Sarasota Sheriff Wants Patients to Waive HIPAA Privacy Rights

By Danielle M. Murray, J.D.

Law enforcement has been working hard to bust pill mills and stop prescription drug abuse. Pharmacists and pain management doctors are under intense scrutiny by various law enforcement agencies, including the Drug Enforcement Administration (DEA) and the Department of Health (DOH), for their role in giving out controlled substances.

“Doctor shopping” is a common phrase used to describe patients who see multiple doctors in a short period of time in an attempt to dupe doctors into giving them prescriptions for controlled substances. Doctors have been hampered somewhat by HIPAA privacy laws and have been unable to report suspicious patients to law enforcement agencies.

Sarasota County has a solution for that. According to the Sarasota Herald-Tribune, the county has devised a form, entitled “Authorization for Release of Protected Health Information,” and distributed it to pain management physicians. This form is to be signed voluntarily by patients and would allow doctors to discuss concerns with law enforcement. According to the sheriff’s office, the form intended to be limited to the patient’s name and the doctor’s concerns, and not to allow the release of medical records or other protected information.

To see the form for yourself, click here.

Physicians Not In Favor of the Form.

Critics say that the form is a blatant violation of patient rights and is simply a way for law enforcement to get around constitutional protections, such as search warrants.

It appears that some physicians agree with the critics. Not a single waiver has been returned to the Sarasota Sheriff’s Office.

In a Sarasota Herald-Tribune article, a pain management clinic owner states that his clients sign a contract that waives their rights if the clinic is approached by an investigator. He states “I understand HIPAA and am a firm believer in their rights, but if they’re doing something illegal, they’re jeopardizing my license.”

To see the full article from the Sarasota Herald-Tribune, click here.

Providers are at Risk.

The clinic owner is correct. Providers are at risk for their patients’ inappropriate prescription use. We have seen cases where providers are faced with criminal and civil liability when a patient overdoses on medication, whether intentional or not.

Click here to read a previous blog post on one Florida doctor who gave up his license due to allegations of malpractice and overprescribing pills.

In Orlando, Florida, a drug trafficking ring used fake prescriptions to access drugs at pharmacies around the city, and the responsible pharmacists are now facing disciplinary action for filling those prescriptions. There is a major crackdown underway to stop pill mills.

Recently the Polk County Sheriff’s Office issued 25 arrest warrants in connections to a pill mill investigation (click here to read the blog on this story). The big pharmacy chains are getting hit as well. A Walgreens distribution center in Florida was recently served with an immediate suspension order from the DEA (click here for that blog), and the DEA also pulled the controlled substance licenses from two Central Florida CVS Pharmacies (click here to read more).

Do Not Violate HIPAA.

Providers must be careful not to violate HIPAA. HIPAA violations may also result in administrative and civil action against you and your license, especially if the patient can prove they were damaged by the leak. A patient who was arrested due to the provider’s HIPAA violation would likely be able to show damages and cause action against the provider’s license.

You can read more on HIPPA violations on our two-part blog series. Click here to read part one and click here to read part two.

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other healthcare providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

For more information about HIPAA violations, electronic health records or corrective action plans (CAPs) please visit our website at www.TheHealthLawFirm.com or call (407) 331-6620 or (850) 439-1001.

Comments?

What do you think of the “Authorization of Release of Protected Health Information” form? Do you think it goes too far? Please submit any thoughtful comments below.

Source:

Williams, Lee. “Sheriff wants doctors to have patients sign away rights.”  Sarasota Herald-Tribune. (October 1, 2012). From: http://www.heraldtribune.com/article/20121001/ARTICLE/121009975/2416/NEWS?p=all&tc=pgall 

About the Author: Danielle M. Murray is an attorney with The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area.  www.TheHealthLawFirm.com  The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620.

 

“The Health Law Firm” is a registered fictitious business name of George F. Indest III, P.A. – The Health Law Firm, a Florida professional service corporation, since 1999.

Copyright © 1996-2012 The Health Law Firm. All rights reserved.

By |2024-03-14T10:00:38-04:00June 1, 2018|Categories: Department of Health, HIPAA, Pain Management, The Health Law Firm Blog|Tags: , , , , , , , , , , , , , , , , , , , , , , |1 Comment
Read More

Cyber Attack at Community Health Systems Affects 4.5 Million Patients-Could This be a New Trend?

Patricia's Photos 013By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar  in Health Law

On August 18, 2014, Community Health Systems, a Tennessee-based hospital chain that has 206 hospitals in 29 states, announced that its computer system was hacked. According to a number of news reports, an outside group of hackers, originating in China, used highly sophisticated malware and technology to steal 4.5 million patients’ non-medical data. The hackers were able to obtain patients’ names, Social Security numbers, addresses, birth dates, and telephone numbers.

According to the Orlando Sentinel, in Florida, St. Cloud Surgical Associates, St. Cloud Medical Group, and Urology Associates of St. Cloud were among the practices where medical data was stolen. The article did not mention how many patients in Florida were affected. Click here to read the story from the Orlando Sentinel.

How Community Health Systems will Handle Being Hacked.

According to The New York Times, Community Health Systems believes the attacks happened from April to June 2014. The company will be notifying affected patients and agencies under the Health Insurance Portability and Accountability Act (HIPAA).

The hospital system is now working with a security company to investigate the incident and help prevent future attacks. Federal law enforcement agents are also investigating the incident. Click here to read the entire article from The New York Times.

Because this breach affected more than 500 individuals, it will soon be posted on the Office for Civil Rights (OCR) Department of Health and Human Services’ (HHS) Wall of Shame. The law requires that any breach involving 500 or more individuals be publicly posted. To learn more on the Wall of Shame, click here for my previous blog.

Protect Your Practice As Best You Can From Cyber Attacks.

Cyber hacking in the medical community appears to be a crime of opportunity. Quickly there are becoming two types of companies: those that have been hacked and those that will be hacked.

While there is no way to guarantee protection from extrusion and external sources, there are steps that can be taken. For medical practices, many of these are required as part of a HIPAA risk assessment. Some areas to focus on include:

–    Background checks;
–    Comprehensive policies and procedures;
–    Vigilance when it comes to monitoring and data-leakage prevention tools; and
–    Employee education.

Medical practices are going to become bigger targets as the health care industry transitions to electronic health records. In addition, the hacking community is figuring out it is easier to hack a hospital or private practice, than it is a bank and you get the same information. To learn more on HIPAA risk assessments, click here.

Comments?

How do you protect your medical practice from hackers? Do you have regular risk assessments? Why or why not? Please leave any thoughtful comments below.

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other health care providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

For more information about HIPAA violations, electronic health records or corrective action plans (CAPs) please visit our website at www.TheHealthLawFirm.com or call (407) 331-6620 or (850) 439-1001.

Sources:

Perlroth, Nicole. “Hack of Community Health Systems Affects 4.5 Million Patients.” The New York Times. (August 18, 2014). From: http://nyti.ms/1pFpujC

Kutscher, Beth. “Chinese Hackers Hit Community Health Systems; Other Vulnerable.” Modern Healthcare. (August 18, 2014). From: http://bit.ly/1BxsLqH

Jacobson, Susan. “St. Cloud Medical Patients’ Information Among Millions Stolen in Cyber Attack.” (August 18, 2014). From: http://www.orlandosentinel.com/business/os-hospital-data-breach-st-cloud-20140818,0,3157319.story

Rose, Rachel. “Protecting Your Medical Practices From Cyber Threats.” Physicians Practice. (July 17, 2014). From: http://www.physicianspractice.com/blog/protecting-your-medical-practice-cyberthreats

About the Author: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620.

“The Health Law Firm” is a registered fictitious business name of George F. Indest III, P.A. – The Health Law Firm, a Florida professional service corporation, since 1999.
Copyright © 1996-2014 The Health Law Firm. All rights reserved.

By |2024-03-14T10:00:58-04:00June 1, 2018|Categories: Health Care Industry, HIPAA, Hitech Act, In the News, The Health Law Firm Blog|Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , |Comments Off on Cyber Attack at Community Health Systems Affects 4.5 Million Patients-Could This be a New Trend?
Read More

Don’t Ring in the New Year with a HIPAA Audit – Safeguard Yourself Now

1 Indest-2008-1By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

Here’s a scary reminder: There are people attempting to hack into electronic health systems every second of every day. Thankfully, most of these attempts are unsuccessful due to the preventive technologies in place to safeguard such information. However, electronic data will never be 100 percent secure.

Electronic health records promised was intended to be a tool for doctors to share patient data, reduce prescription drug errors, and allow patients convenient access to their records. However, since the transition to digital medical records, there have been concerns from patients about privacy, security and identity theft.

Recently, the Office for Civil Rights (OCR) announced that the agency will ramp up its Health Insurance Portability and Accountability Act (HIPAA) privacy and security audit program in 2015 for covered entities and business associates. These audits will focus on device encryptions, media controls, data transmission security protocols, and staff training on HIPAA policies and procedures.

Now is the time to ensure compliance.

Real World Privacy Breaches Happen All the Time.

On December 2, 2014, OCR and Anchorage Community Mental Health Services, Inc. (ACMHS), settled alleged violations of the HIPAA Security Rule. OCR started an investigation into ACMHS’s compliance with HIPAA after receiving a notification about a breach of unsecured electronic patient information affecting 2,743 individuals. The breach resulted from malware that compromised ACMHS’s information technology resources. According to the settlement, ACMHS must pay a $150,000 fine and enter into a resolution agreement and corrective action plan (CAP).

In November 2014, Beth Israel Deaconess Medical Center in Massachusetts agreed to a $100,000 settlement after a physician’s laptop was stolen from the hospital. The computer was not issued by the hospital and had not been encrypted in accordance with the hospital’s policies. However, the hospital was aware that the physician used the device. The laptop contained the health information and personal information, including Social Security numbers, of nearly 4,000 individuals. It’s alleged the hospital took three months to notify affected patients about the breach, which is a violation of HIPAA. (HIPAA requires such notifications to take place within 60 days.)

Tips to Protect Yourself and Your Business.

Again, the HIPAA audit program will be resuming after the first of the year. Accordingly, hundreds of covered entities and business associates will be receiving inquiries that could lead to an onsite audit. The audit requirements will be very difficult for organizations that have not planned in advance. Here are three easy-to-implement steps to prepare your practice.

1. Review the latest HIPAA policies and procedures. Make sure your office is meeting the latest privacy and security criteria. Identify gaps, update documents, and retrain staff on HIPAA policies and procedures. Don’t forget to document your educational efforts. Click here for a link to the latest policies and procedures.

2. Contact your business associates. Ask each of them to provide your practice with an updated Business Associate Agreement and list of all subcontractors they use. For business associates, the 2015 HIPAA audits will focus on risk analysis, risk management and updated policies and procedures for breach notification.

3. Have a risk assessment performed on your practice. To learn more about risk assessments, click here for a previous blog.

Also, a violation of the HIPAA privacy and security provisions does carry civil and criminal penalties. Anyone who is a health care professional or facility, should be aware of these legal provisions. Click here to read my previous blog.

HIPAA is Not One Size Fits All.

Protecting patient data is not a one-size-fits-all method, meaning that security measures and access to electronic records should not necessarily be uniform. There needs to be processes and check points in place at practices to ensure that the electronic health record system and its many users consistently meet HIPAA policies and procedures. Health care practices must be vigilant that when they integrate other medical practices and facilities into their organization that they extend these measures to incorporate new employees, new sites and locations, and various technologies.

As demonstrated throughout this blog, the risks of non-compliance simply outweigh the costs of sound preparation. If you’d like more information, contact a health law attorney experienced in these matters.

Comments?

Are you worried about the next round of HIPAA audits? Are you concerned about HIPAA violations? How are you ensuring compliance within your practice? Please leave any thoughtful comments below.

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other health care providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

For more information about HIPAA violations, electronic health records or corrective action plans (CAPs) please visit our website at www.TheHealthLawFirm.com or call (407) 331-6620 or (850) 439-1001.

Sources:

Van Terheyden, Nick and Faix, Rob. “Digital Health Records: Pain and Gain.” Orlando Sentinel. (December 12, 2014). From: The Orlando Sentinel News Section on page A20.

“Beth Israel Agrees To Pay $100K To Settle 2012 Data Breach Case.” iHealthBeat. (November 25, 2014). From: http://www.ihealthbeat.org/articles/2014/11/25/beth-israel-agrees-to-pay-100k-to-settle-2012-data-breach-case?view=print

About the Author: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620.


“The Health Law Firm” is a registered fictitious business name of George F. Indest III, P.A. – The Health Law Firm, a Florida professional service corporation, since 1999.
Copyright © 1996-2014 The Health Law Firm. All rights reserved.

By |2024-03-14T10:00:58-04:00June 1, 2018|Categories: Electronic Health Record, HIPAA, The Health Law Firm Blog|Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , |Comments Off on Don’t Ring in the New Year with a HIPAA Audit – Safeguard Yourself Now
Read More

Appeals Court Upholds Medical Malpractice Law Changes

By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

On July 21, a state appeals court in Tallahass2 Indest-2009-1ee upheld the constitutionality of a controversial change in Florida’s medical malpractice law. It ruled that some privacy rights are waived when patients pursue medical malpractice lawsuits. A federal appeals court last year also upheld the change in Florida’s law.

The decision by a three-judge panel of the First District Court of Appeal resulted from a 2013 change in the medical malpractice law. The Republican-controlled Florida Legislature passed the amendments to the laws after a lobbying dispute between groups like doctors and plaintiffs’ attorneys.

Ex Parte Communications Play a Major Role.

The disputes in whether the changes were constitutionally valid centered around what is known as “ex parte communications.” The amended statute allowed doctors being sued for malpractice (or their attorneys) to speak with the patients’ other physicians, whether the patient consents or not. The new law also requires patients to sign forms authorizing the release of medical information before filing malpractice claims.

Ex parte communications allow a patient’s personal health information be obtained and used in a case. Other doctors who have treated the patient could provide the information. Additionally, without the patient’s knowledge or the patient’s attorney present, a disclosure of medical information could occur.

This Ruling Stemmed From a 2013 Case in Escambia County.

In 2013, Emma Gayle Weaver of Escambia County, Florida wanted to file a medical-malpractice lawsuit against a physician. According to court documents, her concern was about the constitutionality of the ex parte provision of the law. She challenged having to disclose her medical information to the other physician she was suing in order to bring her case.

The challenge raised legal questions about privacy rights given to all citizens by the Florida Constitution. But the panel of appeal judges disagreed that the ex parte provision violates her privacy rights.

The appeal decision, written by Judge James Wolf, stated: “It is well-established in Florida and across the country that any privacy rights that might attach to a claimant’s medical information are waived once that information is placed at issue by filing a medical malpractice claim. Thus, by filing the medical malpractice lawsuit, the decedent’s medical condition is at issue.”

To read more about the Weaver v. Myers decision, click here.

Another Issue Was Addressed.

Another issue questioned whether the ex parte change violated the constitutional separation of powers. The contention dealt with whether the Legislature overstepped the role of the Florida Supreme Court. But the appeals court ruled that the change was not procedural but rather was “integral to the substantive pre-suit notice” requirements that are in the law and mandated before the filing of a medical malpractice case.

The Federal Appeals Court Also Said the Law Doesn’t Violate HIPAA.

Last year, the 11th U.S. Circuit Court of Appeals upheld the ex parte change in a ruling that focused on whether the 2013 law violates the federal Health Insurance Portability and Accountability Act (HIPAA), which prevents disclose of personal medical information. The federal appeals court said the law did not violate HIPAA, a decision also cited in the First District Court of Appeal’s decision.

Comments?

Do you agree the court’s ruling? Do you think this provision violates privacy rights? Please leave any thoughtful comments below.

Consult With a Health Law Attorney Experienced in the Representation Health Care Professionals.

The attorneys of The Health Law Firm provide legal representation to physicians, nurses, nurse practitioners, CRNAs, dentists, pharmacists, psychologists and other health providers in academic disputes, contract negotiations, license applications, board certification applications and hearings, credential hearings and civil and administrative litigations.

To contact The Health Law Firm, please call (407) 331-6620 and visit our website at www.TheHealthLawFirm.com.

Source:

Saunders, Jim. “Appeals court upholds waiver of privacy rights in malpractice cases.” (July 22, 2015). Palm Beach Post. From: http://www.palmbeachpost.com/news/news/state-regional-govt-politics/florida-appeals-court-backs-controversial-medical-/nm48m/

About the Author: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law.  He is the President and Managing Partner of The Health Law Firm, which has a national practice.  Its main office is in the Orlando, Florida area.  www.TheHealthLawFirm.com  The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620.

KeyWords: Medical malpractice, medical malpractice defense attorney, medical malpractice defense lawyer, Florida defense attorney, Florida defense lawyer, health law attorney, health law lawyer, privacy rights, privacy rights violation, appeals court, Health Insurance Portability and Accountability Act, HIPAA, health law, The Health Law Firm

“The Health Law Firm” is a registered fictitious business name of George F. Indest III, P.A. – The Health Law Firm, a Florida professional service corporation, since 1999.
Copyright © 1996-2015 The Health Law firm. All rights reserved.

By |2024-03-14T10:01:01-04:00June 1, 2018|Categories: In the News, The Health Law Firm Blog|Tags: , , , , , , , , , , , , , |Comments Off on Appeals Court Upholds Medical Malpractice Law Changes
Read More

HIPAA Basics For Licensed Health Care Professionals: Privacy, Security, and Breach Notification Rules

4 Indest-2009-3By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

The Department of Health and Human Services (HHS) recently issued a Health Insurance Portability and Accountability Act (HIPAA) fact sheet for health care professionals and organizations. The overview is titled “HIPAA Basics for Providers: Privacy, Security and Breach Notification Rules” and is intended to provide HIPAA covered entities such as physicians, health care facilities and other licenced health care professionals with a basic overview of HIPAA’s rules and responsibilities. Click here to view the HIPAA fact sheet.

HIPAA Privacy Rule.

The privacy rule is established as a standard for the protection of protected health information (PHI) by covered entities. It gives patients vital rights with respect to their health information. The following is protected information under this rule:

1. The individual’s past, present or future physical or mental health or condition;

2. The provision of health care to the individual; or

3. The past, present or future payment for the provision of health care to the individual.

PHI also includes common identifiers, such as name, address, birth date and Social Security Number.

HIPAA Security Rule.

This rule specifies safeguards that covered entities are required to implement to protect the confidentiality, integrity and availability of health information. To properly enforce this rule, covered entities must develop policies and procedures to protect the security of electronic protected health information (ePHI). This includes analyzing risks and creating solutions that are appropriate for the situation. For more information from HHS on the implementation of the security standards, click here.

HIPAA Breach Notification Rule.

Affected individuals, HHS and in certain cases, the media are required to be notified of a breach of PHI. The rule includes the following guidelines:

1. Most notifications must be provided without unreasonable delay and no later than 60 days following the discovery of the breach.

2. Smaller breaches affecting fewer than 500 individuals may be submitted to HHS in a log or other documentation annually.

3. Business associates of covered entities are also required to notify the covered entity of breaches.

To view the breach notification timelines included in the HIPAA fact sheet, click here.

Who is Required to Comply With HIPAA Rules?

The following covered entities must follow HIPAA standards and requirements:

1. Covered Health Care Providers: Any provider of medical or other health care services or supplies who transmits any health information in electronic form in connection with a transaction for which HHS has adopted a standard. This includes doctors, chiropractors, dentists, pharmacies, psychologists, clinics and nursing homes.

2. Health Plans: Any individual or group plan that provides or pays the cost of health care. This includes company health plans, government programs for health care such as Medicaid and Medicare, along with the military and health insurance companies.

3. Health Care Clearinghouses: A public or private entity that processes another entity’s health care transactions from a standard format to a non-standard format or vice versa. This includes billing services, community health management information systems, repricing companies and value-added networks.

4. Business Associates: Provide services to covered entities and are extensions of the previous entities listed, including legal services, billing, financial services and accreditation.

Enforcement and Repercussions.

The HHS Office for Civil Rights enforces the HIPAA Privacy, Security and Breach Notification Rules. Violation of these rules may result in civil and in some cases criminal penalties. HIPAA violations can also lead to Medicare exclusion which is often a death sentence for a health care provider. To read a previous blog I wrote on the penalties of HIPAA violations, including a chart outlining the penalty structure, click here.

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other health care providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

For more information about HIPAA violations, or corrective action plans , please visit our website at www.TheHealthLawFirm.com or call (407) 331-6620.

Sources:

Hamlet, Julie. “HHS ISSUES HIPAA “BASICS” FACT SHEET”. Foster Swift. (September 2, 2015). Web

Department of Health and Human Services. “HIPAA Basics for Providers: Privacy, Security and Breach Notification Rules”. (May, 2015). Web

About the Author: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620.

KeyWords: Health Insurance Portability and Accountability Act (HIPAA), HIPAA, HIPAA compliance, data security, protected health information (PHI), electronic protected health information, Patient privacy, U.S. Department of Health and Human Services (HHS), Office of Civil Rights (OCR), patient rights, HIPAA compliance audit, HIPAA violation, penalties for HIPAA violation, criminal penalties for HIPAA violation, civil penalties for HIPAA violation, HIPAA compliance, privacy, defense attorney, defense lawyer, Medicare exclusion, HIPAA defense attorney, HIPAA violation help, HIPAA attorney, HIPAA lawyer, compliance plans, health law firm, The Health Law

“The Health Law Firm” is a registered fictitious business name of George F. Indest III, P.A. – The Health Law Firm, a Florida professional service corporation, since 1999.
Copyright © 1996-2015 The Health Law Firm. All rights reserved.

 

By |2024-03-14T10:01:01-04:00June 1, 2018|Categories: In the News, The Health Law Firm Blog|Tags: , |1 Comment
Read More

Avoiding HIPAA Violations

Michael L. Smith HeadshotBy Michael L. Smith, JD, RRT

Every respiratory therapist knows that the Health Insurance Portability and Accountability Act (HIPAA) requires hospitals and health care providers to maintain the confidentiality of their patients’ protected health information (PHI). RTs may not know that the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) is investigating HIPAA violations and imposing sanctions on hospitals and other covered entities for violations. RTs also may not know that the Department of Justice is criminally prosecuting particularly egregious HIPAA violations.

HIPAA violations still occur despite the fact that we have years of training and experience in protecting patient privacy. Hospitals and health care systems take HIPAA violations seriously and frequently terminate employees for those violations. RTs can avoid violating HIPAA, and the consequences associated with a violation, by avoiding the following mistakes.

Never use a patient’s PHI for personal gain. Unfortunately, this example is not too obvious to include here. A nurse in Arkansas pled guilty to criminal charges of deliberately misusing a patient’s PHI for personal gain. The nurse provided PHI on a patient to her husband so that her husband could use the information in a lawsuit involving the patient. The nurse pleaded guilty to wrongful disclosure of the patient’s health information. Another hospital employee inCalifornia pleaded guilty to selling celebrity medical information to at least one media outlet. Numerous celebrity medical records were involved, but the prosecuting attorney did not release the names of the celebrities.

Never snoop in a patient’s medical records. A hospital inHouston fired 16 employees for snooping into the medical records of an acquaintance out of curiosity. A hospital inArkansas suspended a doctor and fired two employees who snooped into the records of a local newscaster to satisfy their own curiosity. RTs should know that hospitals track the computer activity of their employees and their medical staff. Those same hospitals fire employees who inappropriately access patient records.

Never share PHI with people who have no legitimate reason to know the information. The OCR investigated a hospital and an employee in its surgical department based upon that employee providing a surgery schedule to a hospital supervisor. The surgery schedule included the name and PHI of one of the supervisor’s employees who was scheduled for surgery. The supervisor had no legitimate reason to know about his employee’s PHI.

Never share your computer passwords and log on information. Most hospitals have a policy requiring their employees to keep their computer passwords and log on information confidential. Those same hospitals are monitoring their employees’ computer activity using those same passwords and log on information. RTs who share their passwords and log on information with other people will eventually be required to explain instances of inappropriate access to PHI and the violation of their hospitals’ policies.

Never leave a computer unattended without logging off of the computer. Many hospitals have written policies requiring employees to log off their computers before leaving those computers unattended. RTs should not leave a computer unattended without logging off even if their hospital does not have a written policy.

Never communicate PHI to a patient by a method that the patient has not approved. RTs should confirm where their patients have authorized them to leave PHI. The OCR has investigated complaints against health care providers who left telephone messages including PHI at a patient’s home telephone number when the patient gave specific instructions to only be contacted through a cellular number.

Never discuss a patient’s PHI in such a manner that other individuals with no right or need to know the information can overhear the information. A hospital disciplined two of its employees for discussing a patient’s PHI with the patient in the waiting room, which allowed other patients and visitors to overhear the discussion. The patient’s complaint was investigated by the OCR, which found the hospital employees did not take reasonable efforts to avoid the disclosure of PHI. RTs are often treating patients in emergency rooms and other areas that do not provide the best privacy. Only discuss what you absolutely must discuss with the patient in order to provide care. If possible, those patients should be moved to a more private area before discussing PHI.

Never leave a patient’s paper records open and available for prying eyes. Paper records containing PHI are still common and will continue to exist for the foreseeable future. RTs need to remember that HIPAA requires hospitals and health care providers to have reasonable safeguards in place to protect patient records including paper records. RTs should follow their employer’s policies and procedures on paper records including the policies on the destruction of paper records.

RTs can avoid violating HIPAA by only accessing the records they need to provide appropriate care to their patients and by using reasonable safeguards to protect those patient records.

Michael L. Smith, JD, RRT is board certified in health law by The Florida Bar and practices at The Health Law Firm in Altamonte Springs, Florida. This article is for general information only and is not a substitute for formal legal advice.

 

This article was originally published in Advance for Respiratory Care and Sleep Medicine.

By |2024-03-14T10:00:25-04:00June 1, 2018|Categories: In the Know, The Health Law Firm Blog|Tags: , , , , , |Comments Off on Avoiding HIPAA Violations
Read More

Patient Privacy Breach at Nemours Follows Florida Hospital Information Leak

After a patient privacy breach at Florida Hospital a few weeks ago, another patient records scare has hit Florida – this time at Nemours.

According to the Orlando Sentinel, information belonging to Central Florida patients of Nemours Children’s Health System has gone missing.

Computer back-up tapes containing old patient billing information have disappeared from the Wilmington, Del., office of Nemours. These tapes were not password protected and stored in a locked cabinet. Company officials believe the cabinet may have been removed when the office was  remodeled in August.

Stored in the missing tapes are patient names, addresses, dates of birth, social security numbers, insurance information, medical diagnoses and treatment codes, as well as bank account information. If stolen, this information could result in identity theft.

The information of more than 1 million patients treated from 1994 to 2004 by a Nemours physician or at a Nemours facility in Florida, Delaware or Pennsylvania was contained on the missing tapes. Approximately 50% of the affected patients are from Florida.

Nemours has sent letters to patients whose information may have been compromised and is offering these patients a year of free credit monitoring and identity-theft protection.

Although Nemours is taking appropriate steps in response to this situation, a major  patient privacy breach should not be happening so frequently. This is the second major privacy breach in the last few weeks in Florida, which instills little confidence in patients in the Florida health care system. Health care providers need to be proactive in maintaining patient confidentiality. Patients trust health care providers with the most personal and sensitive details and should have reassurance that unauthorized personnel will never see this information. There should never be any reason that this information gets leaked.

A privacy breach not only impacts patients, but also health care professionals (physicians, nurses, pharmacists, administrators, etc.) who come under attack. When blame is shifted around a health care facility, the work environment may become tense and stressful, especially for those who have access to patient records.

For more information about patient privacy breaches, see this article on confidential medical records.

By |2024-03-14T10:00:25-04:00June 1, 2018|Categories: In the News, The Health Law Firm Blog|Tags: , , , , , , , |Comments Off on Patient Privacy Breach at Nemours Follows Florida Hospital Information Leak
Read More

Are You Ready for HIPAA and HITECH Audits?

The Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) is launching a pilot program this month to make sure covered entities are in compliance with HIPAA privacy and security rules and breach notification standards, according to the OCR. The OCR will perform up to 150 audits to assess HIPAA compliance.

The HITECH Act requires HHS to perform periodic audits to check for HIPAA compliance. The audits will be conducted from November 2011 through December 2012. Initially these audits will likely focus on hospitals and insurance companies, but HMEs could also be a target.

Though early audits are likely to be educational, in order to get a basic assessment of where providers stand in regards to HIPAA, that doesn’t mean there won’t be repercussions for violations. Because the privacy rule has been established since 2001 and the security rule has been established since 2003, providers can not be completely excused for missteps.

HIPAA violations can result in severe penalties (per section 1177 of HIPAA) including:

• a fine of up to $50,000, or up to 1 year in prison, or both; (Class 6 Felony)
• if the offense is committed under false pretenses, a fine of up to $100,000, up to 5 years in prison, or both; (Class 5 Felony)
• if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, a fine up to $250,000, or up to 10 years in prison, or both. (Class 4 Felony)
• Civil fines can also be imposed by the Secretary of DHHS with a maximum is $100 for each violation, with the total amount not to exceed $25,0000 for all violations of an identical requirement or prohibition during a calendar year. (Class 3 Felony).

Since the final rule for the HITECH Act hasn’t been finalized, the OCR can only expect providers to make decent judgments about the provisions in the interim final rule.

Providers need to review where they’re at with privacy and security compliance and make any improvements. This pilot program of audits will likely be expanded (and the more violations the OCR encounters, the larger the likelihood of strict enforcement), so all providers should be aware of current practices and how to ensure compliance.

For more information about HIPAA and other healthcare audits, visit www.TheHealthLawFirm.com.

By |2024-03-14T10:00:27-04:00June 1, 2018|Categories: Health Care Industry, HIPAA, Hitech Act, The Health Law Firm Blog|Tags: , , , , , , |Comments Off on Are You Ready for HIPAA and HITECH Audits?
Read More

Alleged HIPAA Privacy Violations at the Center of a Recent Physician Group Settlement with HHS

By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

A small physician group has reached a settlement with the United States Department of Health and Human Services (HHS) Office for Civil Rights (OCR) over alleged Health Insurance Portability and Accountability Act of 1996 (HIPAA) violations. The settlement was reached on April 17, 2012 and requires Phoenix Cardiac Surgery (PCS) to pay OCR $100,000 and enter into a one-year corrective action plan (CAP).

The Resolution Agreement and Corrective Action Plan can be viewed here.

HIPAA Complaint Against PCS Stemmed from Internet Calendar Postings

OCR’s investigation of PCS was launched in 2009 after a complaint was received. Click here to view a HIPAA complaint that you can file online. The complaint alleged that PSC had disclosed protected health information (PHI) on patients on the Internet. After investigating the complaint, the OCR alleged that PCS violated the HIPAA privacy and security rules. According to the OCR, PCS posted clinical and surgical appointments on a publicly accessible, Internet calendar. The OCR also alleged that PCS employees e-mailed protected health information to their personal e-mail accounts.

Furthermore, PCS allegedly did not have adequate administrative, physical and technical safeguards in place to protect patient data. The OCR alleged that PCS did not appoint a security officer as required by HIPAA or perform an accurate and thorough risk assessment, also required by HIPAA. The CAP required by the settlement will require PCS to implement policies to ensure full compliance with HIPAA’s privacy and security rules.

Are You In Compliance with HIPAA?

The Health Insurance Portability and Accountability Act of 1996, sometimes referred to as the Kennedy-Kassenbaum Act, was enacted into law as Public Law (P.L.) 104-191, 110 Stat. 1936. Among its many different provisions, it included basic minimums to ensure the privacy of personal medical information. Its main privacy provisions are codified in federal law in different sections of the U.S. Code.

Medical Practices Should Use Caution When Working With Electronic Health Information

This case provides a good example of the downside of information technology (IT). While electronic health information assists in increasing accessibility and efficiency, it can also increase a practice’s risk of violating HIPAA’s Privacy Rule and Security Rule.

All medical practices that utilize electronic health information need to ensure that they have effective IT security, education, policies and procedures in place to protect themselves from HIPAA’s violations.

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations

The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other healthcare providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

For more information about HIPAA violations, electronic health records or corrective action plans (CAPs) please visit our website at www.TheHealthLawFirm.com or call (407) 331-6620 or (850) 439-1001.

Sources Include:

HHS Press Office. “HHS Settles Case with Phoenix Cardiac Surgery for Lack of HIPAA Safeguards.” U.S. Department of Health and Human Services. (Apr. 17, 2012). Press Release. From
http://www.hhs.gov/news/press/2012pres/04/20120417a.html

Lewis, Nicole. “Online Calendar Mistakes Cost Doctors Group $100,000.” Information Week. (Apr. 23, 2012). From
http://www.informationweek.com/news/healthcare/security-privacy/232900727

Sterling, Robyn. “HHS Settlement for Lack of HIPAA Safeguards.” Proskauer Privacy Law Blog. (Apr. 25, 2012). From
http://www.jdsupra.com/post/documentViewer.aspx?fid=e548966a-d7eb-4f47-a0af-de15db487dbb/

About the Author:  George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law.  He is the President and Managing Partner of The Health Law Firm, which has a national practice.  Its main office is in the Orlando, Florida, area.  www.TheHealthLawFirm.com  The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone:  (407) 331-6620.

By |2024-03-14T10:00:30-04:00June 1, 2018|Categories: HIPAA, The Health Law Firm Blog|Tags: , , , , , , , , , , , , , , |Comments Off on Alleged HIPAA Privacy Violations at the Center of a Recent Physician Group Settlement with HHS
Read More
“The Health Law Firm” is a registered fictitious business name of George F. Indest III, P.A.
The Health Law Firm, a Florida professional service corporation, since 1999.
Copyright © 2022 The Health Law Firm. All rights reserved.
FacebookInstagramLinkedInTwitterYouTube
Toggle Sliding Bar Area
Go to Top