Banner
Home → Compliance Update

Compliance Update
OIG Opinion Applies Access to Care Exception Print E-mail
Written by Vitale Health Law   
Monday, 27 March 2017 00:00

Can a hospital system provide free or reduced-cost lodging and meals to certain financially needy patients, or would such an arrangement (a) constitute either a violation of the federal anti-kickback statute or (b) constitute grounds for the imposition of civil monetary penalties because it would violate a provision of the Social Security Act that prohibits remuneration to a federal healthcare program beneficiary that might influence the beneficiary's selection of a particular provider?

That was the question recently answered in an Advisory Opinion issued by the U.S. Department of Health and Human Services Office of the Inspector General (OIG).

The requestor, whose name is redacted, owns and operates an academic medical center consisting of four hospitals and a number of hospital-based clinics. One of those hospitals operates a Level I trauma center and provides care to patients, some of whom live in rural and medically underserved areas. 

Read More>> 
 
Last Updated on Tuesday, 28 March 2017 14:39
 
Patient Privacy Concerns in Our Social Media World Print E-mail
Written by Chanel A. Mosley, Esq.   
Monday, 06 March 2017 16:15

Social media is now at the very core of our culture and gone are the days when websites like Myspace and Facebook were nothing more than a guilty pleasure of adolescents and college students.  Social media outlets like Facebook, Twitter, Instagram, Snapchat, and numerous others are now utilized not only by our younger generations, but also corporate giants, local businesses, celebrities, and just about everyone, everywhere.  The use of social media in the professional healthcare setting is widely accepted, but with it comes ever growing concerns about patient privacy and the consequences associated with the unauthorized use and disclosure of protected health information.  Consider the following scenarios:
  • A nursing student creates a post on her Myspace page that details her experience with a mother's birth of her child.  Although the post does not contain the mother's name, the student's Myspace page indicates the hospital at which the birth occurred, the date of the birth, and details of the medical treatment administered during the birth.
  • A nurse posts a statement on her Facebook page excitedly sharing that she met a celebrity at work today and identifies the celebrity by name.
  • A receptionist at a physician's office snaps a photo of a patient in the waiting room and posts it on Facebook with a comment that he is drug-seeking.  The comment also contains the name of the patient's employer and details regarding the patient's referral to another medical provider.
  • A medical student obtains video of a physician inserting a chest tube into a patient and posts the video on YouTube.  The patient's face is visible in the video.
  • Employees of a nursing home use Snapchat to record and transmit videos of themselves harassing the residents.
Each of these scenarios implicates serious patient privacy concerns that have the potential to expose the health care provider, as well as the provider's employer, to a variety of administrative, civil, and potentially criminal penalties.  It does not matter that the social media posts omit the patient's name or other identifiers.  Rather, the Health Insurance Portability and Accountability Act (HIPAA) defines protected health information to include individually identifiable health information, meaning any health information created or received by the health care provider that relates to the past, present or future physical or mental health or condition of a patient.  § 45 C.F.R. §§ 164.501, 164.502, 160.103.  Therefore, social media posts containing information regarding a patient's physical or mental health, or condition will likely constitute HIPAA violations if disclosed to unauthorized users for a purpose unrelated to the patient's treatment or other limited exceptions. 

In the first scenario, irrespective of the fact that the Myspace post contains no information regarding the patient's name, the patient-specific information in the post discusses the patient's pregnancy and healthcare, and was found by a Federal District Court to implicate patient privacy concerns.  In the second scenario, although the nurse did not identify the celebrity as a patient or specify the treatment provided, her profile page identifies the hospital at which she works and the date on which the post was made.  The remaining three scenarios are much easier to identify, as the patient's identity is clearly depicted.

From the employer's perspective, HIPAA violations involving social media require the employer to take action.  For example, notification must be sent to the individual patient within a set period of time after discovery of the violation, and this information is ultimately submitted to the U.S. Department of Health and Human Services.  Based upon the matter at issue, employers may be subject to civil monetary penalties and, if warranted, criminal fines.  Importantly, the individual employee who made the unauthorized disclosure may also be subject to these civil and criminal penalties. 

Not only do these social media posts implicate possible civil and criminal fines under HIPAA, but they also expose the health care provider to potential disciplinary actions by the Department of Health.  For example, a physician engaging in such conduct may be faced with an administrative action and possible discipline on his or her license, including the assessment of fines, by the Board of Medicine.  Further, the employee responsible, and likely the employer, may find themselves faced with the threat of litigation in a civil lawsuit filed by the patient.  Causes of action sounding in breach of privacy or fiduciary duty, negligent hiring and supervision, or defamation are possible as a result of the social media post.  In those instances, employers and employees alike may spend thousands of dollars and countless hours defending the lawsuits.

To avoid these unfortunate situations, employers should take preventative measures to ensure that employees are fully aware of the possible repercussions associated with posting patient information on social media sites.  It is also a good business practice for the employer to implement policies concerning employee use of social media, and to educate employees on the importance of avoiding any situations which implicate patient privacy concerns.  An example of this guidance is the ethical opinion issued by the American Medical Association in 2011 concerning physician use of social media and networking applications online.  This opinion highlights the importance of refraining from posting any information that may contain identifiable patient information.  By ensuring that all employees are abiding by such guidelines, employers are in a much better position to avoid the unauthorized use and disclosure of protected health information on social media.

Chanel A. Mosley is an attorney in the Orlando, Florida office of Marshall Dennehey Warner Coleman & Goggin.  She devotes her practice to the defense of claims involving medical malpractice, long-term care, and other healthcare and general liability matters.  She can be reached at camosley@mdwcg.com or through the firm's website at www.marshalldennehey.com.

Last Updated on Monday, 06 March 2017 16:22
 
HIPAA Compliance in 2017: The Heat is on Print E-mail
Written by Vitale Health Law   
Tuesday, 21 February 2017 19:04

The doctor-patient relationship has always involved a certain level of privacy. But over the years, the stakes for healthcare providers who violate patient privacy have increased exponentially. Barely two months into 2017 and already we are seeing increased activity.

According to a newly released report from Protenus, in conjunction with databreaches.net, January saw 31 healthcare data breaches disclosed resulting in the exposure of 388,307 patient and health plan member records.

The largest healthcare data breach reported last month involved CoPilot Provider Support Services, Inc. and impacted 220,000 individuals. However, the breach actually occurred in October 2015, with CoPilot discovering the incident two months later in December 2015. The Department of Health and Human Services' Office for Civil Rights, however, was only notified of the breach in January 2017, well outside the 60-day deadline for reporting breaches.

According to the report, the average number of days between the breach occurring and the incident being reported to OCR was 174 days. It took an average of 123.5 days for healthcare organizations to discover a breach had occurred.

Those healthcare entities affected by data breaches are finding themselves having to pay significant penalties. Case in point, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), recently announced the first HIPAA settlement based on the untimely reporting of a breach of unsecured protected health information.

Presence Health, one of the largest healthcare networks serving Illinois, agreed to settle potential violations of the HIPAA Breach Notification Rule by paying $475,000 and implementing a corrective action plan.

Read More>>

Last Updated on Monday, 13 March 2017 17:18
 
Court Strikes Down Florida Law Barring Doctors From Discussing Guns With Patients Print E-mail
Written by FHI's Week in Review   
Monday, 20 February 2017 15:50

Rebecca Hersher reports for NPR on 2/17/17:

A federal appeals court says doctors in Florida must be allowed to discuss guns with their patients, striking dow portions of a Florida law that restricts what physicians can say to patients about firearm ownership.

In a 10-1 decision, the full panel of the 11th U.S. Circuit Court of Appeals found that the law, known as the Privacy of Firearm Owners Act, violates the First Amendment rights of doctors.

Read more in the current issue of Week in Review>> http://conta.cc/2kR7cwN
 
Health Care Regulation Debate Rekindled Print E-mail
Written by The News Service of FL via Health News Florida   
Friday, 20 January 2017 18:42

Florida lawmakers could be preparing for a renewed debate about easing regulations in the state's health-care industry.

A House panel last week began considering the "certificate of need" process - a long-controversial system that requires state regulatory approvals before facilities such as hospitals and nursing homes can be built. Also, bills have been filed in the House and Senate that address issues such as the regulation of ambulatory surgical centers and clearing the way for "direct primary care" agreements between doctors and patients.

The issues are not new: House leaders in recent years have repeatedly sought to scale back certificate-of-need laws and make other regulatory changes. The House and Senate, however, have not agreed on the issues, which have been closely watched by lobbyists for sometimes-competing parts of the health-care industry.

House leaders have backed eliminating the certificate-of-need process for hospitals, arguing that such a free-market approach would improve access to care.

Read More>>

Last Updated on Tuesday, 14 February 2017 14:49
 
<< Start < Prev 1 2 3 4 5 6 7 8 9 10 Next > End >>

Page 3 of 44


Banner
Website design, development, and hosting provided by
Netphiles