Vendor’s advice could result in medical malpractice suit

There are several disparate areas in which following a vendor or consultant’s recommendations could lead to liability for an individual physician or physician practice, warns Henry C. Fader, JD, an attorney at Pepper Hamilton in Philadelphia. Here are some scenarios that carry legal risks for physicians:

• A practice’s electronic medical record (EMR) fails to meet criteria for the Centers for Medicare & Medicaid Services’ (CMS’) “meaningful use” payments.

One of the Obama administration’s initiatives is to expand the number of physicians using EMRs with incentive payments, but several criteria must be satisfied, notes Fader.

If a physician hires an information technology vendor to put the EMR into service, and the EMR does not meet the appropriate certification criteria or does not perform particular functions in accordance with the required criteria, the physician might inadvertently make a false claim to the Medicare or Medicaid program when requesting “meaningful use” payments, warns Fader.

“Providers should be certain that the EMR has been certified by appropriate oversight organizations, and that their legal counsel or consultant has the EMR vendor represent in writing that the planned EMR meets the certification standards,” advises Fader.

• A consultant arranges for a practice to share de-identified patient information with a pharmaceutical company to examine prescribing practices with respect to a particular diagnosis.

Suppose the physician provides the consultant with access to the EMR records, and all of the patient-identifying data is loaded on the consultant’s unencrypted laptop. “The laptop is stolen from the consultant’s vehicle. Your practice has now suffered a breach under Health Insurance Portability and Accountability Act [HIPAA] and the HITECH [Health Information Technology for Economic and Clinical Health] laws,” says Fader.

While the consultant would have joint responsibility under HITECH for the breach as a “business associate,” the physician has to explain to patients how the breach occurred, says Fader. “This situation results in loss of reputation as well as potential fines from the Office of Civil Rights,” he says. “Be sure that your legal counsel has reviewed your practice’s business associate agreement to be sure it’s compliant with HITECH requirements.”

• As part of an accountable care organization (ACO) which requires that clinical guidelines be followed and patient satisfaction reported, a practice hires a consultant to assist in the provision of appropriate clinical guidelines for its patients.

“But the consultant is providing advice and recording results that unfortunately enhance the practice’s statistics. These are then used to qualify your patient population for gain-sharing payments,” says Fader.

As a result of using these enhanced statistics due to the consultant’s advice, physicians might have filed a false claim and would need to return the savings to the ACO and the Medicare program, he explains.

“You must be especially vigilant that checks and balances for keeping track of patients in your care through internal controls are put in place from the beginning,” says Fader. “Further, you ought to work with your compliance officer to ensure that appropriate quality measures and shared savings are being reported to CMS.”

• A physician decides to outsource human resources (HR) to a consultant, who handles interviews and completion of employment and benefits paperwork and is supposed to verify credentials, verify references, and perform a criminal background check.

“As practices and facilities attempt to find ways to reduce costs, the HR function can suffer,” says Fader. He gives the following scenario: An employee embezzles funds from the practice’s bank account, and when you notify the police of the loss, they advise you that the employee had been convicted of theft previously.

“When you confirm the situation with the HR consultant, you get the bad news that they never performed the required criminal background check on the employee, costing the practice thousands of dollars in losses,” says Fader.

Fader says that falsification of credentials is common, and that often, important due diligence steps are missed. He recommends:

— verifying transcripts by accepting only originals from an educational institution;

— ordering criminal background checks from the state police;

— checking credit reports and related lien and judgment searches where permissible.

• A consultant hired to assist a surgical practice in becoming more efficient recommends a new approach for obtaining consent.

For example, the consultant might suggest asking patients to indicate “I Agree” on a tablet computer as they are wheeled into surgery. “This device saves much time and effort in obtaining informed consent, but one of your patients sues for medical malpractice, and you have to testify that you provided the patient with informed consent,” says Fader.

In this situation, he says, the plaintiff is likely to move for a directed verdict in favor of the patient since the physician is unable to testify that adequate informed consent was obtained. If informed consent is not deemed adequate by a court, the judge might find as a matter of law that the lack of consent led to the injury and damages, he explains.

“Your indemnification from the vendor may assist in recouping damages, but not overcoming the lack of consent and the resultant loss of the malpractice case,” says Fader.