Health law is the federal, state, and local law, rules, regulations and other jurisprudence among providers, payers and vendors to the healthcare industry and its patient and delivery of health care services; all with an emphasis on operations, regulatory and transactional legal issues.
Attention Florida prescribers and dispensers – did you know that a new law mandating electronic prescribing goes into effect on January 1, 2020?
More specifically, Florida House Bill 831, which was signed by Governor DeSantis in June 2019, requires prescribers to generate and transmit all prescriptions electronically upon licensure renewal or by July 1, 2021, whichever is earlier, unless an exemption applies.
If a practitioner is licensed to prescribe a medicinal drug, and such practitioner either (i) maintains a system of electronic health records; or (ii) is an owner, employee or contractor of a licensed healthcare facility or practice that maintains a system of electronic health records and are prescribing in their capacity as an owner, employee or contractor of the licensed healthcare facility; then they must electronically transmit their prescriptions
Essentially, as of January 1, 2020, practitioners must transmit all prescriptions electronically upon the earlier of license renewal or by July 1, 2021, unless: read more
It’s probably fair to say that most healthcare providers are aware of the federal Anti-Kickback Statute and the Stark Law (and if you’re not, please call me immediately!). Those two laws, along with the False Claims Act, are the sources of the huge fines and penalties that make the headlines for governmentally discovered “fraud.” However, there are a number of other regulatory provisions out there that the Office of Inspector General (OIG) is regularly policing.
One of these laws, with its origins in the Social Security Act, is the prohibition against providers hiring individuals or entities who have been excluded from participation in governmental health care programs such as Medicare or Medicaid. Hiring an excluded person or company can expose a provider/employer to Civil Monetary Penalties, which can result in significant financial hardship to the provider. And although this may seem like a simple rule to follow, recent enforcement activity shows that it may be fairly easy for an excluded person to “fall through the cracks” and wind up as your employee. read more
On October 23, 2019, the U.S. Department of Health and Human Services has imposed a civil money penalty of over $2 million against Jackson Health System in Florida for repeated HIPAA violations.
The HIPAA violations mentioned in the HHS Press Release include: 1-Loss of paper patient records in December 2012; 2-Loss of additional paper patient records in January 2013; 3-A media report containing patient information (a photo shared on social media); 4-Employees accessing the information of one patient without a job related purpose; 5- An employee’s improper access and sale of patient records in 2011.
“OCR’s investigation revealed a HIPAA compliance program that had been in disarray for a number of years,” said OCR Director Roger Severino. The state of the compliance program allowed for the failure of several HIPAA requirements, including provision of timely and accurate HIPAA breach notifications, performance of regular risk assessments, investigation of identified risks, audits of system activity records, and imposing appropriate restrictions on workforce members’ access to patient information. The government’s final determination is available here.
When a HIPAA breach is discovered and reported, the government will often take the time to review a covered entity’s history of compliance or non-compliance. This may include an investigation into prior issues, effectiveness of policies and procedures, and employee issues. Overlooking one suspected breach may result in the imposition of sanctions on any later breach. This is why it’s so important for a healthcare business to understand its HIPAA obligations and take them seriously.
When was the last time your business conducted a security risk assessment to understand its potential risk areas for security breaches? If you’ve never had one, or haven’t had one recently, the time is now to conduct one. “When was your last security risk assessment?” is often the first thing that the government will ask in response to a breach.
Federal fines for noncompliance with HIPAA are based on the level of negligence perceived by the Federal government at the time of the breach. Fines and penalties range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million. Simply put, your healthcare business can’t afford to bury its head and hope that it won’t be hit.
This section is a contract between you and the users of your website regarding what they can expect from the website and how they will act while on the website. You can use this section to protect you and your business from a variety of potential disasters including (but not limited to): limitless liability and intellectual property infringement.
You can use this section to limit any liability that you might create by having a website. For instance, if you give some medical advice (i.e., “Lowering your cholesterol reduces your risk for a heart attack.”), you can use your Terms and Conditions to limit a user’s reliance on that advice without additional medical intervention (“We are not your treating physician—if you have questions about your cholesterol levels, contact your physician.”).
You can also use this section to inform your users about any intellectual property protections that you might have. If your technology or services have pending or protected status, you’ll need to make your users aware of this information.
Finally, this section should establish the laws under which your website agrees to be governed. Even if the internet knows no boundaries, your website should establish its own. If your business is located in Florida, you can choose to be bound by Florida and Federal laws. It could limit any potential exposure in other states or nations.
The Children’s Online Privacy Protection Act (COPPA) protects minors under the age of 13 from having personal information collected without parental consent. How can a website operator be expected to know whether a user is 13 or under? If you plan on collecting any information from your uses, your Terms and Conditions should have a section prohibiting anyone under age 13 from accessing and using your site. It’s a simple fix that can potentially save you huge penalties.
HHS found that a home health agency incorrectly billed Medicare and did not comply with Medicare Billing requirements for beneficiaries that were not homebound and for others that did not require skilled services at all.
In August and September 2018, physicians and the owner of a home health agency were each sentenced on multiple counts of conspiracy and healthcare fraud and ordered to pay $6.5 million in restitution. One physician was sentenced to 132 months in prison following trial. A physician who pled guilty was sentenced to 27 months in prison following a guilty plea. The home health agency owner was sentenced to 42 months in prison. The defendants paid and received kickbacks in exchange for patients and billed Medicare more than $8.9 million for services that were medically unnecessary, never provided, and/or not otherwise reimbursable. Additionally, certain defendants provided prescriptions for opioid medications to induce patient participation in the scheme.
In September 2018, the co-owner and administrator of a home health agency was sentenced to 24 months in prison, ordered to pay over $2.2 million in restitution, and ordered to forfeit over $1.1 million. The co-owners participated in a home healthcare fraud conspiracy that resulted in Medicare paying at least $2.2 million on false and fraudulent claims. The owners and their co-conspirators paid kickbacks to doctors and patient recruiters in exchange for patient referrals, billed Medicare for services that were medically unnecessary, and caused patient files to be falsified to justify the fraudulent billing.
Back in February 2018, the owner of more than twenty home health agencies was sentenced to 240 months in prison and ordered to pay $66.4 million in restitution, jointly and severally with his co-defendants, after pleading guilty to one count of conspiracy to commit health care fraud and wire fraud. A patient recruiter for the home health agencies, who also owned a medical clinic and two home health agencies of her own, was sentenced to 180 months in prison. Another patient recruiter, who also was the owner of two home health agencies, was sentenced to 115 months in prison. These conspirators paid illegal bribes and kickbacks to patient recruiters in return for the referral of Medicare beneficiaries many of whom did not need or qualify for home health services. Medicare paid approximately $66 million on those claims.
Illegal kickbacks in exchange for referrals of Medicare beneficiaries, lack of medical necessity for home health services, failing to meet the guidelines, fraudulent billing, billing for services beneficiaries did not receive and fraudulent documentation continues to plague the home healthcare industry.
In a fraudulent operation that the Department of Justice calls, “unprecedented”, elderly or disabled patients nationwide were lured into providing their DNA for testing in a widespread genetic testing fraud scheme powered by a large telemarketing network. The doctors involved were paid to write orders prescribing the testing without any patient interaction or with only a brief telephone conversation.read more
The Fourth District Court of Appeal just ruled that the fact that a person received and acted on the advice of a lawyer is inadmissible when being prosecuted for violating the Florida Patient Brokering Act.
Florida Patient Brokering Act
The Court found that the Act is a “general intent” crime, not a “specific intent” crime because it does not specifically say it’s illegal to do the specified things “knowingly and willingly” (or words to that effect). Had the law contained such language, it would have been considered to be a “specific intent crime,” thus entitling the accused to introduce into evidence the fact that the person got legal advice before engaging in the targeted conduct.
The ruling ALSO creates an opportunity for the Legislature to reexamine the law to see if specific intent language makes sense. We strongly believe that it should, since the federal law the Act was originally modeled on (the Anti-Kickback Statute) contains such specific intent-type language. And while the Act has exceptions that would still apply to prosecuted individuals, the ruling underscores the importance of reexamining any and all compensation arrangements between healthcare providers, especially those connected in any way to patient referrals or business generation.
At the end of June, Governor DeSantis signed into law various additions and clarifications to the requirements of offices and clinics allowing liposuction procedures. Should your office perform these types of procedures, please review below and speak with an attorney about your obligations.
Mandatory State Registration: On or before January 1, 2020, every office in which a physician performs a liposuction procedure removing more than 1,000 cubic centimeters of supernatant fat must register with the State in order to perform such a surgery in office. (Exceptions are made for offices that maintain State licenses under either Chapter 390 or Chapter 395, Florida Statutes.)
On June 3, 2019, the Department of Health and Human Services Office of the Inspector General (the “OIG”) issued a Fraud Alert titled: Genetic Testing Scam. Though the alert is short, the fact that the alert itself was issued is important. The OIG doesn’t often issue fraud alerts, so taking an affirmative step like this shows an increased likelihood of regulatory action.
Physicians, take note. If you are working with a laboratory
providing genetic testing services, be sure that laboratory is (1) running
those specimens on its own equipment; (2) only sending out testing equipment
after receiving your order; and (3) has in place policies and procedures
designed to accurately bill for the services it performs and other compliance
The opportunities to use technology to provide healthcare services seem to be growing as fast as technology itself. This is especially true in the area of care being provided by a “remote” provider. In fact, an AMA study released in May 2019 indicated that telehealth was the fastest growing “place of care” in the country, outpacing urgent care centers, retail clinics, and ambulatory surgery centers. Unfortunately, the laws governing telehealth have not always kept up with the pace of that growth, and questions remained about how it could be provided in Florida. However, the Florida legislature did something about that this year, by passing House Bill 23, which Governor Ron DeSantis signed into law on June 25, 2019. The act, which is primarily codified in Florida Statutes §456.47, took effect on July 1, 2019 and answers many outstanding questions. These questions are addressed below.
Constitutes Telehealth in Florida and Who can Practice It?
The new law sets out a straightforward, and broad, definition of telehealth. Basically, telehealth in Florida is the use of telecommunication technology by a telehealth provider to provide healthcare services. These services can include assessment, diagnosis, consultation, treatment, monitoring, transfer of medical data, education, public health services and health administration. Voice-only telephone calls, emails and faxes are specifically excluded from the definition. Obviously those activities are still permissible, but they fall outside the definition.