Medical Staff By-laws are Contracts? Minnesota Supreme Court Says “Yes”

That sound you just heard was the simultaneous gasp of hospital boards of directors throughout the state of Minnesota. In Medical Staff of Avera Marshall Regional Medical Center v. Avera Marshall, Minnesota’s highest court made two holdings that strengthened the autonomy of physicians and may shed light as to how courts may interpret medical staff by-laws in the future.

In the case at hand, the medical staff by-laws of Avera Marshall Regional Medical Center (“Avera Marshall”) included a provision that required a two-thirds vote of the eligible voting members (which included the medical staff) to revise or repeal the medical staff by-laws. Any changes to the by-laws approved by vote of the medical staff were still subject to the approval of the Board of Directors (“board”). The by-laws were silent, however, on whether actions of the board concerning revision of the by-laws required approval by the other voting members.

In January of 2012, the board notified the medical staff that it had approved both a repeal of the current by-laws and a replacement with new ones. It also eTeam Of Expert Doctors Examining Medical Reports at Hospitalssentially suggested that it would ignore the input of the medical staff as a body. The Medical Executive Committee reviewed the new by-laws and came to the conclusion that the rights of the medical staff and its ability to maintain quality patient care would be restricted under the new provisions. The medical staff then held a vote under the provision of the former by-laws, explicitly rejecting the repeal of the old set and the enactment of the new set. This, however, didn’t stop the new by-laws from taking effect, so the medical staff sued Avera Marshall.

Two issues ultimately came before the Minnesota Supremes: 1. Whether the medical staff had standing to sue the hospital, and 2. Whether the medical by-laws constitute a contract between the Avery Marshall and the medical staff.

The court answered both questions in the affirmative. The court first ruled that the medical staff is an unincorporated association that has standing to sue the hospital under Minnesota law. The second, and potentially the most instructive, held that the medical staff by-laws are enforceable as an implied contract.

This case is a clear win for physicians and medical staff, but it may have the most profound effects in the case of newly-acquired hospitals, such as in the present case. Avera had acquired the Avera Marshall Regional Medical Center in 2009, but the medical staff by-laws had been in effect since 1995. Jurisdictions are still split as to whether medical staff by-laws constitute a contract, but Minnesota just added another “Yes” to the pile. Kentucky law is still unsettled as to the matter, so Kentucky boards of directors and medical staff should cast a wary eye on the outcome of this case.

For more information on how medical staff by-laws could be interpreted as a contract, please contact the attorneys of McBrayer.

Molly LewisMolly Nicol Lewis is an Associate of McBrayer, McGinnis, Leslie & Kirkland, PLLC.  Ms. Lewis concentrates her practice in healthcare law and is located in the firm’s Lexington office. She can be reached at or at (859) 231-8780. 

This article is intended as a summary of federal and state law and does not constitute legal advice.

Leave a comment

The Importance of HPSA and MUA Designation

Rural communities in Kentucky are still largely underserved by health care providers. With the expanded range of Medicaid and Medicare services now available as a result of the Patient Protection and Affordable Care Act (“ACA”), rural health care infrastructure needs a shot in the arm to meet the demand. Fortunately, several programs exist to incentivize the provision of rural health care, and Kentucky providers in underserved areas should begin taking advantage of them.

Mother with girl being examined by female pediatrician in clinicThe Health Resources and Services Administration (“HRSA”) has the ability to designate certain areas as a Health Professional Shortage Area (“HPSA”) or a Medically-Underserved Area (“MUA”). Providers in these areas of critical shortage can qualify as either a Federally Qualified Health Center (“FQHC”) or a Rural Health Clinic (“RHC”). The main difference between these two types of entities is that the FQHC designation only applies to non-profits, whereas an RHC is for profit. Both types of providers are eligible for enhanced Medicare payments based on costs. There are a whole host of other incentives to bolster the health care workforce and rural practices in HPSAs and MUAs, including loan repayment and scholarships.

The catch for these benefits is, however, that the RHC or FQHC must be located within a HPSA and MUA that has been designated by HRSA within the past four years. This may be a high hurdle, as some designations date to 1976. Before applying to become an RHC or FQHC, health clinics may first need to get an updated designation from HRSA that the area or population is underserved. In Kentucky, this is done through the office of the Inspector General of the Cabinet for Health and Family Services.

The benefits of these designations are too good to leave on the table, so rural practices should begin the qualification and designation process immediately if they haven’t already done so. Please contact the attorneys of McBrayer for help and guidance through the HRSA designation process or for more information on the benefits of HPSA and MUA designation.

Gina M. Riddell, MPA, is a Research and Compliance Analyst of McBrayer, McGinnis, Leslie & Kirkland, PLLC. Ms. Riddell concentrates her practice in healthcare law and is located in the firm’s Lexington office. She can be reached at  or at (859) 231-8780.

This article is intended as a summary of federal and state law and does not constitute legal advice.

Leave a comment

HIPAA and “Meaningful Use” Audits: Issues to Consider and How to Prepare

As more and more providers adopt electronic health records (“EHRs”) systems (and with new regulations concerning their required use for purposes of Medicare billing for chronic care management, their popularity can only continue to grow), a myriad of compliance issues continue to surround them. To that end, the federal government has stepped up auditing programs to ensure compliance with HIPAA/HITECH as well as making sure taxpayer money has been invested wisely through the Meaningful Use program. The bent of these audit programs is clearly along the lines that applicable covered entities and business associates should be preparing with a “when” mindset, rather than “if,” as these audits are going to happen.


The Department of Health and Human Services’ Office for Civil Rights (“OCR”) has been the enforcement authority for HIPAA since 2003, but it was the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”) that began requiring the OCR to perform periodic audits of covered entities and business associates for compliance with HIPAA security rules. The OCR launched an audit pilot program in 2011, which found that 58 of 59 providers audited has at least one negative security finding or observation, and there was no complete and accurate risk assessment in two-thirds of the audited entities. These numbers should immediately give covered entities and business associates a serious moment of pause: the vast majority of audited entities were not in full compliance with the HIPAA Security Rule. Scarier yet, the most common non-compliance finding of the audits was that the entities audited were “unaware of the requirement”. OCR determined that the non-compliance in these cases wasn’t based on confusion surrounding the rules – most of these findings were about “elements of the Rules that explicitly state what a covered entity must do to comply.” The entities with the most trouble complying with the Rules were smaller entities – those with assets of $50 million or less. This audit program and the early findings should be a wake-up call for any entities to which HIPAA protections apply, but especially small ones.

After evaluating the audit process through the 2011 pilot program, the OCR created an audit protocol that contains the requirements assessed through these audits, available online. In 2014, the OCR began a new round of audits designed to test and evaluate the new audit protocol, focused heavily on compliance with the Security Rule. So, in light of the ramping up of the OCR audit program, what should applicable entities do?

  • The first thing that any covered entity or business associate should do is take a hard second look at HIPAA Privacy, Security and Breach Notification Rules. As stated above, a great many of the findings were attributable to the entity being unaware of a clearly-stated rule.
  • Review every bit of guidance available from federal oversight agencies as to best practices and compliance issues. Read Resolutions Agreements on the OCR website to discover which issues have tripped up other entities so that your organization doesn’t make the same mistakes. Review the OCR audit protocol, as it gives detail and insight into how the OCR conducts audits.
  • Bring your organization into compliance before there’s an audit. If your organization has not conducted a Security Risk Assessment (“SRA”), do so. This is a key element of Security Rule compliance, as well as a necessity for Meaningful Use requirements (which will be explored in the next post). This SRA will highlight whether or not the entity has implemented security measures to sufficiently safeguard electronic health information, and should be done whenever technology within the entity changes.
  • Train your staff. The most advanced and secure technology in the world can’t overcome an employee who isn’t properly trained in compliance with the Privacy Rule. Training doesn’t have to be painful, but make it thorough and easily understandable.

Meaningful Use Audits

Meaningful Use, of course, is shorthand for the incentive program for eligible health care providers to impleBusinessman Calculating Taxes At Deskment or upgrade electronic health record (“EHR”) technology to demonstrate the meaningful use of such technology. The Medicare HER incentive program is administered through the Centers for Medicare & Medicaid Services (“CMS”), and eligible professionals (“EPs”) can receive up to $44,000 (eligible hospitals (“EHs”) can receive a base payment of $2 million). CMS reported that, by April 2012, $4.5 billion had been dispensed through the program. That year, CMS began conducting post-payment audits, and any EP or EH that received money under the program may be the subject of an audit.

A CMS Meaningful Use audit begins as a desk audit of submitted information, although it can escalate to a site review if necessary. The audit reviews compliance with Meaningful Use requirements for the reporting year and stage of implementation. The harsh reality of these audits is this: if an entity that has received payment under the program fails to meet even a single requirement, the entire incentive payment must be returned. This crucially important fact must be reiterated: failure to meet every single Meaningful Use requirement results in the entire incentive payment being forfeited, long after the costs of the EHR technology have been paid using those incentive funds.

Not only does the failure to comply with Meaningful Use requirements require forfeiture of incentive payments, the knowing noncompliance can also invoke the Federal False Claims Act. Payments under the program can be considered overpayments if the recipient had reason to know that it was not in compliance. Overpayments held for more than sixty days after being identified as such trigger False Claims provisions.

So what should EPs and EHs do to ward off the specter of an unfavorable audit?

  • As with HIPAA audits, the first thing EPs or EHs should do is review the rules themselves. Review relevant statutes, regulations and CMS guidance on audits.
  • The easiest requirement for recipients to check compliance with is the certification of the EHR system itself – the Office of the National Coordinator for Health Information Technology keeps a list on its website.
  • Keep all documentation for at least six years. The EHR should have this capability, but find other ways to document if it does not.
  • Also, as with HIPAA audits, the best thing an entity can do is make every possible move to come into full compliance as early as possible – don’t wait until the threat of an audit looms, as mere knowledge of non-compliance can create liability under the Federal False Claims Act. Consult an attorney and begin a compliance checklist.

Finally, the intersection of Meaningful Use and the HIPAA audits discussed in the prior post is this: BOTH laws/programs require a Security Risk Assessment. As two-thirds of entities initially audited under HIPAA Security, Privacy and Breach Notification Rules had not actually conducted one, it becomes clear that many, if not most, entities are not taking these provisions seriously at their own peril. There is no doubt at this point that EVERY entity that must comply with HIPAA rules and that has received payment as Meaningful Use incentives needs to complete a Security Risk Assessment as soon as possible or face severe penalties. With the initial audits showing a shocking lack of compliance, it’s clear that increased oversight through an expanding regime of audits will be the new reality for health care providers. Compliance should be a primary concern, not an afterthought.

If your organization has questions or would like more information about compliance with HIPAA or Meaningful Use programs, consult the attorneys at McBrayer for guidance.

Chris Shaughnessy Christopher J. Shaughnessy is an attorney at McBrayer, McGinnis, Leslie & Kirkland, PLLC.  Mr. Shaughnessy concentrates his practice area in health care law and is located in the firm’s Lexington office.  He can be reached at or at (859) 231-8780. 

This article is intended as a summary of federal and state law activities and does not constitute legal advice.

Leave a comment

What the Anthem Cyberattack Means for the Health Care Industry

Unfortunately, account hacks and data breaches are nothing new. Every day, we hear reports of hackers compromising networks and their protected data. When it happens on a massive scale to a powerful player in the health insurance industry, however, all health care entities should sit up and take note. On February 4, 2015, Anthem Inc. (“Anthem”), the second largest health insurance company in America, admitted that hackers compromised the company’s network and stole the information of up to 80 million customers. This may be the largest health-related data breach in history.

Anthem claims that member data such as names, birthdays, social security numbers, and addresses were stolen. Because the breach of medical information triggers specific provisions of the federal Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), it is prudent following such an incident for professionals in the health care industry to review HIPAA’s security and notification requirements. A case study of HIPAA’s application to Anthem may prove useful in such a review. First, as a health insurer, Anthem is considered a ‘covered entity’ pursuant to HIPAA and as such must comply with certain privacy rules when dealing with the protected health information of its members. Protected health information (“PHI”) is information that relates to an individual’s past, present or future health or condition; the provision of health care to the individual; or any payment for provision of health care to the individual. This information either identifies the individual or provides a reasonable basis to belief that it can be used to identify the individual. Covered entities are required to implement certain technical safeguards to protect PHI as prescribed by HIPAA, which provides standards for access and audit controls, the integrity and authentication of data, and transmission security. Any improper use or disclosure of PHI is presumed to be a data breach unless the covered entity can demonstrate that there is a low probability that the PHI has been compromised based on an internal risk assessment.

HackerIf any of the data stolen in its recent breach qualifies as PHI, Anthem is required to provide written notice of the breach to individuals whose data may have been affected via first-class mail, or e-mail if the individual has agreed to receive notices electronically. If Anthem’s contact information for at least ten of its members is out-of-date, notice must also be posted on its webpage for ninety (90) days or published in major print or broadcast media where the affected individuals reside. If more than 500 residents of a state or jurisdiction are affected, notice must be provided to major media outlets in the area (usually through a press release). Such notice must be provided without reasonable delay (no later than sixty (60) days after discovery of the breach) and must include a description of the breach, the PHI involved, how members may protect themselves from harm resulting from the breach, and steps that Anthem is taking to investigate the breach and prevent future incidents. In addition, Anthem must give notice to the U.S. Secretary for Health and Human Services.

For information on how HIPAA and cybersecurity operate hand-in-hand, as well as how to mitigate the potential effects of a data breach, contact your McBrayer health care attorney today.

Anne-Tyler MorganAnne-Tyler Morgan is an Associate of McBrayer, McGinnis, Leslie & Kirkland, PLLC.  Ms. Morgan concentrates her practice in healthcare law and is located in the firm’s Lexington office. She can be reached at or at (859) 231-8780. 

This article is intended as a summary of federal and state law and does not constitute legal advice.

Leave a comment

Quality Over Quantity: The Shift from Fee-for-Service to Value-Based Payment Systems

The United States Department for Health and Human Services (“HHS”) recently announced its intention to tie thirty percent of fee-for-service Medicare payments to alternative and value-based payment models by 2016. HHS hopes to increase that amount to fifty percent by the end of 2018. Currently, up to twenty percent of payments are made through alternative models, a substantial increase in a short amount of time since almost no payments were made through alternative models as recently as 2011. Two days after HHS’ announcement, a group of key health care industry stakeholders announced the formation of the Health Care Transformation Task Force, a new industry consortium making a public commitment to transition seventy-five percent of its business between now and 2020 to value-based arrangements. These developments demonstrate the shift from fee-for-service payments based on quantity of work regardless of outcome and signals a larger trend to seek quality over quantity. With the seemingly meteoric rise of value-based care, it is important to understand the ramifications of alternative payment models within the health care industry as a whole.

Perhaps the most visible component of the rise of value-based payment models is the Accountable Care Organization (“ACO”). ACOs have been inspired by the Patient Protection and Affordable Care Act (“PPACA”) to coordinate care in order to reduce the overall cost of health care. These organizatioCaduceus Medical Symbol Chromens hold providers accountable for patient health through measured quality targets and incentivize them to streamline the health care process through mutual cooperation. Those ACOs that are ultimately able to avoid unnecessary costs receive a portion of the resulting Medicare savings as a reward. This approach emphasizes collaboration, efficiency, and quality of care.

A close relative of the ACO, the bundled payment model presents an opportunity for hospitals, physicians, and other providers to share a single payment for a Medicare patient’s single episode of care. Savings earned are determined by the efficiency of the providers’ collaboration during the episode of care. Use of a bundled payment model may not require as many changes to providers’ current business models as the formation of an ACO.

A key feature of alternative payment models, however implemented, is the shift of quality accountability from payor to provider, with the goal to maximize value while cutting costs. Both of the aforementioned payment models require increased efficiency and collaboration while meeting measurable quality standards.

For more information on these and other health care alternative payment models, contact the health care attorneys at McBrayer.

Anne-Tyler MorganAnne-Tyler Morgan is an Associate of McBrayer, McGinnis, Leslie & Kirkland, PLLC.  Ms. Morgan concentrates her practice in healthcare law and is located in the firm’s Lexington office. She can be reached at or at (859) 231-8780. 

This article is intended as a summary of federal and state law and does not constitute legal advice.

Leave a comment

New Rule on Medicare Reimbursement for Chronic Care Management Services

In November 2014, the Centers for Medicare & Medicaid Services (“CMS”) issued a final regulation with changes intended to ensure Medicare’s payment system “reflect[s] changes in medical practice and the relative value of services, as well as changes in the statute.”[1] One of the beneficial changes for physicians is the new Medicare reimbursement of chronic care management (“CCM”) services, which began with the New Year on January 1, 2015. All providers should pay special attention to the essential requirements for chronic care management reimbursement and begin identifying eligible fee-for-service Medicare patients.

The new CCM provisions are designed to pay for services that many practitioners are already doing – managing patient care and continuity of care through follow up care and case management after a patient visit and outside of a face to face visit. Providers will now receive monthly payment for at least 20 minutes of clinical staff CCM time fAttentive doctor and nurse caring for an elderly hospital patienor Medicare patients with multiple significant chronic conditions as long as the CCM care is directed by a physician or other qualified health care professional. The reimbursement rate for these non-face-to-face services is $42.60 (an RVU of 0.61 with 20 minutes of clinical staff time) and providers should bill under the new CPT code of 99490 once per month. CMS touts this new CCM coverage as part of an initiative to improve access to primary care for Medicare beneficiaries. The use of CCM will also enhance continuity of care and hopefully reduce hospital readmissions for Medicare patients with chronic conditions. The high rate of hospital readmissions for Medicare patients with chronic health conditions drives up healthcare costs and Medicare covers a large population with multiple chronic health conditions.

The final regulations also provide some flexibility in the supervision of clinical staff providing CCM services. Before this regulation, clinical staff had to be under the direct supervision of the practitioner, which meant that the practitioner had to be in the office suite and available to provide assistance, for the clinical staff’s service time to be reimbursed as furnished “incident to” a practitioner’s professional service. In contrast to the prior reimbursement policy, the new regulation recognizes that the increased need for round-the-clock access to CCM means that direct practitioner supervision is not always feasible. As a result, the final regulations merely ask for “general,” as opposed to “direct,” supervision of the clinical staff for the provision of CCM services after business hours. Although the clinical staff still must be direct employees of the practitioner or practice, CMS requires less practitioner supervision of the clinical staff’s CCM services, which gives providers some breathing room in the supervision of these services.

The potential downside to the new CMS rule is that practitioners wishing to bill CMS for qualified CCM services must adhere to certain standards for their electronic health records (“EHR”) systems. The EHR systems must be certified under the terms of the EHR Incentive Payment Program that picked up in 2011 as a result of the American Recovery and Reinvestment Act. Providers wishing to bill for CCM services must use EHR systems that were certified as of December 31st of the prior year. As a practical result, this means that both 2011- and 2014-certified EHR systems are currently acceptable. While this slightly-softened rule benefits many current providers, some providers will have to invest in updating their EHR system in the future, and this may have a significant cost.

For more information on the new CMS rule, please contact the attorneys at McBrayer.

[1] 79 FR 67547 at 67548

Emily HordEmily M. Hord is an Associate of McBrayer, McGinnis, Leslie & Kirkland, PLLC.  Ms. Hord concentrates her practice in healthcare law and is located in the firm’s Lexington office. She can be reached at or at (859) 231-8780. 

This article is intended as a summary of newly enacted federal and state law and does not constitute legal advice.

Leave a comment

Charitable Hospitals and Community Health Needs Assessments

In the last days of 2014, the IRS released regulations that finalized the compliance requirements for charitable hospitals. These new 2014 IRS regulations relate to the Community Health Needs Assessment (CHNA or needs assessment) requirements for nonprofit hospitals or nonprofit organizations oSenior female doctor using a tablet computer in her officeperating a hospital contained in Section 501(r) of the tax code, which was created by the Patient Portability and Affordable Care Act (“ACA”). Section 501(r) requires that thorough CHNAs be conducted every three years in order to maintain their 501(c)(3) nonprofit status. These needs assessments must define the community served by the hospital, the needs of the community, and a strategy addressing the identified community needs. Since each facility that fails to meet CHNA requirements loses its nonprofit status and has to pay a $50,000 excise tax, nonprofit hospitals and networks need to pay special attention to the changes and incorporate these new requirements into their needs assessments.

The new IRS regulations require that a CHNA be conducted with the following steps:

(i) Define the community it serves.

(ii) Assess the health needs of that community.

(iii) In assessing the health needs of the community, solicit and take into account   input received from persons who represent the broad interests of that community, including those with special knowledge of or expertise in public health.

(iv) Document the CHNA in a written report (CHNA report) that is adopted for    the hospital facility by an authorized body of the hospital facility.

(v) Make the CHNA report widely available to the public.

26 CFR §1.501(r)-3(b)(1)

The new IRS regulation allows nonprofit hospitals and nonprofit organizations to define what constitutes their actual “community” for the CHNA as long as the community definition does not exclude low-income, minority, or other medically underserved populations. Fortunately, the regulation has a cost saving or resource pooling provision that allows hospitals with identical community definitions to conduct a joint needs assessment and develop a joint strategy for addressing the identified community needs. Hospitals that have overlapping, but not identical, communities can jointly prepare parts of their CHNA.

The IRS regulations also expand the scope of the assessable health needs to include

“the need to address financial and other barriers to accessing care, to prevent illness, to ensure adequate nutrition, or to address social, behavioral, and environmental factors that influence health in the community.”[1] These are only examples, however, and those conducting a CHNA should determine if these needs are significant health needs in their defined community. When conducting a needs assessment, the nonprofit hospital or organization must receive input on these needs from a governmental health agency, members or representatives from low-income, minority or medically underserved populations. Nonprofit hospitals will also need to consider the written comments about their most recent CHNA and its impact on the community. The nonprofit hospital needs to fully document all of its efforts to obtain input and feedback from the identified populations and document in the CHNA report whether those populations responded or failed to respond to those requests for input.

The final CHNA report adopted by the facility must, under the new regulations, include an evaluation of the impact or results of any actions or efforts made as part of the strategy to address the needs identified in the prior needs assessment. Thus, the current or future CHNA report must include assessment of the effectiveness of the prior needs assessment strategy.

The implementation strategy no longer has to be adopted within the same taxable year CHNA’s completion. Instead, the implementation strategy or plan must now be adopted or implemented before the 15th day of the fifth (5th) month after the end of the taxable year in which the CHNA was carried out, which gives nonprofit hospitals an extra five and a half months to implement the plan or strategy. So, if a CHNA was completed in December 2014, the implementation strategy would need to be implemented in the next 5.5 months, which would be in May 15, 2015.

The regulations concerning nonprofit hospitals continue to be a complex labyrinth, and nonprofits hospitals and nonprofit organizations operating a hospital should consult the attorneys at McBrayer for advice on the how to comply with them.

[1] 26 C.F.R. §1.501(r)-3(b)(4)

Emily HordEmily M. Hord is an Associate of McBrayer, McGinnis, Leslie & Kirkland, PLLC.  Ms. Hord concentrates her practice in healthcare law and is located in the firm’s Lexington office. She can be reached at or at (859) 231-8780. 

This article is intended as a summary of newly enacted federal and state law and does not constitute legal advice.

Leave a comment


Get every new post delivered to your Inbox.