Most health care providers are familiar with the concept of a “credit balance”. A credit balance can occur when a health care provider is overpaid for a service that was provided. Sometimes the credit balance can occur when a patient or the patient’s third-party insurer pays too much for the service provided. Other times a credit balance may occur when there is more than one insurer and both insurers pay for the same service. For a variety of innocent reasons credit balances are not uncommon in a health care practice.Continue Reading Credit Balances – It’s Not Yours to Keep
Health Care Law
It has long been established that non-compete agreements are enforceable only when justified by a “legitimate business interest.” A recent decision of the Florida Supreme Court held that home health care referral sources can be a protected legitimate business interest for purposes of this requirement of Florida law.Continue Reading Home Health Care Referral Sources Can be Legitimate Business Interests Under Florida’s Non-Compete Statute
In August, 2017, the Centers for Medicare & Medicaid Services (“CMS”) announced a major change in how it will approach the selection of Medicare claims for improper payment review.Continue Reading Centers for Medicare and Medicaid Services Announces Transition to Targeted Probe and Educate Strategy
On May 8, 2017, the Eleventh Circuit Court of Appeals issued its opinion in the case of Silva v. Baptist Health South Florida, Inc. This decision is of importance to the health care industry as it establishes the standard under Title III of the Americans with Disabilities Act, 42 U.S.C. §§ 12181-12189 (“ADA”) and Section 504 of the Rehabilitation Act of 1973, 29 U.S.C. § 794 (“Rehab Act”) for the sufficiency of communication with hearing impaired persons in conjunction with the provision of medical services.Continue Reading Effective Communication With Hearing Impaired Persons in Conjunction With the Provision of Medical Services – Silva v. Baptist Health South Florida, Inc.
In a statement released on April 24, 2017, the U.S. Department of Health and Human Services, Office of Civil Rights (OCR), has shown once again the level of expectations that exist for covered entities and business associates. As discussed below, OCR has shown that it will not just limit its review to a particular alleged violation of the HIPAA Privacy and Security Rules but rather will take an enterprise wide view of the compliance efforts of covered entities and business associates.Continue Reading HIPAA Policies and Procedures – Make sure they are in final form.
In a statement released on April 12, 2017, the U.S. Department of Health and Human Services, Office of Civil Rights (OCR), has shown that it expects covered entities of all sizes to adhere to the HIPAA privacy and security rules. While many of the fines levied by OCR in the past have involved large covered entities such as hospitals and health plans, OCR’s most recent enforcement action resulted in a $400,000 settlement to be paid by a federally qualified health center in Colorado.Continue Reading HIPAA Fines – Not Just for Hospitals and Health Insurers
On January 31, 2017, the Supreme Court of Florida issued an opinion regarding the interplay of Amendment 7 (Art. X, § 25, Fla. Const.) and the Federal Patient Safety and Quality Improvement Act (42 U.S.C. §§ 299b-21 to 26) (“FPSQIA”). This decision is of extreme importance to the health care industry in Florida as it will significantly impact the peer review activities of hospitals and other health care providers within the state. Continue Reading Amendment 7 and the Federal Patient Safety and Quality Improvement Act – Charles v. Southern Baptist Hospital of Florida, Inc.
Florida residents have a new safeguard in the form of a state law requiring companies and government agencies to protect individuals’ personal information stored electronically.
Continue Reading New Florida law a response to breaches in data security
Late in August of 2013 the Federal Trade Commission filed a complaint against medical testing company LabMD, Inc., alleging that the company failed to reasonably protect the security of consumers’ personal data, including medical information. In November of 2013, LabMD filed a Motion to Dismiss the complaint, arguing, among other things, that the FTC did not have the authority to regulate a private company’s data security practices as “unfair…acts or practices” under the FTC Act (15 U.S.C. §45(a)(1)). Included in LabMD’s argument was the contention that Congress, by enacting HIPAA, stripped the FTC of any authority that the FTCA over data security. The FTC Commissioners found LabMD’s arguments unpersuasive and in a January 16, 2014 order denied the Motion to Dismiss.
Health care providers and business associates should take heed that, while such enforcement has been rare, the FTC does have the authority to take action to protect consumers in data security matters that would normally be considered within the exclusive province of the Office of Civil Rights. HIPAA covered entities and business associates that handle patient information should remain vigilant in their efforts to maintain appropriate safeguards for patient information.
Board Certified in Health Law
On December 24, 2013 the HHS Office of Civil Rights (“OCR”) and Adult & Pediatric Dermatology, P.C., of Concord, Massachusetts entered into a Resolution Agreement whereby the practice agreed to settle potential violations of the HIPAA privacy and security rules. The potential violations of HIPAA resulted from the theft of an unencrypted thumb drive, containing the ePHI of approximately 2,200 patients, from the car of a practice employee.
Upon being notified of the breach the OCR conducted an investigation and determined that the practice had failed to conduct and accurate and thorough analysis of potential risks to ePHI in the care of the practice. The OCR further determined that the practice did not have adequate written policies and procedures and did not adequately train employees.
The Resolution Agreement entered into between the practice and the OCR requires the practice to make a $150,000.00 payment to the OCR as well as implement a corrective action plan. The Resolution Agreement is not an admission of liability by the practice.
A copy of the Resolution Agreement may be found at:
Physician practices should view this settlement as clear indication that OCR expects the compliance of all covered entities and not just large entities such as hospitals, universities and managed care entities. Physician practices that are not yet in compliance with the HIPAA privacy and security rules should take the appropriate steps to come into compliance.