Ride-hailing companies, like Uber and Lyft, have partnered with many hospitals and providers to offer ridesharing services to patients seeking non-emergency medical transportation (NEMT) to receive various care services. Largely, this strategy makes sense: According to the Community Transportation Association, estimates nearly 3.6 million Americans miss or delay medical care every year due to unreliable transportation. These

 

missed appointments cost health care providers $150 billion a year, with no-show rates as high as 30%, according to SCI Solutions, which provide IT services to the health care industry.

Under such arrangements, however, there is an increased need for caution as ridesharing options become more popular for consumers, and more profitable for providers. Such services create exposure for providers that may not be immediately apparent; and it’s crucial that providers monitor healthcare regulatory issues such as civil monetary penalties law, Anti-Kickback statute, Health Insurance Portability and Accountability Act (HIPAA) and fraud waste and abuse laws.

Healthcare providers must comply with fraud waste and abuse laws. For instance, the Anti-Kickback Statute prohibits the knowing and willful payment to induce or reward patient referrals or the generation of business involving any item or service payable by the Federal health care programs. Providing transportation at little or no cost can potentially be viewed as an inducement or kickback to use the provider. And violations under Anti-Kickback Statute can give rise to civil monetary penalties or false claims act liability.

According to Elizabeth Scarola, a healthcare practice member at legal consulting firm Carlton Fields, any payment that’s likely to influence the selection of a provider or supplier of medical services may be liable for civil penalties — up to $10,000 per violation. And under the Anti-Kickback statute, violations are punishable by civil or criminal fines ranging from $25,000 to $210,000 per episode, and can even yield five years of prison time in certain instances.

According to HIPAA, any

 

entity that uses or discloses protected health information (PHI) on behalf of a covered entity is defined as a Business Associate. A covered entity must obtain satisfactory assurances from a Business Associate that it will safeguard the PHI it receives or creates, also known as a Business Associate Agreement (BAA).

Thus, if healthcare providers are directly providing PHI to ridesharing companies to schedule transportation for patients, such as providing the patient name and home address for pick up or drop off, then a business associate relationship exists pursuant to HIPAA. As a result, healthcare providers must enter into BAAs before these services are used for their patients.

Because Uber would be a Business Associate for purposes of HIPAA under this arrangement, it worked with Clearwater Compliance, a HIPAA compliance company, to create and implement safeguards. For example, Uber Health and Uber data are stored in separate servers, meaning that only select Uber employees and the healthcare providers have access to patient data. Accordingly, a breach in Uber’s servers should not compromise Uber Health’s data. Also, Uber Health drivers are not given any patient information, and rides are requested under “Uber Health,” not the patient’s name.

When it comes to compliance, healthcare providers need to stay vigilante as ridesharing companies hail into the healthcare industry. Thus, the Office of the Inspector General (OIG) at the Department of Health and Human Services (HHS) issued revised compliance guidelines on ride-hailing services. (View Safe Harbors Under the Anti-Kickback Statute and Civil Monetary Penalty Rules) The rules explicitly state appropriate safeguards that providers can take to mitigate fraud and abuse risk.

Author Bradley Byars

Co-Author Shairoz H. Virani