hipaa | The Health Law Firm Blog

Don’t Ring in the New Year with a HIPAA Audit – Safeguard Yourself Now

By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

Here’s a scary reminder: There are people attempting to hack into electronic health systems every second of every day. Thankfully, most of these attempts are unsuccessful due to the preventive technologies in place to safeguard such information. However, electronic data will never be 100 percent secure.

Electronic health records promised was intended to be a tool for doctors to share patient data, reduce prescription drug errors, and allow patients convenient access to their records. However, since the transition to digital medical records, there have been concerns from patients about privacy, security and identity theft.

Recently, the Office for Civil Rights (OCR) announced that the agency will ramp up its Health Insurance Portability and Accountability Act (HIPAA) privacy and security audit program in 2015 for covered entities and business associates. These audits will focus on device encryptions, media controls, data transmission security protocols, and staff training on HIPAA policies and procedures.

Now is the time to ensure compliance.

Real World Privacy Breaches Happen All the Time.

On December 2, 2014, OCR and Anchorage Community Mental Health Services, Inc. (ACMHS), settled alleged violations of the HIPAA Security Rule. OCR started an investigation into ACMHS’s compliance with HIPAA after receiving a notification about a breach of unsecured electronic patient information affecting 2,743 individuals. The breach resulted from malware that compromised ACMHS’s information technology resources. According to the settlement, ACMHS must pay a $150,000 fine and enter into a resolution agreement and corrective action plan (CAP).

In November 2014, Beth Israel Deaconess Medical Center in Massachusetts agreed to a $100,000 settlement after a physician’s laptop was stolen from the hospital. The computer was not issued by the hospital and had not been encrypted in accordance with the hospital’s policies. However, the hospital was aware that the physician used the device. The laptop contained the health information and personal information, including Social Security numbers, of nearly 4,000 individuals. It’s alleged the hospital took three months to notify affected patients about the breach, which is a violation of HIPAA. (HIPAA requires such notifications to take place within 60 days.)

Tips to Protect Yourself and Your Business.

Again, the HIPAA audit program will be resuming after the first of the year. Accordingly, hundreds of covered entities and business associates will be receiving inquiries that could lead to an onsite audit. The audit requirements will be very difficult for organizations that have not planned in advance. Here are three easy-to-implement steps to prepare your practice.

1. Review the latest HIPAA policies and procedures. Make sure your office is meeting the latest privacy and security criteria. Identify gaps, update documents, and retrain staff on HIPAA policies and procedures. Don’t forget to document your educational efforts. Click here for a link to the latest policies and procedures.

2. Contact your business associates. Ask each of them to provide your practice with an updated Business Associate Agreement and list of all subcontractors they use. For business associates, the 2015 HIPAA audits will focus on risk analysis, risk management and updated policies and procedures for breach notification.

3. Have a risk assessment performed on your practice. To learn more about risk assessments, click here for a previous blog.

Also, a violation of the HIPAA privacy and security provisions does carry civil and criminal penalties. Anyone who is a health care professional or facility, should be aware of these legal provisions. Click here to read my previous blog.

HIPAA is Not One Size Fits All.

Protecting patient data is not a one-size-fits-all method, meaning that security measures and access to electronic records should not necessarily be uniform. There needs to be processes and check points in place at practices to ensure that the electronic health record system and its many users consistently meet HIPAA policies and procedures. Health care practices must be vigilant that when they integrate other medical practices and facilities into their organization that they extend these measures to incorporate new employees, new sites and locations, and various technologies.

As demonstrated throughout this blog, the risks of non-compliance simply outweigh the costs of sound preparation. If you’d like more information, contact a health law attorney experienced in these matters.

Comments?

Are you worried about the next round of HIPAA audits? Are you concerned about HIPAA violations? How are you ensuring compliance within your practice? Please leave any thoughtful comments below.

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other health care providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

For more information about HIPAA violations, electronic health records or corrective action plans (CAPs) please visit our website at www.TheHealthLawFirm.com or call (407) 331-6620 or (850) 439-1001.

Sources:

Van Terheyden, Nick and Faix, Rob. “Digital Health Records: Pain and Gain.” Orlando Sentinel. (December 12, 2014). From: The Orlando Sentinel News Section on page A20.

“Beth Israel Agrees To Pay $100K To Settle 2012 Data Breach Case.” iHealthBeat. (November 25, 2014). From: http://www.ihealthbeat.org/articles/2014/11/25/beth-israel-agrees-to-pay-100k-to-settle-2012-data-breach-case?view=print

About the Author: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620.

“The Health Law Firm” is a registered fictitious business name of George F. Indest III, P.A. – The Health Law Firm, a Florida professional service corporation, since 1999.
Copyright © 1996-2014 The Health Law Firm. All rights reserved.

Appeals Court Upholds Medical Malpractice Law Changes

By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

On July 21, a state appeals court in Tallahassee upheld the constitutionality of a controversial change in Florida’s medical malpractice law. It ruled that some privacy rights are waived when patients pursue medical malpractice lawsuits. A federal appeals court last year also upheld the change in Florida’s law.

The decision by a three-judge panel of the First District Court of Appeal resulted from a 2013 change in the medical malpractice law. The Republican-controlled Florida Legislature passed the amendments to the laws after a lobbying dispute between groups like doctors and plaintiffs’ attorneys.

Ex Parte Communications Play a Major Role.

The disputes in whether the changes were constitutionally valid centered around what is known as “ex parte communications.” The amended statute allowed doctors being sued for malpractice (or their attorneys) to speak with the patients’ other physicians, whether the patient consents or not. The new law also requires patients to sign forms authorizing the release of medical information before filing malpractice claims.

Ex parte communications allow a patient’s personal health information be obtained and used in a case. Other doctors who have treated the patient could provide the information. Additionally, without the patient’s knowledge or the patient’s attorney present, a disclosure of medical information could occur.

This Ruling Stemmed From a 2013 Case in Escambia County.

In 2013, Emma Gayle Weaver of Escambia County, Florida wanted to file a medical-malpractice lawsuit against a physician. According to court documents, her concern was about the constitutionality of the ex parte provision of the law. She challenged having to disclose her medical information to the other physician she was suing in order to bring her case.

The challenge raised legal questions about privacy rights given to all citizens by the Florida Constitution. But the panel of appeal judges disagreed that the ex parte provision violates her privacy rights.

The appeal decision, written by Judge James Wolf, stated: “It is well-established in Florida and across the country that any privacy rights that might attach to a claimant’s medical information are waived once that information is placed at issue by filing a medical malpractice claim. Thus, by filing the medical malpractice lawsuit, the decedent’s medical condition is at issue.”

To read more about the Weaver v. Myers decision, click here.

Another Issue Was Addressed.

Another issue questioned whether the ex parte change violated the constitutional separation of powers. The contention dealt with whether the Legislature overstepped the role of the Florida Supreme Court. But the appeals court ruled that the change was not procedural but rather was “integral to the substantive pre-suit notice” requirements that are in the law and mandated before the filing of a medical malpractice case.

The Federal Appeals Court Also Said the Law Doesn’t Violate HIPAA.

Last year, the 11th U.S. Circuit Court of Appeals upheld the ex parte change in a ruling that focused on whether the 2013 law violates the federal Health Insurance Portability and Accountability Act (HIPAA), which prevents disclose of personal medical information. The federal appeals court said the law did not violate HIPAA, a decision also cited in the First District Court of Appeal’s decision.

Comments?

Do you agree the court’s ruling? Do you think this provision violates privacy rights? Please leave any thoughtful comments below.

Consult With a Health Law Attorney Experienced in the Representation Health Care Professionals.

The attorneys of The Health Law Firm provide legal representation to physicians, nurses, nurse practitioners, CRNAs, dentists, pharmacists, psychologists and other health providers in academic disputes, contract negotiations, license applications, board certification applications and hearings, credential hearings and civil and administrative litigations.

To contact The Health Law Firm, please call (407) 331-6620 and visit our website at www.TheHealthLawFirm.com.

Source:

Saunders, Jim. “Appeals court upholds waiver of privacy rights in malpractice cases.” (July 22, 2015). Palm Beach Post. From: http://www.palmbeachpost.com/news/news/state-regional-govt-politics/florida-appeals-court-backs-controversial-medical-/nm48m/

About the Author: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620.

KeyWords: Medical malpractice, medical malpractice defense attorney, medical malpractice defense lawyer, Florida defense attorney, Florida defense lawyer, health law attorney, health law lawyer, privacy rights, privacy rights violation, appeals court, Health Insurance Portability and Accountability Act, HIPAA, health law, The Health Law Firm

By The Health Law Firm|2024-03-14T10:01:01-04:00June 1, 2018|Categories: In the News, The Health Law Firm Blog|Tags: appeals court, Florida defense attorney, Florida defense lawyer, Health Insurance Portability and Accountability Act, health law, health law attorney, health law lawyer, hipaa, medical malpractice, medical malpractice defense attorney, medical malpractice defense lawyer, privacy rights, privacy rights violation, the health law firm|Comments Off

HIPAA Basics For Licensed Health Care Professionals: Privacy, Security, and Breach Notification Rules

By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

The Department of Health and Human Services (HHS) recently issued a Health Insurance Portability and Accountability Act (HIPAA) fact sheet for health care professionals and organizations. The overview is titled “HIPAA Basics for Providers: Privacy, Security and Breach Notification Rules” and is intended to provide HIPAA covered entities such as physicians, health care facilities and other licenced health care professionals with a basic overview of HIPAA’s rules and responsibilities. Click here to view the HIPAA fact sheet.

HIPAA Privacy Rule.

The privacy rule is established as a standard for the protection of protected health information (PHI) by covered entities. It gives patients vital rights with respect to their health information. The following is protected information under this rule:

1. The individual’s past, present or future physical or mental health or condition;

2. The provision of health care to the individual; or

3. The past, present or future payment for the provision of health care to the individual.

PHI also includes common identifiers, such as name, address, birth date and Social Security Number.

HIPAA Security Rule.

This rule specifies safeguards that covered entities are required to implement to protect the confidentiality, integrity and availability of health information. To properly enforce this rule, covered entities must develop policies and procedures to protect the security of electronic protected health information (ePHI). This includes analyzing risks and creating solutions that are appropriate for the situation. For more information from HHS on the implementation of the security standards, click here.

HIPAA Breach Notification Rule.

Affected individuals, HHS and in certain cases, the media are required to be notified of a breach of PHI. The rule includes the following guidelines:

1. Most notifications must be provided without unreasonable delay and no later than 60 days following the discovery of the breach.

2. Smaller breaches affecting fewer than 500 individuals may be submitted to HHS in a log or other documentation annually.

3. Business associates of covered entities are also required to notify the covered entity of breaches.

To view the breach notification timelines included in the HIPAA fact sheet, click here.

Who is Required to Comply With HIPAA Rules?

The following covered entities must follow HIPAA standards and requirements:

1. Covered Health Care Providers: Any provider of medical or other health care services or supplies who transmits any health information in electronic form in connection with a transaction for which HHS has adopted a standard. This includes doctors, chiropractors, dentists, pharmacies, psychologists, clinics and nursing homes.

2. Health Plans: Any individual or group plan that provides or pays the cost of health care. This includes company health plans, government programs for health care such as Medicaid and Medicare, along with the military and health insurance companies.

3. Health Care Clearinghouses: A public or private entity that processes another entity’s health care transactions from a standard format to a non-standard format or vice versa. This includes billing services, community health management information systems, repricing companies and value-added networks.

4. Business Associates: Provide services to covered entities and are extensions of the previous entities listed, including legal services, billing, financial services and accreditation.

Enforcement and Repercussions.

The HHS Office for Civil Rights enforces the HIPAA Privacy, Security and Breach Notification Rules. Violation of these rules may result in civil and in some cases criminal penalties. HIPAA violations can also lead to Medicare exclusion which is often a death sentence for a health care provider. To read a previous blog I wrote on the penalties of HIPAA violations, including a chart outlining the penalty structure, click here.

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

For more information about HIPAA violations, or corrective action plans , please visit our website at www.TheHealthLawFirm.com or call (407) 331-6620.

Sources:

Hamlet, Julie. “HHS ISSUES HIPAA “BASICS” FACT SHEET”. Foster Swift. (September 2, 2015). Web

Department of Health and Human Services. “HIPAA Basics for Providers: Privacy, Security and Breach Notification Rules”. (May, 2015). Web

KeyWords: Health Insurance Portability and Accountability Act (HIPAA), HIPAA, HIPAA compliance, data security, protected health information (PHI), electronic protected health information, Patient privacy, U.S. Department of Health and Human Services (HHS), Office of Civil Rights (OCR), patient rights, HIPAA compliance audit, HIPAA violation, penalties for HIPAA violation, criminal penalties for HIPAA violation, civil penalties for HIPAA violation, HIPAA compliance, privacy, defense attorney, defense lawyer, Medicare exclusion, HIPAA defense attorney, HIPAA violation help, HIPAA attorney, HIPAA lawyer, compliance plans, health law firm, The Health Law

By The Health Law Firm|2024-03-14T10:01:01-04:00June 1, 2018|Categories: In the News, The Health Law Firm Blog|Tags: Health Insurance Portability and Accountability Act (HIPAA), hipaa|1 Comment

Avoiding HIPAA Violations

By Michael L. Smith, JD, RRT

Every respiratory therapist knows that the Health Insurance Portability and Accountability Act (HIPAA) requires hospitals and health care providers to maintain the confidentiality of their patients’ protected health information (PHI). RTs may not know that the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) is investigating HIPAA violations and imposing sanctions on hospitals and other covered entities for violations. RTs also may not know that the Department of Justice is criminally prosecuting particularly egregious HIPAA violations.

HIPAA violations still occur despite the fact that we have years of training and experience in protecting patient privacy. Hospitals and health care systems take HIPAA violations seriously and frequently terminate employees for those violations. RTs can avoid violating HIPAA, and the consequences associated with a violation, by avoiding the following mistakes.

Never use a patient’s PHI for personal gain. Unfortunately, this example is not too obvious to include here. A nurse in Arkansas pled guilty to criminal charges of deliberately misusing a patient’s PHI for personal gain. The nurse provided PHI on a patient to her husband so that her husband could use the information in a lawsuit involving the patient. The nurse pleaded guilty to wrongful disclosure of the patient’s health information. Another hospital employee inCalifornia pleaded guilty to selling celebrity medical information to at least one media outlet. Numerous celebrity medical records were involved, but the prosecuting attorney did not release the names of the celebrities.

Never snoop in a patient’s medical records. A hospital inHouston fired 16 employees for snooping into the medical records of an acquaintance out of curiosity. A hospital inArkansas suspended a doctor and fired two employees who snooped into the records of a local newscaster to satisfy their own curiosity. RTs should know that hospitals track the computer activity of their employees and their medical staff. Those same hospitals fire employees who inappropriately access patient records.

Never share PHI with people who have no legitimate reason to know the information. The OCR investigated a hospital and an employee in its surgical department based upon that employee providing a surgery schedule to a hospital supervisor. The surgery schedule included the name and PHI of one of the supervisor’s employees who was scheduled for surgery. The supervisor had no legitimate reason to know about his employee’s PHI.

Never share your computer passwords and log on information. Most hospitals have a policy requiring their employees to keep their computer passwords and log on information confidential. Those same hospitals are monitoring their employees’ computer activity using those same passwords and log on information. RTs who share their passwords and log on information with other people will eventually be required to explain instances of inappropriate access to PHI and the violation of their hospitals’ policies.

Never leave a computer unattended without logging off of the computer. Many hospitals have written policies requiring employees to log off their computers before leaving those computers unattended. RTs should not leave a computer unattended without logging off even if their hospital does not have a written policy.

Never communicate PHI to a patient by a method that the patient has not approved. RTs should confirm where their patients have authorized them to leave PHI. The OCR has investigated complaints against health care providers who left telephone messages including PHI at a patient’s home telephone number when the patient gave specific instructions to only be contacted through a cellular number.

Never discuss a patient’s PHI in such a manner that other individuals with no right or need to know the information can overhear the information. A hospital disciplined two of its employees for discussing a patient’s PHI with the patient in the waiting room, which allowed other patients and visitors to overhear the discussion. The patient’s complaint was investigated by the OCR, which found the hospital employees did not take reasonable efforts to avoid the disclosure of PHI. RTs are often treating patients in emergency rooms and other areas that do not provide the best privacy. Only discuss what you absolutely must discuss with the patient in order to provide care. If possible, those patients should be moved to a more private area before discussing PHI.

Never leave a patient’s paper records open and available for prying eyes. Paper records containing PHI are still common and will continue to exist for the foreseeable future. RTs need to remember that HIPAA requires hospitals and health care providers to have reasonable safeguards in place to protect patient records including paper records. RTs should follow their employer’s policies and procedures on paper records including the policies on the destruction of paper records.

RTs can avoid violating HIPAA by only accessing the records they need to provide appropriate care to their patients and by using reasonable safeguards to protect those patient records.

Michael L. Smith, JD, RRT is board certified in health law by The Florida Bar and practices at The Health Law Firm in Altamonte Springs, Florida. This article is for general information only and is not a substitute for formal legal advice.

This article was originally published in Advance for Respiratory Care and Sleep Medicine.

By The Health Law Firm|2024-03-14T10:00:25-04:00June 1, 2018|Categories: In the Know, The Health Law Firm Blog|Tags: florida attorney, health attorney orlando, hipaa, medical attorney florida, medical law firm, respiratory therapist|Comments Off

Purpose of Florida E-FORCSE Prescription Database Not for Disciplinary or Criminal Prosecution Purposes Against Physicians, Pharmacists or Other Health Professionals

By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

As you are no doubt aware now, Florida has an active prescription drug monitoring program (PDMP). It is called the “Electronic-Florida Online Reporting of Controlled Substances Evaluation” or “E-FORCSE.” More often it is referred to simply as the “prescription drug database” by Florida physicians.

The Florida Legislature adopted the E-FORCSE system in Florida by Section 893.055, Florida Statutes.

Section 893.055(7)(b), Florida Statutes, States Access to Program’s Database is Limited to Program Manager.

A pharmacy, prescriber, or dispenser shall have access to information in the prescription drug monitoring program’s database which relates to a patient of that pharmacy, prescriber, or dispenser in a manner established by the department as needed for the purpose of reviewing the patient’s controlled substance prescription history. Other access to the program’s database shall be limited to the program’s manager and to the designated program and support staff, who may act only at the direction of the program manager or, in the absence of the program manager, as authorized. Access by the program manager or such designated staff is for prescription drug program management only or for management of the program’s database and its system in support of the requirements of this section and in furtherance of the prescription drug monitoring program. Confidential and exempt information in the database shall be released only as provided in paragraph (c) and s. 893.0551. . . .

Data from E-FORCSE Not Intended to be Used to Bring Disciplinary Action Against Health Care Practitioners.

Most notably, it was not the intent of the Legislature for any state or federal agency to use the data from the E-FORCSE system primarily as evidence for the purpose of taking licensure or disciplinary action against physicians, dentists, pharmacists or other licensed health professionals.

Unfortunately, we have seen cases where, contrary to the Legislature’s intent, data from E-FORCSE has been recited in a case against a licensed health professional as an example of “substandard performance,” “falling below the standard of care,” or professional “negligence.” Additionally, we have been informed of the alleged use of the E-FORCSE system by state and federal law enforcement authorities in criminal investigations and prosecutions of licensed health professionals. However, the exact wording of Sections 893.055 and 893.0551, Florida Statutes, should be carefully analyzed in determining under what conditions access and use of the information are authorized.

Defending Against E-FORCSE Data’s Being Used Against a Health Care Practitioner.

If you are a physician, dentist or pharmacist, and data from E-FORCSE is used in or discussed in any complaint investigation, license investigation, Drug Enforcement Administration (DEA) investigation, criminal investigation, administrative complaint, charge sheet or indictment, you should ask your attorney to research the advisability of filing a motion to strike it. In addition, your attorney should also consider filing a motion in limine, before any major hearing or trial, to exclude all use or mention of the data and E-FORCSE system.

In addition, the attorney for the licensed health professional may explore the possibility of moving to exclude any and all information and evidence derived from the unauthorized use of the E-FORCSE databank under the “fruit of the poisonous tree” doctrine. To date, we have not seen any cases where this has been done.

Again the exact language of Sections 893.055 and 893.0551, Florida Statutes, should be consulted to determine whether access and use have been properly authorized.

Information on Florida’s Prescription Drug Monitoring Program from the Florida Department of Health.

The information below is taken from an informational pamphlet distributed by the Florida Department of Health (DOH) called “E-FORCSE; Florida’s Prescription Drug Monitoring Program.” It is available online, at www.e-forcse.com.

Florida’s Prescription Drug Monitoring Program Facts.

E-FORCSE will take in controlled substance dispensing data from pharmacies and health care practitioners, and will make the information available to all health care practitioners who can then use the database to guide their decisions when prescribing and dispensing certain highly-abused prescription drugs. With this information, health care practitioners may be able to identify patients who are “doctor shopping”—obtaining multiple prescriptions for the same controlled substance from multiple health care practitioners. Doctor shopping is a felony in Florida.

Who is Required to Report Controlled Substance Dispensing Information to E-FORCSE?

Any health care practitioner who has dispensed a controlled substance in schedule II, III and IV, as defined in section 893.03, Florida Statutes-like OxyContin, Percocet, Vicodine, etc., will be required to report to the database. This includes pharmacies licensed under chapter 465, Florida Statutes, (including mail order and Internet pharmacies that dispense controlled substances into Florida) and health care practitioners licensed under chapters 458, 459, 461, 462, 465, or 466, Florida Statutes.

Who is Not Required to Report Controlled Substance Dispensing Information to E-FORCSE?

A health care practitioner who:

– Administers a controlled substance directly to a patient if the amount is adequate to treat the patient during that particular treatment session;
– Administers a controlled substance to a patient or resident receiving care as a patient, at a hospital, nursing home, ambulatory surgical center, hospice or intermediate care facility for the developmentally disabled;
– Administers or dispenses a controlled substance in the health care system of the Florida Department of Corrections;
– Administers a controlled substance in the emergency room of a licensed hospital;
– Administers or dispenses a controlled substance to a patient under the age of 16; and
– Dispenses a one-time, 72-hour re-supply of a controlled substance.

How Can E-FORCSE Help Improve a Patient’s Standard of Care?

– It allows the health care practitioners to choose and prescribe controlled substances that will not negatively interact with medicines prescribed by other health care practitioners.
– Pharmacists can determine for their patients if their health care practitioners have prescribed controlled substances that might negatively interact when used together.
– Health care practitioners can determine if their patient has had multiple prescriptions for the same drugs from multiple health care practitioners. This identifies those patients potentially engaged in the crime of doctor shopping. When health care practitioners intervene, they can help their patients find treatment.

How Can E-FORCSE Help Improve the Public Health of Florida?

Health care practitioners can identify a potentially illegal diversion pattern for drugs when they request and receive a Patient Activity Report (PAR). A PAR can alert health care practitioners to doctor shopping. In addition, this information can assist law enforcement, medical regulatory boards and the Attorney General’s Medicaid Fraud Control Unit (MFCU) with active investigations into criminal activity regarding controlled prescription drugs.

Who Has Access to the Information Stored in E-FORCSE?

A health care practitioner who is subject to licensure or regulation by the DOH under chapter 458, chapter 459, chapter 461, chapter 462, chapter 464, chapter 465, or chapter 466, Florida Statutes, will have direct access to their specific patient’s information. Other direct access to information will be limited to the E-FORCSE program manager and designated staff for the purpose of program management.

Indirect access may be requested by the following organizations upon being verified and authenticated by E-FORCSE staff.

– DOH or appropriate health care regulatory boards who are involved in a specific investigation involving a designated individual for one or more prescribed controlled substances;
– The Attorney General (AG) for Medicaid fraud cases involving prescribed controlled substances; and
– A law enforcement agency during active investigations regarding potential criminal activity, fraud or theft of prescribed controlled substances.

Are Health Care Practitioners Required to Access E-FORCSE Before Prescribing a Controlled Substance?

Health care practitioners will not be required to access E-FORCSE before prescribing a controlled substance. It will be voluntary; however, physicians are encouraged to use it as a tool to improve patient care.

Is E-FORCSE Compliant with the Federal Health Insurance Portability and Accountability Act (HIPAA)?

Yes, in addition to meeting the federal HIPAA requirements, E-FORCSE will meet all required DOH security requirements.

What is the Penalty for Disclosure of Confidential Information in the E-FORCSE Database?

A health care practitioner or other individual who has access to the information in the E-FORCSE database who discloses confidential information will be committing a third-degree felony.

Contact Health Law Attorneys Experienced with Investigations of Health Professionals and Providers.

The attorneys of The Health Law Firm provide legal representation to physicians, nurses, nurse practitioners, CRNAs, pain management doctors, dentists, pharmacists, psychologists and other health providers in Department of Health (DOH) investigations, Drug Enforcement Administration (DEA) investigations, FBI investigations, Medicare investigations, Medicaid investigations and other types of investigations of health professionals and providers.

To contact The Health Law Firm, please call (407) 331-6620 and visit our website at www.TheHealthLawFirm.com.

Comments?

As a health care practitioner, do you use E-FORCSE? Why or why not? Please leave any thoughtful comments below.

About the Author: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620.

KeyWords: prescription drug monitoring program, PDMP, Florida prescription drug monitoring program, Electronic-Florida Online Reporting Controlled Substance Evaluation, E-FORCSE, E-FORCSE data, prescription database, physician, doctor, pharmacist, dentist, health care professional, health care provider, health care practitioner, Florida Legislature, prescriber, cases against licensed health care professionals, substandard performance, falling below the standard of care, professional negligence, criminal investigation, criminal investigation of a physician, prosecution of health care professional, prosecution of physician, compliant investigation, license investigation, Drug Enforcement Administration, DEA, DEA investigation, administrative complain, charge sheet or indictment, defense attorney, defense lawyer, Florida defense attorney, Florida defense lawyer, Florida Department of Health, DOH, doctor shopping, controlled substance, Attorney General, AG, Medicaid Fraud Control Unit (MFCU), dispensing controlled substances, reporting to E-FORCSE, who can access E-FORCSE, Health Insurance Portability and Accountability Act, HIPAA, E-FORCSE HIPAA compliant, health law firm, The Health Law Firm

By The Health Law Firm|2024-03-14T10:01:19-04:00May 15, 2018|Categories: Pharmacy Law Blog|Tags: administrative complain, AG, Attorney General, cases against licensed health care professionals, charge sheet or indictment, compliant investigation, controlled substance, criminal investigation, criminal investigation of a physician, dea, DEA investigation, defense attorney, defense lawyer, dentist, dispensing controlled substances, doctor, doctor shopping, doh, drug enforcement administration, E-FORCSE, E-FORCSE data, E-FORCSE HIPAA compliant, Electronic-Florida Online Reporting Controlled Substance Evaluation, falling below the standard of care, Florida defense attorney, Florida defense lawyer, florida department of health, Florida legislature, Florida prescription drug monitoring program, health care practitioner, health care professional, health care provider, Health Insurance Portability and Accountability Act, health law firm, hipaa, license investigation, Medicaid Fraud Control Unit (MFCU), PDMP, pharmacist, physician, prescriber, prescription database, prescription drug monitoring program, professional negligence, prosecution of health care professional, prosecution of physician, reporting to E-FORCSE, substandard performance, the health law firm, who can access E-FORCSE|Comments Off

Avoid Costly HIPAA Violations with a HIPAA Risk Assessment

By Danielle M. Murray, J.D.

As a health care provider or owner of a health facility, you know about the Health Insurance Portability and Accountability Act (HIPAA) of 1996. You know that you must safeguard and protect confidential patient medical information to avoid civil and criminal penalties against you and your practice. Did you know that you may need a HIPAA Risk Assessment?

All Health Care Providers Face the Risk of Being Audited.

The Office for Civil Rights (OCR) is stepping up enforcement around the country of “covered entities” and business associates. OCR auditors will send a letter informing you that within 30 days, they will be in your office reviewing your organization and interviewing your key staff members. If the auditor finds flaws with your office, you will be made aware of them, and then re-reviewed later, if you are not first fined or otherwise sanctioned. It is a very real and likely situation that many practices, facilities, and their business associates will be faced with in the coming months and years.

Frequently, an investigation into HIPAA violations is started due to disgruntled employees, patient complaints, theft or loss of records, security breaches, and improper disclosure.

A HIPAA Risk Assessment is Required.

A HIPAA Risk Assessment is a thorough review and analysis of areas where you may have risk of violating the HIPAA laws. Federal regulations require that covered entities have this assessment done. Specifically, the regulation says that covered entities must:
[c]onduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.

To see this regulation in full, go to http://law.justia.com/cfr/title45/45-1.0.1.3.70.3.33.4.html.

Auditors Do Not Care About the Size of Your Practice.

Large and small practices have been targeted by HIPAA Compliance Audits. UCLA was fined $865,000 because some of its employees improperly peeked into hospitalized celebrities’ medical records. The Alaska Department of Health and Social Services was fined $1,700,000 when a USB hard drive full of protected health information was stolen from an employee’s car. In another case, a specialty physician practice in Arizona was fined $100,000 because it used a public internet calendar to post clinical and surgical appointments.

All of these stories had something in common: they did not conduct a HIPAA risk assessment, they did not implement administrative safeguards, and they were fined a lot of money. Could your practice afford that sort of cost? Not to mention the potential criminal liability that comes with privacy violations.

HIPAA Risk Assessments Will Show You Weak Areas.

A HIPAA risk assessment can significantly reduce, if not entirely eliminate, your exposure to regulatory and litigation sanctions. It will identify areas for improvement and allow them to be corrected before an auditor finds the issue and causes unwanted problems for you and your practice.

HIPAA laws have likely changed since you last edited your privacy forms and procedures. Many health providers simply don’t have the time to re-review their policies and revise documents. In a perfect practice, this would be done every 6 months.

When the OCR auditor comes to visit your office to check for HIPAA compliance, they will ask for your Risk Assessment. Do you have one? Does your staff know who your HIPAA compliance officer is? Call an experienced health law attorney to complete a risk assessment of your practice today.

For more on HIPAA, read our two-part blog. Click here for part one and here for part two.

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other healthcare providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

For more information about HIPAA violations, electronic health records or corrective action plans (CAPs) please visit our website at www.TheHealthLawFirm.com or call (407) 331-6620 or (850) 439-1001.

Comments?

What are your thoughts? Is HIPAA working? Not working? Has HIPAA increased the protection of your health information? What could be done to improve it? Please leave any thoughtful comments below.

About the Author: Danielle M. Murray is an attorney with The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Avenue, Altamonte Springs, Florida 32714

By The Health Law Firm|2024-03-14T10:01:43-04:00May 15, 2018|Categories: Dental Law, Dentist Defense attorney, Dentistry Law, Licensure matters|Tags: administrative, civil, compliance, criminal, defense attorney, defense lawyer, doctor, fines, Health Insurance Portability and Accountability Act, hipaa, HIPAA audit protocol, HIPAA compliance, HIPPA audits, license, licensed clinical social worker, licensed mental health counselor, mental health, physician, policy, practice, privacy, psychologist, psychology, risk assessment, sanctions, security|Comments Off