Are You Worried About Health Care Compliance Consequences? Have They Gone Too Far?

By Lance O. Leider, J.D., LL.M., The Health Law Firm

From large hospital systems to solo practitioners, there is no escaping health care compliance in the industry. The concept of compliance can spark different thoughts in different people. For example, some believe it is an unnecessary government intrusion and others believe it’s a way to improve the quality and costs of health care.

No matter your thoughts on health care compliance and government oversight, regulation of the health care industry will never be eliminated. In fact, we expect it to increase as more quality-based requirements are implemented.

We believe compliance and regulations are necessary, but we have to wonder if sometimes these laws go too far.

Those Cute Baby Photos Can Cost You.

As an example of laws going too far, photos of cooing newborn babies used to cover the bulletin boards of doctors’ offices. However, under the Health Insurance Portability and Accountability Act (HIPAA), these baby photos are considered protected health information, along the same lines as a medical chart or social security number. A report by The New York Times indicates many offices have removed these types of photos or moved them to private portions of the office. According to the Office for Civil Rights (OCR) Department of Health and Human Services (HHS), doctors’ offices are not allowed to post these photos without a specific written authorization from the parent.

To read more on this topic, click here.

Health Care Compliance Overview.

Health care compliance is the ongoing process of meeting or exceeding the legal, ethical and professional standards applicable to a particular health care organization or provider. Health care compliance requires health care organizations and providers to develop effective processes, policies, and procedures to define appropriate conduct, train the organization’s staff, and then monitor the adherence to the processes, polices and procedures.

Health care compliance covers numerous areas including patient care, billing, reimbursement, managed care contracting, OSHA, and HIPAA privacy and security to new a few.

To read a basic overview of health care compliance for organizations and providers, click here.

How to Deal with Compliance Overkill.

The primary purpose of health care compliance is to improve patient care. It is nearly impossible to overstate the complexity of health care compliance. Health care organizations and providers are not only required to comply with Medicare rules and regulations, but they are also required to comply with numerous other federal and state health care laws, rules and regulations.

When dealing with compliance issues, our recommendation is to use your common sense and best judgment. Fear usually leads to absurd situations. With all the fear and propaganda out there it is important to stick to your instincts and put patient care first.

Health care compliance is cumbersome, many may agree too cumbersome. However, it is here to stay.

Do you think health care compliance has gone too far? How do you try to keep up with health care compliance laws and regulations? Are you worried about compliance consequences?

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other health care providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

For more information about HIPAA violations, electronic health records or corrective action plans (CAPs) please visit our website at www.TheHealthLawFirm.com or call (407) 331-6620 or (850) 439-1001.

Sources:

Hartocollis, Anemona. “Baby Pictures at the Doctor’s? Cute, Sure, but Illegal.” The New York Times. (August 9, 2014). From: http://www.nytimes.com/2014/08/10/nyregion/baby-pictures-at-doctors-cute-sure-but-illegal.html?_r=0

Kirsch, M.D., Michael. “The Consequences of Zero Tolerance: Why HIPAA is Overkill.” Kevin M.D. (January 1, 2014). From: http://www.kevinmd.com/blog/2014/01/consequences-tolerance-hipaa-overkill.html

About the Author: Lance O. Leider is an attorney with The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Avenue, Altamonte Springs, Florida 32714, Phone: (407) 331-6620.

KeyWords: Health Insurance Portability and Accountability Act (HIPAA), HIPAA Omnibus Rule, HIPAA compliance, HIPAA lawyer, HIPAA compliance attorney, data security lawyer, protected health information (PHI), Patient privacy, U.S. Department of Health and Human Services (HHS), Office of Civil Rights (OCR), patient rights, HIPAA compliance audit, privacy defense attorney, health care compliance lawyer, compliance defense attorney, healthcare compliance defense lawyer, health care defense lawyer, HIPAA attorney, HIPAA lawyer, compliance plans, health law firm, The Health Law Firm, health law defense attorney, health care professional defense attorney, legal representation for healthcare professionals, reviews of The Health Law Firm, The Health Law Firm attorney reviews

“The Health Law Firm” is a registered fictitious business name of and a registered service mark of The Health Law Firm, P.A., a Florida professional service corporation, since 1999.
Copyright © 2018 The Health Law Firm. All rights reserved.

By |2024-03-14T10:00:21-04:00October 27, 2018|Categories: The Health Law Firm Blog|Tags: , , , , , , , , , , , , , , , , , , , , , , , , , |Comments Off on Are You Worried About Health Care Compliance Consequences? Have They Gone Too Far?
Read More

Health Care Professionals Take Note of the New HIPAA Rules

Patricia's Photos 013By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law, and Lance O. Leider, J.D., The Health Law Firm

With the popularity of electronic health records (EHRs), social media and everything in between, the U.S. Department of Health and Human Services (HHS) has released stronger rules and protections governing patient privacy. On January 17, 2013, the HHS announced the omnibus rule to strengthen the privacy and security protection established under the Health Insurance Portability and Accountability Act (HIPAA) of 1996.

Click here to read the entire 563-page rule.

Now, I can’t say that I’ve read the entire document yet, but I can tell you about the major parts of the omnibus rule, and what it means to you.

It is Your Responsibility to Keep Patient Information Safe.

HHS is expanding the government’s jurisdiction over healthcare providers, health plans and other entities that process health insurance claims to include their contractors and subcontractors with whom providers share protected health information. As the industry embraces new care delivery models, including accountable care organizations (ACOs) and integrated delivery systems, data is exchanged between physicians, hospitals and additional providers to improve care and reduce costs. This all has to be done while keeping patient data safe. According to the HHS, some of the largest breaches involve business associates and not the covered entities themselves.

The government is committed to doing more HIPAA compliance audits and collecting more fines.  The fines the government collects will help to fund the audit process. Because of this rule, we will see audits of business associates and their subcontractors, not just covered entities.

Under the new rule, penalties have been increased for noncompliance based on the level of negligence with a maximum penalty of $1.5 million per violation.

The “Wall of Shame” is a Public Display of Breaches.

The changes also improve the Health Information Technology for Economic and Clinical Health (HITECH) breach notification requirements by making it clear when breaches must be reported to the Office for Civil Rights (OCR), according to the HHS.

Once reported to the OCR, the breaches are then placed on what is commonly known in the healthcare industry as the “Wall of Shame.” It’s a comprehensive list of privacy breaches each affecting more than 500 people. We’re currently working on a “Wall of Shame” blog, so more on that later.

Patient Demographics and Marketing.

One part of the final rule also sets new regulations for how patient information can be used for marketing and fundraising. It ensures that such information cannot be sold without a patient’s permission. According to an article in Fierce Healthcare, this provision is a huge win for patient advocates and privacy groups who blast hospitals for mining patient data to target affluent or privately insured patients. Hospitals using health and demographic data from patients’ records to target advertising could be in hot water.

Click here to read the entire Fierce Healthcare article.

If Your are Unsure, Get a HIPAA Risk Assessment.

Since the HIPAA laws have changed, you need to edit your privacy forms and procedures. Many health providers simply don’t have the time to re-review their policies and revise documents. A HIPAA risk assessment is a thorough review and analysis of areas where you may have risk of violating the HIPAA laws.  Federal regulations require that covered entities have this assessment done. A HIPAA risk assessment can significantly reduce, if not entirely eliminate, your exposure to regulatory and litigation sanctions.

When the OCR auditor comes to visit your office to check for HIPAA compliance, they will ask for your risk assessment. Do you have one? Does your staff know who your HIPAA compliance officer is? Call an experienced health law attorney to complete a risk assessment of your practice today. To learn more on HIPAA risk assessments, click here to read a blog we wrote.

Take a Closer Look at Your Privacy Practices.

Healthcare providers, now is the time to revise your Notice of Privacy. The final rule will be effective on March 26, 2013. Covered entities and their business associates will have until September 21, 2013, to comply.

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other healthcare providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

For more information about HIPAA violations, electronic health records or corrective action plans (CAPs) please visit our website at www.TheHealthLawFirm.com or call (407) 331-6620 or (850) 439-1001.

Sound Off.

What do you think about the new HIPAA rules? Do you think these updates were necessary? Do you think it will be difficult for health professionals to comply? Please leave any thoughtful comments below.

Sources:

HHS Press Office. “New Rule Protects Patient Privacy, Secures Health Information.” U.S. Department of Health and Human Services. (January 17, 2013). From: http://www.hhs.gov/news/press/2013pres/01/20130117b.html

Struck, Kathleen. “HIPAA Rules Fortify Patient Privacy.” MedPage Today. (January 21, 2013). From: http://www.medpagetoday.com/PracticeManagement/InformationTechnology/36940

Conn, Joseph. “New Rule: Hospital, Physician Partners Face Penalties for Privacy Leaks.” Modern Healthcare. (January 17, 2013). From: http://www.modernhealthcare.com/article/20130117/NEWS/301179957/new-rule-hospital-physician-partners-face-penalties-for-privacy&utm_source=home&utm_medium=web&utm_campaign=most-popular-box

Caramenico, Alicia. “New HIPAA Rule a Delicate Balance Between Privacy, Sharing.” Fierce Healthcare. (January 18, 2013). From: http://www.fiercehealthcare.com/story/new-hipaa-rule-delicate-balance-between-privacy-sharing/2013-01-18

Authors: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law.  He is the President and Managing Partner of The Health Law Firm, which has a national practice.  Its main office is in the Orlando, Florida, area.  www.TheHealthLawFirm.com  The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620.

Lance O. Leider is an attorney with The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com  The Health Law Firm, 1101 Douglas Avenue, Altamonte Springs, Florida 32714, Phone:  (407) 331-6620.

“The Health Law Firm” is a registered fictitious business name of George F. Indest III, P.A. – The Health Law Firm, a Florida professional service corporation, since 1999.

Copyright © 1996-2012 The Health Law Firm. All rights reserved.

By |2024-03-14T10:00:45-04:00June 1, 2018|Categories: HIPAA, Hitech Act, In the Know, The Health Law Firm Blog|Tags: , , , , , , , , , , , , , , , |1 Comment
Read More

Don’t Ring in the New Year with a HIPAA Audit – Safeguard Yourself Now

1 Indest-2008-1By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

Here’s a scary reminder: There are people attempting to hack into electronic health systems every second of every day. Thankfully, most of these attempts are unsuccessful due to the preventive technologies in place to safeguard such information. However, electronic data will never be 100 percent secure.

Electronic health records promised was intended to be a tool for doctors to share patient data, reduce prescription drug errors, and allow patients convenient access to their records. However, since the transition to digital medical records, there have been concerns from patients about privacy, security and identity theft.

Recently, the Office for Civil Rights (OCR) announced that the agency will ramp up its Health Insurance Portability and Accountability Act (HIPAA) privacy and security audit program in 2015 for covered entities and business associates. These audits will focus on device encryptions, media controls, data transmission security protocols, and staff training on HIPAA policies and procedures.

Now is the time to ensure compliance.

Real World Privacy Breaches Happen All the Time.

On December 2, 2014, OCR and Anchorage Community Mental Health Services, Inc. (ACMHS), settled alleged violations of the HIPAA Security Rule. OCR started an investigation into ACMHS’s compliance with HIPAA after receiving a notification about a breach of unsecured electronic patient information affecting 2,743 individuals. The breach resulted from malware that compromised ACMHS’s information technology resources. According to the settlement, ACMHS must pay a $150,000 fine and enter into a resolution agreement and corrective action plan (CAP).

In November 2014, Beth Israel Deaconess Medical Center in Massachusetts agreed to a $100,000 settlement after a physician’s laptop was stolen from the hospital. The computer was not issued by the hospital and had not been encrypted in accordance with the hospital’s policies. However, the hospital was aware that the physician used the device. The laptop contained the health information and personal information, including Social Security numbers, of nearly 4,000 individuals. It’s alleged the hospital took three months to notify affected patients about the breach, which is a violation of HIPAA. (HIPAA requires such notifications to take place within 60 days.)

Tips to Protect Yourself and Your Business.

Again, the HIPAA audit program will be resuming after the first of the year. Accordingly, hundreds of covered entities and business associates will be receiving inquiries that could lead to an onsite audit. The audit requirements will be very difficult for organizations that have not planned in advance. Here are three easy-to-implement steps to prepare your practice.

1. Review the latest HIPAA policies and procedures. Make sure your office is meeting the latest privacy and security criteria. Identify gaps, update documents, and retrain staff on HIPAA policies and procedures. Don’t forget to document your educational efforts. Click here for a link to the latest policies and procedures.

2. Contact your business associates. Ask each of them to provide your practice with an updated Business Associate Agreement and list of all subcontractors they use. For business associates, the 2015 HIPAA audits will focus on risk analysis, risk management and updated policies and procedures for breach notification.

3. Have a risk assessment performed on your practice. To learn more about risk assessments, click here for a previous blog.

Also, a violation of the HIPAA privacy and security provisions does carry civil and criminal penalties. Anyone who is a health care professional or facility, should be aware of these legal provisions. Click here to read my previous blog.

HIPAA is Not One Size Fits All.

Protecting patient data is not a one-size-fits-all method, meaning that security measures and access to electronic records should not necessarily be uniform. There needs to be processes and check points in place at practices to ensure that the electronic health record system and its many users consistently meet HIPAA policies and procedures. Health care practices must be vigilant that when they integrate other medical practices and facilities into their organization that they extend these measures to incorporate new employees, new sites and locations, and various technologies.

As demonstrated throughout this blog, the risks of non-compliance simply outweigh the costs of sound preparation. If you’d like more information, contact a health law attorney experienced in these matters.

Comments?

Are you worried about the next round of HIPAA audits? Are you concerned about HIPAA violations? How are you ensuring compliance within your practice? Please leave any thoughtful comments below.

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other health care providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

For more information about HIPAA violations, electronic health records or corrective action plans (CAPs) please visit our website at www.TheHealthLawFirm.com or call (407) 331-6620 or (850) 439-1001.

Sources:

Van Terheyden, Nick and Faix, Rob. “Digital Health Records: Pain and Gain.” Orlando Sentinel. (December 12, 2014). From: The Orlando Sentinel News Section on page A20.

“Beth Israel Agrees To Pay $100K To Settle 2012 Data Breach Case.” iHealthBeat. (November 25, 2014). From: http://www.ihealthbeat.org/articles/2014/11/25/beth-israel-agrees-to-pay-100k-to-settle-2012-data-breach-case?view=print

About the Author: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620.


“The Health Law Firm” is a registered fictitious business name of George F. Indest III, P.A. – The Health Law Firm, a Florida professional service corporation, since 1999.
Copyright © 1996-2014 The Health Law Firm. All rights reserved.

By |2024-03-14T10:00:58-04:00June 1, 2018|Categories: Electronic Health Record, HIPAA, The Health Law Firm Blog|Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , |Comments Off on Don’t Ring in the New Year with a HIPAA Audit – Safeguard Yourself Now
Read More

Breach of HIPAA Privacy Regulations May be a Basis for Negligence Actions

By Shelby Root and George F. Indest III, J.D., M.P.A., LL.M., Board Certified by the Florida Bar in Health Law

00011_RT8Given the advances in information technology, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted by Congress as a comprehensive legislative and regulatory scheme to ensure basic protections of patients’ right of privacy regarding their health information. HIPAA, standing alone, does not provide a private right of action. It also preempts contrary state laws. A recent case in the Supreme Court of Connecticut, Byrne v. Avery Center for Obstetrics and Gynecology, P.C., 102 A.3d 32 (Conn. 2014), addressed these issues. The decision answered the question of whether HIPAA preempts state law claims for negligence and negligent infliction of emotional distress against a healthcare provider who released medical records in the course of complying with a subpoena.

The Facts of Byrne v. Avery Center for Obstetrics and Gynecology, P.C.

During May 2004, Byrne started a personal relationship with Andro Mendoza, which lasted four months. At some point during May 2004 and July 12, 2005, the Avery Center provided Byrne with gynecological and obstetrical care and treatment. During the visit she was given the center’s privacy policy regarding protected health information. The policy, and the law, state that a patient’s health information will not be disclosed without their authorization. After Byrne’s relationship with Mendoza ended she instructed the center not to release her medial records to him.

On May 31, 2005, Mendoza filed paternity actions against Byrne. The Avery Center was served with a subpoena requesting its presence, along with Byrne’s medical records, at Probate Court. The center did not alert Byrne of the subpoena, file a motion to quash or appear in court. Instead, it mailed a copy of Byrne’s medical file to the court.

The Supreme Court of Connecticut’s Holding.

The Supreme Court of Connecticut reasoned that the fact a state law that allows an individual to file a civil action to protect their privacy exist does not mean that the law conflicts with the HIPAA penalty provisions. Therefore, the court concluded that HIPAA does not preempt causes of action when they are based on a state common or statutory law due to a healthcare provider’s breach of confidentiality.

The court found that a number of federal and state courts have ruled that a breach of the HIPAA Privacy Rule may be the basis for a breach of a duty of care in state court negligence actions. A patient’s private right of action does not conflict with or complicate healthcare provider’s compliance with HIPAA. In fact, negligence claims in state courts are furthering HIPAA’s goal of deterring wrongful disclosure of patient’s healthcare information. To view a past blog on a HIPAA violation case in California, click here.

Editors’ Comments on Byrne.

This is the latest of several recent cases where state courts have allowed cases to proceed against health care providers who breached the medical confidentiality of their patients, based in part on the HIPAA Privacy Regulations. In this case, the court correctly held that, although HIPAA does not afford a private right of action by itself, it does establish the duty that is owed by a healthcare provider to its patients to protect their medical information. With this duty being established, the plaintiff can then proceed under a straight negligence tort cause of action.

It is also noteworthy that the HIPAA Privacy Regulations are just one source of “evidence” or standards that can be used to establish th duty owed by medical professionals and theories.

This case also helps to put to rest the spurious defense that HIPAA might “preempt” such a cause of action that is brought under state law. We have seen this theory used by defendants just about any time a federal statute or federal regulation might come into play in a tort law suit. The court correctly determined that this defense theory was not valid.

If anything, HIPAA has better defined and strengthened a duty that has been owed to patients by physicians, nurses, health professionals and health facilities since the time of Hippocrates.

Comments?

What are your thoughts on the Supreme Court of Connecticut’s ruling? Please leave any thoughtful comments below.

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other healthcare providers and instiuttions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

For more information about HIPAA violations, electronic health records or corrective action plans (CAPs) please visit our website at www.TheHealthLawFirm.com or call (407) 331-6620 or (850) 439-1001.

Source:

Byrne v. Avery Center for Obstetrics and Gynecology, P.C., 102 A.3d 32 (Conn. 2014). From:

http://scholar.google.com/scholar_case?case=6869878125055474806&q=Byrne+v.+Avery+Center+for+Obstetrics+and+Gynecology,+P.C.,+102+A.3d+32+(Conn.+2014)&hl=en&as_sdt=40006

About the Authors: Shelby Root is a summer associate at The Health Law Firm. She is a student at Barry University College of Law in Orlando. George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620.

KeyWords: Health Insurance Portability and Accountability Act, HIPAA, HIPAA Privacy Rules, HIPAA compliance, protected health information, patient privacy, patient rights, HIPAA violation, penalties for HIPAA violation, civil penalties for HIPAA violation, privacy, defense attorney, defense lawyer, HIPAA defense attorney, HIPAA violation help, HIPAA attorney, HIPAA lawyer, compliance plans, health law, The Health Law Firm

“The Health Law Firm” is a registered fictitious business name of George F. Indest III, P.A. – The Health Law Firm, a Florida professional service corporation, since 1999.
Copyright © 1996-2015 The Health Law firm. All rights reserved.

By |2024-03-14T10:01:00-04:00June 1, 2018|Categories: In the News, The Health Law Firm Blog|Tags: , , , , , , , , , , , , , , , , , , |1 Comment
Read More
“The Health Law Firm” is a registered fictitious business name of George F. Indest III, P.A.
The Health Law Firm, a Florida professional service corporation, since 1999.
Copyright © 2022 The Health Law Firm. All rights reserved.
FacebookInstagramLinkedInTwitterYouTube
Toggle Sliding Bar Area
Go to Top