The EEOC Catches the Flu: A Cautionary Tale for Employers With Mandatory Flu Vaccination Programs

By Katherine M. Flett

After enduring one of the worst flu seasons in nearly a decade, there is no question why more employers are instituting mandatory flu vaccination programs. In fact, mandatory flu vaccination programs are increasingly popular for healthcare employees.

No current laws in Missouri or Illinois mandate all health care employees to be vaccinated against the flu. That being said, nursing home employers in Missouri are required to either offer the flu shot to all employees and volunteers who have direct contact with residents, or provide the employees and volunteers with information about how they can obtain the flu shot independently. Similarly, health care employers in Illinois are required to provide all employees with education on influenza, as well as the opportunity to receive the vaccine. Some states, such as California and Maryland, require hospitals to publish their employee vaccination rates to the public.

When instituting a mandatory flu vaccination program, however, an employer should be aware of the possible ramifications of denying or terminating employment for refusal to comply with a mandatory flu vaccination program on the basis of religious beliefs.

The Intersection of HIPAA and Cloud Storage

By Katherine M. Flett

Our ever-evolving technological society is raising new questions about how to reconcile complex health data protection laws with cloud storage.  Storage of data in the “cloud” allows users to store, maintain, and manage data remotely on the internet.  Its advantages include accessibility of the cloud-stored data from any location via the internet, emergency back-up capacity, and even cost savings.  An online search for HIPAA-compliant cloud storage companies reveals that there is no shortage of companies that advertise their “HIPAA-compliant cloud services.”  It is important to remember that working with a company that claims its cloud storage “is HIPAA compliant” does not excuse you from meeting HIPAA requirements.  Due diligence is required when selecting such a company and entering into appropriate contractual arrangements with it.

The Department of Health and Human Services’ Office for Civil Rights (“OCR”) is responsible for overseeing protection of sensitive health data under the Health Insurance Portability and Accountability Act, as amended (“HIPAA”). OCR issued guidance on October 6, 2016, explaining how to safeguard electronic health information protected by HIPAA in today’s widespread cloud networking environment.

HIPAA applies to “covered entities,” and this article will focus on one such covered entity, the health care provider.  Most health care providers do not perform all of their health care functions by themselves and instead often use a range of services offered by others, called “business associates” under HIPAA.  Health care providers are permitted to disclose protected health information (“PHI”) to these business associates (“BA”) as long as they obtain satisfactory assurances that the BA will use the information only for the purposes for which it was engaged by the health care provider, will safeguard the information from misuse, and will help the health care provider comply with some of the health care provider’s duties under HIPAA, through the execution of business associate agreements.

New Requirements for Health Care Providers Under Missouri’s Health Care Cost and Transparency Act

By Katherine M. Flett

On May 25, 2016, Missouri Senate Bill 608 was passed by the Missouri House and Senate.  The Bill adds new requirements to the provision known as the “Health Care Cost and Transparency Act.” Beginning July 1, 2017, the new law requires all licensed health care providers, facilities, and imaging centers to provide an estimate on the cost of a particular health care service or procedure within three business days of a written request from the patient, along with a medical treatment plan from the patient’s health care provider. The estimate must only include those services within the direct control of the health care provider and the amount that will be charged to a patient if all of the charges are paid in full by the patient, without a public or private third-party paying for any portion of the charge. Further, these provisions do not apply to charges for hospital emergency departments.

If health care providers provide publicly available links to the estimated costs or post such costs on a publicly available website, they are not required to provide cost estimates to patients upon written request.

Also beginning July 1, 2017, hospitals will be required to make publicly available the amount that would be charged, without discounts, for each of the 100 most prevalent diagnosis-related groups, as defined by Medicare.

HIPAA Non-Compliance Results in Largest Single-Entity Settlement to Date

By Katherine M. Flett

On August 4, 2016, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) entered into a settlement agreement with Advocate Health Care Center (Advocate) in which Advocate agreed to pay $5.5 million to settle multiple violations of the Health Insurance Portability and Accountability Act (HIPAA).  This is the largest HIPAA settlement against a single entity to date, and according to OCR, is due to the severity of the violations and the length of time that those violations continued.

According to OCR’s press release, OCR began its investigation of Advocate in 2013, after Advocate submitted three breach notification reports relating to three separate instances of breach of unsecured electronic protected health information (ePHI).  The combined breaches resulted in unsecured access to over four million patients’ information.

Another State Rules That Patients Can Sue For Negligence for Violating HIPAA Regulations

By Health Care Law Practice Group

The Connecticut Supreme Court has now joined Missouri, West Virginia and North Carolina in rulings connecting HIPAA with negligence lawsuits by patients.

In a case of first impression in Connecticut, the state’s Supreme Court ruled that a patient can sue a medical office for HIPAA negligence if it violates the patient’s privacy when improperly releasing the medical records to a third party. There is no dispute that HIPAA does not create a private cause of action. Increasingly, however, HIPAA can provide the standard of care for how a medical office releases confidential medical records, and the office can be found negligent if it releases such medical records contrary to the requirements of the HIPAA regulations.

Hacked Hospital Network Includes Outstate Missouri Hospitals

By Health Care Law Practice Group

4.5M Records Stolen, HIPAA violation

In June 2014, hackers in China used high-end, sophisticated malware to launch criminal cyber-attacks to access patient information from a national hospital system. Community Health Systems, Inc. (“CHS”), operates 206 hospitals across the U.S. in 29 states, including four located in Missouri (Kennett, Kirksville, Moberly, and Poplar Bluff). The breached data is considered protected health information under the Health Insurance Portability and Accountability Act (“HIPAA”).

In a filing with the U.S. Securities and Exchange Commission, CHS said the attacker was an “Advanced Persistent Threat” group which bypassed CHS’ security measures, successfully copying and transferring certain data outside CHS. Although CHS has confirmed that this data did not include patient credit card, medical, or clinical information, the breach does include patient names, addresses, birth dates, telephone numbers and Social Security numbers. CHS has been working closely with federal law enforcement authorities in connection with their investigation and potential prosecution of those determined to be responsible for this attack.

Under various state and federal laws, CHS is obligated to notify affected patients. The Department of Health and Human Services provides a web page describing the breach notification requirements of covered entities to affected individuals, the Secretary of Health and Human Services, and, in certain circumstances, to the media.

Mizzou Story Highlights Tension Between Doctor-Patient Privilege and Protecting the Patient

By Health Care Law Practice Group

A story concerning the death of a female athlete by suicide, her alleged rape, and the role played by the university she attended in the tragic facts has placed the issue of patient confidentiality squarely in the headlines.  The story highlights the care that must be taken to protect a patient’s ability to speak candidly and honestly to his or her medical provider without fear that such information will be divulged to anyone else without the patient’s permission.

The female student athlete had committed suicide in 2011, approximately 16 months after her alleged rape in 2010 by another student athlete at the school.  According to an email posted to Mizzou’s website on January 24, 2014, an ESPN producer of “Outside the Lines” wanted to know if University of Missouri officials planned to investigate or notify law enforcement about the alleged rape.  Just hours before publishing the story, the ESPN producer asked university officials:

HIPAA vs. Florida and HIPAA Wins!

By Health Care Law Practice Group

In a battle between a state statute and the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) (42 U.S.C. § 1320d to d-9), the Eleventh Circuit Court of Appeals has held that a Florida statute is preempted by HIPAA because it is an obstacle to the “accomplishment and execution of the full purposes and objectives of HIPAA in keeping an individual’s protected health information strictly confidential.” OPIS Management Resources, LLC, et al. v. Secretary Florida Agency for Health Care Administration, No. 12-12593 (11th Cir. April 9, 2013).

OPIS, and the other plaintiff parties, are operators and managers of skilled nursing facilities in Florida. In the course of their operations, the nursing facilities received requests from spouses and attorneys-in-fact for the medical records of deceased nursing home residents. Because the parties requesting the records were not “personal representatives” pursuant to HIPAA and its implementing regulations, the facilities refused to disclose the records.  As a result, the requesting parties filed complaints with the U.S. Department of Health and Human Services Offices for Civil Rights, which concluded that the nursing facilities acted properly.

The Florida Agency for Health Care Administration, however, issued citations against the nursing facilities for violating Florida law by refusing to release the records because the state statute requires licensed nursing homes to release a former resident’s medical records to the spouse, guardian, surrogate, or attorney-in-fact of any such resident. Fla. Stat. § 400.145(1). Because of the conflicting interpretations of the relevant laws, the nursing facilities filed a complaint for declaratory judgment. The district court granted the nursing facilities’ motion for summary judgment, explaining that the Florida statute affords nursing home residents less protection than is required by the federal law; therefore, the state law is preempted by HIPAA.

Stricter Federal HIPAA Law Trumps State Law

At the heart of the issue is whether the state statute, in which the “unadorned text…. authorizes sweeping disclosures, making a deceased resident’s protected health information available to a spouse or other enumerated party upon request, without any need for authorization, for any conceivable reason and without regard to the authority of the individual making the request to act in a deceased resident’s stead,” conflicts with federal law, according to Judge Susan H. Black. Finding that it does conflict, the jurist wrote, the state law “frustrates the federal objective of limiting disclosures of protected health information” and is therefore “preempted by the more stringent privacy protections” imposed by federal law.

New Family and Medical Leave Act Guidance for Families of Adult Children with Disabilities

By Estate Planning Practice Group

Families now have clarification on when parents may use leave to care for an adult child with a mental or physical disability.

On January 14, 2013, the Wage and Hour Division of the Department of Labor issued additional guidance to help employers determine eligibility of employees to take leave under the Family and Medical Leave Act (FMLA) when the employee has an adult child with a mental or physical disability incapable of self-care due to a serious health condition.

Generally, entitlement to FMLA leave ends when a child is 18 years old. “Incapable of self-care” means that the individual requires active assistance or supervision to provide daily self-care in three or more of the “activities of daily living” or “instrumental activities of daily living.”

Employers and the Health Reform Law

By Employment Law Practice Group

On June 28, 2012, the Supreme Court, in a 5-4 decision, upheld the Patient Protection and Affordable Care Act (the “Act”), more commonly known as the health reform law, including the highly controversial individual mandate. While the Court limited the Act’s planned expansion of Medicaid, the decision was overwhelmingly a “win” for President Obama.

Now that President Obama has been elected to a second term, those who resisted implementing the first set of provisions (waiting for the Court to rule) will have to begin earnestly working to comply with both provisions already in effect and forthcoming provisions, including key provisions which require compliance in 2014: the individual mandate and the employer mandate.

Provisions currently in effect include:

  • No lifetime limits on coverage.
  • Restrictions on annual limits.
  • No “rescissions,” meaning health plans cannot cancel coverage once you are sick unless you committed fraud when you applied for coverage.
  • Dependent care coverage is provided up to age 26 for adult children without employer-sponsored coverage.
  • Federal small business tax credits have also been available for employers who provide coverage, with credits differing depending on the size of the company and increasing to 50 percent in 2014.
  •  Many consumer employees have already experienced not having to pay out-of-pocket costs for certain preventative services, such as breast cancer screenings and cholesterol tests, and the disqualification of over-the-counter drugs as medical expenses for Flexible Spending Accounts (FSAs) and Health Savings Accounts (HSAs).
  • Insurers will have to provide rebates to consumers if they spend less than 80 to 85 percent of premium dollars on medical care.

The impact of both the individual mandate and the employer mandate will not be fully known until closer to 2014; however, there has been great speculation about who will be most impacted.
