the job would probably not be at issue, but a work-associated problem with a potentially surgical solution might be a matter for medical tourism.”67

The savings from medical tourism mentioned in Part 1 of this series are even more relevant to workers' compensation. As Lazzaro and Merrell discussed above, knee and hip replacement, as well as chronic back and repetitive action injuries and hernia are just some of the work-related injuries that can benefit from medical tourism. Table 1 lists three of the most common procedures performed and the costs of each in the U.S. and three countries that cater to medical tourists.68

Cost Comparison of Common Procedures
*Retail and insurer costs are mid-point between high and low ranges.
**U.S. rates include one day hospitalization; international rates include airfare, hospital and hotel.69

Given the data presented here, one could conclude that implementing medical tourism into workers' compensation is a logical solution to rising medical costs for workers' compensation, and should be seriously considered. However, there are legal barriers to accomplishing this.

One of the most obvious legal barriers to implementing medical tourism into workers' compensation lies in the provisions of State workers' compensation laws that establish who can provide medical care to injured workers. In four of the largest workers' compensation states — California, Florida, New York and Texas — medical providers must be licensed by the state to practice medicine.70 71 72 73 Florida's statutes have a provision to allow certain foreign-trained physicians to practice in the state, but do not mention treatment outside of the state.74

On the other hand, two states, Oregon and Washington State, both have statutes or rules that allow workers to choose an attending doctor or physician in another country. Oregon's labor code states, “… The worker also may choose an attending doctor or physician in another country or in any other state or territory or possession of the United States with the prior approval of the insurer or self-insured employer.”75

The WA State Department of Labor and Industries has a page on their website that allows workers to find an attending practitioner in the U.S., Canada, Mexico and Other countries. The webpage allows the worker to search for a U.S. physician by entering a zip code, miles, doctor or provider type, and specialty.76 Workers seeking physicians in Canada, Mexico and Other countries, such as England, Germany, Honduras, New Zealand, the Philippines, Spain, Thailand and Ukraine, are directed to .pdf files that list selected doctors and their specialties and contact information.77

Other barriers to medical tourism result from entrenched interest groups wishing to avoid competition with low-cost providers78 79 and from outdated federal and state laws intended to protect consumers, but which only increase costs and reduce convenience.80 81 Additionally, state and federal regulations restrict public providers from outsourcing certain expensive medical procedures.82 83 Federal laws inhibit collaboration84, and state licensing laws prevent certain medical tasks from being performed by providers in other countries.85 86 Foreign physicians lack the authority to order tests, initiate therapies and prescribe drugs that U.S. pharmacies are able to dispense.87 88

Some restrictions on the practice of medicine have been removed, but many still exist. Some laws, for example, make it illegal for a physician to consult with a patient online without an initial face-to-face meeting; it is illegal for a physician who is outside the state and who has examined the patient in person to continue treating via the Internet after the patient goes home; and it is illegal (in most states) for a physician outside that state to consult by phone with the patient residing in that state if the physician is not licensed to practice there.89 90

Other barriers or potential barriers, some of them extremely important, must also be addressed before medical tourism is accepted for workers' compensation. Issues regarding medical malpractice and liability laws overseas, patient privacy and medical record laws (including the Health Insurance Portability and Accountability Act of 1996), the Employee Retirement Income Security Act of 1974 and the impact of the Patient Protection and Affordable Care Act of 2010 have to be dealt with before medical tourism is a viable option not only for non-compensation patients, but for compensation patients as well. Some of these issues will be spelled out in the next article in this series.

62 Barry Llewellyn, (2009, September). Workers' Compensation Medical Cost Issues. Casualty Loss Reserve Seminar (presented at the meeting of the Casualty Actuary Society (CAS), Chicago, Illinois, September 14, 2009).

63 Dennis C. Mealy, (2009, May). State of the Workers' Compensation Line. (Presented at the meeting of the Annual Issues Symposium at the National Council on Compensation Insurance, Boca Raton, Florida, May 7, 2009). Figures shown in the 2009 report for 2008 were adjusted in later years, so that in the latest report, the average medical claim cost per lost-time claims in 2008 was $255,000, as shown in Figure 1 of Part 1 of this series.

64 Facts in Brief, “Workers' Compensation Medical Care: Controlling Costs”, University of Massachusetts, Worcester, (2002).

65 California Healthcare Foundation, “Schwarzenegger Signs Workers' Compensation Reform Bill,” California Healthline, (April 20, 2004), accessed February 22, 2011.

66 University of Massachusetts, Worcester, (2002).

67 Ronald C. Merrell, et al., Roundtable Discussion, Medical Tourism, Telemedicine and e-Health, (January/February 2008), 16.

68 Herrick, Table 1, The Cost of Medical Procedures in Selected Countries (in U.S. dollars), 11.

69 Ibid, 11.

70 CA Labor Code, § 3209.3 (a) (2010).

71 FL Statutes, Title XXXI, Chap. 440.13, (1)(q) (2010).

72 NY Workers' Compensation Laws, Art. 2, § 13-b (2010).

73 TX Labor Code, Title 5, Subtitle A, Chap. 401, Subchapter B, § 401.011 (17) (2005).

74 FL Statutes, Title XXXII, Chap. 458.3124.

75 Oregon Labor Codes §656.245 (2)(a).

76 WA Dept. of Labor and Industries website, (2012).

77 Ibid, see http://www.lni.wa.gov/ClaimsIns/Claims/FindaDoc/FadMexico.pdf, http://www.lni.wa.gov/ClaimsIns/Claims/FindaDoc/FadCanada.pdf, http://www.lni.wa.gov/ClaimsIns/Claims/FindaDoc/FadOtherCountries.pdf

78 Herrick, 23.

79 Longe, 21.

80 Herrick, 23.

81 Longe, 21.

82 Herrick, 23.

83 Longe, 21.

84 Ibid, 21.

85 Herrick, 24.

86 Longe, 22.

87 Herrick, 24.

88 Longe, 21.

89 Herrick, 24.

90 Longe, 22.

Privacy Enforcement In The Healthcare Arena

The Exposure
Organizations that deal with private health information (PHI) should know how to properly handle such data in the absence of a breach as well as how to respond after a breach occurs. According to the 2011 Computer Security Institute Crime and Security Survey, 97% of organizations report using anti-virus software, 95% use firewalls, 85% use anti-spyware software, 66% use data encryption and 62% use intrusion detection systems.

The Open Security Foundation’s website, www.datalossdb.org, shows that despite taking meaningful steps to prevent security breaches, healthcare organizations accounted for 18% of the 1,032 data breaches reported in 2011 and 15% of all time. Further, according to the Ponemon Institute’s 2011 Cost of Breach Study, the per capita costs of a breach for healthcare organizations average around $240 per record. When compared to retail, which averages $174 per record, education which averages $142 per record, and an average of $194 per record for all industries, healthcare organizations clearly have cause to be concerned about breach response expenses.

A healthcare organization or business associate1 should also be aware of the increased standards that have been imposed by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), the Privacy Rule and the Security Rule. One aspect of the Health Information Technology for Economic and Clinical Health Act that may surprise many is the potential for the Office of Civil Rights (OCR) to fine an organization in the absence of a breach.

In 2012, the Office of Civil Rights will conduct 150 audits of Covered Entities. If material security weaknesses are reported, a formal compliance review will follow. If that review uncovers blatant security violations, civil monetary fines could follow. Enforcement action around data breaches has been on the rise, and fines and penalties are being levied more frequently than in the past. The Department of Health & Human Services (DHHS) posts examples of resolutions including fines on their website. These initial audits are likely only the beginning of expanding regulatory oversight related to private health information.

Theodore Kobus III of Baker & Hostetler LLP, one of the national leaders of their Privacy, Security and Social Media Practice, advises the following regarding the current regulatory environment:

Data security extends beyond breach response and we are seeing an increasing number of regulatory investigations and fines stemming from how an organization responds to changes in its risks. A big part of being prepared includes understanding the nature and scope of the information you hold and how that data needs to be protected as risks in the organization evolve. For example, if you store data in an area that was once monitored by a security guard, but that area is now unoccupied, you may want to consider implementing other security measures.

Reducing The Exposure
In a previous article regarding lost laptops, we provided basic tips for handling a privacy breach.

With the type and volume of private health information that organizations in the healthcare arena touch, they are expected to take even more comprehensive steps to anticipate, prevent, respond to, and survive a breach. While many organizations are large enough to have entire departments dedicated to this issue, the complexity of the privacy laws means that, regardless of the organization’s ability to dedicate resources, it is important to work with legal counsel that is solely focused on privacy related issues. Similarly, healthcare providers should also seek out specialized network security risk management providers who can help answer important questions like:

  • Am I prepared to show that I took the proper steps before a data breach occurred?
  • Do I have an effective incident response plan in place when there is a problem?
  • Am I protecting digital records as well as paper records under the requirements of the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act?
  • Are my vendors and business associates also in compliance with the proper standards?

Many insurers have existing relationships with computer forensic firms, notification vendors, credit monitoring providers, legal forensic firms, public relations firms and others to help navigate the huge distractions following a data breach. To this end, we have seen insureds purchase cyberliability coverage solely for the value-added services provided by the insurer. Many of these buyers feel that they can afford a security breach, but that they don’t have the time to line up all the necessary critical response vendors if a breach occurs.

Neeraj Sahni of Kroll Advisory Solutions points out:

The ease of access to electronic data, anywhere-anytime, makes security a challenge as negligence leads to recurring data breaches. Preventive preparation is the most important loss control mechanism for any organization that has sensitive data. Thus waiting for a breach to occur is reactive and may incur more liability for any company. An incident response plan potentially helps lessen the impact of a breach. Also note, being compliant with security and privacy regulations does not provide assurance to an organization against a data breach.

Contractual Risk Transfer May Not Be Enough
Contracts with business associates and other trading partners may be part of the solution, but not the whole solution, as observed by Theodore Kobus III:

Many organizations think that a contract shifting liability to a third party is all that you need to protect the organization in the event that a vendor causes a breach. This type of protection is good, but it does not solve all of the organization’s issues. Notwithstanding the public relations issues the organization may face after a breach by a vendor, laws such as HITECH and various state laws still hold the organization who owns the data ultimately responsible for the breach. Another consideration about shifting all responsibility for a breach to the vendor is the lack of control about the messaging after a breach occurs. Remember, even though the vendor may have caused the breach, these are still your customers and your reputation is at risk.

Mr. Kobus brings up a dangerous situation. If a healthcare provider has fully shifted post-breach responsibilities to a vendor that caused the breach, the treatment of its customers or patients is in the hands of the vendor. To shift financial responsibility is one thing, but the provision of post-breach services such as call centers and identity/credit services should remain in the healthcare provider’s control. When it comes to the handling of an organization’s reputation, the preferred approach is to proactively protect its reputation rather than scramble to restore it after a poorly handled data breach.

The Right Insurance To Survive A Breach
Healthcare providers and business associates should have their own policy to protect their organization. The company’s own employees are a significant cause of data breaches, as are external hacks. The organization will not be able to unfailingly transfer that risk to other parties.

Organizations should also ensure their vendors have the financial assets or insurance to back up their contractual promises. If an entity is going to rely on a third party vendor to hold on to private health information for which they are responsible, they should be reviewing the vendor’s professional liability insurance rather than just asking if they have a policy.

Types Of Risk Transfer Vehicles
Cyberliability is the generic description of the type of policy healthcare organizations will need. In a prior article, we went into some detail about what is available. Here are some of the typical insuring agreements in a Cyberliability policy:

  • 1st Party Business Interruption — Covers lost business income in the event a virus infection or hacker shuts down your network.
  • 1st Party Data Asset — Covers the expense to recover lost data and other expenses.
  • Cyberextortion — Covers expenses and ransom if a hacker threatens your network or data.
  • 3rd Party Network Security — Covers your liability when hackers use your system to inflict damage on others.
  • 1st Party Privacy
    • Notification Expenses — When data is lost, you must notify all potential victims within a very brief period of time and in accordance with the state laws where the potential victims reside.
    • Forensic Expenses — The insurer will cover the expenses associated with bringing in computer experts to determine the cause of a breach and list of potential victims. Some insurers also cover legal forensic experts.
    • Credit Monitoring — The insurer may cover one to two years of credit monitoring services for those exposed.
    • Credit or Identity Repair Services — The insurer will cover the expenses for up to one year to restore compromised identities and repair a victim’s credit rating following an actual identity theft.
    • Crisis Management — Public Relations expense coverage to protect the image of the organization.
  • Regulatory Defense and Expenses — Many new regulations exist related to the protection of confidential data. The insurance will provide defense cost coverage and in many cases cover fines, penalties and restitution funds levied by a regulatory body, where insurable. This coverage is designed to help healthcare organizations respond to actions brought by state agencies, state attorneys general, the Department of Health and Human Services, the Office of Civil Rights and other regulatory agencies.

There are now more than 30 different insurers with dedicated cyberliability policies, and no two insuring agreements are the same. It is important to be diligent in making sure the coverage sought is the coverage bought.

Conclusion
The current regulatory oversight and monetary implications surrounding a loss of private health information mean that firms in the healthcare arena should be more aware than most of privacy enforcement and how to protect their clients, constituents, reputation, and organization.

1 A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. A member of the covered entity’s workforce is not a business associate. (For more information, see hhs.gov.)