The Risk Of Not Paying Attention to HIPAA Violations

By Jacqueline Bain

On October 23, 2019, the U.S. Department of Health and Human Services imposed a civil money penalty of over $2 million against Jackson Health System in Florida for repeated HIPAA violations.

The HIPAA violations mentioned in the HHS Press Release include:
1. Loss of paper patient records in December 2012;
2. Loss of additional paper patient records in January 2013;
3. A media report containing patient information (a photo shared on social media);
4. Employees accessing the information of one patient without a job-related purpose;
5. An employee’s improper access and sale of patient records in 2011.

“OCR’s investigation revealed a HIPAA compliance program that had been in disarray for a number of years,” said OCR Director Roger Severino. The state of the compliance program allowed for the failure of several HIPAA requirements, including provision of timely and accurate HIPAA breach notifications, performance of regular risk assessments, investigation of identified risks, audits of system activity records, and imposing appropriate restrictions on workforce members’ access to patient information. The government’s final determination is available here.

When a HIPAA breach is discovered and reported, the government will often take the time to review a covered entity’s history of compliance or non-compliance. This may include an investigation into prior issues, effectiveness of policies and procedures, and employee issues. Overlooking one suspected breach may result in the imposition of sanctions on any later breach. This is why it’s so important for a healthcare business to understand its HIPAA obligations and take them seriously.

When was the last time your business conducted a security risk assessment to understand its potential risk areas for security breaches? If you’ve never had one, or haven’t had one recently, the time is now to conduct one. “When was your last security risk assessment?” is often the first thing that the government will ask in response to a breach.

Federal fines for noncompliance with HIPAA are based on the level of negligence perceived by the Federal government at the time of the breach. Fines and penalties range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million. Simply put, your healthcare business can’t afford to bury its head and hope that it won’t be hit.

Florida Physician Supervision for Non-Physician Providers

By: Chase Howard

In Florida, a licensed physician can provide supervision of healthcare providers that are not physicians under certain circumstances. Understanding who a physician can cover and under what circumstances can help protect your license and avoid receiving a complaint by the Florida Department of Health.

In every case, when a physician agrees to supervise another provider, Florida law requires certain documentation and notice to be filed.

Protecting Your License Against Adverse Action

By: Susan St. John

If you have ever been the recipient of a Florida state agency’s (i.e. Department of Health, AHCA, etc.) notice regarding an adverse action, such as a Notice of Intent to Deny, licensure application, renewal or change of ownership, you probably received an Election of Rights form along with the agency’s notice. The Election of Rights form must be completed and returned to the agency within 21 days of receiving the agency’s notice. In completing the Election of Rights form, you are given three options to choose from in deciding how you want to respond to the agency’s notice.

Under Option One you admit to the allegations of facts and law contained in the agency’s notice of intended action and waive the right to object and have a hearing. This is akin to an admission of guilt, that the agency is right in its decision, and you agree to a final order that supports the agency’s actions, including imposition of fines and punishment against you. Option One is generally not in your best interest.

$800,000 HIPAA Settlement for Leaving Patient Records on Physician's Front Porch

The Department of Health and Human Services announced this morning that it has entered into a settlement agreement with Parkview Health System, Inc., an Indiana medical group caught up in a HIPAA violation case. Parkview was assisting a retiring physician to transition her patients to new providers. Parkview was also considering purchasing some of the physician’s patient records. When Parkview attempted to return between 5,000 and 8,000 patient records to the physician, she was not home to accept their return. Parkview employees left cardboard boxes containing between 5,000 and 8,000 patient medical records outside of the physician’s home, and within twenty feet of a public road. In settlement and release of HHS’ claims against Parkview for such a HIPAA violation, Parkview agreed to pay the Department of Health and Human Services $800,000 and enter into a Corrective Action Plan. The entire Resolution Agreement between Parkview and HHS is available here.

Score One for the Florida Physician!

New legislation placing tighter restrictions on out-of-state M.D., D.O., and D.D.S. expert witnesses became effective July 1, 2011. HB 479 adds registration requirements for out-of-state or Canadian physicians wishing to serve as expert witnesses in Florida legal settings. With a $50 application fee and an application to the Florida Department of Health, an expert witness will receive a certificate to provide expert testimony. The law also gives the respective boards authority to discipline both those licensed in this state and those with a certificate for providing deceptive or fraudulent expert witness testimony. Lastly, such expert witnesses who submit a pre-suit verified expert medical report are no longer immune from discipline.

Haven’t Thought Much About Compliance Lately? The Government Has


It is estimated that health care fraud is a $60 billion a year business fueled by illegal conduct such as submitting false claims and paying kickbacks to physicians and suppliers. Until recently, if large health care organizations were the targets of fraud investigations, these companies, as their penance, typically wrote a big check to the government and continued business as usual. Things have changed.

While indicting and convicting health care executives is not a new practice, officials at the Department of Health and Human Services (“DHHS”) and the Department of Justice (“DOJ”) are said to be frustrated with the frequent occurrence of repeat violations and they are ramping up their strategy. Lately there have been aggressive new initiatives rolling out to combat rampant health care fraud and the government is increasingly bringing criminal charges against executives even if they were not complicit in the fraud scheme, but could have stopped it if they had known.

What’s more striking is that in addition to civil monetary penalties and criminal indictments, the government is taking great efforts to exclude convicted executives from being involved in companies that do business with federal health programs. A recent bill introduced to Congress under the name of the “Strengthening Medicare Anti-Fraud Measures Act of 2011” (the “Act”) increases DHHS’ existing powers and allows them to seek to exclude owners, officers and managers of companies that are convicted of health care fraud from federal healthcare programs even if they left the company prior to any conviction of the entity.

In addition to the expansion of the permissive exclusion afforded by the Act to DHHS, regulators and law enforcement officials are going to be increasingly utilizing current permissive exclusion remedies. DHHS’ bold move appears to be based on the rationale that the permissive authority of the Secretary of DHHS or the Office of the Inspector General of DHHS to exclude individuals is a much easier process than criminal proceedings.

The impact of this aggressive new government strategy will likely have even further reaching consequences for convicted healthcare business owners and executives. For instance, an exclusion from being part of a business that works with federal health care programs would be a career ending blow for most executives. It should also be emphasized that smaller organizations are not in any way immune from enforcement activity. In fact, with newly increased enforcement budgets, authorities have the means and the time to target organizations of all sizes.

Lawmakers and regulators are hopeful that by ramping up the enforcement of existing laws and expanding the scope of DHHS’ power, it will act as a powerful deterrent against overt acts and will compel corporate executives to take proactive steps in preventing fraudulent activities and affirmatively addressing fraudulent practices when discovered. It is vitally important, now more than ever, to have an active compliance program in place. A strong compliance program can not only detect and prevent fraudulent or negligent activities but also will typically be considered as a mitigating factor if an organization is culpable of fraudulent activity. The Florida Healthcare Law Firm works with health care organizations of all sizes to assist in the audit, development and implementation of effective compliance programs.


What To Charge When Medicare is a Secondary Payer

The advent of more entrepreneurial opportunities for physicians will cause them to wonder how to deal with Medicare patients when Medicare is the secondary payer. For instance, physicians treating Medicare patients under a Letter of Protection (LOP) need to know how to deal with the Medicare secondary payer issue.
The Department of Health and Human Services, back in 1996, issued a memorandum addressing the issues comprehensively. The memo is available on our website (www.floridahealthcarelawfirm.com), and the only piece of information missing is the requirement that Medicare claims be submitted within twelve (12) months from the date of service.