Getting the Vax Facts

By: Dave Davidson

Despite two years of COVID and a year’s worth of vaccinations, there remains some confusion over the privacy of an employee’s vaccination status.  As a healthcare employer, are you permitted to ask your employees if they’re vaccinated?  Do you breach the Health Information Protection and Accountability Act (HIPAA) in doing so?  The quick answers to those questions are: it’s OK for an employer to ask; and as long as the inquiry is made to the employee (and not to a third party or sought from medical records), the employer probably hasn’t violated HIPAA.

First, let’s address HIPAA applicability in general.  As a health care attorney, HIPAA is an integral part of my “filter” in providing legal analysis.  However, it surprises me when I hear people who work outside the health care arena claim HIPAA protection over all kinds of information – and most recently, their COVID-19 vaccination status.  Those protections are from a much broader interpretation of the HIPAA protections than is actually provided.  In a nutshell, HIPAA applies to health plans, health care clearinghouses, and health care providers (along with their business associates).  Unless an employer falls into one of those categories, HIPAA does not play a role.  Nevertheless, health care employers who have employees who are also patients, or employees who have provided Protected Health Information (PHI) to their employer cannot just shrug off their HIPAA obligations when it comes to vaccinations.  PHI must always be safeguarded in accordance with the HIPAA Privacy Rule.

Beware The Hypnosis of Crisis

By: Jeff Cohen

One of the biggest challenges faced by addiction treatment providers today, especially in Palm Beach County, Florida, arises in the context of unprecedented pressure by law enforcement via the Sober Home Task Force, newspapers and insurers.  The threat of being targeted by law enforcement is an enormous thing in itself.  Add to that the mainstream media’s insatiable desire for readers, the industry’s drop into insurer red flagging and recoupment, the political football nature of addiction and addiction treatment, and treatment providers can lapse into a state of paralyzed tunnel vision, a sort of mass hypnosis.  Here’s the problem:  providers dealing with the current compliance crisis environment have a lot to lose if they take their eye off the bigger picture.  The more absorbed they become in “crisis mode,” the more likely they will miss important addiction treatment compliance details in an increasingly regulated and changing industry.  Losing the ability to see the entire picture (and trends) and quickly adapting to it can have costly (and even deadly) consequences.

The addiction treatment industry is like any other healthcare provider—enormously and increasingly regulated, highly scrutinized and always dynamic.  The moment it took on features of traditional healthcare (e.g. lab and physician services), it left the relatively warm and fuzzy comfort of behavioral health providers, sorta.  “Sorta” because medical behavioral health (e.g. psychology and counseling) has not had it easy in the past 10 years, as it came under crushing price compression with managed care driven networks and other price cutting middlemen that have often been owned or controlled by insurance companies.  Addiction treatment providers in the pure behavioral health space were “saved” from all this till about three years ago because they were out of network and not the focus of insurer driven price cuts.  As payors (and their price cut incentivized middle men) looked for more ways to drive up profits, the competitive and disorganized addiction treatment sector became a natural (and unprepared) sector to hit.  And they hit it hard!  Clearly, the Perfect Storm.  Addiction treatment providers now have no option but to learn to swim hard and fast in the ever changing river of the healthcare business industry.

What is FIPA and How Is FIPA Different From HIPAA?

By: Jackie Bain

FIPA is the Florida Information Protection Act of 2014.  It became effective on July 1, 2014.  Many people consider FIPA to be Florida’s state law counterpart to the Federal Government’s Health Information Protection and Administration Act of 1996 (“HIPAA”).  However, FIPA is, in many respects, more far reaching than HIPAA.  Those who transact business in the State of Florida are well-served to be knowledgeable about FIPA.

FIPA affects more than just health care providers and those in the healthcare industry.  Under FIPA, any business that acquires, stores, maintains or uses personal information must take reasonable measures to safeguard that information.  “Personal information” includes the use of a person’s first and last name (or first initial and last name) in conjunction with his or her social security number, driver’s license or other government identification number, bank account number, credit or debit card number and password or pin, medical history, or health insurance policy number.  A convenience store that might have access to a person’s name and credit card number is just as accountable under FIPA as a hospital who might store that person’s medical history and insurance information.

$800,000 HIPAA Settlement for Leaving Patient Records on Physician's Front Porch

The Department of Health and Human Services announced this morning that it has entered into a settlement agreement with Parkview Health System, Inc., an Indiana medical group caught up in a HIPAA violation case.  Parkview was assisting a retiring physician to transition her patients to new providers.  Parkview was also considering purchasing some of the physician’s patient records.  When Parkview attempted to return between 5,000 and 8,000 patient records to the physician, she was not home to accept their return.  Parkview employees left cardboard boxes containing between 5,000 and 8,000 patient medical records outside of the physician’s home, and within twenty feet of a public road.  In settlement and release of HHS’ claims against Parkview for such a HIPAA violation, Parkview agreed to pay the Department of Health and Human Services $800,000 and enter into a Corrective Action Plan.  The entire Resolution Agreement between Parkview and HHS is available here.

The Cost of Inaccurate Medical Records

On July 8, 2013 the United States Attorney’s Office for the Southern District of Florida issued a Press Release with the headline “Supervisor of $63 Million Health Care Fraud Scheme Sentenced in Florida To 10 Years in Prison”. The Defendant, a 51 year old employee of the Healthcare Provider was the director of medical records. The employee was a certified medical records technician and was found to have overseen the alteration, fabrication and forgery of documents that were used to support claims submitted to Medicare and Medicaid. In addition, the employee was found to have directed therapists to fabricate documents and forged signatures on documents. The defective medical records were used to support claims to Medicare and Medicaid in excess of 63 million dollars.

HIPAA Omnibus Final Rules and Penalties

On Friday January 25, 2013, the Department of Health and Human Services published the Final Rule modifying the HIPAA privacy, security, enforcement, and breach notification rules under the Health Information Technology for Economic and Clinical Health Act (“HITECH”) and the Genetic Information Non-Discrimination Act (“GINA”) as well as other modifications to the HIPAA rules. (See 45 CFR Parts 160 and 164, Federal Register Volume 78 Number 17.)

The omnibus rule actually contains four final rules. The first contains final modifications to HIPAA that were mandated by “HITECH”, including modifications intended to improve the Rules, which were issued as a proposed rule on July 14, 2010. It includes six modifications.

The first omnibus final rule includes direct liability modifications for business associates of covered entities for compliance with certain HIPAA privacy and security rule requirements; strengthening of limitations on the use and disclosure of protected health information; expanded individuals’ rights to receive electronic copies of their health information; modification and redistribution of entities’ privacy practices protocols; modification of individual authorization forms and other requirements to facilitate research and disclosure of child immunization proof to schools, as well as to enable access to decedent information; and, lastly, modification of the enforcement rules to address violations such as non-compliance with HIPAA rules due to willful neglect.

The second omnibus final rule adopts changes to the HIPAA enforcement rule that increase the civil monetary penalties in a tiered manner.

The third omnibus final rule involves the breach notification for unsecured protected health information under the “HITECH” Act. This rule replaces the prior rule’s “harm” threshold with a more objective standard.

Finally, the fourth rule prohibits most health plans from using or disclosing genetic information for underwriting purposes.

These final rules take effect this month on March 26, 2013. Covered business entities and business associates must comply with the applicable requirements by September 23, 2013. The penalties for violating the final rules are now as follows:

TABLE 2 – CATEGORIES OF VIOLATIONS AND RESPECTIVE PENALTY AMOUNTS AVAILABLE

| Violation Category – Section 1176 (a)(1) | Each Violation | All such violations of an identical provision in a calendar year |
| --- | --- | --- |
| (A) Did Not Know | $100-$50,000 | $1,500,000 |
| (B) Reasonable Cause | $1,000-$50,000 | $1,500,000 |
| (C)(i) Willful Neglect-Corrected | $10,000-$50,000 | $1,500,000 |
| (C)(ii) Willful Neglect-Not Corrected | $50,000 | $1,500,000 |

Providers need to be aware of the penalties for violating the rules. As we most recently reported to you, the Office of Civil Rights will not hesitate in sanctioning providers for violating the Act in amounts in excess of $1.5 million.