We are frequently asked how laws like HIPAA, OSHA, Fraud and Abuse, and others relate to an eyecare business under the designation of “corporate. We are also frequently told by some corporate eyecare business owners these laws simply do not apply to them. Nothing could be further from the truth. No “covered entity” is exempt from HIPAA; no business with employees is exempt from the vast amount of human resource laws; no provider who files a claim for insurance reimbursement is exempt from the laws and tenets of medical reimbursement; no business in America is exempt from OSHA; and, very few healthcare businesses are exempt from the laws regarding patient discrimination, patient disability, fee transparency, and numerous other regulations. In some situations, the application may vary, but no one gets out alive.
Enforcement of healthcare compliance laws is on steroids. The combination of new Washington focused on compliance with a government that is in serious need of money creates a dangerous situation for businesses that continue to ignore the law. Like no time in the past, failure to comply with all these laws is an unacceptable gamble. Eyecare businesses, whether owned and operated by doctors or non-doctors, are considered some of the least compliant healthcare entities. When it comes to the decision of who to investigate – remember the answer to the old riddle “Why does the robber rob the bank? Because that’s where the money is!
Let’s review the major laws and how the application MAY vary based on the structure of the business as well as some unique situations that may complicate compliance in corporate practice.
HIPAA. HIPAA is the most complex application.
Any healthcare business that transmits ANY patient data by ANY electronic means for ANY reason is subject to the regulations in HIPAA. The question in HIPAA is who is the covered entity? The covered entity is the individual, company, or entity that actually makes the transmission of patient data by electronic means. In a corporate practice, this could be the doctor or a non-doctor owner. Even if the doctor or owner contracts with another company to bill insurance, the doctor or owner is still the covered entity and the company billing the insurance is a business associate of the doctor or owner and a business associate agreement is required.
The covered entity is responsible for the protection of patient information. In most cases, individuals or companies outside the practice who may have access to or handle patient information become business associates of the covered entity. In a corporate practice where the optical is owned by someone other than the covered entity, this could be individuals in the optical who manage or have access to the covered entity’s patient schedules or have/demand access to patient records. Again, a business associate agreement would be required.
We have seen unusual situations where shared business operations, including sharing network (computer) operations are in place. These are unique problems that require individual analysis to determine their impact on HIPAA regulations but, in general, the covered entity always remains responsible for the protection of patient information.
CONCLUSION: The owner (layperson or doctor) is the covered entity and must comply with all HIPAA regulations.
OSHA. OSHA is easy.
The owner is bound by all rules of OSHA. No exceptions. Complexities in a corporate setting can arise with shared space and shared employees. In general, if you are using a space where your employees or patients work, a common break area, or common restroom facilities, you should pay close attention to compliance with OSHA regulations in those shared areas. If employees from a separate optical or business come into your “space”, they are visitors and you have the responsibility to have a safe environment for them just like your employees, patients, and other visitors. One caveat, legal counsel has stated that an employed doctor working for a non-compliant business could be held legally responsible for unfortunate incidences related to OSHA (or possibly any compliance area).
Human Resources. Also easy – usually.
If you have employees, you must abide by all the Federal and State employment laws. Sometimes there is “sharing” of employees. In these situations, it all comes down to who pays the employee. Their employer is responsible for everything even if that employee is allowed to come from a separate optical and perform some function in your business. In rare situations, we see actual employee sharing where each entity is paying part of the employee’s wages based on time spent with each entity. Shared employee laws are very complex and we highly recommend professional or legal counsel in those situations. Some businesses use employee leasing and in some cases, the leasing company is the larger corporate entity. Again, it is all about who pays them – their employer is responsible for compliance with the laws.
Fraud and Abuse. Not a pretty picture.
In general, optometrists are rated high on the fraud and abuse scale. This stems from a lack of accurate training about vision and medical reimbursement rules and a plethora of misinformation on the subject in countless blogs. The corporate practice is no different and the rules are no different. The questions relate to whether the optometrist owns the business or is employed by someone else who ones the business. The question does have a simple but relatively unknown answer. The primary responsibility for compliance with vision and medical reimbursement laws and regulations is the owner of the business. But…the attending physician is ultimately responsible for the accuracy of any insurance claim for services they provided. Everyone on the team should have accurate knowledge of the rules and an eye focused on accurate and legal claims submission.
Everything else…
The number of healthcare compliance areas you must be concerned about is rapidly growing. Co-management laws, CE offered to optometrists by ophthalmologists issues, patient discrimination, patient disability regulations, fee transparency – it is a wicked soup. In some situations (disability, discrimination, fee transparency) ultimate responsibility lies with the business owner. Other issues directly related to the doctor like professional relationships with ophthalmology are obviously focused on the doctor.
Despite this, PCS recommendations look at this another way. Regardless of the business “structure”, location, or franchise details, the business should be a true team approach. In that scenario, EVERYONE is concerned about and focused on protecting the business by being fully compliant with the law.