Appellate court rules on whether HIPAA trumps state privacy laws

When it comes to HIPAA, even dead people must be afforded privacy, according to a recent appellate court decision.

The 11th U.S. Circuit Court of Appeals ruled earlier this month in Opis Management Resources LLC v. Secretary Florida Agency for Health Care Administration, that federal rules supersede a Florida statute governing access to health records.

The case involved a group of nursing home operators that argued that Florida Statute § 400.145 was preempted by HIPAA. That statute allows healthcare organizations to release the medical records of deceased nursing home residents to specified individuals. At issue was whether that law is consistent with HIPAA, as well as determining just who those “specified individuals” are.

The case grew out of requests from spouses and attorneys for medical records of deceased nursing home residents. The facilities refused to release the records because those requesting them were not “personal representatives” under the relevant provisions of HIPAA.

The trial court granted summary judgment in favor of the nursing facilities, finding that the Florida law provided nursing home residents less protection than required under HIPAA.

The appellate court noted: “Florida statute stands as an obstacle to the accomplishment and execution of the full purposes and objectives of HIPAA in keeping an individual’s protected health information strictly confidential.”

Click here to read the circuit court ruling.

HIPAA violations: When can you sue?

Q. I just learned that the manager of my doctor’s office told my friend about my recent visit to the office. I thought that my private health information was supposed to be kept confidential under federal law. Now my friends are talking about it and I am humiliated. Can I sue the doctor or his office manager? Is there anything else I can do?

A. We get this question frequently. The federal law you are referring to is the privacy standards contained in the Health Insurance Portability and Accountability Act, or HIPAA, and the privacy rules published pursuant to that law. HIPAA rules are intended to protect the privacy of personal health information held by covered entities such as your physician’s office. It gives patients a wide array of rights with respect to the information, while permitting disclosure under certain specified circumstances. Unless the disclosure to your friend was permitted under the privacy rules, such as disclosures to another healthcare provider for purposes of treatment, disclosures for purposes of payment or operations of the provider, or any of the other permitted disclosures under the rules, a disclosure by the office manager to your friend would not be permitted without your consent or authorization. Violations of HIPAA privacy rules carry significant penalties, including civil money penalties, criminal fines and prison time.

What most people don’t get about HIPAA is that, as extensive as the statute is, and as serious as its potential penalties are, Congress, in its infinite wisdom, chose not to include a private right of action. That means that private individuals do not have the right to sue others specifically for violating HIPAA. It’s like giving us the right to sue somebody for speeding. So, what happens when someone is injured due to an accident caused by excessive speed? In that case, there will be no shortage of personal injury attorneys willing to take that case. Why? The answer is easy: the likelihood of significant damages resulting from the injuries caused by the accident.

Now to your HIPAA case: You will not be able to bring a lawsuit to enforce HIPAA privacy standards against your physician or his office manager. However, you may have other options. For example, if you can show some kind of damage as a result of the negligent disclosure of your health information, then it’s possible to proceed on that basis. Alternatively, there may be other laws available upon which you can seek a remedy. For instance, if you receive healthcare benefits from your employer and your insurance company was responsible for making an improper disclosure of your health information, you may have a remedy under ERISA.

Suffice it to say that your available remedies depend upon other factors involved in the improper disclosure. However, there are things you can do under HIPAA to bring attention to possibly inadequate privacy protections at your doctor’s office. For example, you can file a complaint with the HHS Office for Civil Rights (OCR). The complaint must be filed in writing, either by mail or electronically, within 180 days of when you learned of the violation. The complaint must name the covered entity and describe the violation. The government will then contact the covered entity, which will then be required to submit information. The OCR may begin an investigation or take other actions it deems appropriate. If the OCR determines that a serious violation has occurred, then it may impose an appropriate penalty.

If you believe that your right to privacy was violated, contact legal counsel to discuss it. You may be entitled to a remedy, not because the HIPAA rules were violated, but because you may have suffered damages as a result.

OCR Releases Final HIPAA Rules

The Office for Civil Rights (OCR), the folks who brought us the Health Insurance Portability and Accountability Act of 1996 (HIPAA), has released new and far-reaching changes to the HIPAA privacy, security and enforcement rules.

The new, final HIPAA rules are, according to an HHS press release, “designed to increase flexibility for and decrease burden on regulated entities.”

The new rule will be published in the Jan. 25 Federal Register and will implement statutory requirements that were enacted in the HITECH Act as part of the American Recovery and Reinvestment Act of 2009.

Among other things, the rule clarifies when breaches of unsecured health information must be reported to HHS. It eliminates the prior breach notification rule’s “harm standard” and replaces it with “a more objective standard.”

Although the new rule is effective March 26, 2013, covered entities and business associates have until Sept. 23, 2013 to comply with its provisions.

Click here to read the HHS press release.

The Patient Brokering Act and fee-splitting

Q: I am a member of a group practice that leases the use of an MRI facility for a fixed monthly fee. I also contract with a radiologist outside of my group to provide the interpretation of the test. My physician group then bills an insurance company for the technical and professional components of the service. The group does not bill the Medicare or Medicaid programs. Is the group violating the law?

A: Yes. The type of arrangement that you described is commonly referred to as a “block lease.” If your group was billing the Medicare or Medicaid programs for this service, you would likely be violating the Federal Patient Self-Referral Act (the “Stark Law”) and the Medicare prohibition on marking up diagnostic tests. Many providers are under the mistaken belief that if they are not billing a federal program like Medicare, they do not have to comply with laws governing this type of relationship. In Florida, we have state laws such as the Patient Brokering Act and prohibitions on fee-splitting, which prohibit this type of block lease arrangement.

Click Here for a full story in PDF format.

What to do in case of patient record theft

Q: I am a physician and my office was recently broken into. The perpetrators stole several patient charts that included confidential medical information about my patients. What are my legal obligations to the patients whose records were stolen?

A: The stolen medical files likely contain private health information as well as private financial information. Federal and state laws require healthcare providers to respond when a patient’s record is lost or stolen. Fortunately, if the necessary steps are taken, a healthcare provider can typically avoid federal and state liability for a stolen patient record.

Click Here for a full story in PDF format.

Health Law Alert October 2008


CMS has proposed new rules in an effort to improve the quality of diagnostic testing services provided to Medicare beneficiaries by physician group practices and other physician entities. If enacted, these rules will require group practices that provide diagnostic testing services to Medicare beneficiaries to enroll as independent diagnostic testing facilities (IDTFs) and to comply with many of the standards in effect for other IDTFs. This will severely affect physician practices that presently furnish these services.

The current rules allow group practices and other physician entities to enroll as a “physician office” in order to avoid having to comply with the IDTF standards. If required to enroll as an IDTF, physician practices, including sole proprietorships, clinics and physician group practices, will be required to enroll as an IDTF for each practice location that furnishes diagnostic testing services. This may severely impact those physician groups who currently provide the services because they will be required to comply with most of the IDTF standards, including very restrictive supervision standards and other rigorous quality and performance standards. They will also be prohibited from sharing space with other Medicare suppliers.

Click Here for the full story in PDF format.

Health Law Alert Special Issue

We discussed in our recent October 2008 Health Law Alert a proposal published by CMS that would require physician entities and group practices that provide diagnostic testing services to Medicare beneficiaries to enroll as independent diagnostic testing facilities (IDTFs). After receiving an outcry of negative comments from affected groups and physicians, CMS, in its Final 2009 Medicare Physician Fee Schedule, abandoned this proposal. This is tremendous news for affected physician entities and groups because enrolling as an IDTF imposes rather rigorous compliance standards which are presently in effect for other IDTFs. Physician groups may continue to be enrolled as a “physician office” in order to avoid complying with the IDTF standards.

CMS did not completely rule out the possibility of future rulemaking. According to CMS, “we are deferring the implementation of the [physician IDTF] proposals while we continue to review the public comments received on this provision and we will consider finalizing this provision in a future rulemaking effort if we deem it necessary.” However, as it stands now, except for mobile entities, physician entities and group practices that provide diagnostic testing services will not be required to enroll as IDTFs. CMS did, however, finalize regulations requiring enrollment for mobile entities that provide diagnostic services.

Look out for our November 2008 Health Law Alert, coming soon. In that issue, we will outline a number of regulations affecting physician practices contained in the 2009 Medicare Physician Fee Schedule.

For a PDF version, Click Here.

Health Law Alert – November 2009


QUESTION: Can a health care provider charge interest on the late payment of deductibles, copayments, and coinsurance for private pay patients, patients insured through plans other than managed care plans, Medicare beneficiaries, or Medicaid recipients?

SHORT ANSWER: A health care provider may charge its private pay patients, its patients insured by managed care plans, its patients insured by plans other than managed care plans, and Medicare beneficiaries interest unless the relevant contract between the health care provider and the carrier specifically precludes charging interest.

DISCUSSION: Interest is assessed as of the date payment was due. For medical service copayments, payment is due on the date that services are rendered. For medical service coinsurance and deductibles, payment is due on the date that the coinsurance or deductible is ascertainable. That is, either upon verification from the patient’s insurance carrier or adjudication by the carrier and issuance of an Explanation of Benefits (“EOB”).

While Florida Statutes and Medicare are silent as to this narrow issue of whether a provider may assess interest for late payment of copayments, deductibles, and coinsurance, we believe that interest is the cost of extending credit, or a missed business opportunity, rather than an attempt to charge the patient in excess of the Medicare allowable. As long as the provider assesses interest for late payments of coinsurance, copayments, and deductibles indiscriminately and provided that the interest does not violate Florida’s usury laws (currently 18% simple interest per annum), charging interest on late payments should not violate federal laws.

It is our recommendation that providers add language regarding interest for late payments to their statement of financial responsibility and authorization to treat forms. But, if you are charging interest on payment plans, be careful to determine whether you qualify as a “creditor” under the pending FTC “Red Flag Rules” which are intended to guard against identity theft. See our brief article below. Please contact us if you would like our assistance with the drafting or modification of these forms.

The Federal Trade Commission, in its announcement released on October 30, 2009, once again delayed enforcement of the “Red Flags” Rule until June 1, 2010 at the request of Members of Congress. The rule, which was supposed to have taken effect on November 1, 2009, was promulgated under the Fair and Accurate Credit Transactions Act. It is applicable to “financial institutions” and “creditors,” which have “covered accounts.” Entities subject to the Red Flag Rule are required to develop and implement written policies and procedures designed to identify, detect, and respond to certain indications of identity theft referred to by the FTC as “red flags.” Now, with the new enforcement date delayed until June 1, 2010, financial institutions and creditors have until then to develop and implement their “Red Flag” policies and procedures.

For a copy of the FTC press release, visit our website at

What is a creditor? According to the FTC, a creditor is an entity that regularly accepts deferred payment for goods and services. If you regularly permit patients to pay for your professional services in multiple payments over time or pursuant to a payment plan, you may be a creditor in the eyes of the FTC and may be required to comply with the new Red Flag Rules. You may also be subject to the Red Flag Rules when you maintain medical and billing records containing the patient’s name, address, and other personal identifying and financial information. The standard is whether there is a reasonably foreseeable risk of identity theft associated with those records. Small business and sole proprietorship accounts are typically viewed as covered accounts that exhibit such risks. Accordingly, most medical practices should adopt procedures to enable them to identify and detect relevant warning signs (“red flags”) of identity theft. Please contact us if you need assistance in developing appropriate policies and procedures to comply with the Red Flag Rules.

For a PDF version, Click Here.

The Latest OIG Advisory Opinions

A medical supply/DME company thought it was on to something when it submitted two proposals to the OIG for review that involved the supplier bidding for an exclusive supplier deal with a county-operated skilled nursing facility (“SNF”). Both arrangements were substantially similar, but would give the SNF below-cost pricing on non-covered items and services in exchange for the exclusive contract and lucrative Medicare business with the SNF.

Typically, medical supply companies that provide Medicare covered goods and services would bill Medicare directly. Non-covered goods and services will be charged directly to the SNF at a price that would cover the company’s costs and provide a profit. In this case, the SNF published an RFP soliciting bids to be its exclusive supplier of Medicare covered items and services. Each bid was also to include pricing for non-covered items. The supply company in question wanted to know if it could offer below-cost pricing to the SNF for the non-covered items and services.

The OIG stated that “in evaluating whether an improper nexus exists between the rates offered for items and services and referrals of Federal business in a particular arrangement, we look for indicia that the rate is not commercially reasonable in the absence of other, non-discounted business.” It went on to observe that the proposed arrangement gave rise to an inference that the supplier and the SNF may be “swapping the below-cost rates on business for which the skilled nursing facility bears the business risk (i.e., the Non-Covered Items) in exchange for other profitable non-discounted Federal business (i.e., the Covered Items), from which the supplier can recoup losses incurred on the below-cost business, potentially through overutilization or abusive billing practices.” On that basis, the OIG declared that this type of “swapping” of improper discounts for the exclusive contract for the lucrative Medicare business poses a substantial risk of violating the anti-kickback statute.

The OIG also seemed to issue a not-so-veiled warning to the SNF that it bears some responsibility here as well, noting that “the SNF may be soliciting improper discounts on business for which it bears risk in exchange for referrals of business for which it bears no risk.” It should go without saying that the anti-kickback laws cut both ways. It is improper both to solicit a kickback and to offer one.


Specializing in all areas of health law including fraud and abuse, bioethics, health care business transactions, HIPAA, compliance programs, pharmaceutical, managed care, clinical trials, medical staff issues, contracting and licensure issues.


(888) 491-1120