Last week, we published the first article installment covering the HEA 1004 legislation, which was signed into law by Governor Eric Holcomb earlier this spring. HEA 1004 contains a number of sweeping health law changes in Indiana and goes into effect on July 1, 2020.
Two Key Developments That You Will be Required to Follow
As we noted in last week’s article, there are two specific provisions in HEA 1004 that need to be on the radar of every health care entity in Indiana that employs physicians or utilizes the services of physicians.
- First, HEA 1004 creates a new law—I.C. § 25-22.5-5.5—that “applies to physician noncompete agreements originally entered into on or after July 1, 2020” (the “Physician Noncompete Law”).
- Second, HEA 1004 creates an additional new law—I.C. § 25-22.5-17—that requires employers of physicians to comply with certain patient information protocols upon the physician’s departure from the organization; these requirements apply regardless of whether or not a physician noncompete exists.
Part I of this blog article analyzed the Physician Noncompete Law. Part II of this blog article analyzes the requirements associated with HEA 1004’s patient information protocols.
Quick Recap of Public Policy Considerations
The public policy underlying HEA 1004 was couched in terms of providing the highest quality health care for Indiana. In broad strokes, supporters of HEA 1004 argued that the legislation was necessary to attract and retain physicians in Indiana and to guard against rising health care costs; those were the policies motivating the Physician Noncompete Law.
Additionally, supporters of HEA 1004 also argued that physician noncompetes were bad for patients because they prevented or interfered with continuity of care and restricted the patient’s access to certain information regarding the departing physician; those were the policies underlying the patient information protocols contained within HEA 1004.
New Patient Information Protocols—I.C. § 25-22.5-17
In addition to the Physician Noncompete Law, HEA 1004 includes another new law—I.C. § 25-22.5-17—regarding patient information protocols that health care entities will be required to follow any time “a physician…leaves the employment of an employer. . . .” (the “Patient Information Protocols”).
The Patient Information Protocols are very similar to the requirements set forth in the Physician Noncompete Law (i.e., I.C. § 25-22.5-5.5). But the primary difference is that the Patient Information Protocols apply to health care entities regardless of whether or not a physician noncompete agreement exists. In other words, if you employ physicians in Indiana but don’t have noncompete restrictions in place, you’re still required to follow the Patient Information Protocols in I.C. § 25-22.5-17. You would not, however, be covered by the Physician Noncompete Law.
The Patient Information Protocols require health care entities to take the following steps any time a physician leaves the employment of an employer:
- Patient notification letter to be provided to physician—The employer must, in the event of a physician’s separation of employment, provide the physician with a copy of any patient notification letter that (a) concerns the physician’s departure; and (b) was sent to any patient seen or treated by the physician in the two (2) years preceding the physician’s departure. Due, however, to patient privacy and confidentiality considerations, patient names and contact information have to be redacted from the patient notice that’s shared with the physician.
- Contact information to be provided to patients—The employer must, in the event of a physician’s separation of employment, in good faith provide the physician’s last known contact and location information to a patient who (a) requests the physician’s updated contact and location information; and (b) was seen or treated by the physician in the two (2) years preceding the physician’s departure.
- Medical records to be provided to physician—In the event of a physician’s separation of employment (and contingent on receipt of the patient’s consent to the disclosure), the employer is required to provide the physician with access to or copies of any medical record associated with the patients described above in numbered paragraphs (1) or (2). (Note that as with the Physician Noncompete Law, I.C. § 25-22.5-17 also permits the employer to charge a reasonable fee as permitted under state or federal law for creating, copying or transferring a patient medical record.)
- Format of medical records—The employer is prohibited from providing medical records to a requesting physician in a format that materially differs from the format used during the employer’s usual and customary business practices, unless a different format is mutually agreed to by the parties. Note that paper or .pdf copies satisfy the formatting requirements of the Patient Information Protocols.
Watch Out for “Superseding” Obligations under Federal Privacy Laws
Both the Indiana Legislature and the Office for Civil Rights (“OCR”), the federal agency that enforces the federal Health Insurance Portability and Accountability Act, as modified by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act (collectively, “HIPAA”) and related regulations, have a common goal—to ensure that patients are able to access their medical records (i.e., protected health information (“PHI”)) on request.
It is important to recognize, however, that there are some subtle differences between the federal and state requirements; health care entities should work with counsel when navigating these requirements. Examples include the following:
- While OCR permits health care entities to require a written request for access to records and verification of identity, it also views the patient’s right of access to be critical to empowering the individual. Therefore, and as it relates to numbered paragraph (3) above, policies that limit or erect barriers to access are typically not permitted under HIPAA. For example, in the event of a physician departure, a health care entity can’t require use of the health care entity’s specific authorization form or only accept requests through a web portal before turning over medical records to the departing physician.
- Under HIPAA, there are also limitations on the amount that can be charged for records requested by the patient or the patient’s personal representative; those fees are limited to (a) labor for copying the PHI requested; (b) supplies necessary for preparing the copy (i.e., paper or electronic media on which the copy is provided); (c) postage, if the copy is being mailed; and (d) if a summary or explanation of the record is requested, the cost of preparing the summary or explanation. For example, and again as it relates to numbered paragraph (3) above, state law permits a $10 expedited processing fee for medical records but HIPAA does not allow for such a charge.
- As a final point, and especially as it relates to numbered paragraph (4) above, HIPAA requires that the copy of PHI be provided in the form and format requested by the patient, if the PHI can be readily produced in that particular form and format. For example, if the PHI is maintained in an electronic format, then typically a request for electronic access must, under HIPAA, be honored. Therefore, even though the state law Patient Information Protocols allow for production of a paper or .pdf copy, HIPAA requires that if the PHI is maintained in an electronic format, then the health care entity must comply with a patient’s (or physician’s) request for an electronic copy unless it is not possible to do so. As interoperability between electronic records increases, federal regulators will continue to expect health care entities to improve patient access to electronic records in order to facilitate participation in decision-making and reduce barriers to efficient information transfer.
- The Patient Information Protocols go into effect on July 1, 2020.
- The protocols apply to any health care entity that employs physicians (regardless of whether or not a physician noncompete agreement exists).
- Work with legal counsel to assess your options and strategies from a scope of coverage standpoint.
- For example, physicians licensed under I.C. § 25-22.5 et seq. are covered. But with respect to practitioners licensed elsewhere under the Indiana Code, a different conclusion is likely warranted.
- Physician practice groups are covered by the Patient Information Protocols too.
- As noted in Part I of this blog article, tread very carefully when it comes to the medical records, copying charges and medical record formatting provisions of HEA 1004. The differences between state and federal law are subtle and federal law is controlling in many respects.
- Point being, even if you’re 100% compliant with the Patient Information Protocols, you could still be at risk from a HIPAA standpoint.
- Hall Render’s HIPAA, Privacy & Security attorneys are readily available and uniquely positioned to help you navigate these waters.
To learn more about HEA 1004, join Hall Render attorneys Melissa Markey and Dana Stutzman, along with Laura McCaffrey from the Indiana Hospital Association, for a webinar on Thursday, May 28. For more information or to register, click here.
If you have any questions on issues discussed in or related to this post, please contact:
- Dana Stutzman at firstname.lastname@example.org or (317) 977-1425;
- Melissa Markey at email@example.com or (248) 740-7505; or
- Your regular Hall Render attorney.
For more information on Hall Render’s Labor & Employment services, click here.
Hall Render’s attorneys and professionals continue to maintain the most up-to-date information and resources, which are available at our COVID-19 Resource page, through our 24/7 COVID‑19 Hotline at (317) 429-3900 or by contacting your regular Hall Render attorney.
Hall Render blog posts and articles are intended for informational purposes only. For ethical reasons, Hall Render attorneys cannot—outside of an attorney-client relationship—answer specific questions that would be legal advice.