Health law is the federal, state, and local law, rules, regulations and other jurisprudence among providers, payers and vendors to the healthcare industry and its patients, and the delivery of health care services, all with an emphasis on operations, regulatory and transactional legal issues.
On October 23, 2019, the U.S. Department of Health and Human Services imposed a civil money penalty of over $2 million against Jackson Health System in Florida for repeated HIPAA violations.
The HIPAA violations mentioned in the HHS Press Release include: (1) loss of paper patient records in December 2012; (2) loss of additional paper patient records in January 2013; (3) a media report containing patient information (a photo shared on social media); (4) employees accessing the information of one patient without a job-related purpose; and (5) an employee’s improper access and sale of patient records in 2011.
“OCR’s investigation revealed a HIPAA compliance program that had been in disarray for a number of years,” said OCR Director Roger Severino. The state of the compliance program allowed for the failure of several HIPAA requirements, including provision of timely and accurate HIPAA breach notifications, performance of regular risk assessments, investigation of identified risks, audits of system activity records, and imposing appropriate restrictions on workforce members’ access to patient information. The government’s final determination is available here.
When a HIPAA breach is discovered and reported, the government will often take the time to review a covered entity’s history of compliance or non-compliance. This may include an investigation into prior issues, effectiveness of policies and procedures, and employee issues. Overlooking one suspected breach may result in the imposition of sanctions on any later breach. This is why it’s so important for a healthcare business to understand its HIPAA obligations and take them seriously.
When was the last time your business conducted a security risk assessment to understand its potential risk areas for security breaches? If you’ve never had one, or haven’t had one recently, the time is now to conduct one. “When was your last security risk assessment?” is often the first thing that the government will ask in response to a breach.
Federal fines for noncompliance with HIPAA are based on the level of negligence perceived by the Federal government at the time of the breach. Fines and penalties range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million. Simply put, your healthcare business can’t afford to bury its head and hope that it won’t be hit.
This section is a contract between you and the users of your website regarding what they can expect from the website and how they will act while on the website. You can use this section to protect you and your business from a variety of potential disasters including (but not limited to): limitless liability and intellectual property infringement.
You can use this section to limit any liability that you might create by having a website. For instance, if you give some medical advice (e.g., “Lowering your cholesterol reduces your risk for a heart attack.”), you can use your Terms and Conditions to limit a user’s reliance on that advice without additional medical intervention (“We are not your treating physician. If you have questions about your cholesterol levels, contact your physician.”).
You can also use this section to inform your users about any intellectual property protections that you might have. If your technology or services have pending or protected status, you’ll need to make your users aware of this information.
Finally, this section should establish the laws under which your website agrees to be governed. Even if the internet knows no boundaries, your website should establish its own. If your business is located in Florida, you can choose to be bound by Florida and Federal laws. It could limit any potential exposure in other states or nations.
The Children’s Online Privacy Protection Act (COPPA) protects minors under the age of 13 from having personal information collected without parental consent. How can a website operator be expected to know whether a user is 13 or under? If you plan on collecting any information from your users, your Terms and Conditions should have a section prohibiting anyone under age 13 from accessing and using your site. It’s a simple fix that can potentially save you huge penalties.
HHS found that a home health agency incorrectly billed Medicare and did not comply with Medicare Billing requirements for beneficiaries that were not homebound and for others that did not require skilled services at all.
In August and September 2018, physicians and the owner of a home health agency were each sentenced on multiple counts of conspiracy and healthcare fraud and ordered to pay $6.5 million in restitution. One physician was sentenced to 132 months in prison following trial. A physician who pled guilty was sentenced to 27 months in prison following a guilty plea. The home health agency owner was sentenced to 42 months in prison. The defendants paid and received kickbacks in exchange for patients and billed Medicare more than $8.9 million for services that were medically unnecessary, never provided, and/or not otherwise reimbursable. Additionally, certain defendants provided prescriptions for opioid medications to induce patient participation in the scheme.
In September 2018, the co-owner and administrator of a home health agency was sentenced to 24 months in prison, ordered to pay over $2.2 million in restitution, and ordered to forfeit over $1.1 million. The co-owners participated in a home healthcare fraud conspiracy that resulted in Medicare paying at least $2.2 million on false and fraudulent claims. The owners and their co-conspirators paid kickbacks to doctors and patient recruiters in exchange for patient referrals, billed Medicare for services that were medically unnecessary, and caused patient files to be falsified to justify the fraudulent billing.
Back in February 2018, the owner of more than twenty home health agencies was sentenced to 240 months in prison and ordered to pay $66.4 million in restitution, jointly and severally with his co-defendants, after pleading guilty to one count of conspiracy to commit health care fraud and wire fraud. A patient recruiter for the home health agencies, who also owned a medical clinic and two home health agencies of her own, was sentenced to 180 months in prison. Another patient recruiter, who also was the owner of two home health agencies, was sentenced to 115 months in prison. These conspirators paid illegal bribes and kickbacks to patient recruiters in return for the referral of Medicare beneficiaries, many of whom did not need or qualify for home health services. Medicare paid approximately $66 million on those claims.
Illegal kickbacks in exchange for referrals of Medicare beneficiaries, lack of medical necessity for home health services, failing to meet the guidelines, fraudulent billing, billing for services beneficiaries did not receive and fraudulent documentation continue to plague the home healthcare industry.
I am a successful physician who works for a thriving practice that is affiliated with a local hospital or Ambulatory Surgical Center (“ASC”). The hospital/ASC was so impressed with my professionalism and skills that they retained me to perform certain additional duties and services for them. Of course, they are paying me for my time and services. This is great, I love my work, I am generating two sources of respectable income – all is good.
Not so fast!
As can sometimes be the case, all is good while there is smooth sailing and while the money is coming in. However, that changes once there is a bump in the road, a hiccup in a procedure, or a third-party employee files a complaint with the Equal Employment Opportunity Commission (“EEOC”), the Florida Commission on Human Relations (“FCHR”), the Department of Labor (“DOL”) or any federal or state agency complaining about some alleged incident in their workplace. Their lawsuit can be filed against you individually, against your practice or against the hospital/ASC. Not to mention, a lawsuit can be filed by a patient or third party against the practice or the hospital/ASC. Then what?
A Final Rule recently issued by CMS will require Medicare, Medicaid, and CHIP (Children’s Health Insurance Program) providers and suppliers to disclose current and previous affiliations (direct or indirect) with a provider or supplier that: (1) has uncollected debt; (2) has been or is excluded by the OIG (Office of Inspector General) from Medicare, Medicaid or CHIP; or (3) has had its billing privileges with any of these three programs denied or revoked. Such provider affiliations may lead to enrollment being denied if they pose a risk of fraud, waste or abuse.
Deciding you want to open your own medspa or start a medical practice is the first and most important step in creating something unique and building a brand. Understanding how to properly “start” that business from a legal perspective, and doing so correctly can be the difference between success and failure.
As a physician in a private, solo-practice, or the business owner of a medspa startup, proper strategy is key. Understanding your corporate structure, developing a business plan, and compliance with the laws will help eliminate pesky obstacles that will slow your growth.
When working with start-ups the following steps should be given plenty of time and attention.
In Florida, a licensed physician can provide supervision of healthcare providers that are not physicians under certain circumstances. Understanding who a physician can cover and under what circumstances can help protect your license and avoid receiving a complaint by the Florida Department of Health.
In every case, when a physician agrees to supervise another provider, Florida law requires certain documentation and notice to be filed.
Ransomware attacks are impacting the healthcare community’s HIPAA security at a staggering rate. If a practice has data stolen from its network and does not report the breach to the Office of Civil Rights (OCR), it could be subject to massive fines for the lack of reporting. Specific steps must be followed to determine if ePHI (electronic protected health information) was compromised. This often involves hiring a forensics company and working with a cybersecurity company to harden the practice’s infrastructure. When you are the victim of an attack once, you will most likely be a victim again because of vulnerabilities in your network that enabled the attack vector (or payload) to infiltrate your system. You cannot simply restore your data and hope for the best.
As you may have heard, the State Hemp Plan, SB 1020, has passed the Florida House and Senate and is waiting for Governor DeSantis’ action (approval or veto) or inaction (no veto). The Governor’s approval or failure to veto SB 1020 means SB 1020 will become law. So what does this mean for Florida?
SB 1020 is meant to bring Florida’s laws regarding the cultivation and processing of hemp in line with the Federal Farm Bill of 2018, which removed hemp from the DEA’s list of controlled substances and legalized the industrial use of hemp. Currently, hemp is listed as a controlled substance under Florida law. SB 1020 will change that and allow cultivation of hemp and distribution and retail sale of hemp extract.
There has been much talk about the future of health care real estate investment trusts (REITs) and the evolution of the real estate market, as well as the way patient care is being provided in today’s world. With greater demand for outpatient and ambulatory surgical centers, the healthcare REIT market is forecasted to be a bullish market. Additional reasons for positive forecasts include an aging population with greater demand, a track record of high performance, and cost of equity capital. Investing in income-generating real estate can be a great way to increase net worth. For many, investing in real estate, particularly commercial real estate, seems to be out of reach financially. However, with the right partnerships and guidance, it is possible. REITs (pronounced “reets”) allow small investors today to pool their resources with other small investors in order to invest in large-scale commercial real estate as a group.