Health law is the federal, state, and local law, rules, regulations and other jurisprudence among providers, payers and vendors to the healthcare industry and its patient and delivery of health care services; all with an emphasis on operations, regulatory and transactional legal issues.
In the beginning of June, 2020, the Department of Justice (“DOJ”) revised its Evaluation of Corporate Compliance Programs Guidance Document. The Document is designed to assist prosecutors in making informed decisions as to whether, and to what extent, the company’s compliance program is effectivefor purposes of determining, when a compliance violation has occurred, the appropriate form of any resolution or prosecution and monetary penalty. It also guides a prosecutor as to the company’s compliance obligations contained in any criminal resolution. The Document has been revised on three occasions since 2017, telegraphing the DOJ’s intent to prosecute those businesses without compliance plans, or without effective compliance plans, more harshly than those taking steps to identify and remedy risks.
A healthcare business’ failure to have in place a compliance program designed to detect and respond to potential fraud and security risks places it at a serious risk of civil and criminal liability. When a compliance issue is investigated, charged and resolved, DOJ prosecutors are instructed to consider whether the business has invested in and improved its corporate compliance program and internal controls systems. They must also determine whether those improvements have been tested to demonstrate that they would prevent or detect similar misconduct in the future. According to the DOJ, there are three fundamental questions that a prosecutor should ask when determining whether a business’ compliance plan is sound:read more
Out of network physician owned specialty hospitals are unique in that there are less stringent legal requirements on the facility, but patient care obligations remain the same. This means that patient care must be prioritized over profits and all actions taken by the hospital and any physician investor must showcase that order of priority.
Given the amount of scrutiny placed in physician owned specialty hospitals in the past two decades, these facilities are well served to identify and implement a process to remedy compliance concerns. Even when a facility does not submit claims to any Federal health insurance provider and is out of network with all commercial insurance companies, it is still required to follow the laws of the state where it is located.
The best plan for surviving scrutiny in such situations is to have a plan. Proactively seek out applicable laws and regulations, and determine how your hospital will abide by them. Compliance can be tailored to fit your facility.
Overutilization and Self-Referrals
A physician who shares ownership in a hospital may have a financial incentive to refer patients for services if he or she receives a percentage of the revenue generated. Laws including the Federal Stark Law and Anti-Kickback Statute were promulgated to combat unnecessary referrals. A 2003 study by the Department of Health and Human Services concluded that physician-investor referrals to hospitals in which they have an investment interest are similar to those physicians without investment interests. Nevertheless, the fear of overutilization and unnecessary self referral remains at the forefront of the regulators’ minds at both the State and Federal level. read more
On October 23, 2019, the U.S. Department of Health and Human Services has imposed a civil money penalty of over $2 million against Jackson Health System in Florida for repeated HIPAA violations.
The HIPAA violations mentioned in the HHS Press Release include: 1-Loss of paper patient records in December 2012; 2-Loss of additional paper patient records in January 2013; 3-A media report containing patient information (a photo shared on social media); 4-Employees accessing the information of one patient without a job related purpose; 5- An employee’s improper access and sale of patient records in 2011.
“OCR’s investigation revealed a HIPAA compliance program that had been in disarray for a number of years,” said OCR Director Roger Severino. The state of the compliance program allowed for the failure of several HIPAA requirements, including provision of timely and accurate HIPAA breach notifications, performance of regular risk assessments, investigation of identified risks, audits of system activity records, and imposing appropriate restrictions on workforce members’ access to patient information. The government’s final determination is available here.
When a HIPAA breach is discovered and reported, the government will often take the time to review a covered entity’s history of compliance or non-compliance. This may include an investigation into prior issues, effectiveness of policies and procedures, and employee issues. Overlooking one suspected breach may result in the imposition of sanctions on any later breach. This is why it’s so important for a healthcare business to understand its HIPAA obligations and take them seriously.
When was the last time your business conducted a security risk assessment to understand its potential risk areas for security breaches? If you’ve never had one, or haven’t had one recently, the time is now to conduct one. “When was your last security risk assessment?” is often the first thing that the government will ask in response to a breach.
Federal fines for noncompliance with HIPAA are based on the level of negligence perceived by the Federal government at the time of the breach. Fines and penalties range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million. Simply put, your healthcare business can’t afford to bury its head and hope that it won’t be hit.
This section is a contract between you and the users of your website regarding what they can expect from the website and how they will act while on the website. You can use this section to protect you and your business from a variety of potential disasters including (but not limited to): limitless liability and intellectual property infringement.
You can use this section to limit any liability that you might create by having a website. For instance, if you give some medical advice (i.e., “Lowering your cholesterol reduces your risk for a heart attack.”), you can use your Terms and Conditions to limit a user’s reliance on that advice without additional medical intervention (“We are not your treating physician—if you have questions about your cholesterol levels, contact your physician.”).
You can also use this section to inform your users about any intellectual property protections that you might have. If your technology or services have pending or protected status, you’ll need to make your users aware of this information.
Finally, this section should establish the laws under which your website agrees to be governed. Even if the internet knows no boundaries, your website should establish its own. If your business is located in Florida, you can choose to be bound by Florida and Federal laws. It could limit any potential exposure in other states or nations.
The Children’s Online Privacy Protection Act (COPPA) protects minors under the age of 13 from having personal information collected without parental consent. How can a website operator be expected to know whether a user is 13 or under? If you plan on collecting any information from your uses, your Terms and Conditions should have a section prohibiting anyone under age 13 from accessing and using your site. It’s a simple fix that can potentially save you huge penalties.
Employers are approaching us in increasing numbers regarding their obligations toward employees battling substance abuse. Two federal laws primarily govern the space, the Americans with Disabilities Act and the Family and Medical Leave Act. Note that state laws may be more restrictive, so we encourage our clients to reach out to local attorneys to determine if additional legal protections are available to employees in their state.
The Americans with Disabilities Act (ADA) covers businesses with 15 or more employees to protects workers from discrimination based on a qualifying disability or a perceived disability, which is defined to include alcoholism and illegal drug use. However, to be eligible, the ADA protects only workers who either (i) have successfully been rehabilitated and are no longer using illegal drugs or misusing alcohol; or (ii) are currently participating in a rehabilitation program and are no longer using illegal drugs or misusing alcohol. Importantly, the ADA does not protect any employee who is presently battling alcoholism and illegal drug use and is not participating in a treatment program. An employee in the throes of substance abuse who is not actively seeking treatment is not protected by the ADA. read more
Thinking about selling a medical practice? Here are some steps for preparing your business in advance of a transaction.
Visit your financial planner.
Be sure that you can afford to leave the business, if you are retiring. Most times, buyers will require a comprehensive non-compete and you should be absolutely certain that you are financially prepared to retire or sell before you sign that restrictive covenant.
Visit your accountant.
Get your financial history in order. Review and re-review your tax returns and profit statements for the past three years to ensure that the business is appropriately reflected in those records. Take the time to clean up any “creative” bookkeeping so that the buyer is given a complete and accurate picture of the business they are buying into. You are likely going to have to make a representation that your financial disclosures are true, so take the time to get comfortable with that representation early on. read more
You might have recently received a holiday gift of a direct-to-consumer genetic testing kit from Ancestry.com or 23andMe.com (or any other number of companies). So exciting! In our melting pot society, one can’t help but be curious about where they come from and if they are more likely than any other person to be subject to any number of ailments.
Not so fast though! Before you swab yourself and send away your genes for testing, you might consider what you’re exposing yourself to. Direct-to-consumer genetic testing companies, which provide genetic testing directly to consumers without any intervening healthcare provider, are not bound by HIPAA. They are not considered “covered entities”, and therefore not required to use the same protections for genetic information the way a hospital or your doctor would. read more
Earlier this year, Jeff and Autumn and I had a conversation about my motivations and passions outside of the law. We all knew that I was professionally passionate about compliance but they didn’t know that I’ve been personally passionate about veterans and their stories since I was in college. I majored in European history and concentrated on modern history including, of course, World War II. The final for one class was to write the story of someone who lived through the war, whether in military service or on the home front. I’ve been hooked on seeking out veterans’ personal stories of the war ever since.
A couple of years ago, a friend went on her first Honor Flight, and its something I’ve wanted to do ever since. Honor Flight’s primary purpose is to honor our veterans by taking them to visit their war memorials in Washington D.C. Honor Flight was founded by Earl Morse, Physician Assistant and Retired Air Force Captain who worked in a Department of Veteran Affairs clinic in Springfield, OH. When the World War II Memorial opened in 2004, Earl asked one of his patients who had served in World War II if he would be visiting his memorial. He was disheartened to learn that the vet couldn’t afford to travel to his memorial. Earl also happened to be an amateur pilot, and arranged for several small planes to transport his patient and his comrades to the memorial erected to honor them. Now, 14 years later, Honor Flight has hubs all over the nation and a waiting list of 35,000 World War II, Korea and Vietnam veterans waiting for their chance to fly. The flights are entirely free for veterans. read more
On May 19, 2018, Delray Beach medical spa owner Jennifer Aspen was booked into the Palm Beach County Jail and charged with practicing medicine without a license. Ms. Aspen is the manager of Mermaid’s Skin & Wellness, a medical spa located in Delray Beach, Florida. The charges against Ms. Aspen stem from the fact that a Delray Beach police officer presented to Mermaid’s Skin & Wellness for a testosterone shot. Ms. Aspen stated to the officer that she would perform the injection. Ms. Aspen is a certified nursing assistant in the State of Florida. Her license is currently listed as “delinquent” on the Department of Health’s website, meaning that (as of today) she failed to renew her license after its May 30, 2018 expiration date. Certified nursing assistants are not generally allowed to administer testosterone in the State of Florida.
One of the legal issues that presents frequently in our office is med spa compliance; who can open and operate a medical spa if it is just a cash business, meaning that it does not submit claims for reimbursement to any government or commercial payor. Misunderstandings run rampant in the medical spa industry and many times patients are administered treatment from persons who are not supposed to be providing it. read more
Monty Ray Grow was a defensive back on the Florida Gators’ football team from 1990 until 1993. He contracted to play for the Kansas City Chiefs in 1994 and then for the Jacksonville Jaguars in 1995 and 1996. On February 5, 2018, he was convicted by a federal jury in Miami for his chief role in a massive healthcare marketing scheme designed to defraud Tricare.
Tricare is a health benefit program that provides civilian benefits for U.S Armed Forces military personnel, retirees, their dependents, and some military reservists. Tricare is a Department of Defense Program.
In September 2014, Grow entered into an agreement with a compounding pharmacy in Pompano Beach, Florida, wherein the pharmacy would pay Grow’s marketing company a commission equal to fifty percent (50%) of what the pharmacy netted in Tricare reimbursement from Grow’s referral of Tricare beneficiaries to the pharmacy. (Later on, Grow became an employee of the pharmacy.) Grow then used his commission to offer and pay recruiters to convince Tricare beneficiaries to use this pharmacy. Additionally, Grow offered and paid Tricare beneficiaries themselves to use this pharmacy. read more