FDA investigates gadolinium-based contrast agents for MRI

The Food and Drug Administration (FDA) has initiated an investigation into the health risk of brain deposits following repeated use of gadolinium-based contrast units (GBCAs) for MRI. Recent medical publications report that deposits of GBCAs remain in the brains of some patients who undergo four or more contrast MRI scans, long after the last administration. It is unknown whether these GBCA deposits are harmful or lead to adverse effects.

GBCAs are mostly eliminated through the kidneys after an MRI. However, studies have confirmed that trace amounts of gadolinium can remain in the brain long-term, even in patients with normal kidney function. This issue affects only GBCAs; it does not apply to other types of scanning agents, such as those that are iodine-based or radioisotopes.

The FDA recommends that health care professionals consider limiting GBCA to clinical circumstances in which the additional information provided by the contrast is necessary. The FDA also urges health care professionals to reassess the use of mrepetitive GBCA MRIs in established treatment protocols.

The full original report, including information on how to report adverse events or side effects related to GBCA use, is available on the FDA website.

You received a notice from the TMB — now what?

A TMB action — how to report

Because the threat of a disciplinary action is all too real, every TMLT policy includes Medefense coverage. Medefense covers legal expenses, fines, and penalties associated with disciplinary actions, such as actions by the TMB, a hospital review committee, or a federal regulatory agency.

If you receive notice of any disciplinary action, you are strongly urged to do the following as possible.

1. Call the Claim Department at 800-580-8658 to report a Medefense claim as soon as you receive the initial letter from the TMB or other disciplinary authority. You have 60 days to report an insured event to receive reimbursement for covered expenses under Medefense.

2. Consider retaining an attorney to help draft your initial response to the TMB.TMLT can provide you with the contact information of attorneys who have experience handling disciplinary proceedings.

Working with an attorney who is knowledgeable of TMB proceedings can result in an early dismissal of the complaint. “I have seen too many examples of cases where the physician responds on his own, or forwards a copy of the medical records without a response. Often the physician’s response does not contain what it should and can actually make matters worse,” says Gregory Myers, an attorney with the Myers and Doyle Law Firm in Houston.

3. If you do not choose an attorney from TMLT’s panel of attorneys, promptly send the following information to TMLT to expedite the payment process under Medefense:

  • copies of all legal expense invoices pertaining to the defense of the claim — the legal or audit expenses should be itemized on an hourly basis showing the services provided, the time incurred, and the hourly rate;
  • copies of all payments made to the attorney or law firm representing the policyholder in the matter; and
  • a copy of the dispositive letter describing the final outcome so the claim can be closed.

Because the TMB can impose a range of disciplinary actions — including revoking or suspending your medical license — it’s important to respond appropriately when you receive a notice of investigation.

At TMLT, we have encountered a number of cases where physicians did not hire an attorney or notify us when they received the initial complaint notice from the TMB. These physicians believed they could prepare a response to the Board and hoped the matter would go away. They learned otherwise when they received a notice of investigation or notice that the matter was set for an Informal Settlement Conference. Ultimately, once an attorney was finally hired, the physician and attorney were at a disadvantage in preparing a defense.

Health and Human Services launches random HIPAA audit surveys

Last year, the U.S. Department of Health and Human Services (HHS) and the Office for Civil Rights (OCR) reported their intentions to survey health care entities and their business associates in order to select subjects for a new “random” audit.

The selection process is now underway!

OCR has begun sending pre-audit screening surveys via email to applicable entities across the state, with questions expected to focus on security risks to protected health information (PHI) and pervasive issues of non-compliance based on OCR’s 2011 and 2012 audit findings and observations.

It is unknown how many of those contacted will actually be selected for the audit; however, sources are projecting that approximately half of those contacted will be audited. If you receive a survey, please don’t ignore it. Respond to it as soon as possible. Failure to do so could potentially “raise a red flag” with HHS, and invite scrutiny or even an independent audit.

If a serious compliance concern is found through an audit, OCR may initiate a full compliance review through its enforcement division that could lead to financial penalties.

The audit program is an attempt by OCR to proactively enforce, assess, and confirm HIPAA compliance efforts, and present new opportunities to “examine mechanisms for compliance, identify best practices, and discover risks and vulnerabilities that may not have come to light through OCR’s ongoing complaint investigations and compliance reviews.” (1)

TMLT Resources

If you receive a survey, please contact Cathy Bryant in TMLT’s Product Development and Consultant Services department at cathy-bryant@tmlt.org or 512-425-5910. Cathy will do a high level review to help your Privacy Officer identify areas that may be on the audit.

If you are chosen for an audit, please contact TMLT at 800-580-8658 and ask for the Claims Department.

To help you prepare for a potential audit, TMLT offers the following table with information and solutions related to these audits.

POLICIES AND PROCEDURES – REVIEW AND UPDATEHIPAA and Texas Medical Privacy and Security require you to have updated policies and procedures. 


TMLT Privacy and Security Toolkit

  • The TMLT toolkit guides practices with existing policies through a system-wide review and highlights which revisions may need to be made.
  • The toolkit also helps those practices currently developing policies and procedures to better understand HIPAA rules and Texas law.
  • The toolkit is available online at http://goo.gl/7Jye5K.
NOTICE OF PRIVACY PRACTICES (NPP) – REVIEW AND UPDATERecent changes to the HIPAA Omnibus Rule and Texas Medical Privacy and Security laws require you to revise your Notice of Privacy Practices. 


Notice of Privacy Practices (NPP)

  • The NPP is an important document that tells your patients how you will use and disclose their protected health information (PHI).
  • Changes with Omnibus require you to review and revise your NPP.
  • Changes to Texas law require you to notify patients if you electronically disclose PHI.
  • Sample NPP are available from TMLT Risk Management, TMA and HHS at http://goo.gl/Iv3Izf.
  • Changes to Texas law require you to notify patients if you electronically disclose PHI.
  • TMLT solutions are available in TMLT’s toolkit: http://goo.gl/7Jye5K.
BUSINESS ASSOCIATE (BA) & BUSINESS ASSOCIATE AGREEMENT (BAA) – IDENTIFY ALL BAs & REVIEW AND REVISE BAAsBAs are now held to the same requirements under HIPAA as Covered Entities (CE).During the Random HIPAA Audit, BAs of audited CE will also be subject to an audit. Business Associates and Business Associate Agreements

  • Identify all your BAs or anyone with whom you share your PHI.
  • Determine if you had an existing BAA with them prior to March 26, 2013. If yes, you have until September 22, 2014 to get an updated BAA signed. If not, get a BAA signed as soon as possible.
  • Learn more about BAs and BAAs in TMLT’s Privacy and Security Toolkit.
  • TMLT can conduct a Security Risk Analysis for your practice.
  • The HIPAA Security Rule requires a Security Risk Analysis if you do electronic billing or have EHR. (2)
TRAININGPhysician and Staff HIPAA Training 



TMLT Privacy and Security Toolkit

  •  Texas law is more stringent than Federal Law on training. TMLT’s toolkit includes “Introduction to Developing Physician Office Training.”
  •  TMLT can develop customized training for your office.
  • Again, the toolkit is available at http://goo.gl/7Jye5K.
KNOW YOUR STATE LAW  TMLT Privacy and Security Toolkit

  • The Comparison Tool, included in the toolkit, highlights Texas and federal law differences.

For more information on TMLT’s Toolkit, risk assessments, or consulting services, please contact Stephanie Downing at 1-800-580-8658 or consultingwebmail@tmlt.org.


  1. http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/auditpilotprogram.html
  2. http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/

New Certificate of Insurance Service

We would like to help you with your paperwork.

Physicians associated with a hospital are often required to provide a Certificate of Insurance (COI) to the hospital in order to receive or maintain hospital staff privileges. Instead of physicians retrieving, printing and delivering this document themselves, TMLT will now directly provide our policyholders’ COI to their hospital administrators upon request.

With this service, a hospital administrator has the option of retrieving a TMLT policyholder’s COI from our online member portal, myTMLT, or requesting it directly from our Underwriting Department. This service was designed to create more efficiency and greater security for our members’ credentials.

If you, as a policyholder, would like to take advantage of this service or have previously “opted in,” you don’t have to take any further action. Service will be added to your TMLT and TMIC policies beginning June 1, 2015.

However, if you do not want to take advantage of this service, you may “opt out” by contacting the Underwriting Department and requesting that all COIs be sent to you, so that you may then forward them to your hospital administrator yourself.

Whether you decide to opt in or opt out of this service, you may still log in to myTMLT to access and print your COI at any time.

If you have any questions about this service, please contact your agent or call the TMLT Underwriting Department at 800-580-8658.

Passwords: Changing them and saving them

How to make easy-to-remember changes to your password

In part one of this two-part cyber security article, we explored how to make a strong password. Now that you know how to create a good password, keep in mind that you may be required by your IT department or EHR to change your password every few months. The good news is that you don’t necessarily have to change your entire password; you may elect to only change sections of it. For instance, if “Pa$$w0rd” is your password, you could simply implement a new element at the beginning, middle, or end of the password to change it. For instance, you may change “Pa$$w0rd” to “Pa$$w0rrdd2015.”

There are several methods you can use to easily change and remember your passwords. Many use numbers instead of letters. Others like to explore using more special characters. The trick is to use a sequence that works for you. You may notice that each time you change your base password, it looks like less of a word and more of an encrypted message that only you can read.

One tip: you may wish to change one element at a time so that you can easily remember your changes. For example, you may decide to change the location of a capital letter, then add a special character, and then change a number.

Where to save the Pa$$w0rd

Avoid saving your password on your computer login or in a web browser if at all possible. Again, this makes it too easy for hackers to access or steal. Many people make the mistake of saving whole passwords to phones, writing them down, or putting them in a file. If you choose to save your password in writing, use caution. Don’t ever save them on post-it notes on or near computers. This is like putting your front door key under the welcome mat. Consider the same concepts that we use with credit card numbers and bank accounts. Once you figure out what your core password is, don’t ever write the entire word/acronym down. If you must, only write the changes and leave the rest of the password out, or write down clues that only you would understand or know the answer to, such as “my mother’s middle name.”

Read part one, P@$$w0rd! Not password.