healthcare law

All posts tagged healthcare law

The Risk Of Not Paying Attention to HIPAA Violations

by admin on October 30, 2019 No comments

On October 23, 2019, the U.S. Department of Health and Human Services has imposed a civil money penalty of over $2 million against Jackson Health System in Florida for repeated HIPAA violations.

The HIPAA violations mentioned in the HHS Press Release include:
1-Loss of paper patient records in December 2012;
2-Loss of additional paper patient records in January 2013;
3-A media report containing patient information (a photo shared on social media);
4-Employees accessing the information of one patient without a job related purpose;
5- An employee’s improper access and sale of patient records in 2011.

“OCR’s investigation revealed a HIPAA compliance program that had been in disarray for a number of years,” said OCR Director Roger Severino. The state of the compliance program allowed for the failure of several HIPAA requirements, including provision of timely and accurate HIPAA breach notifications, performance of regular risk assessments, investigation of identified risks, audits of system activity records, and imposing appropriate restrictions on workforce members’ access to patient information. The government’s final determination is available here.

When a HIPAA breach is discovered and reported, the government will often take the time to review a covered entity’s history of compliance or non-compliance. This may include an investigation into prior issues, effectiveness of policies and procedures, and employee issues. Overlooking one suspected breach may result in the imposition of sanctions on any later breach. This is why it’s so important for a healthcare business to understand its HIPAA obligations and take them seriously.

When was the last time your business conducted a security risk assessment to understand its potential risk areas for security breaches? If you’ve never had one, or haven’t had one recently, the time is now to conduct one. “When was your last security risk assessment?” is often the first thing that the government will ask in response to a breach.

Federal fines for noncompliance with HIPAA are based on the level of negligence perceived by the Federal government at the time of the breach. Fines and penalties range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million. Simply put, your healthcare business can’t afford to bury its head and hope that it won’t be hit.

Why Overlooking Website Terms of Use and Privacy Policy Pages Can Cost You

by admin on October 11, 2019 No comments

By: Jacqueline Bain

As many healthcare businesses invest in their websites, two areas that are often added as a quick afterthought (or overlooked completely) are the Terms of Use and Privacy Policy. But a potential slip up in these areas can cost you dearly.

Terms of Use

This section is a contract between you and the users of your website regarding what they can expect from the website and how they will act while on the website. You can use this section to protect you and your business from a variety of potential disasters including (but not limited to): limitless liability and intellectual property infringement.

You can use this section to limit any liability that you might create by having a website. For instance, if you give some medical advice (i.e., “Lowering your cholesterol reduces your risk for a heart attack.”), you can use your Terms and Conditions to limit a user’s reliance on that advice without additional medical intervention (“We are not your treating physician—if you have questions about your cholesterol levels, contact your physician.”).

You can also use this section to inform your users about any intellectual property protections that you might have. If your technology or services have pending or protected status, you’ll need to make your users aware of this information.

Finally, this section should establish the laws under which your website agrees to be governed. Even if the internet knows no boundaries, your website should establish its own. If your business is located in Florida, you can choose to be bound by Florida and Federal laws. It could limit any potential exposure in other states or nations.

Privacy Policy

This section is required by law to inform your website users what kind of data you will collect and how you will use it. A well-crafted Privacy Policy helps you avoid liability under a complex array of state and federal laws dealing with users’ private information.

The Children’s Online Privacy Protection Act (COPPA) protects minors under the age of 13 from having personal information collected without parental consent. How can a website operator be expected to know whether a user is 13 or under? If you plan on collecting any information from your uses, your Terms and Conditions should have a section prohibiting anyone under age 13 from accessing and using your site. It’s a simple fix that can potentially save you huge penalties.

What information will you collect? Does your website use cookies? Will you share any data with outside sources? If yes, your privacy policy is where you tell that to your users!

In healthcare, a website’s Privacy Policy is hugely important. With laws like HIPAA and its state counter parts, including the Florida Information Protection Act, healthcare providers are held to a higher privacy standard than almost any other industry. Take the time to work with your legal advisors to ensure that your privacy policy is tailored to your business and contains language consistent with what you are actually doing to safeguard information.

Two Big Changes to Florida’s Patient Brokering Act Affect All Healthcare Facilities and Providers

by admin on August 14, 2019 No comments

Has your attorney ever told you to do your best to comply with certain safe harbors to the Federal Anti-Kickback Statute, and you’ll be likely to survive scrutiny under the Florida Patient Brokering Act (the PBA)? If you’ve heard that, it’s time to re-examine that relationship. In the last month, the Patient Brokering Act has been amended, and then interpreted by a court of law in a way that affects all healthcare providers.

The Patient Brokering Act has been used in recent years to prosecute abuses in the addiction treatment industry. Other healthcare providers subject to the act have largely been uninvolved in these prosecutions. However, the PBA has been remolded 4 times in the past 5 years as a means to tailor it to allow for prosecutions of bad actors in healthcare, including addiction treatment. One item should be made clear: the PBA applies to any facility at all that is licensed by the Agency for Healthcare Administration (AHCA) or practitioner licensed by the Department of Health (DOH), including physicians, surgery centers, home health agencies, skilled nursing facilities, hospitals, DME providers, diagnostic imaging facilities, clinical laboratories, pharmacies and many other. During the legislative process, barely any healthcare industry representatives (from any provider group) showed up to any legislative workshops or produced counterbalancing input or language proposals that reflected a broader perspective.

State Patient Brokering Act Cases to Throw out Legal Advice as Defense

by admin on October 9, 2018 No comments

By: Jeff Cohen

There are two criminal cases pending in Palm Beach County that threaten to put a bullet in the heart of healthcare professionals and businesses and also the law practices that advise them. Both State v. Simeone and State v. Kigar have a motion from the State pending before them to block any testimony that the defendants received legal advice concerning a contract entered into by an addiction treatment facility and a sober home. The State alleges that the contract violates the state Patient Brokering Act (PBA) because it was essentially a ruse whereby the addiction treatment facility was just paying for the sober home to refer patients. Now the State wants to make sure that the entire issue of the defendants being advised by counsel never sees the light of day.

How is this possible? How can it be that a client can seek legal counsel, get advise (and presumably follow it), and then be blocked from presenting that evidence? The State argues that the PBA has no wording that requires them to prove intent. And if intent isn’t an element to be proven, the argument goes, then evidence of the client intending not to violate the law by getting advice beforehand is inadmissible!

State Court Ruling on Patient Brokering Act Threatens Healthcare Facilities and Providers

by admin on July 25, 2018 No comments

A recent ruling by a state trial court handling the Palm Beach County Sober Home Task Force prosecutions against providers of addiction treatment and sober home services is creating lots of confusion and alarm around the state and could have very far reaching consequences for the entire healthcare industry well beyond addiction treatment.

The issue presented by the prosecution focuses on whether a person charged with violating the state’s Patient Brokering Act (PBA) can be found guilty even if he/she didn’t know what he was doing was unlawful. The PBA broadly prohibits paying someone for patient referrals, very much like the federal Anti-Kickback statute. If allowed, the client would have gotten legal advice, paid for it, followed it, and still not be able to show a judge or jury that, despite all their best efforts, they simply followed the law as instructed.

Can a healthcare facility or provider be guilty of violating a criminal law [the PBA] if they’d gotten legal advice and followed it? Traditionally, the answer would be a clear “no.” The argument against the State’s position would be something like “How can someone intend to violate a criminal law if they got legal advice regarding how to comply with it and then followed that advice?” The argument of the state might look something like “We don’t even think the judge or jury ought to be able to hear that the person got legal advice and followed it.” The court punted the issue to the appellate court.

Clinical Laboratory Licensure: Florida Repeals State Licensure

by admin on June 5, 2018 No comments

By: Karina Gonzalez

Effective July 1, 2018, Florida’s recent legislation SB 622 repeals the entirety of Chapter 483, Part I of the Florida statutes, and removes the state licensure requirement for clinical laboratories operating in-state and out-of-state. Section 97 of SB 622, approved by the Governor on March 19, 2018, repeals the entirety of Chapter 483, Part I of the Florida statutes, and so eliminates section 59A-7.024(1).

Healthcare Enforcement Trends: 2017 in Review & What to Expect in 2018

by admin on February 28, 2018 No comments

Attorney Matthew Fischer

Change is a predominant force in healthcare and healthcare organizations must plan for shifts within an ever changing regulatory environment. Given this current climate, it is important to understand that enforcement will continue to be a priority. This webinar presented by Attorney Matthew Fischer will cover the latest trends in criminal enforcement, administrative enforcement, and litigation under the False Claims Act. It is imperative to understand these changes to ensure compliance, mitigate risks, and protect your bottom lines.

Major areas to be discussed –

DOJ Criminal Enforcement Actions: In July 2017, the DOJ announced the largest ever healthcare fraud enforcement action in its history. The DOJ brought charges against 412 individuals. This action was focused heavily on the distribution of medically unnecessary prescription drugs along with other theories of embezzlement, theft, and fraudulent billing.
Enforcing Quality of Care Standards Using the False Claims Act (FCA): Included in its arsenal, DOJ is increasing scrutiny on nursing homes utilizing new theories under the FCA. These types of cases take two forms, worthless services and false certification cases. Both involve circumstances where some care was provided to a patient but the care was so poor that the services were essentially valueless.
HHS Enforcement Activity: The amount of actions taken by HHS are up compared to 2016 (i.e., exclusions, civil monetary penalties, and corporate integrity agreements). HHS OIG focused exclusions on business owners and executives of pharmacies. Moratoria on certain providers continued in 2017 such as home health agencies and non-emergency ambulance providers.
HHS Office of Civil Rights (OCR) / HIPAA Enforcement: The fines imposed by OCR in 2017 exceeded 2016. OCR has ramped up scrutiny of cybersecurity and providers’ responses to data breaches. As part of its efforts, OCR issued its first cyber-attack “quick-response” guidance in June 2017.

Healthcare Compliance: Providers MUST Have Corporate Compliance Programs

by admin on January 18, 2018 No comments

By: Jacqueline Bain

How serious is the federal government that corporate compliance is necessary for healthcare providers?

In late 2015, the Department of Justice (DOJ) hired the agency’s first Compliance Counsel. Then, in early 2017, the DOJ published “common questions” that US Attorneys should ask as part of a criminal investigation when the DOJ evaluates a company’s compliance program. The “common questions” published by the DOJ describe specific factors that prosecutors should consider in conducting an investigation of a corporate entity, determining whether to bring charges, and negotiating plea or other agreements. These factors include “the existence and effectiveness of the corporation’s pre-existing compliance program” and the corporation’s remedial efforts “to implement an effective corporate compliance program or to improve an existing one.”

Starting Healthcare Business: What to Consider

by admin on August 1, 2017 No comments

By: Jeff Cohen

As a healthcare business lawyer, I’ve seen nearly everything entrepreneurs think might be a good idea. They usually come to me when starting a healthcare business with questions like:

Do you like an LLC better than an Inc., and if so why;
Does the Stark Law (or the Anti-Kickback Statute) allow us to do this?;
Is it ok to allocate ownership and profit distribution differently?;
Will insurers pay for this?; and
WWMT? (What Would Medicare Think?).

These are great questions. And they’re off base. In fact, they’re not only off base. They’re also out of order. Here’s one for you–

HIPAA Security Basics: Keeping your Medical Web-Based Business Compliant

by admin on May 16, 2017 No comments

By: Shobha Lizaso

Medical web-based businesses have been on the rise, while the number of HIPAA enforcement actions by the US Department of Health and Human Services (HHS) has risen exponentially as well. Since the beginning of this year, HHS has announced several large settlements with companies that failed to comply with HIPAA Compliance requirements. For example, in January, HHS announced a $2.2 million settlement with a health insurance company when a breach resulted from a stolen portable USB device containing PHI. Also, In February, HHS announced a penalty of $3.2 million against a medical center for a breach that arose from a theft of an unencrypted laptop containing PHI. This enforcement activity is becoming the norm, so it is best to ensure that your medical website is legally compliant.

If you are handling any PHI on or through your website, you must ensure that your website is up to speed with HIPAA compliance. Here are some recommendations to address the security and privacy of PHI that your website may manage (please note that this is not a comprehensive list):

(561) 455-7700