Issues Concerning Substance Abuse Patient Confidentiality Laws

It was with the best of intentions that Congress passed the Federal Confidentiality of Alcohol and Drug Abuse Patient Records Law over forty years ago. The patient privacy regulations (“Part 2”) spawned by this law reflected a sensitivity to the stigma that can accompany substance abuse, preventing highly vulnerable patients in need from seeking appropriate treatment.[1] In the interim, however, the field of behavioral health care has experienced seismic shifts in coordinated patient care while the regulations concerning these patient records have failed to adapt to changing standards such as electronic health records or health information exchanges. Due to this inflexibility, providers and patients are now facing a host of impediments in the provision of behavioral healthcare.

Upset man at rehab group with hands to face at therapy session

Part 2 regulations concerning information for those being treated for substance use disorders (“SUDs”) are more stringent than the rules embodied in HIPAA, adding additional layers of explicit patient consent for every disclosure of patient information. This consent must be written and given prior to the disclosure, and blanket waivers of consent are not permitted. Unlike the privacy provisions of HIPAA, Part 2 does not allow for the disclosure of protected patient information for the purposes of treatment, payment or health care operations without the consent of the patient except in limited circumstances. It may be easy to tell how this can pose problems for newer strategies of coordinated patient care and the integration of electronic health records (“EHRs”). These regulations did not envision a technological timeline where health records could be stored, accessed or transferred instantly and digitally, so their application to modern and evolving healthcare has been awkward at best.

Also, the required contents of the disclosure can prove limiting when trying to provide coordinated care across multiple providers and entities. For instance, a consent to a disclosure must identify every single individual or organization to which that disclosure will be made, which can be problematic for disclosing to newer entities such as Accountable Care Organizations or Health Information Exchanges that experience ever-shifting memberships.

The regulations also do not contemplate the way treatment of SUDs blurs the lines between specialized providers, primary care physicians and others. For instance, some SUD treatment may take place with a primary care provider, and records for this treatment are not covered under the Part 2 regulations, even if they would be covered had the patient seen an SUD specialist at a federally-funded facility for the same treatment. If a patient sees a specialist in SUDs, however, that record from that visit is confidential. If a consent form from that specialist is not thorough with the amount and type of information allowed, a follow-up visit with a primary care provider may not have sufficient information to provide necessary treatment.

There is little guidance as to how providers should deal with the intersection between the necessary written consent of patients and electronic health records or coordinated care. The Department of Health and Human Services, Substance Abuse and Mental Health Administration (“SAMHSA”) addressed several of these issues in a published set of FAQs, but questions remain as to how providers can effectively participate in ACOs or health information exchanges under these rules. This is an especially important question in Kentucky, where, for example, new regulations from Kentucky’s Medical Licensure Board that govern the treatment of SUDs with certain medication-assisted therapies require physicians providing these treatments to register with Kentucky’s health information exchange.

Last year, SAMHSA conducted a public listening session to begin addressing these concerns. The primary takeaways from this session were that patient consent should include the ability to consent to disclosure to entities such as ACOs and health information exchanges and the ability to consent to disclosure of an open class of any provider involved in that patient’s care, and redisclosure of information without the patient’s consent should be allowed in line with HIPAA regulations, such is in patient treatment, payment and healthcare operations.

Protection for patients in the treatment of SUDs remains paramount, but existing Part 2 regulations only provide complexity and uncertainty in the face of new and evolving treatments and technology. Providers dealing with the treatment of SUDs should be wary of compliance with Part 2 regulations and how they interact or even hinder areas of care that involve EHRs, HIPAA requirements and principles of coordinated care. Providers shouldn’t try to negotiate the tangled web of Part 2 regulations alone, instead seeking out legal guidance from a trusted source to ease compliance with complicated requirements. The attorneys at McBrayer, McGinnis, Leslie & Kirkland, PLLC can help.

Molly LewisMolly Nicol Lewis is an Associate of McBrayer, McGinnis, Leslie & Kirkland, PLLC.  Ms. Lewis concentrates her practice in healthcare law and is located in the firm’s Lexington office. She can be reached at or at (859) 231-8780. 

This article is intended as a summary of federal and state law and does not constitute legal advice.

[1] 42 C.F.R. Part 2

Time to Exclude the IMD Exclusion

Some rules are borne out of the best of intentions, and the Institutions for Mental Disease Exclusion (“IMD exclusion”) bears the hallmarks of such a beginning. The IMD exclusion bars federal funding for care of patients between the ages of 21 and 65 who receive inpatient treatment in an IMD, a hospital, nursing facility or other institution with more than 16 beds that primarily treats those with mental illness. This provision came into being in 1965, primarily as a way to prevent dubious institutions from stocking up on mentally ill patients for the purposes of collecting federal funds en masse, but also to put the onus on states, rather than the federal government, to care for the mentally ill.

Psychology TherapyIn modern times, however, the IMD exclusion is arguably one of the larger impediments to expansion of mental and behavioral health treatment, particularly in the area of substance abuse disorders, where a brewing epidemic of opioid addiction demands a proportional institutional response. Not only does this exclusion apply to standard mental health institutions, a Center for Medicare & Medicaid Services (“CMS”) interpretation applies the exclusion to other facilities such as substance abuse treatment center. The irony is that states which have accepted the Medicaid expansion to cover a wide range of newly-eligible patients for mental and behavioral health disorders such as substance abuse find themselves stymied by a lack of appropriate facilities in which to treat them. The Mental Health Parity and Addiction Equity Act of 2008 (“MHPAEA”) provides that covered individuals receive the same coverage for mental and behavioral health as for other medical and surgical benefits, yet medical and surgical facilities are not limited to a maximum of 16 beds, rendering much of the benefit of this law illusory.

The Medicaid expansion provides mental and behavioral health providers with a steady new flow of patients in dire need of assistance – so long as that inpatient treatment is provided in increments of 16. Substance abuse victims now have the coverage to receive the services they desperately need, and behavioral health providers now have more tools than ever to combat the problem. The obstacle in care comes in the limitation of the facilities.

Even an exception for behavioral health provider facilities for substance abuse treatment would provide significant relief, and CMS went so far as to allow eight states to include IMD benefits under Medicaid managed care programs for a period of ten years. Although this exception hasn’t been allowed recently, it at least provides a ray of hope that CMS can adapt regulatory policies to reflect a growing problem, understanding that it may be standing in the way of progress with draconian measures.

True parity can only be attained when mental and behavioral health facilities are free from the limitations imposed by the IMD exclusion. Until then, rather than protecting patients from unscrupulous institutions, this policy will only continue to hurt those who need real care.

For more information on the interplay between the IMD exclusion and Medicaid, contact the attorneys of McBrayer, McGinnis, Leslie & Kirkland, PLLC.

Molly LewisMolly Nicol Lewis is an Associate of McBrayer, McGinnis, Leslie & Kirkland, PLLC.  Ms. Lewis concentrates her practice in healthcare law and is located in the firm’s Lexington office. She can be reached at or at (859) 231-8780. 

This article is intended as a summary of federal and state law and does not constitute legal advice.

What a PA Should Know When Searching for a Supervising Physician

Although supervising physicians are required to follow regulatory guidelines, it is also important that physician assistants (“PAs”) understand their role in the authority delegated to them and the specifics of regulatory compliance for supervision.

Attentive doctor and nurse caring for an elderly hospital patienKRS 311.850 allows the Kentucky Board of Medical Licensure (“KBML”) to revoke, suspend, deny, decline to renew, limit, or restrict the license of a PA, or fine, reprimand or place a physician assistant on probation for up to five years for certain licensure violations, including exceeding the scope of medical services described by the supervising physician in the applications required under KRS 311.854; exceeding the scope of practice for which the physician assistant was credentialed under KRS 311.856 and 311.858; and/or aiding or assisting in the unlawful practice of medicine or osteopathy or any healing art, including the unlawful practice of physician assistants.

The actual scope of practice, including any locations where the PA would practice separately from the supervising physician, must be clearly explained in the physician’s application that must be approved by the KBML as well as the plan of supervision. It is important that the PA is aware of these requirements and know application process.

Further, PAs should understand the full gamut of “supervision”. Physician supervision means overseeing the activities of and accepting of responsibility for the medical services rendered by a PA. Both physicians and PAs are required to ensure that the delegation of medical tasks is appropriate to the PA’s level of training and experience, that how the PA is to access to the supervising physician is clearly defined, and that a process for evaluation of the PA’s performance is established. The KBML has established clear definitions and requirements for the different levels of supervision required: Direct, On-site, and Off-site. Due to these specific criteria for supervision, PAs and supervising physicians must understand what is expected of them to maintain compliance with regulatory requirements. For more information on the regulation of physician assistants in Kentucky, contact McBrayer, McGinnis, Leslie & Kirkland, PLLC.

Gina M. Riddell, MPA, is a Research and Compliance Analyst of McBrayer, McGinnis, Leslie & Kirkland, PLLC. Ms. Riddell concentrates her practice in healthcare law and is located in the firm’s Lexington office. She can be reached at  or at (859) 231-8780.

This article is intended as a summary of federal and state law and does not constitute legal advice.

What Physicians Should Know About New Kentucky Law Regarding Physician Assistants

During the 2015 legislative session of the Kentucky General Assembly, HB 258, was approved by lawmakers and signed by Governor Beshear.  This legislation amends KRS 311.854 to allow a physician to supervise up to four physician assistants (“PAs”) at the same time. This amended regulation goes into effect on June 24, 2015.

PAs perform a wide range of duties, including providing routine care, treating acute and chronic illnesses, managing hospital inpatients, performing minor surgeries, and assisting during major surgeries. To a large degree, supervising physicians are granted the flexibility to delegate tasks to PAs and determine appropriate supervision methods, but state scope-of-practice laws sometimes limit physicians’ authority.

Doctors And NursesIn addition, a physician must file an application, and be approved, with the Kentucky Board of Medical Licensure (“KBML”) before supervising a PA. This process must be completed for each PA that is supervised. As part of this application process, a physician must provide a statement of assurance, therefore placing himself/herself as being responsible for the actions of the PA. Failure to obtain board approval as a supervising physician or failure to comply with the requirements of KRS 311.840 to 311.862 or related administrative regulations will be considered unprofessional conduct and will subject the physician to disciplinary action by the board. This may include revocation, suspension, restriction, or placing on probation the supervising physician’s right to supervise a physician assistant.

It is also important to remember that the application process requires specific descriptions of the scope of practice of the PA. If for any reason, the scope of practice changes, the physician is required to supplement the application and receive approved for the expansion/change in scope. The KBML has the regulatory authority to either approve the scope of practice or place limitations on the methods of supervision required by the physician.

The task of complying with the regulatory responsibilities of supervision while simultaneously supervising multiple PAs can become onerous. Obtaining guidance before assuming these important supervisory responsibilities is a crucial step to take in order to help alleviate any obstacles with these tasks. If you need that assistance, contact McBrayer, McGinnis, Leslie & Kirkland, PLLC.

Gina M. Riddell, MPA, is a Research and Compliance Analyst of McBrayer, McGinnis, Leslie & Kirkland, PLLC. Ms. Riddell concentrates her practice in healthcare law and is located in the firm’s Lexington office. She can be reached at  or at (859) 231-8780.

This article is intended as a summary of federal and state law and does not constitute legal advice.

FDA Issues Guidance for Mobile Medical Apps

Just so you know, that iPhone or iPad you have with you may be an FDA-regulated medical device. More precisely, the apps on the device may meet the definition of a medical device under the Federal Food, Drug, and Cosmetic Act (“FD&C Act”).[1] In February of this year, the FDA released a revised set of guidance concerning how it will apply regulatory oversight to mobile apps, addressing the growing number and potential uses of these apps as they proliferate alongside rapidly changing mobile technology.

Mobile devicesIn this new guidance, the FDA set forth three classifications of mobile apps: those that do not meet the definition of a medical device under the FD&C Act, those that may meet the definition but pose a low risk to the public, and those that do meet the definition of a medical device, the functionality of which could risk patient safety in a malfunction. The determining factor in whether an app meets the definition of a medical device for purposes of the FD&C Act is the intended use of the app, which the FDA will determine through labeling, advertising, and statements by the manufacturer. If a mobile app is intended to perform a medical device function, such as diagnosing or curing disease, it is considered a medical device.

While the FDA could regulate all devices it deems meet the definition for “medical device,” it will draw the regulatory line only when there is potential risk to a patient if an app doesn’t perform as specified. These apps include those that connect to other devices to control them or actively monitor patient data, apps that transform a mobile platform into a medical device by using sensors, attachments or display screens, and apps that perform patient-specific analysis, diagnosis, or treatment recommendations.

Apps that function as medical devices but that pose a low risk of harm will escape FDA scrutiny, although the FDA urged manufacturers of all mobile medical apps to abide by Quality System regulations.[2] The list of low-risk app types that the FDA is currently choosing to provide little, if any, oversight over has grown significantly since the last guidance just two years ago.

The guidance is intended to help mobile medical app creators determine if their app falls under FDA regulations, triggering certain controls according to device class (I, II or III). If a mobile app is seen as a medical device, it must conform to applicable regulations concerning device classification and follow regulatory controls, which may include registration, labeling, and premarket notification or approval, among others.

From a provider standpoint, healthcare practitioners who use mobile medical apps on tablets, phones or other devices should consider whether those apps have been FDA-approved if they meet enough criteria to reasonably fall under the definition of a medical device. For more information on mobile medical apps and potential regulatory issues, contact the attorneys of McBrayer, McGinnis, Leslie & Kirkland, PLLC.

Chris Shaughnessy Christopher J. Shaughnessy is an attorney at McBrayer, McGinnis, Leslie & Kirkland, PLLC.  Mr. Shaughnessy concentrates his practice area in health care law and is located in the firm’s Lexington office.  He can be reached at or at (859) 231-8780. 

This article is intended as a summary of federal and state law activities and does not constitute legal advice.

[1] 21 USC §301 et seq.

[2] 21 CFR 820

OIG Guidance for Healthcare Boards

In April, the Office of the Inspector General for the U.S. Department of Health and Human Services (“OIG”), in conjunction with the American Health Lawyers Association, the Association of Healthcare Internal Auditors, and the Health Care Compliance Association, released “Practical Guidance for Health Care Governing Boards on Compliance Oversight.” Rather than merely discussing aspirational goals or stating governing principles, the guide lives up to its name in giving practical suggestions for how health care governing boards oversee compliance programs, a true product of a partnership between the OIG and associations that represent those regulated by the office. The document stressed new compliance challenges for healthcare governing boards, such as value-based payment systems and the effect of ever-expanding publicly available data (under the Sunshine Rule, for instance). The guidance covered specific topic areas of concern, each of which will be discussed briefly.

Expectations for Board Oversight of Compliance Program Functions

Business - meeting in an office; lawyers or attorneys (only hands) discussing a document or contract agreement

Reporting and communication systems need to be in place that will provide assurance to the governing board that necessary information with regard to compliance will come to the fore in a regular and timely fashion. The guidance suggests using widely-recognized public compliance resources as benchmarks to establish baseline assessment tools, such as the Federal Sentencing Guidelines, the OIG’s voluntary compliance program guidance, or OIG Corporate Integrity Agreements. The guidance stressed that no compliance program design is “one size fits all,” and boards should evaluate programs in light of the size and complexity of an organization.

Roles and Relationships

Organizations should be structured clearly and with defined spheres of responsibility and functional boundaries while supporting collaboration and cooperation among functions. The guidance recommended a structure with several delineated roles – the compliance function, the legal function, the internal audit function, the human resources function, and the quality improvement function. In addition, the guidance suggested that boards should evaluate how management addresses risk and the roles each plays in identifying compliance risks, investigating compliance risks and avoiding duplication of effort, identifying and implementing appropriate corrective actions and decision-making, and communicating between the various functions throughout the process.

Reporting to the Board

Stressing the oversight role of a board, the guidance suggested that a board should receive regular reports on the organization’s risk mitigation and compliance efforts. In implementing this, boards could use a ‘dashboard’ that presents all key information in a well-organized fashion. A board could also consider conducting regular “executive sessions” with leadership from the various functions that encourages more communication.

Identifying and Auditing Potential Risk Areas

Healthcare governing boards need strong processes for identifying risk areas from both internal and external resources, and those areas should be consistently reviewed and audited, with appropriate corrective actions developed and implemented. Boards should look to recent industry trends in the design of risk assessment plans, taking into account an increased emphasis on quality and value of care, as well as the ways in which new payment models create both incentives and compliance risks. Boards also need to be aware that if physicians are employed by both their organization and another entity, these relationships may have consequences for clinical and research decision-making.

Encouraging Accountability and Compliance

As a general rule, the OIG encouraged governing boards to create a culture of compliance through the creative implementation of compliance programs, stressing the need for communication of expectations, as well as clear communication channels throughout an organization. Boards should also foster a level of trust and comfort so that employees can raise compliance issues free of retaliation fears. The guidance emphasized the benefits of operating an aware and proactive organization, such as fast resolutions of cases with the OIG, lower payments and exclusion release as part of a settlement.

The overall tenor of the guidance stressed the necessity of unobstructed flow of information throughout an organization from the lowest levels to the board, structuring roles and responsibilities with an eye to strengthening and preserving communication. Simply put, a board cannot respond to information it doesn’t have, and a backbone of communication throughout an organization will assist in the assessment and mitigation of risk.

To learn how this OIG guidance can help your healthcare organization’s board with its oversight functions, contact the attorneys at McBrayer, McGinnis, Leslie & Kirkland, PLLC.

Chris ShaughnessyChristopher J. Shaughnessy is an attorney at McBrayer, McGinnis, Leslie & Kirkland, PLLC.  Mr. Shaughnessy concentrates his practice area in health care law and is located in the firm’s Lexington office.  He can be reached at or at (859) 231-8780. 

This article is intended as a summary of federal and state law activities and does not constitute legal advice.

Wellness Programs and the EEOC, Part Two

Tuesday’s post discussed recent Equal Employment Opportunity Commission (“EEOC”) litigation concerning employer-sponsored wellness programs. Today’s discussion turns toward further guidance recently issued by the EEOC to assist employers in ensuring that their wellness plans are compliant with federal law.

On April 16, 2015, the EEOC issued a proposed rule concerning wellness program compliance with the Americans with Disabilities Act (“ADA”), as outlined below.

Purpose of the Plan

Wellness written on a white calendar page

The proposed rule states that a wellness program must be reasonably designed to promote health or prevent disease, but the program may not be overly burdensome or a subterfuge to violate antidiscrimination laws.

Voluntary vs. Mandatory

In its recent litigation, the EEOC has stressed the requirement that wellness programs be truly voluntary. The proposed rule further emphasizes this point by mandating that employers not require employees to participate in a wellness program, deny coverage under a group health plan based upon an employee’s refusal to participate in a wellness program, limit the extent of health benefits for non-participating employees, or take adverse employment action against an employee who refuses to participate in a wellness program.

Incentive vs. Penalty

The proposed rule clarifies the distinction between incentives and penalties established by employers in connection with wellness plans. An employer may offer incentives for an employee to participate in a wellness program that is part of a group health plan and includes physical examinations or disability-related questions only if the total incentive available to the employee does not exceed thirty percent of the total cost of the employee’s health coverage, or fifty percent if the employee participates in a tobacco cessation program.

Medical Information Obtained

When offering a wellness program as part of a group health plan, an employer must provide its employees a notice that clearly explains what type of medical information will be obtained, how that information will be used, and who will have access to the information, as well as the methods by which the employer intends to prevent improper disclosure of the information and restrictions on how the information is disclosed. Medical information collected through a wellness program may only be disclosed to the employer in aggregate form without any reference to specific employees, unless this information is necessary to administer a group health plan.

If you are creating or reviewing an employer-sponsored wellness program, contact your McBrayer healthcare attorney today to ensure that your plan complies with the EEOC’s proposed rule!

Anne-Tyler MorganAnne-Tyler Morgan is an Associate of McBrayer, McGinnis, Leslie & Kirkland, PLLC.  Ms. Morgan concentrates her practice in healthcare law and is located in the firm’s Lexington office. She can be reached at or at (859) 231-8780. 

This article is intended as a summary of federal and state law and does not constitute legal advice.