Remedies for Violation of HIPAA Privacy Rights and Medical Confidentiality – Part 1

By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

I receive many questions and e-mails about possible violations of the Health Insurance Portability and Accountability Act’s (HIPAA) Privacy Regulations and Security Regulations, and breaches of confidentiality of medical records and medical information.  I will attempt to explain and clarify this issue a little in this short blog.

More detailed information on HIPAA Privacy Regulations and Security Regulations can be found at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/index.html

There is no private cause of action allowed to an individual to sue for a violation of the federal HIPAA or any of its regulations.  This means you do not have a right to sue based on a violation of HIPAA by itself.  However, you may have a right to sue based on state law.  See below.

1.  File a HIPAA Privacy Complaint with the Office of Civil Rights (OCR).

As a first step, you may desire to file a HIPAA Privacy Complaint with the federal government.  These are usually required to be filed within 180 days of the event (there are limited exceptions).  They are usually all taken and fully investigated.  If it is an egregious or a repeat violation, it may even result in an investigation by the Federal Bureau of Investigation (FBI) and criminal charges being filed against those responsible.  However, in most cases if there is a valid complaint, the federal government will assess administrative fines against those responsible.  In almost all cases, a report will be made back to you of what is found and what actions have been taken.

If you decide to file a HIPAA Privacy Complaint, this is done with the Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services (DHHS).  You may do this online.  The Complaint form is found at: http://www.hhs.gov/ocr/privacy/hipaa/complaints/index.html

If you follow this process and receive a finding that verifies the violation, you may find it easier to retain an attorney to take your case.  Please note, there is only a very short period of time in which you are allowed to file such a complaint after you have discovered it.  So be sure to do this right away.

2.  File a Complaint Against the Physician Involved with the Florida Department of Health (DOH).

The Florida Department of Health (DOH) licenses all physicians, nurses and health professionals in the state of Florida.  It is also responsible for investigating complaints against them.  The various professional boards (Board of Medicine, Board of Nursing, etc.) are under the DOH.

If there was a violation or breach of patient confidentiality or medical records confidentiality, this may also be a violation of the state’s laws on patient or medical records confidentiality. This is true in most states, not just Florida.

If there was a violation or breach of patient confidentiality by a licensed health care professional, you may also file a complaint with the appropriate state licensing board or agency about this, as well.  In Florida, for example, if a licensed health professional did this, you may decide to report this to the Florida DOH.  If they are licensed in a different state, you may have to follow that state’s procedure for filing a complaint.

For Florida, you may call the Florida DOH at (888) 419-3456 or (850) 245-4339, or you may use the online complaint form found at: http://www.doh.state.fl.us/mqa/enforcement/enforce_csu.html

The Florida DOH will investigate the complaint and will usually have an expert witness review it.  If there is a finding against the physician (or other licensed health professional) you can ask for a copy of the DOH expert’s report.  This may result in your obtaining a free expert witness review of the case.  The expert witness might even agree later to testify as an expert witness if there is a civil lawsuit filed (however, this is something your attorney would have to work out with the expert witness).

3.  File Grievance or Report to Third Party Payer (Medicare, Tricare, VA, Insurance Co.).

If you are a Medicare patient, TRICARE/CHAMPUS patient, Veterans Administration (VA) patient, Public Health Service patient, or military patient, you may also report this to the Office of the Inspector General (OIG) of that specific agency.

If you are a member of a managed care plan or have health insurance, you may desire to file a member grievance or complaint with the insurance company.  Every physician who accepts Medicare is subject to the Medicare Program’s peer review system.  You may file a complaint directly with Medicare and ask for it to be reviewed by the Medicare peer review program.

More on HIPAA Violations to Come.

In a future blog, I will continue to explain and clarify HIPAA violations.

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other healthcare providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

For more information about HIPAA violations, electronic health records or corrective action plans (CAPs) please visit our website at www.TheHealthLawFirm.com or call (407) 331-6620 or (850) 439-1001.

About the Author: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law.  He is the President and Managing Partner of The Health Law Firm, which has a national practice.  Its main office is in the Orlando, Florida, area.  www.TheHealthLawFirm.com  The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone:  (407) 331-6620.

“The Health Law Firm” is a registered fictitious business name of George F. Indest III, P.A. – The Health Law Firm, a Florida professional service corporation, since 1999.

Copyright © 1996-2012 The Health Law Firm. All rights reserved.

 

Remedies for Violation of HIPAA Privacy Rights and Medical Confidentiality – Part 2

By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

I receive many questions and e-mails about possible violations of the Health Insurance Portability and Accountability Act’s (HIPAA) Privacy Regulations and Security Regulations, and breaches of confidentiality of medical records and medical information. 

More detailed information on HIPAA Privacy Regulations and Security Regulations can be found at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/index.html

There is no private cause of action allowed to an individual to sue for a violation of the federal HIPAA or any of its regulations.  This means you do not have a right to sue based on a violation of HIPAA by itself.  However, you may have a right to sue based on state law. 

To read the first part of this blog, click here. To continue learning more on HIPAA Privacy Rights and Medical Confidentiality, see below.

4.  State Laws and Lawsuits (Civil Recovery).

If there was a violation or breach of patient confidentiality or medical records confidentiality, this may also be a violation of the state’s laws on patient or medical records confidentiality.  In most states this would give you a legal cause of action for invasion of privacy or for negligence.

The biggest problem usually encountered in this type of case, and the reason most attorneys will not even consider taking one, is the lack of documented, provable damages (again, I emphasize the words “documented” and “provable”).

5.  The Key is Documented, Provable Damages.

Unless you have actual bills and receipts, you don’t have this.  In most cases, unless you can prove that you have suffered actual damages by proof such as:

a.  Doctors’ bills you have paid

b.  Mental health counseling fees you have paid

c.  The purchase of credit protection insurance

d.  The purchase of identification theft insurance

e.  The costs you have paid because your identity was stolen

f.   Lost pay from time off (with the pay stubs, W-2 forms, etc., to prove the amount)

g.  Lost pay from a lost job (with the pay stubs, W-2 forms, etc., to prove the pay lost)

h.  Attorney’s fees paid as a direct result of the breach of privacy (key word being “direct result”)

i.  Other actual out-of-pocket expenses,

you may have a difficult time proving a case in a court of law.

If you have these, keep good, detailed documentation.  Obtain good, legible receipts for everything.

Unless you have these, you will have great difficulty in finding a plaintiff’s attorney to take such a case.  It is doubtful that you would have a provable case, as well.  There are exceptions to every case, however.

If you do feel that you have a valid case with documented damages, we urge you to contact and retain a plaintiff’s attorney to file suit on your behalf as soon as possible.  You have only a short period of time to bring up such a case, after which your rights to do so will be extinguished forever.

We would urge you to consider carrying out actions #1, #2 and #3 in Part 1.  If these organizations do not find in your favor, then it is even less likely that a judge or jury would find in your favor.

The Difference Between Hourly Attorney vs. Contingency Fee Attorney.

Our statements above hold true mainly because most attorneys who would take such a case are plaintiff’s attorneys who take cases for a contingency fee (a percentage of the amount they win).  In such a case, if an attorney spends 100 hours preparing for trial (actually a low number), wins your case, and you only have $500 worth of provable damages (if the contingency fee agreement is for 40%, a fairly standard amount) then that attorney only gets $200, or $2.00 per hour.  I don’t know any attorney who will work for that amount.  (This is a very simplistic illustration to make the point; it does not even take into account the legal costs involved, which the client is usually responsible for paying.)

An attorney who charges by the hour may be more likely to take the case (but he/she may also be hard to find for this type of case), and may require a retainer fee of $5,000 to $15,000 paid up front just to get started.

If you have a civil case for liability, you only have a short, limited time to file it.  You must do so within the applicable time period or you will lose the right to do so forever.

Remember, there is only a short time in which to take any action that may be necessary and if you fail to do so, your rights may be lost forever.

Again, this is not legal advice, just general information.


Patients Like to Read Doctors’ Notes Online

By Danielle M. Murray, J.D.

According to the Orlando Sentinel, a study published in the Annals of Internal Medicine shows that patients like to read their doctors’ notes.  In the study, published in April of 2012, doctors put their notes online, and gave patients online access to the file.  While some patients had privacy concerns, ninety-nine percent (99%) of them requested to keep access to the file after the study was over.

To read the entire article from the Orlando Sentinel, click here.

Doctors Did Not Feel Overwhelmed by Having to Put Notes in Computer.

Patients interviewed for the study felt that the notes reiterated important points that they had discussed with their doctors.  Study participants were able to be reminded of key information, and many said they felt that they were more compliant with the doctors’ recommendations.

Doctors didn’t report feeling limited or overwhelmed by having to take notes in the computer system used for the study, and they continued to allow access to the notes following the study.

Non-Electronic Options for Doctors’ Offices.

If a doctor does not feel comfortable using an online system, or simply does not have the time or money to convert to an electronic system, the article suggests that doctors can simply add a new procedure to their current, handwritten record-keeping system.  Doctors can have staff routinely make a copy of the patient’s notes and mail the notes, or have the notes picked up by the patient, within a set time after the visit.

Keep in Mind Your Responsibilities as A Doctor.

As a health attorney advising physicians, medical groups and medical facilities, I have to look at the legal risks of such arrangements.

While putting records online or even creating an app for patients to access records is convenient, such an arrangement can inadvertently allow the records to fall into the hands of third parties.  I don’t know of many doctors’ offices with in-house staff to manage their document server and online secure servers for such an undertaking.  Even so, streamlining the process generally requires special software, which was created by and likely monitored by a third-party software developer.

I would first suggest that any health professional looking to digitize or allow remote access to records have a contract ready for their technology associate to sign.  The contract should clearly state the obligations of each party, and it should incorporate all Health Insurance Portability and Accountability Act (HIPAA) privacy and security responsibilities.  I would not suggest piecing something like this together on your own; seek counsel, such as experienced health law attorneys, to do this for you.

If you are unsure about HIPAA privacy rights, click here for part one and click here for part two of a blog series on possible violations.

Contact Health Law Attorneys Experienced with Investigations of Health Professionals and Providers.

The attorneys of The Health Law Firm provide legal representation to physicians, nurses, nurse practitioners, CRNAs, dentists, pharmacists, psychologists, health facilities and other health providers in Department of Health (DOH) investigations, OCR HIPAA audits, breach of privacy investigations, HIPAA risk assessments, Drug Enforcement Administration (DEA) investigations, FBI investigations, Medicare investigations, Medicaid investigations and other types of investigations of health professionals and providers.

To contact The Health Law Firm, please call (407) 331-6620 or (850) 439-1001 and visit our website at www.TheHealthLawFirm.com.

Comments?

As a health professional, do you make notes available to your patients? Does putting such notes online worry you? Please leave any thoughtful comments below.

Source:

Pittman, Genevra. “Patients Like Reading Their Doctors’ Notes: Study.” Orlando Sentinel. (October 1, 2012). From: http://www.orlandosentinel.com/health/sns-rt-us-patients-like-reading-their-doctors-notes-stbre-20121001,0,925182.story

About the Author: Danielle M. Murray is an attorney with The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Avenue, Altamonte Springs, Florida 32714

 

Sarasota Sheriff Wants Patients to Waive HIPAA Privacy Rights

By Danielle M. Murray, J.D.

Law enforcement has been working hard to bust pill mills and stop prescription drug abuse. Pharmacists and pain management doctors are under intense scrutiny by various law enforcement agencies, including the Drug Enforcement Administration (DEA) and the Department of Health (DOH), for their role in giving out controlled substances.

“Doctor shopping” is a common phrase used to describe patients who see multiple doctors in a short period of time in an attempt to dupe doctors into giving them prescriptions for controlled substances. Doctors have been hampered somewhat by HIPAA privacy laws and have been unable to report suspicious patients to law enforcement agencies.

Sarasota County has a solution for that. According to the Sarasota Herald-Tribune, the county has devised a form, entitled “Authorization for Release of Protected Health Information,” and distributed it to pain management physicians. This form is to be signed voluntarily by patients and would allow doctors to discuss concerns with law enforcement. According to the sheriff’s office, the form is intended to be limited to the patient’s name and the doctor’s concerns, and not to allow the release of medical records or other protected information.

To see the form for yourself, click here.

Physicians Not In Favor of the Form.

Critics say that the form is a blatant violation of patient rights and is simply a way for law enforcement to get around constitutional protections, such as search warrants.

It appears that some physicians agree with the critics. Not a single waiver has been returned to the Sarasota Sheriff’s Office.

In a Sarasota Herald-Tribune article, a pain management clinic owner states that his clients sign a contract that waives their rights if the clinic is approached by an investigator. He states “I understand HIPAA and am a firm believer in their rights, but if they’re doing something illegal, they’re jeopardizing my license.”

To see the full article from the Sarasota Herald-Tribune, click here.

Providers are at Risk.

The clinic owner is correct. Providers are at risk for their patients’ inappropriate prescription use. We have seen cases where providers are faced with criminal and civil liability when a patient overdoses on medication, whether intentional or not.

Click here to read a previous blog post on one Florida doctor who gave up his license due to allegations of malpractice and overprescribing pills.

In Orlando, Florida, a drug trafficking ring used fake prescriptions to access drugs at pharmacies around the city, and the responsible pharmacists are now facing disciplinary action for filling those prescriptions. There is a major crackdown underway to stop pill mills.

Recently the Polk County Sheriff’s Office issued 25 arrest warrants in connection with a pill mill investigation (click here to read the blog on this story). The big pharmacy chains are getting hit as well. A Walgreens distribution center in Florida was recently served with an immediate suspension order from the DEA (click here for that blog), and the DEA also pulled the controlled substance licenses from two Central Florida CVS Pharmacies (click here to read more).

Do Not Violate HIPAA.

Providers must be careful not to violate HIPAA. HIPAA violations may also result in administrative and civil action against you and your license, especially if the patient can prove they were damaged by the leak. A patient who was arrested due to the provider’s HIPAA violation would likely be able to show damages and cause action to be taken against the provider’s license.

You can read more on HIPAA violations in our two-part blog series. Click here to read part one and click here to read part two.


Comments?

What do you think of the “Authorization of Release of Protected Health Information” form? Do you think it goes too far? Please submit any thoughtful comments below.

Source:

Williams, Lee. “Sheriff wants doctors to have patients sign away rights.”  Sarasota Herald-Tribune. (October 1, 2012). From: http://www.heraldtribune.com/article/20121001/ARTICLE/121009975/2416/NEWS?p=all&tc=pgall 

About the Author: Danielle M. Murray is an attorney with The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area.  www.TheHealthLawFirm.com  The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620.

 


Ex-Hospital Employee Admits to Stealing and Selling Confidential Patient Information

By Lance O. Leider, J.D., and George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

On October 22, 2012, a former Florida Hospital employee admitted to stealing patient information that was used to target customers for lawyers and chiropractors, according to a number of sources. The man allegedly pleaded guilty in Orlando federal court to one count of conspiracy and one count of wrongful disclosure of health information, according to the Department of Justice (DOJ). By accessing this information the man violated criminal provisions of the Health Insurance Portability and Accountability Act (HIPAA).

To read a press release on the guilty plea from the DOJ, click here.

You may remember the news story about a privacy breach at Florida Hospital back in October 2011. The breach involved more than 700,000 patient records that were accessed by the ex-employee between 2009 and 2011. We previously wrote about that story. Click here to read the blog.

Patients Received Calls from Lawyer and Chiropractor Referrals. 

Federal investigators said the ex-hospital worker was looking specifically for information on car accident victims. He would allegedly sell that information to co-conspirators.

According to the Federal Bureau of Investigation (FBI) affidavit, some patients would receive calls offering lawyer or chiropractor referrals about a week after their hospital visit.

The FBI also allegedly found payments from co-conspirators to the former hospital employee.

To read the FBI affidavit, click here.

Will the Ex-Employee Get Prison Time?

According to the Orlando Sentinel, the ex-Florida Hospital worker faces up to 15 years in federal prison for these criminal charges.

Click here to read the entire article from the Orlando Sentinel.

The man will be sentenced on January 14, 2013. Be sure to check our blog for updates to this story.

Be Sure to Get a HIPAA Risk Assessment to Avoid Violations.

As a health provider, you know that you must safeguard and protect confidential patient medical information to avoid civil and criminal penalties against you and your practice. A HIPAA Risk Assessment is a thorough review and analysis of areas where you may have risk of violating the HIPAA laws. We recently wrote a blog on this subject; click here to view it.

HIPAA Privacy Complaints Are Effective.

Many individuals whose privacy is breached fail to realize how effective a HIPAA Privacy Complaint can be. These complaints, which can be filed online to the Office of Civil Rights (OCR), are fully investigated. Stiff civil fines and even criminal prosecutions may result.

Since the time period is short for filing these (180 days), the first step you should take, if your medical privacy is breached, should be to file a HIPAA Privacy Complaint.

Contact Health Attorneys Experienced in the Confidentiality of Medical Records.

Our attorneys provide advice and legal opinions on confidentiality of medical records and medical information, including HIPAA Privacy Regulation, and are available to testify as expert witnesses on these issues.

For a list of applicable Federal and Florida legal authorities on “super-confidential” medical information such as mental health, HIV and drug or alcohol treatment records click here.

To contact The Health Law Firm please call (407) 331-6620 or (850) 439-1001 and visit our website at www.TheHealthLawFirm.com.

Comments?

Have you been following this story? Do you think the ex-hospital employee should receive the maximum sentence? Please leave any thoughtful comments below.

Sources:

Pavuk, Amy. “Ex-Hospital Employee Pleads Guilty to Stealing Patient Information.” Orlando Sentinel. (October 22, 2012). From: http://www.orlandosentinel.com/news/local/breakingnews/os-florida-hospital-patient-records-arrest-20121022,0,5057291.story

Department of Justice. “Former Florida Hospital Employee Pleads Guilty To Data Theft.” DOJ. (October 22, 2012). Press Release From: http://www.justice.gov/usao/flm/press/2012/oct/20121022_Munroe.html

About the Authors: Lance O. Leider is an attorney with The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com  The Health Law Firm, 1101 Douglas Avenue, Altamonte Springs, Florida 32714, Phone:  (407) 331-6620.

George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law.  He is the President and Managing Partner of The Health Law Firm, which has a national practice.  Its main office is in the Orlando, Florida, area.  www.TheHealthLawFirm.com  The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone:  (407) 331-6620.


Florida Man Sentenced to Prison for Role in Florida Hospital Data Theft

By Lance O. Leider, J.D., The Health Law Firm

A Davenport, Florida, man was sentenced to four years in prison for paying off two Florida Hospital employees to illegally access patient records, according to the Department of Justice (DOJ). A judge sentenced Sergie Kusyakov on April 10, 2013. He was charged with conspiracy and wrongful disclosure of individual identifiable health information.

Click here to read the press release from the DOJ.

Ex-Employees Sold Patient Information to a Co-Conspirator.

Mr. Kusyakov’s sentence stems from a privacy breach at Florida Hospital back in October 2011. The breach involved thousands of patient records that were illegally accessed between 2009 and 2011. Apparently Mr. Kusyakov was paying hospital employee Dale Munroe and his wife to illegally access thousands of records of patients treated at multiple Florida Hospital locations. Mr. Munroe was sentenced in January 2013. Click here to read a previous blog on that story.

Mr. Munroe was allegedly fired in July 2011, after it was learned he accessed the records of a doctor fatally shot in a parking garage. Investigators then found that Mr. Munroe had accessed more than 700,000 patient records, most of them belonging to patients who had been involved in vehicle accidents. Mr. Munroe then sold the records to Mr. Kusyakov, who was associated with two chiropractic clinics. The information was then used to solicit the patients for lawyers and chiropractors. After Mr. Munroe was fired, his wife began stealing patient information. She will be sentenced in July.

HIPAA Privacy Complaints Do Result in Action.

The act of accessing patient records is a direct violation of the Health Insurance Portability and Accountability Act (HIPAA). Many individuals whose privacy is breached fail to realize how effective a HIPAA Privacy Complaint can be. These complaints, which can be filed online to the Office of Civil Rights (OCR), a federal agency, are fully investigated. Stiff civil fines and even criminal prosecutions may result. In serious cases, the FBI investigates them.

Since the time period is short for filing these (180 days), the first step you should take, if your medical privacy is breached, is to file a HIPAA Privacy Complaint with the OCR. Also file a complaint with the hospital or health care provider and with the state agency that licenses the health care provider.

Contact Health Attorneys Experienced in the Confidentiality of Medical Records.

Our attorneys provide advice and legal opinions on confidentiality of medical records and medical information, including HIPAA Privacy Regulation, and are available to testify as expert witnesses on these issues.

To contact The Health Law Firm please call (407) 331-6620 or (850) 439-1001 and visit our website at www.TheHealthLawFirm.com.

Comments?

What do you think of Mr. Kusyakov’s sentence? Please leave any thoughtful comments below.

Sources:

Pavuk, Amy. “Man Sentenced to Federal Prison for Role in Florida Hospital Theft.” Orlando Sentinel. (April 11, 2013). From: http://www.orlandosentinel.com/news/local/breakingnews/os-florida-hospital-patient-data-theft-20130410,0,3261544.story

Department of Justice. “Davenport Man Sentenced to 4 Years in Prison of Theft of Patient Information.” Department of Justice. (April 10, 2013). From: http://www.justice.gov/usao/flm/press/2013/apr/20130410_Kusyakov.html

About the Author: Lance O. Leider is an attorney with The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Avenue, Altamonte Springs, Florida 32714, Phone: (407) 331-6620.


Relocating, Selling or Closing Your Medical Practice? Be Sure to Comply with Florida Law

By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

Relocating, selling or retiring is never an easy decision for a physician. On top of patients’ anxiety about their doctor leaving, there are also legal hoops you will be required to jump through. It’s important to know what is expected of you as you relocate, sell or retire from a practice. The last thing any doctor on his or her way out would want is a letter from the Florida Department of Health (DOH) informing him or her that when the practice closed he or she failed to follow the proper procedures under Florida law. Even in retirement, the Florida DOH can fine a physician or health care provider. And believe me, that does happen.

This blog is intended to help any physician or health care provider relocating, retiring or terminating a practice. It will explain the necessary steps that need to be taken under Rule 64B8-10.002, Florida Administrative Code.

Notifying Patients of Relocation or Termination of a Practice.

When a licensed physician terminates practice or relocates and is no longer available to patients, patients should be notified of such termination, sale or relocation. The physician is required to publicly announce the event by publishing an announcement once during each week for four consecutive weeks in the newspaper of the greatest general circulation in each county in which the physician practices. So, for example, if you live in the Orlando, Florida, area, you would want to publish the notice in the Orlando Sentinel. The newspaper notification must announce the date of termination, sale or relocation and an address where patients can obtain a copy of their medical records.

A copy of the notice must be mailed to the Florida Board of Medicine within a month of the date of relocation or termination of the medical practice. It would be in your best interest to obtain and keep a copy of your notice from the newspaper, just in case the board audits you or someone files a complaint.

Signs at the Office are Optional.

The physician may, but is not required to, place a sign at a location in the office to notify patients by letter of the termination, sale or relocation of the practice. The sign or notice will advise patients of their opportunity to transfer or receive their records. Again, this is optional.

Keeping Medical Records.

Under Section 458.331(1)(m), Florida Statutes, a physician must keep adequate written medical records for a period of five years from the last patient contact, so medical record storage options, which must properly conform with state and federal privacy regulations, will have to be considered. Alternatively, the sale of a practice necessitates an execution of the proper medical record transfer agreement as part of the transaction.

Also keep in mind, a physician planning to close, sell or relocate a medical practice must consider how to effectively notify employees about termination and must properly maintain employee records and other medical billing records after the practice has closed its doors.

Notifying All Appropriate Groups.

On top of informing the Florida Board of Medicine, physicians may also be required to notify other licensing authorities. This may include the Drug Enforcement Administration (DEA), Florida DOH, Center for Medicare and Medicaid Services (CMS), the Florida Agency for Health Care Administration (AHCA), and other local business licensing authorities.

These rules can be confusing and complex. To ensure you have completely complied with Florida law, consult with a health law attorney experienced in these matters.

Contact Health Law Attorneys Experienced in Business Transactions and Contracts.

At the Health Law Firm we provide legal services for all health care providers and professionals. This includes physicians, nurses, dentists, psychologists, psychiatrists, mental health counselors, Durable Medical Equipment suppliers, medical students and interns, hospitals, ambulatory surgical centers, pain management clinics, nursing homes, and any other health care provider. We represent facilities, individuals, groups and institutions in contracts, sales, mergers and acquisitions.

The services we provide include reviewing and negotiating contracts, business transactions, professional license defense, representation in investigations, credential defense, representation in peer review and clinical privileges hearings, Medicare and Medicaid audits, commercial litigation, and administrative hearings.

To contact The Health Law Firm, please call (407) 331-6620 or (850) 439-1001 and visit our website at www.TheHealthLawFirm.com.

Comments?

Have you gone through the process of selling, relocating or retiring? How did you comply with all the rules? Please leave any thoughtful comments below.

Source:

Rule 64B8-10.002, F.A.C., Medical Records of Physicians Relocating or Terminating Practice; Retention, Disposition, Time Limitations.

About the Author: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620.

Affinity Health Plan Settles with Government in Photocopier HIPAA Breach Incident Involving Patient Medical Information

By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

The U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR), and Affinity Health Plan, Inc. (Affinity), reached a settlement for more than $1.2 million for potential violations of the Health Insurance Portability and Accountability Act (HIPAA). The alleged violations related to a photocopier previously leased by Affinity. The photocopier had an internal hard drive which stored copies of documents, including medical records, which had been photocopied by Affinity. The photocopier was returned to the leasing company and then later purchased from that same company by CBS Evening News. Apparently CBS Evening News then discovered the medical records on the photocopier hard drive.

According to the HHS, Affinity filed a breach report with the HHS OCR on April 15, 2010. This is required under the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Affinity is a not-for-profit managed care plan serving the New York metropolitan area.

Alleged Violations Stemmed from Failing to Clear Photocopier Hard Drive.

Affinity was allegedly informed by a representative of CBS Evening News that, as part of an investigation, CBS purchased a photocopier previously leased by Affinity. CBS allegedly informed Affinity that the photocopier still contained medical information on its hard drive. The OCR estimated that up to 344,579 individuals may have been affected by the breach. The OCR’s investigation found that Affinity impermissibly disclosed the protected health information of these individuals when it returned multiple photocopiers to leasing agents without deleting the data stored on the hard drives.

Affinity Must Try to Retrieve All Hard Drives in Previously Used Photocopiers.

According to HealthIT Security, on top of the $1,215,780 payment, Affinity must also try to recover all its previously used photocopiers that are still in the custody of the leasing company. Affinity must also conduct a risk analysis of its electronic protected health information for security risks and vulnerabilities.

Warning to HIPAA Covered Entities Regarding Risk Assessments.

This settlement is an important reminder about equipment designed to retain electronic information. HIPAA covered entities are responsible for making sure all personal information is wiped from the hardware before it is recycled, thrown away or sent back to a leasing agent. Entities are also required to undertake a careful risk analysis to understand the threats and vulnerabilities to individuals’ data, and have safeguards in place to protect this information.

HIPAA laws have most likely changed since you last edited your privacy forms and procedures. Many health providers simply do not have the time to re-review their policies and revise documents. In a perfect practice, this would be done every six months.

Be Sensitive to Technical Equipment Containing Internal Memory.

In today’s technological society everyone must be continually vigilant about the machines and equipment used. Many different types of devices now contain internal memory chips and hard drives that may store data that is difficult to erase. These may include, for example, photocopiers, scanners and fax machines, in addition to computers and servers. Security videos and communications monitoring systems may also maintain such information. Backup tapes and modern cell phones are other possible examples. These should be professionally cleaned of all data or destroyed before discarding them.

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other healthcare providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

For more information about HIPAA violations, electronic health records or corrective action plans (CAPs) please visit our website at www.TheHealthLawFirm.com or call (407) 331-6620 or (850) 439-1001.

Comments?

What do you think of this settlement? Does your office and/or practice have an annual security risk assessment? Do you think risk analyses are important? Please leave any thoughtful comments below.

Sources:

Office of Civil Rights. “HHS Settles with Health Plan in Photocopier Breach Case.” U.S. Department of Health and Human Services. (August 14, 2013). From: http://www.hhs.gov/news/press/2013pres/08/20130814a.html

Ouellette, Patrick. “OCR, Affinity Health Plan Reach HIPAA Violation Agreement.” HealthIT Security. (August 14, 2013). From: http://healthitsecurity.com/2013/08/14/ocr-affinity-health-plan-reach-hipaa-violation-agreement

About the Author: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law.  He is the President and Managing Partner of The Health Law Firm, which has a national practice.  Its main office is in the Orlando, Florida, area.  www.TheHealthLawFirm.com  The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone:  (407) 331-6620.

New Requirements Released for Physician Medical Records Related to Compounded Medications

By Michael L. Smith, R.R.T., J.D., Board Certified by The Florida Bar in Health Law and George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

On September 5, 2013, the Florida Board of Medicine and the Florida Board of Osteopathic Medicine published new requirements for medical record documentation related to compounded medications administered to patients in an office setting.  These standards become effective September 9, 2013. The standards are contained in Florida Administrative Code Rules adopted by each board.

We believe the updated requirements are a result of the recent recalls of tainted compounded medications that have spread across the country and infected thousands of patients. These new standards will make it easier for health care professionals to trace drug reactions and spot tainted batches of medications quickly. The new changes apply to the exact documentation required anytime a compounded medication is administered to a patient.

For the Florida Board of Medicine this is an update to Rule 64B8-9.003, Florida Administrative Code. For the Florida Board of Osteopathic Medicine this is an update to Rule 64B15-15.004, Florida Administrative Code.

New Medical Records Standards.

According to the Florida Board of Medicine and the Florida Board of Osteopathic Medicine, when compounded medications are administered to a patient in the office the medical record documentation must contain, at a minimum:

1.  The name and concentration of medication administered;
2.  The lot number of the medication administered;
3.  The expiration date of the medication administered;
4.  The name of the compounding pharmacy or manufacturer;
5.  The site of administration on the patient;
6.  The amount of medication administered; and
7.  The date the medication was administered.

New Standards Most Likely Triggered by Tainted Compounded Medications.

These new standards are being implemented about a year after a nationwide outbreak of fungal meningitis linked to contaminated drugs made by a compounding pharmacy in Massachusetts. Click here to read our previous blog. Florida is no stranger to allegations of tainted compounded products. In May 2013, Franck’s pharmacy in Ocala, Florida, was accused of distributing eye medications that contained a fungal infection. Click here for the first blog and here for the second blog on this.

It’s likely these updated requirements are a direct result of the recent issues with compounded medications and compounding pharmacies. In the event a health care professional’s office receives a batch of tainted compounded medicine, these medical record standards will help the health care professional track which patients received the tainted medications. Also, authorities, such as the Department of Health (DOH) and U.S. Food and Drug Administration (FDA), will be able to easily track and send recalls to the offices that receive tainted compounded medications.

Contact Health Law Attorneys Experienced in the Representation of Health Professionals and Providers.

The attorneys of The Health Law Firm provide legal representation to physicians, nurses, nurse practitioners, CRNAs, pain management doctors, dentists, pharmacists, psychologists and other health providers in Department of Health (DOH) investigations, Drug Enforcement Administration (DEA) investigations, FBI investigations, Medicare investigations, Medicaid investigations and other types of investigations of health professionals and providers.

To contact The Health Law Firm, please call (407) 331-6620 or (850) 439-1001 and visit our website at www.TheHealthLawFirm.com.

Comments?

Had you heard of these updates? Do you think these requirements will help officials track tainted medications? Please leave any thoughtful comments below.

About the Authors: Michael L. Smith, R.R.T., J.D., is Board Certified by The Florida Bar in Health Law. He is an attorney with The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620.

George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law.  He is the President and Managing Partner of The Health Law Firm, which has a national practice.  Its main office is in the Orlando, Florida, area.  www.TheHealthLawFirm.com  The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone:  (407) 331-6620.

Two Laptops Containing Information of 729,000 Patients Stolen from California Hospital Group

By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

The personal health information of around 729,000 patients has been compromised following the theft of two laptops. The password-protected computers were taken from an administration building of AHMC Healthcare Inc., a hospital group in Alhambra, California. According to the Los Angeles Times, the laptops contain data from patients treated at six different AHMC Healthcare hospitals. Surveillance video shows that the theft occurred on October 12, 2013, but hospital officials did not discover the laptops were missing until two days later.

Laptops Contain Patient Information, But No Evidence Information Has Been Hacked.

According to the hospital group, the laptops contain data including patients’ names, Medicare/insurance identification numbers, diagnosis/procedure codes, and insurance/patient payment records. Some of the files allegedly contain the Social Security numbers of Medicare patients.

So far, there is no evidence the information has been accessed or used, according to the CBS affiliate in Los Angeles. Click here to read the article from the CBS affiliate.

However, given that this just occurred a few days ago, it is probably too early to tell, anyway.

Breach Must Be Reported to the Department of Health and Human Services.

Hospitals are required, under federal law, to report potential medical data breaches involving more than 500 people to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). The OCR is responsible for investigating all allegations of violations of HIPAA Privacy and Security Regulations.

According to the Los Angeles Times, AHMC Healthcare has already asked for an auditing firm to perform a security risk assessment. Hospital administrators are also expediting a policy to encrypt all laptops.

HIPAA Omnibus Final Rule Effective September 23, 2013–Get a Risk Assessment.

The HIPAA Omnibus Final Rule went into effect on September 23, 2013. By now, hospitals, physicians and all covered entities must comply with the HIPAA Omnibus Final Rule. The amendments to the rule are available on the HHS OCR website. I previously wrote a blog series about the HIPAA Omnibus Final Rule. Click here for part one, click here for part two and here for part three.

Covered entities should be performing HIPAA risk assessments to identify their security risks and implement protections before a data breach occurs. HIPAA has always required covered entities to perform HIPAA risk assessments. Very often, the first question the OCR asks when investigating a possible HIPAA violation is what risk assessment the health care provider has performed.

The objectives of an adequate HIPAA risk analysis are:

1. Identify the scope of the analysis – the analysis should include all the risks and vulnerabilities to the confidentiality, availability and integrity of all electronic health information regardless of its location.
2. Gather data – the covered entity must identify every location where electronic data is stored.
3. Identify and document potential threats and vulnerabilities – the covered entity should consider natural threats, human threats and environmental threats.
4. Assess current security measures – the covered entity must examine and assess the effectiveness of its current measures.
5. Determine the likelihood of threat occurrence – the covered entity should evaluate each potential threat and prioritize its plan to address each threat.
6. Determine the potential impact of threat occurrence – the covered entity should assess the possible outcomes of each identified threat such as unauthorized disclosure of confidential information.
7. Determine the level of risk – the covered entity should categorize each risk and plan its procedures to mitigate any damage caused by each risk.
8. Identify security measures and finalize documentation – the covered entity should thoroughly document all the steps it used in its risk assessment process.

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other healthcare providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

For more information about HIPAA violations, electronic health records or corrective action plans (CAPs) please visit our website at www.TheHealthLawFirm.com or call (407) 331-6620 or (850) 439-1001.

Comments?

What do you think of this alleged HIPAA violation? Do you have policies and procedures in place to protect your patients’ right to privacy? Have you received a HIPAA risk assessment lately? Please leave any thoughtful comments below.

Sources:

Winton, Richard. “Laptop Thefts Compromise 729,000 Hospital Patient Files.” Los Angeles Times. (October 21, 2013). From: http://www.latimes.com/local/la-me-hospital-theft-20131022,0,1936078.story#axzz2iRg6Rh3Y

Los Angeles CBS. “Laptops Containing Patient Information Stolen from Alhambra Hospital.” Los Angeles CBS. (October 22, 2013). From: http://losangeles.cbslocal.com/2013/10/22/laptops-containing-patient-information-stolen-from-alhambra-hospital/

About the Author: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620.
