Georgia's Trusted Healthcare
& Medical Provider Attorneys

DJ Jeyaram Quoted in Leading National Medicaid Publication

DJ was quoted in the national “Part B News” publication – a leading industry information source for healthcare practice managers and physicians.

Check out DJ’s quotes below in the article: “Negotiate For Patient Record Access When Rival Practices Close:”

Negotiate For Patient Record Access When Rival Practices Close

Increase your patient census and practice revenue when a nearby practice closes by striking a deal for limited access to patient records without paying for the privilege.

In fact, in some cases, the closing practice may pay you.

One of the valuable tangible assets of a practice sale is the patient records that come with it. While the purchaser can’t under HIPAA treat these records as their own until the patients affirm via signed waivers that they want to adopt the new provider, the fact that the buyer is holding the records provides an enormous incentive for them to do so.

It isn’t necessary for the buyer to purchase the entire assets of the practice either, notes Patrick Stanley, an attorney with Comitz | Beethe in Scottsdale, Ariz. Patient records may be included in a limited asset purchase agreement. As with a complete purchase, the retiring practice would then give patients notice and direct them to the purchaser to retrieve their records or, if they choose, continue their care with the new practice. Remember that the patients would have to sign on and have the final say. Note: Laws on the disposition of medical records may vary by state.

How to take custody of records

Vasilios “Bill” Kalogredis, chairman of the health law department of Lamb McErlane in West Chester, Pa., says he has negotiated several arrangements between practices that were closing down and practices that wanted to pick up their patients.

“I see this a lot,” says Kalogredis. “A solo practitioner is retiring and he can’t sell the practice, or he’s leaving one state for another. Hospitals and other practices may not want to buy, but they’re interested in the patients.”

Propose a “custodial” arrangement if buying the practice or part of it is too rich for your blood. In that case, your practice just takes responsibility for the safekeeping of the other practice’s records. Under such an agreement, when the retiring practice gives notice to its patients, it also would inform them that they can retrieve their records from you and that you also are available to provide continuity of care.

The custodial agreement also should address the length of time that the records will be retained, says D.J. Jeyaram, owner and health care attorney at Jeyaram & Associates in Atlanta.

Consult your legal counsel and malpractice insurance carrier before entering into an agreement to make sure you’re handling things properly from the legal and ethical perspectives, Kalogredis suggests.

Some practices may even receive a fee for accepting this responsibility. But note that while receiving a fee for the storage of medical records would be kosher, an arrangement whereby you pay a fee for the right to store the records “could be seen as remuneration for referrals under the federal anti-kickback statute or its state equivalents,” says Jeyaram.

Mind HIPAA rules

Note that in a custodial arrangement, you would be only holding the patient records — they’re not really your records unless and until the patient releases them to you. “HIPAA only allows for the exchange of protected health information (PHI) without a written release if the transfer is between current or prior health care providers for the purposes of providing treatment,” says Jeyaram.

In this circumstance, under HIPAA, you would be a business associate (BA) of the transferring practice that remains the covered entity, says Jeyaram, and you should execute a business associate agreement (BAA) (PBN 7/11/16).

The BAA, which ensures HIPAA compliance in the transfer and storage of records, should be referenced in the custody agreement, Jeyaram says.
Note that though it varies by state, responsibility for retention of medical records is usually seven years or longer; be prepared to follow through on that if you accept responsibility.

Remember: A custodial arrangement gives you a good shot at inheriting these patients, but it’s not “exclusive” — in some states and under some contracts, other providers from the closed-down practice may take their patient lists with them and reach out to these patients too. In the end, it’s always the patient’s choice (PBN 5/2/16). — Roy Edroso (


Healthcare Providers: Your Business Associates Could Cost You Millions

Healthcare providers must ensure business associates adequately safeguard private health information

The Department of Health and Human Services (HHS) recently entered into a HIPAA settlement with a Minnesota hospital for $1.5 million because the hospital failed to have a written business associate agreement with one of its contractors.

Business associates are entities that are not HIPAA covered entities but require access to protected health information (PHI) to perform services for covered entities, often contractors or subcontractors. The hospital’s policies failed to ensure the business associate adequately protected consumers’ PHI.

While HIPAA applies to certain covered entities, those entities must also ensure that their business associates adequately secure PHI. HHS found that the Minnesota hospital overlooked two important aspects of the HIPAA rules.

  1. The hospital did not have a written, compliant business associate agreement with one of its IT contractors, and
  2. The hospital failed to have an accurate and thorough risk analysis of its entire IT infrastructure.

HHS investigated after the hospital reported that a laptop was stolen from an employee of the business associate. The laptop contained password-protected but unencrypted PHI for almost 10,000 individuals.

The $1.5 million settlement underscores the importance of HIPAA compliance. Healthcare providers must ensure they have compliance agreements with anyone who has access to protected health information. One example of this is when a healthcare provider contracts IT services. Without compliance agreements, companies can be responsible for hefty fines even if a business associate actually causes the PHI security breach.

If you need help creating policies or contracts to safeguard private healthcare information, we can help. Please contact Jonathan Anderson at 678.325.3872.

Need Proof As To Why You Need To Conduct HIPAA Risk Assessments? Read On

An employee’s stolen laptop with unencrypted files led to a HIPAA investigation and ultimately a $750,000 settlement

The Department of Health and Human Services (HHS) recently issued a press release announcing a settlement with a 13-physician radiation oncology practice related to HIPAA violations. Cancer Care Group, P.C. settled allegations of HIPAA noncompliance for an amount of $750,000. One of the major factors that led HHS to conclude that Cancer Care was in widespread non-compliance with the HIPAA Security Rule was the practice’s failure to conduct a proper risk analysis.

HHS investigated the practice because of a HIPAA breach that occurred in 2013. The breach occurred when a laptop bag was stolen from an employee’s car. The laptop contained unencrypted files which included patient Protected Health Information (PHI) such as names, addresses, birth dates, Social Security numbers, and clinical information.

HHS notes that if Cancer Care had conducted an enterprise-wide risk analysis, they could have identified the removal of unencrypted backup media as an area of significant risk to Cancer Care’s ePHI and adopted policies and procedures to reduce such risk. HHS Office of Civil Rights Director Jocelyn Samuels emphasizes that “organizations must complete a comprehensive risk analysis and establish strong policies and procedures to protect patients’ health information.”

HHS also notes that Cancer Care should have had a comprehensive device and media control policy in place. Failure to have a policy that outlined employee responsibilities when removing devices containing ePHI from the facility contributed to the breach.

This settlement is another reminder that health care practices should not ignore their obligation to conduct periodic comprehensive risk assessments. Failure to do so might put practice patient information at risk of breach and could be costly for the practice if it is investigated by HHS.

The full HHS Press Release is available here, and the Cancer Care Settlement Agreement is available here.

Please contact Danielle Hildebrand at (678) 325-3872 if you have questions about conducting a risk assessment for your practice.

CMS Considers ICD-10 Test Run A Success


With less than a month to go until the October 1 deadline for implementation of ICD-10 codes, many providers are nervous and wary of the readiness of the Centers for Medicare and Medicaid Services (CMS) systems.

According to CMS, there is little to worry about. CMS recently released the results of its July ICD-10 end-to-end testing and announced a success rate of 87%.

Approximately 1,200 providers voluntarily participated in the test.

  • Of the 29,286 test claims received, 25,646 were accepted. (This is an 87% success rate.)
  • 1.8% of the test claims were rejected due to invalid submission of ICD-10 diagnoses or procedure codes.
  • 2.6% of the test claims were rejected due to invalid submission of ICD-9 diagnosis or procedure codes.
  • Zero rejects due to front-end CMS issues.

If you are a provider, these statistics should be comforting. However, the 13% error rate is still a cause for concern. Add that number to the fact that ICD-10 will have 68,000 diagnosis and procedure codes, FIVE times the number of ICD-9 codes, and it can be a bit overwhelming.

Remember that upon implementation, ICD-10 codes will be required for all HIPAA covered entities.

Please contact Kimberly Sheridan at 678-708-4702 if you have questions about ICD-10 implementation.

Avoid Being A Target Of HIPAA Audits | Here’s How

Phase 2 OCR HIPAA Audits Are Here – What Providers Should Do to Prepare

The Office of Civil Rights (OCR) has taken the first step in the next round of HIPAA audits.

OCR has begun to send out surveys in order to collect information from providers, health plans, and clearinghouses in preparation for phase 2 of their HIPAA audits. From the hundreds of entities receiving surveys, OCR will select over 200 providers and over 100 health plans to be audited.

It is more important than ever to make sure that you have complied with the HIPAA Rules. Here are the top 3 areas every provider should address:

1. When was the last time you conducted a Risk Assessment? If it has been more than a year or two, you should conduct a comprehensive Risk Assessment now.

If you are a small- to medium-sized office, you can take advantage of HHS’s security risk assessment tool available on their website: SRA Tool

2. Have you recently reviewed your HIPAA policies and procedures to ensure that they are up to date and are being followed? There are three main areas that need to be addressed in your policies: Security Standards, Privacy Standards and Breach Notification Standards.

    • Security Standards – focus on how you keep Protected Health Information (PHI) secure, whether it is stored and/or transmitted electronically or in some other form. Your practice must have appropriate safeguards in place (for example, requiring the use of secure passwords to access electronic health records and encrypting all devices that might contain e-PHI).
    • Privacy Standards – do you conduct periodic trainings for personnel regarding privacy practices? Do you have records that such trainings have been completed by all personnel? Is your Notice of Privacy Practices current and made available to your patients?
    • Breach Notification Standards – do you have a policy in place that outlines the steps for identifying and reporting a breach? Such a policy should address steps to take to investigate and contain the problem, as well as a means for identifying how many people were affected, who those individuals are, and how to send out breach notices. Keep in mind that under the Breach Notification Rule, providers must provide notice of a breach within a certain time frame. Your procedures for responding to a breach should allow for adequate time to meet this deadline.

3. Keeping track of your Business Associates and Business Associate Agreements – During the audit process OCR might ask for a list of business associates and their contact information. All providers should have this readily available. It is also important to have written Business Associate Agreements that are up to date and can be made available to OCR upon request.

If you have any questions about any HIPAA requirements or the approaching OCR audits our attorneys can help. Please contact Danielle Hildebrand at


The information on this site should not be construed as formal legal advice and is not intended to create or constitute a lawyer-client relationship.


ICD-10 Deadline Less Than 3 Months Away – Need Help?

CMS Announces Measures To Help Ease Transition

The countdown to ICD-10 has begun in earnest, and the Centers for Medicare & Medicaid Services (CMS) has made it clear that it will not back down on the deadline of October 1, 2015. However, CMS announced on July 6 that it is adopting policies to help ease the transition to ICD-10.

The ICD-9 code sets used to report medical diagnoses and inpatient procedures will be replaced by ICD-10 code sets. ICD-10 will affect diagnosis and inpatient procedure coding for everyone covered by the Health Insurance Portability and Accountability Act (HIPAA), not just those who submit Medicare or Medicaid claims.

Although the American Medical Association (AMA) has long opposed the ICD-10 conversion, it issued a joint press release with CMS on July 6. The press release addresses some of the AMA’s concerns and offers some concessions by CMS. To assuage concerns from healthcare providers about inadvertent coding errors that could lead to audits and penalties, CMS has named a CMS ICD-10 Ombudsman to triage and answer questions about the submission of claims. The ICD-10 Ombudsman will be located at CMS’s ICD-10 Coordination Center. CMS has also released provider training videos and an outline of its implementation plan.

Additionally, CMS has announced that for one year past the Oct. 1, 2015, deadline, it will reimburse for incorrectly coded claims as long as that erroneous code is in the same broad family as the right one.

Providers should note that claims for services provided on or after the compliance date will need to be submitted with ICD-10 diagnosis codes; but claims for services provided prior to the compliance date should be submitted with ICD-9 diagnosis codes.

It is important for providers to have their practices ready to implement ICD-10 on October 1, 2015. If you need help with the ICD-10 transition and implementation, call Jeyaram & Associates’ Kimberly Sheridan at 678-708-4703.

More Providers Audited for HIPAA Compliance – Are You Ready?

The number of entities audited for HIPAA compliance has increased. Are you prepared if OCR comes knocking on your door?

Under the HITECH Act, the Department of Health and Human Services is required to conduct periodic audits to ensure that entities are complying with HIPAA. Phase 1 audits concluded in 2012. Now OCR has released information on Phase 2 and more audits are set to begin around October of this year.

HIPAA Covered Entities and Business Associates selected for audits will be asked to quickly produce policies and procedures, executed business associate agreements and other HIPAA-related documentation so that it can be reviewed by OCR to determine if any deficiencies exist. OCR has noted that it intends to focus on the deficiencies identified through Phase 1 audits. These include lack of proper policies and procedures, presence of security risks, failing to conduct a security risk assessment, and failing to have business associate agreements on file.

Small providers should also take note—according to OCR, small providers tended to have more deficiencies than larger providers. OCR has also revealed other details regarding the second round of audits. OCR will be conducting the audits internally and has increased the number of entities to be audited to 400, 350 of which will be Covered Entities and the remaining 50 Business Associates. Some of the audits will focus on the Privacy Rule, others on the Breach Notification Rule, and the remainder will focus on compliance with the Security Rule.

If your organization is a covered entity or business associate under HIPAA, you want to make sure that you are prepared in case you are one of the entities subject to an audit this fall. Steps you will want to take include:

  • Have all your HIPAA policies and procedures updated and on file
  • Make sure all your Business Associate Agreements reflect the 2013 changes to the HIPAA Rules and have those agreements properly executed and on file
  • Conduct a security risk assessment if you have not already and ensure that security risks are addressed
  • Engage an experienced healthcare law firm to proactively help you review the aforementioned items to help you identify any potential deficiencies

To view OCR’s Presentation on Phase 2 Audits, click here: OCR Audits Phase 2 by Linda Sanches, Senior Advisor for Health Information 

For more information contact DJ Jeyaram at or Danielle Hildebrand at 

Are YOU Compliant With New HIPAA Rules?

It has been half a year since the new HIPAA Rules were fully implemented. Are you compliant?

If you are a healthcare provider or work with healthcare providers you should already know that last year the Department of Health and Human Services published the HIPAA Omnibus Rule expanding the reach of HIPAA enforcement and bolstering notification requirements. Under the rule, business associates must comply with most of the requirements that previously only applied to covered entities.

Furthermore, HHS can now impose penalties directly on business associates, which range from $100 to $50,000 per violation.

Covered entities also have new requirements that they must follow. For example, such entities must provide notifications to the affected individuals and to HHS when a breach has occurred. If a large group of individuals are affected the entities must also notify the media. Furthermore, the definition of a breach is more expansive—an impermissible use or disclosure of protected health information (PHI) is presumed to be a “breach,” unless the HIPAA-covered entity demonstrates there is a low probability that the PHI has been compromised.

Entities that deal with protected health information in the form of electronic health records should also be aware that they have become an attractive target for hackers. The information in a medical record is extremely valuable on the black market, making patients’ protected health information susceptible to theft.

Given the new obligations and penalties under the Omnibus Rule and the increasing vulnerability of protected health information it is more important than ever to ensure that the proper measures are in place to prevent breaches. HIPAA-covered entities and business associates need to consider whether they are in a position to protect against and appropriately respond to breaches through periodic risk assessments and implementation of HIPAA-compliant policies and procedures.

Some threshold questions that your entity will want to ask include:

• Do you have a current written HIPAA policy that reflects the practices of the organization?

• Does your HIPAA policy address what is to be done in the event of a breach?

• Does your policy provide a proper means of assessing whether a breach has occurred?

You can view the Omnibus Rule, including the changes to the Privacy Rule, Security Rule and Breach Notification Rule here: HIPAA Omnibus Rule

ICD-10 Deadline for Healthcare Providers Fast Approaching – Jeyaram & Associates Can Help

The October 1, 2014 deadline to switch to the ICD-10 code set is less than five months away. This mandatory requirement replaces the ICD-9 code set used to report medical diagnoses and inpatient procedures.

All healthcare providers covered by the Health Insurance Portability and Accountability Act (HIPAA) must adhere to this new requirement. Please note, the change to ICD-10 does not affect CPT coding for outpatient procedures and physician services.

All healthcare practices currently using the ICD-9 codes must transition to the new codes. The transition to the new code set will take several months. If you have not started the transition, we strongly urge you to begin now.

ICD-10 consists of two parts:

1. ICD-10-CM for diagnosis coding
2. ICD-10-PCS for inpatient procedure coding 

ICD-10-CM is for use in all U.S. health care settings. Diagnosis coding under ICD-10-CM uses 3 to 7 digits instead of the 3 to 5 digits used with ICD-9-CM, but the format of the code sets is similar.

ICD-10-PCS is for use in U.S. inpatient hospital settings only. ICD-10-PCS uses 7 alphanumeric digits instead of the 3 or 4 numeric digits used under ICD-9-CM procedure coding. Coding under ICD-10-PCS is much more specific and substantially different from ICD-9-CM procedure coding.

The Centers for Medicare and Medicaid Services website provides detailed checklists to help healthcare providers make the transition. However, if you have questions or need help with the transition to the ICD-10 code set, Jeyaram & Associates can help. Contact DJ Jeyaram at 678-708-4705.