Category Archives: Risk Management Tips

Telemedicine – Still So Many Unknowns

In the July 14th issue of the New England Journal of Medicine, there was a review article titled “State of Telehealth.” In it, Drs. Dorsey and Topol describe the following three current telemedicine trends:

“The first is the transformation of the application of telehealth from increasing access to health care to providing convenience and eventually reducing cost. The second is the expansion of telehealth from addressing acute conditions to also addressing episodic and chronic conditions. The third is the migration of telehealth from hospitals and satellite clinics to the home and mobile devices.”

The article discusses many barriers to telemedicine, including legal barriers. I think an important barrier not mentioned is the restrictions on prescribing controlled substances. This is an area that not many people are thinking about, and those who are end up thinking about it differently! After discussions with a DEA representative, here is my understanding – NOT TO BE RELIED UPON AS LEGAL ADVICE – just one risk manager’s thoughts on prescribing controlled substances via telemedicine:

Step 1: You have to comply with state prescribing law applicable to all prescribing. In addition to being licensed in the patient’s state, states can require state controlled substance registration in the patient’s state (if different from prescriber’s state), registration with the Prescription Monitoring Program in the patient’s state, or other requirements, such as CME requirements.

Step 2: You have to comply with state law regarding prescribing via telemedicine. Some states specifically prohibit prescribing controlled substances via telemedicine, and some states allow it only under certain circumstances, such as for the treatment of psychiatric disorders.

Step 3: You also have to comply with federal law applicable to all prescribing. Some prescribers are surprised to learn that federal DEA registration is required in each state where controlled substances are prescribed. If the remote patient is out of state, services are deemed rendered in the patient’s state. Federal DEA registration covers multiple prescribing locations within one state, but it does not cover multiple states.

Step 4: You also have to comply with federal law regarding prescribing via the internet. Under the Controlled Substances Act (CSA), no controlled substance … may be delivered, distributed, or dispensed [defined to include prescribing] by means of the Internet without a valid prescription. “Valid prescription” means a prescription that is issued for a legitimate medical purpose in the usual course of professional practice by—a practitioner who has conducted at least one in-person medical evaluation of the patient or a covering practitioner.

There is an exception to the federal one in-person visit requirement for “telemedicine.” BUT the exception for telemedicine is limited to telemedicine as defined by the CSA. The 7 definitions of the practice of telemedicine / 7 exceptions to the in-person visit requirement are:

  1. Patient is remotely treated “while the patient is being treated by, and physically located in, a hospital or clinic [with a federal DEA registration] AND by a practitioner acting in the usual course of professional practice AND acting in accordance with applicable State law AND [has federal DEA registration] in State in which patient is located unless the practitioner [is with the VA or Indian Health Service]” OR
  2. Patient’s remote treatment “is being conducted while the patient is being treated by, and in the physical presence of, a practitioner acting in the usual course of professional practice AND acting in accordance with applicable State law AND [has federal DEA registration] in State in which patient is located, unless the practitioner [is with the VA or Indian Health Service]” OR
  3. Patient is remotely treated by provider with the Indian Health Service OR
  4. Patient is remotely treated during a public health emergency OR
  5. Patient’s remote treatment “is being conducted by a practitioner who has obtained from the Attorney General a special registration…” (No such registration currently exists, but it is on the DEA’s agenda and the American Telemedicine Association has provided input for this special registration.) OR
  6. Patient is remotely treated during a medical emergency (defined) OR
  7. Patient’s remote treatment “is being conducted under any other circumstances” as designated by the Attorney General and the Secretary.

Again, these are just my thoughts – and not legal advice. If you are insured through PRMS, feel free to call your risk manager to discuss this further and receive resources to assist you in navigating these uncharted waters.


Donna Vanderpool, MBA, JD
Vice President

As Vice President of Risk Management, Ms. Vanderpool is responsible for the development and implementation of PRMS’s risk management services for The Psychiatrists’ Program. Ms. Vanderpool has developed expertise in the areas of HIPAA and forensic practice, and has consulted, written and spoken nationally on these and other healthcare law and risk management topics. She most recently contributed to a chapter in Gun Violence and Mental Illness (APPI), authored chapters on telepsychiatry in Mental Health Practice in a Digital World (Springer) and Psychoanalysis Online 2 (Karnac). She also has co-edited and contributed chapters to several other clinical textbooks. Prior to joining PRMS in 2000, Ms. Vanderpool practiced criminal defense law, taught business and legal courses, and spent eight years managing a general surgical practice. Ms. Vanderpool received a Bachelor’s degree in Business Administration and Management from James Madison University. She also earned a Master of Business Administration degree and Juris Doctor degree from George Mason University.

OCR and Advocate Reach Largest HIPAA Settlement to Date

The Office for Civil Rights (OCR) has announced its latest and largest HIPAA settlement to date. Advocate Health Care will pay a settlement amount of $5.55 million and adopt a corrective action plan to bring a lengthy OCR investigation to an end. In 2013, the Illinois-based health system first notified OCR of the theft of four unencrypted desktop computers, collectively housing the PHI of roughly 4 million individuals. Shortly after the start of OCR’s investigation, Advocate also reported two additional unauthorized disclosures of PHI affecting about 4,000 individuals. OCR found that Advocate failed to conduct accurate risk assessments, obtain business associate agreements, implement appropriate policies and procedures, and reasonably safeguard a portable device.

After avoiding a number of class action suits arising from the breach, Advocate also awaits the conclusion of a separate investigation conducted by the Illinois Attorney General. Advocate’s breach remains the eighth largest health data breach on record.

The resolution agreement can be viewed here.


Justin A. Pope, JD
Associate Risk Manager

Justin Pope joined PRMS in 2014. Mr. Pope is responsible for researching emerging legal issues, creating online risk management content, and providing advice to individual providers through the Risk Management Consultation Service.

As a law student, he focused primarily on international, administrative, and food law. During his final year at Howard, Mr. Pope gained additional insight into the FDA’s regulatory process while serving as a research assistant to his professor. He has also interned as a legal assistant for both the Ft. Monroe Garrison Office of the Staff Judge Advocate and the Office of the Naval Inspector General, opining on a variety of legal issues, including privacy law. Mr. Pope received his Bachelor of Arts degree in International Affairs from the University of Virginia and his Juris Doctor degree from the Howard University School of Law.

Don’t Forget about the Goldwater Rule

Did you notice the recent Washington Post headline “The American Psychiatric Association issues a warning: No psychoanalyzing Donald Trump?” The article included many examples of psychologists and physicians (including one psychiatrist) who have never evaluated celebrities but have nonetheless commented on their mental health. No matter how tempting, especially given the sometimes outrageous behavior of public figures, the American Psychiatric Association’s 1973 ethical statement known as “the Goldwater Rule,” does not allow psychiatrists to offer opinions about individuals that they have not evaluated. The “warning” referenced by the article appears to be a blog post done by the APA president, Maria Oquendo, MD. In her blog post (“The Goldwater Rule: Why Breaking it is Unethical and Irresponsible”), she goes through the history of the Goldwater Rule:

“During [the 1964 presidential] election, Fact magazine published a survey in which they queried some 12,356 psychiatrists on whether candidate Sen. Barry Goldwater, the GOP nominee, was psychologically fit to be president.  A total of 2,417 of those queried responded, with 1,189 saying that Goldwater was unfit to assume the presidency.  While there was no formal policy in place at the time that survey was published, the ethical implications of the Goldwater survey, in which some responding doctors even issued specific diagnoses without ever having examined him personally, became immediately clear.”

Here is the Goldwater Rule (Annotation 3 under Section 7 of the Principles of Medical Ethics with Annotations Especially Applicable to Psychiatry):

“On occasion psychiatrists are asked for an opinion about an individual who is in the light of public attention or who has disclosed information about himself/herself through public media. In such circumstances, a psychiatrist may share with the public his or her expertise about psychiatric issues in general.  However, it is unethical for a psychiatrist to offer a professional opinion unless he or she has conducted an examination and has been granted proper authorization for such a statement.”

I think it boils down to an ethical prohibition on rendering a professional opinion about a non-patient in the public light with a specific diagnosis and/or prognosis. What is not prohibited is educating the public by providing general information about a condition.

I will point out that some comments in the press that would likely be prohibited by the Rule have been made by psychologists rather than psychiatrists. Psychologists have different ethical rules. Just as an example, under psychiatric ethics, “Sexual activity with a current or former patient is unethical.” [Annotation 1 under Section 2 of the Principles of Medical Ethics with Annotations Especially Applicable to Psychiatry.] However, under the Ethical Principles of Psychologists and Code of Conduct 10.08, “Psychologists do not engage in sexual intimacies with former clients/patients for at least two years after cessation or termination of therapy.”


Donna Vanderpool, MBA, JD
Vice President


The FTC’s Action Against LabMD: Why Physicians Should Care

The Federal Trade Commission (FTC) has asserted jurisdiction and, after some back and forth, found liability on the part of a laboratory for failure to protect data on its computer networks, resulting in breach of patient confidentiality. The lab’s data security practices were found to be unfair, in violation of the Federal Trade Commission Act. Here’s how the case unfolded:

August 2013: The FTC filed a complaint against LabMD based on two incidents where the lab allegedly failed to protect the security of personal information. In the first incident, a third party was able to access information on approximately 9,300 patients, including names, dates of birth, Social Security numbers, procedure codes, etc. This alleged breach was through a file-sharing application. The second breach involved personal information, including Social Security numbers, found in the possession of individuals who subsequently pleaded “no contest” to identity theft charges. LabMD moved to dismiss the complaint arguing that the FTC cannot enforce HIPAA’s Security Rule. That argument was rejected by the FTC and the case continued, with the FTC arguing that among other things, the company failed to:

  • Have a comprehensive security program to protect consumers’ personal information
  • Use readily available measures to identify commonly known or reasonably foreseeable security risks and vulnerabilities on its computer networks
  • Use adequate measures to prevent employees from accessing personal information not needed to perform their jobs
  • Adequately train employees to safeguard personal information
  • Require employees or other users with remote access to the networks to use common authentication-related security measures
  • Maintain and update operating systems of computers and other devices on its networks
  • Employ readily available measures to prevent or detect unauthorized access to personal information on its computer networks

November 2015: An Administrative Law Judge (ALJ) within the FTC ruled that LabMD’s alleged failure to institute reasonable data security measures was not likely to cause substantial injury to consumers. The FTC disagreed with the ruling.

July 2016: After another hearing, the FTC Commissioners disagreed with the ALJ and determined that a showing of tangible injury was not necessary for a company’s acts and practices to be unfair, in violation of the FTC Act. The Commissioners specifically noted that the company failed to provide reasonable and appropriate security for stored information and corrections could have been made at relatively low cost.

So breaches involving patient information can result in an investigation by the FTC (for all entities) as well as by OCR (for covered entities under HIPAA).


Donna Vanderpool, MBA, JD
Vice President


Largest Health Data Breach of 2016

Last week, Banner Health, one of the largest health systems in the country, posted notice of this year’s most substantial health care data breach. A cyber attack affecting as many as 3.7 million patients, employees, beneficiaries, and customers was discovered almost a month after initially taking place on June 13, 2016. The breach included patient names, addresses, and Social Security numbers; food and beverage customer payment card data, internal verification codes, and expiration dates; and provider names, Drug Enforcement Administration (DEA) numbers, Tax Identification Numbers, and National Provider Identifier numbers. Banner is currently working with a forensics firm to prevent any additional unauthorized access to protected health information. They have also contracted with a third party to provide free credit and identity monitoring services to affected individuals for one year.

Based on recent reports, however, remedial steps undertaken by Banner may not be enough to satisfy those parties harmed. Banner now faces a class action suit filed on behalf of Banner employee Dr. Howard Chen and other affected individuals. The plaintiffs seek compensation for identity and credit protection and allege Banner failed to implement appropriate security policies. Further, plaintiffs argue that free monitoring services for one year will do little to protect their confidential information, as cyber attackers often wait until years after a hack to exploit victims.

Read more about the breach here.


Justin A. Pope, JD
Associate Risk Manager
