Cybersecurity Alert

July 12, 2016

Internal Use Only

We wanted to send a quick update on some of the health care regulatory issues that the Data Use, Privacy and Protection team has been working on over the past month.

Physician Group Partners with Mobile Application Developer

  • Question: Is this transaction permissible under various Health Care regs and MD statutes?

We reviewed and revised a complex physician compensation agreement in which the physician group wanted to partner with a mobile app developer for “Doctor Online” type services.  We took a deeper dive on physician compensation models, Stark, Corporate Practice of Medicine doctrines, Anti-kickback, etc.  This was interesting work, because Jennifer spent a year on a joint DOJ-FBI Fraud, Waste & Abuse Task Force (for the Mid-West Region) back in 2013-2014. 

Lender/Borrower Agreement with Boutique Retail Pharmacy

  • Question: Have we adequately protected the Lender from HIPAA?  Is there any vicarious lender liability for CMS Sunshine Act or Fraud, Waste & Abuse, or Credentialing issues?

We determined that, given the business model and data flow, there was no exposure to the lender under any of the above. We also determined that a general indemnity was fine, inasmuch as calling out data- or legislation-specific indemnities may draw more attention to the issues. We do not want to implicitly create a duty on the part of the Lender, our client.

Pharmacist and HIPAA

  • Question: Has the pharmacy violated HIPAA? 

A local pharmacist who is part of a national chain refused to fill a customer’s prescription for a controlled substance. The grounds for the rejection were that the customer was “too early” to qualify for the refill. The customer left the pharmacy empty-handed. The pharmacist then voluntarily reached out to every local pharmacy within a 30-mile range to advise them that an “individual may be coming in to get an ‘early refill’ for [the drug].” While not a technical violation of HIPAA, we determined that the pharmacy would have made a better business decision by either notifying the Maryland PDMP (Prescription Drug Monitoring Program), or by notifying local law enforcement.