AmSpa Now

New Ohio Law Provides Affirmative Defense to HIPAA Liability in Data Breaches

Posted By Administration, Friday, November 30, 2018

By Robert J. Fisher, Attorney, ByrdAdatto

If you work in a medical spa, you are undoubtedly using the internet in more ways than one. In the age of electronic health records, online patient portals, and rapidly expanding telemedicine, there is an ever-growing amount of personal and medical information available to be illegally accessed by wrongdoers with keyboards. As a result, federal and state governments and agencies have taken the “stick” approach by penalizing those who fail to protect their data, such as the $16 million payment Anthem made to the federal government in August for a breach that exposed the personal information of nearly 79 million people, and by recognizing a private cause of action for individuals to sue companies that violate HIPAA standards (see our previous article here).

In contrast, Ohio has recently taken the “carrot” approach by passing the Cybersecurity Safe Harbor Act (the “Cyber Act”), which takes a new angle on the data breach issue by incentivizing companies to develop data security plans through the offer of legal protection rather than the fear of penalty. As the first law of its kind, the Cyber Act allows companies to assert an affirmative defense against tort claims resulting from a data breach if an adequate cyber-protection program was in place at the time of the breach.

However, for a company to use the safe harbor, its cyber-protection protocol must meet the criteria set forth by the Cyber Act. Specifically, healthcare companies and practices must meet sector-specific laws and standards such as HIPAA and HITECH, both in the written protocol and in its implementation. Additionally, the Cyber Act is not one-size-fits-all: each security plan must be tailored in complexity and scope to factors such as the structure of the company, the sensitivity of the information, the cost-effectiveness of security improvements, and the availability of tools.

While this law is specific to Ohio, it may be a sign of laws to come nationwide that would further encourage healthcare companies to protect themselves from suit by implementing strengthened data protection plans. Further, it indicates that HIPAA continues to be the standard on which healthcare companies need to base their compliance programs, regardless of whether HIPAA specifically applies to them. As such, we continue to recommend that all healthcare companies and medical practices protect themselves by preparing and enacting a HIPAA-compliant data protection plan, or by having their current plan audited for sufficiency.

For more information on best practices, laws and regulations, attend The 2019 Medical Spa Show in Las Vegas, NV.

Robert J. Fisher’s passion for healthcare traces back to his high school days of shadowing doctors. His passion evolved in college to study as a pre-med major. The last major evolution of Robert’s interest in health care was the transition to an interest in health care law. With this education, a business attorney for a father, and a renowned orthopedic surgeon for a father-in-law, Robert has the pedigree for success as a business and health care attorney at ByrdAdatto.

Tags:  ByrdAdatto  Med Spa Law 


Medical Provider Health Care Laws and Your Med Spa

Posted By Administration, Friday, October 12, 2018

By Michael S. Byrd, JD, Partner, ByrdAdatto

Is your med spa compliant with health care laws and regulations? Owners and operators of a clinical practice must navigate traditional business and employment laws similar to any other business. On top of this, clinical providers must operate in the heavily regulated and often confusing world of health care laws. The following is a list of the primary health care laws and regulations that affect providers:

  • Patient Protection & Affordable Care Act
  • Affordable Care Act Implementation
  • Out-of-network Referrals
  • Medicare-Medicaid Anti-Fraud & Abuse Amendments
  • Anti-Kickback Statute
  • Management Service Organizations
  • Anti-Referral Regulations (Stark II)
  • The False Claims Act (FCA)
  • Increased Joint Venture Activity and Market Consolidation
  • Occupational Safety and Health Administration Regulations (OSHA)
  • Joint Commission on Accreditation of Healthcare Organizations (JCAHO)
  • Physician Payments Sunshine Act (Sunshine Act)

The essence of almost all health care law is patient protection. Because of this, many traditional business strategies are problematic or even prohibited in health care. We do not advise our clients to memorize each of these laws. At the same time, the “head in the sand” strategy of avoiding health care compliance does not usually end well. Communicating business arrangements and strategies with your counsel is key to compliance. Most health care compliance problems stem from a lack of knowledge of the law and a lack of communication with counsel regarding the activities of the clinical practice.

Compliance in healthcare requires a commitment. While ByrdAdatto can prepare a plan or structure an arrangement to navigate compliance obstacles, compliance does not end with the documentation. Rather, health care compliance starts with the documentation and continues with the day-to-day operation of the practice.

For more information on your state’s laws and regulations, attend an AmSpa Medical Spa & Aesthetic Boot Camp and be the next med spa success story.

Michael S. Byrd, JD, is a partner with the law firm of ByrdAdatto. With his background as both a litigator and transactional attorney, Michael brings a comprehensive perspective to business and health care issues. He has been named to Texas Rising Stars and Texas Super Lawyers, published by Thomson Reuters, for multiple years (2009-2016) and recognized as a Best Lawyer in Dallas by D Magazine (2013, 2016).

Tags:  ByrdAdatto  Med Spa Law 


When Do You Need a Medical Spa Business Attorney?

Posted By Administration, Friday, September 21, 2018

By Michael S. Byrd, Partner, ByrdAdatto

Compliance is cool, but do you have a compliance plan? Are you aware of any state laws that could affect your med spa ownership structure? A common struggle among clients is this question: when do you need to hire a business attorney? Consistent with the adage “an ounce of prevention,” our most successful business clients follow the 5/50 rule.

The 5/50 rule is actually a choice we present to our clients when this very question is posed. The choice is whether the client would like to pay $5 now to proactively structure their business, set up compliance protocols, or address legal issues in their business. The alternative is to do nothing now and pay $50 to clean up the mess later. Though admittedly the dollar figures should be adjusted to realistic amounts, the 5/50 ratio itself is realistic. To make the choice more personal, we draw an analogy to one’s own health and ask our clients whether they would rather stick to an annual wellness treatment plan and pay the associated costs, or go to the doctor and react to a stage 4 cancer diagnosis.

Our clients often then ask how to know whether they are properly using legal counsel to guide their business. A great litmus test is to look at the budget and spending for legal counsel for the business. If a business has budgeted or spent under $12,000 in legal fees in an uneventful year, the business is not utilizing legal counsel proactively. Most ongoing businesses spend between $18,000 and $30,000 per year when using counsel to advise and proactively address the legal needs of the business. Smaller businesses or single-owner physician practices may spend less, but still be in the $12,000 range on the low end.

The first step to changing how and when legal counsel is used is to shift thinking on both budgeting and utilization. Good attorneys think strategically and creatively and can be a great confidant for new business ideas or issues. Start calling your business attorney as a sounding board to work through these ideas and issues. It does not have to be lonely at the top.

ByrdAdatto has created a platform to ease this transition. Specifically, our Access+ monthly retainer program creates a set monthly fee for a defined scope of work suitable for the typical needs of a business. The key to this program is unlimited access by phone and email to the attorneys at ByrdAdatto. The hope is that this will incentivize proactive communication with us to help keep the business on the 5 side of the 5/50 rule.

For more ways to build and run your medical spa practice legally and profitably, attend an AmSpa Medical Spa & Aesthetic Boot Camp and be the next med spa success story.

Michael S. Byrd, JD, is a partner with the law firm of ByrdAdatto. With his background as both a litigator and transactional attorney, Michael brings a comprehensive perspective to business and health care issues. He has been named to Texas Rising Stars and Texas Super Lawyers, published by Thomson Reuters, for multiple years (2009-2016) and recognized as a Best Lawyer in Dallas by D Magazine (2013, 2016).

Tags:  AmSpa's Med Spa & Aesthetic Boot Camps  ByrdAdatto  Med Spa Law 


Connecticut Allows Private Cause of Action for HIPAA Violations

Posted By Administration, Friday, September 14, 2018

By Jay Reyero, JD, Partner, ByrdAdatto

As a medical facility, any med spa must be HIPAA compliant. While HIPAA contains no rule or regulation giving an individual a remedy for a breach, and a HIPAA violation is not itself a specific cause of action, HIPAA is increasingly being accepted as the standard of care for handling confidential patient information.

In a recent decision of its Supreme Court, Connecticut joined the list of states recognizing a private cause of action against health care providers for HIPAA violations.

In the case, a healthcare provider received a subpoena requesting production of all the medical records of one of its patients, who was involved in a paternity suit. In response to the subpoena, the healthcare provider mailed a copy of the medical records to the court. As a result, the other party to the paternity suit obtained access to the medical records and began harassing the patient. The patient sued on multiple negligence counts and for breach of contract.

In its opinion, the Connecticut Supreme Court concluded that “a duty of confidentiality arises from the physician-patient relationship and that unauthorized disclosure of confidential information obtained in the course of that relationship gives rise to a cause of action sounding in tort against the health care provider, unless the disclosure is otherwise allowed by law.” To determine whether disclosure was allowed by law, the Supreme Court pointed to the requirements under HIPAA for responding to a subpoena because:

“to the extent it has become the common practice for Connecticut health care providers to follow the procedures required under HIPAA in rendering services to their patients, HIPAA and its implementing regulations may be utilized to inform the standard of care applicable to such claims arising from allegations of negligence in the disclosure of patients’ medical records pursuant to a subpoena.”

While most healthcare providers think of HIPAA only as an enforcement tool utilized by the federal government, this case further demonstrates the increasing use of HIPAA as the standard of care in common-law causes of action. Regardless of whether HIPAA applies to a particular healthcare provider, all healthcare providers need to be cognizant of its rules and regulations, as they may be held to those standards.

HIPAA is not the only standard that could come into play; other standards such as state law, licensing board rules, and ethical rules typically apply as well. Healthcare providers would be wise to reevaluate their policies and procedures and ensure they are in line with the applicable rules and standards, so that confidential patient information is handled properly within their organization. AmSpa members can check their state’s medical aesthetic legal summary to find the laws governing their practice.

For more information on patient privacy requirements in medical spas, sign up for AmSpa’s live webinar on the topic, free to AmSpa members.

Jay Reyero, JD, is a partner at the business, healthcare, and aesthetic law firm of ByrdAdatto. He has a background as both a litigator and transactional attorney, bringing a unique and balanced perspective to the firm’s clients. His health care and regulatory expertise involves counseling and advising physicians, physician groups, other medical service providers and non-professionals. Specific areas of expertise include federal and state health care regulations and how they impact investments, transactions and various contractual arrangements, particularly in the areas of federal and state anti-referral, anti-kickback and HIPAA compliance.

Tags:  ByrdAdatto  Med Spa Law 
