Health law is the federal, state, and local law, rules, regulations and other jurisprudence among providers, payers and vendors to the healthcare industry and its patient and delivery of health care services; all with an emphasis on operations, regulatory and transactional legal issues.
On October 23, 2019, the U.S. Department of Health and Human Services has imposed a civil money penalty of over $2 million against Jackson Health System in Florida for repeated HIPAA violations.
The HIPAA violations mentioned in the HHS Press Release include: 1-Loss of paper patient records in December 2012; 2-Loss of additional paper patient records in January 2013; 3-A media report containing patient information (a photo shared on social media); 4-Employees accessing the information of one patient without a job related purpose; 5- An employee’s improper access and sale of patient records in 2011.
“OCR’s investigation revealed a HIPAA compliance program that had been in disarray for a number of years,” said OCR Director Roger Severino. The state of the compliance program allowed for the failure of several HIPAA requirements, including provision of timely and accurate HIPAA breach notifications, performance of regular risk assessments, investigation of identified risks, audits of system activity records, and imposing appropriate restrictions on workforce members’ access to patient information. The government’s final determination is available here.
When a HIPAA breach is discovered and reported, the government will often take the time to review a covered entity’s history of compliance or non-compliance. This may include an investigation into prior issues, effectiveness of policies and procedures, and employee issues. Overlooking one suspected breach may result in the imposition of sanctions on any later breach. This is why it’s so important for a healthcare business to understand its HIPAA obligations and take them seriously.
When was the last time your business conducted a security risk assessment to understand its potential risk areas for security breaches? If you’ve never had one, or haven’t had one recently, the time is now to conduct one. “When was your last security risk assessment?” is often the first thing that the government will ask in response to a breach.
Federal fines for noncompliance with HIPAA are based on the level of negligence perceived by the Federal government at the time of the breach. Fines and penalties range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million. Simply put, your healthcare business can’t afford to bury its head and hope that it won’t be hit.
This section is a contract between you and the users of your website regarding what they can expect from the website and how they will act while on the website. You can use this section to protect you and your business from a variety of potential disasters including (but not limited to): limitless liability and intellectual property infringement.
You can use this section to limit any liability that you might create by having a website. For instance, if you give some medical advice (i.e., “Lowering your cholesterol reduces your risk for a heart attack.”), you can use your Terms and Conditions to limit a user’s reliance on that advice without additional medical intervention (“We are not your treating physician—if you have questions about your cholesterol levels, contact your physician.”).
You can also use this section to inform your users about any intellectual property protections that you might have. If your technology or services have pending or protected status, you’ll need to make your users aware of this information.
Finally, this section should establish the laws under which your website agrees to be governed. Even if the internet knows no boundaries, your website should establish its own. If your business is located in Florida, you can choose to be bound by Florida and Federal laws. It could limit any potential exposure in other states or nations.
The Children’s Online Privacy Protection Act (COPPA) protects minors under the age of 13 from having personal information collected without parental consent. How can a website operator be expected to know whether a user is 13 or under? If you plan on collecting any information from your uses, your Terms and Conditions should have a section prohibiting anyone under age 13 from accessing and using your site. It’s a simple fix that can potentially save you huge penalties.
Employers are approaching us in increasing numbers regarding their obligations toward employees battling substance abuse. Two federal laws primarily govern the space, the Americans with Disabilities Act and the Family and Medical Leave Act. Note that state laws may be more restrictive, so we encourage our clients to reach out to local attorneys to determine if additional legal protections are available to employees in their state.
The Americans with Disabilities Act (ADA) covers businesses with 15 or more employees to protects workers from discrimination based on a qualifying disability or a perceived disability, which is defined to include alcoholism and illegal drug use. However, to be eligible, the ADA protects only workers who either (i) have successfully been rehabilitated and are no longer using illegal drugs or misusing alcohol; or (ii) are currently participating in a rehabilitation program and are no longer using illegal drugs or misusing alcohol. Importantly, the ADA does not protect any employee who is presently battling alcoholism and illegal drug use and is not participating in a treatment program. An employee in the throes of substance abuse who is not actively seeking treatment is not protected by the ADA. read more
Thinking about selling a medical practice? Here are some steps for preparing your business in advance of a transaction.
Visit your financial planner.
Be sure that you can afford to leave the business, if you are retiring. Most times, buyers will require a comprehensive non-compete and you should be absolutely certain that you are financially prepared to retire or sell before you sign that restrictive covenant.
Visit your accountant.
Get your financial history in order. Review and re-review your tax returns and profit statements for the past three years to ensure that the business is appropriately reflected in those records. Take the time to clean up any “creative” bookkeeping so that the buyer is given a complete and accurate picture of the business they are buying into. You are likely going to have to make a representation that your financial disclosures are true, so take the time to get comfortable with that representation early on. read more
You might have recently received a holiday gift of a direct-to-consumer genetic testing kit from Ancestry.com or 23andMe.com (or any other number of companies). So exciting! In our melting pot society, one can’t help but be curious about where they come from and if they are more likely than any other person to be subject to any number of ailments.
Not so fast though! Before you swab yourself and send away your genes for testing, you might consider what you’re exposing yourself to. Direct-to-consumer genetic testing companies, which provide genetic testing directly to consumers without any intervening healthcare provider, are not bound by HIPAA. They are not considered “covered entities”, and therefore not required to use the same protections for genetic information the way a hospital or your doctor would. read more
Earlier this year, Jeff and Autumn and I had a conversation about my motivations and passions outside of the law. We all knew that I was professionally passionate about compliance but they didn’t know that I’ve been personally passionate about veterans and their stories since I was in college. I majored in European history and concentrated on modern history including, of course, World War II. The final for one class was to write the story of someone who lived through the war, whether in military service or on the home front. I’ve been hooked on seeking out veterans’ personal stories of the war ever since.
A couple of years ago, a friend went on her first Honor Flight, and its something I’ve wanted to do ever since. Honor Flight’s primary purpose is to honor our veterans by taking them to visit their war memorials in Washington D.C. Honor Flight was founded by Earl Morse, Physician Assistant and Retired Air Force Captain who worked in a Department of Veteran Affairs clinic in Springfield, OH. When the World War II Memorial opened in 2004, Earl asked one of his patients who had served in World War II if he would be visiting his memorial. He was disheartened to learn that the vet couldn’t afford to travel to his memorial. Earl also happened to be an amateur pilot, and arranged for several small planes to transport his patient and his comrades to the memorial erected to honor them. Now, 14 years later, Honor Flight has hubs all over the nation and a waiting list of 35,000 World War II, Korea and Vietnam veterans waiting for their chance to fly. The flights are entirely free for veterans. read more
On May 19, 2018, Delray Beach medical spa owner Jennifer Aspen was booked into the Palm Beach County Jail and charged with practicing medicine without a license. Ms. Aspen is the manager of Mermaid’s Skin & Wellness, a medical spa located in Delray Beach, Florida. The charges against Ms. Aspen stem from the fact that a Delray Beach police officer presented to Mermaid’s Skin & Wellness for a testosterone shot. Ms. Aspen stated to the officer that she would perform the injection. Ms. Aspen is a certified nursing assistant in the State of Florida. Her license is currently listed as “delinquent” on the Department of Health’s website, meaning that (as of today) she failed to renew her license after its May 30, 2018 expiration date. Certified nursing assistants are not generally allowed to administer testosterone in the State of Florida.
One of the legal issues that presents frequently in our office is med spa compliance; who can open and operate a medical spa if it is just a cash business, meaning that it does not submit claims for reimbursement to any government or commercial payor. Misunderstandings run rampant in the medical spa industry and many times patients are administered treatment from persons who are not supposed to be providing it. read more
Monty Ray Grow was a defensive back on the Florida Gators’ football team from 1990 until 1993. He contracted to play for the Kansas City Chiefs in 1994 and then for the Jacksonville Jaguars in 1995 and 1996. On February 5, 2018, he was convicted by a federal jury in Miami for his chief role in a massive healthcare marketing scheme designed to defraud Tricare.
Tricare is a health benefit program that provides civilian benefits for U.S Armed Forces military personnel, retirees, their dependents, and some military reservists. Tricare is a Department of Defense Program.
In September 2014, Grow entered into an agreement with a compounding pharmacy in Pompano Beach, Florida, wherein the pharmacy would pay Grow’s marketing company a commission equal to fifty percent (50%) of what the pharmacy netted in Tricare reimbursement from Grow’s referral of Tricare beneficiaries to the pharmacy. (Later on, Grow became an employee of the pharmacy.) Grow then used his commission to offer and pay recruiters to convince Tricare beneficiaries to use this pharmacy. Additionally, Grow offered and paid Tricare beneficiaries themselves to use this pharmacy. read more
In 2015, Assistant Attorney General Leslie Caldwell spoke publicly about the importance for every healthcare provider to not only have a compliance program on its shelf, but also being sure that the compliance program is “tailored to the unique needs, risks and structure of each business or industry.” Assistant Attorney General Caldwell explained, “the adequacy of a compliance program is a factor when [the DOJ] decide[s] how and whether to prosecute a company. The lack or insufficiency of a compliance program can have real consequences for a company when a violation of law is discovered.” read more
On December 29, 2017, the Department of Children and Families (DCF) submitted comments for proposed changed to rule 65D-30, governing licensed substance abuse service providers. The proposed rule includes significant changes as compared to old 65D-30, and should be reviewed as soon as possible by all DCF-licensed substance abuse service providers. Comments must be received by DCF on or before January 19, 2018, and can be submitted via the form at the bottom of THIS LINK .The proposed changes are substantial, and we strongly recommend someone in each licensed service provider reviews them as soon as possible in order to ensure timely compliance.
This article will focus on changes in the licensing component of DCF’s rules. read more