Skip to main content

Know the Risks When Using Uber Health, Lyft

News  |  By John Commins  
   March 05, 2018

Ride-hailing services provide a reliable means to transport patients to care, but the potential downsides could include hacking risks and violations of anti-kickback laws.

Healthcare providers who want to use Uber Health, Lyft and other ride-hailing companies for their patients should first understand the potential risks and liabilities that could come with it.

Erica Mallon, a healthcare transactional and regulatory attorney with Tampa-based Carlton Fields, says ride-hailing services create exposure for providers that may not be immediately apparent.

In particular, she said, providers must be aware of anti-kickback laws and civil monetary penalties from fraud and abuse that could arise if providers offer Medicare, Medicaid or Tricare beneficiaries free or discounted transportation.

"That is one area that providers need to be very, very careful with," Mallon says. "That is a law that is targeted at providers and it has significant repercussions if they do not take the appropriate safeguards to ensure that they are not providing free and discounted transportation to induce beneficiaries to pursue medical services at their facilities."

"I could envision providers posting an ad on TV that says 'If you need dialysis services come to us and we will provide free transportation from anywhere in the 11-county radius,'" Mallon says.

"With just the advertisement for free or discounted transportation, particularly when you are looking to bring in patients from outside your immediate radius that wouldn't otherwise seek you out for services, there is significant risk there," she says.  

Last year, the Office of the Inspector General at the Department of Health and Human Services issued revised compliance guidelines on ride-hailing services, and Mallon recommends reading them before using the services. 

"They explicitly state appropriate safeguards that providers can take to mitigate fraud and abuse risk. It relates to advertising for services, the cost of the transportation, who the transportation targets," she says.

"While it is not necessarily a death sentence if the provider doesn't meet each of those elements, the best way providers can protect themselves is to meet those safe harbors that were set forth by the government," she says.

There are other potential problems. For example, who’s liable if a patient is injured in a ride-hailing automobile crash, or assaulted by a driver?

"If a patient experienced a rogue driver, would they name the provider who coordinated the ride for them in a potential lawsuit? Maybe. Probably," Mallon says. "Does that mean it would hold up in court? Maybe not. But, certainly it is a risk that providers need to consider as they enter this space."

Uber Health says it is HIPAA compliant, with safeguards to protect patient confidentiality. Uber drivers are told only a patient’s name, the pick-up and drop-off addresses, and won't know if a passenger is using Uber Health.

Mallon doesn't dispute the claim but adds that "we haven't seen enough details to make us comfortable with it."

Hackers are another concern.

"If providers are linking to Uber platforms from their own electronic medical records is there is some cyber-security risk that would allow hackers to enter the EMR," Mallon says. "We have seen many savvy hackers making their way into a provider's EMR through a variety of ways."

Providers who are considering using ride-sharing agreements should read up on the OIG guidelines, and do a risk assessment "to decide how this impacts their practice, their patients, what increased risks does it create and is it worth it," Mallon says. "That may be a case-by-case basis."

If providers decide to work with ride-sharing services, Mallon recommends having a business associate agreement in place that specifies that the provider is the covered entity and the ride-hailing company is the business associate.

"The more we use technology, the increased risk is there," Mallon says. "That doesn't mean that providers shouldn't pursue these opportunities, but they need to consider the risk."

John Commins is a content specialist and online news editor for HealthLeaders, a Simplify Compliance brand.

Get the latest on healthcare leadership in your inbox.