New Compliance Requirements for Florida Hospitals with Emergency Departments
Florida Governor Ron DeSantis has signed the “Live Healthy” legislative package into law, which enhances current policies and includes $716 million in health care investments. The purpose of the legislative package is to strengthen Florida’s health care workforce, broaden access to quality health care, and foster innovation in the industry. The new laws introduce new compliance requirements for hospitals with emergency departments.
The bills signed by Governor DeSantis on March 21, 2024, are:
- SB 7016, which creates and expands training programs that will help to develop and retain Florida’s health care workforce.
- SB 7018, which harnesses the innovation and creativity of entrepreneurs and industry leaders to meet the needs and challenges of Florida’s evolving health care system.
- SB 1758, which formalizes some of the great work already underway within the Agency for Persons with Disabilities through the First Lady’s Hope Florida initiative.
- SB 330, which creates a new category of teaching hospitals dedicated to advancing behavioral health care through research, collaborating with our colleges and universities, and partnering with the state of Florida to address acute behavioral health care needs.
- SB 322, which creates public record and meeting exemptions for personal identifying information for practitioners participating in the Interstate Medical Licensure Compact, the Audiology and Speech-Language Pathology Interstate Compact, and the Physical Therapy Licensure Compact.
“We are taking action to bolster our health care workforce to keep pace with our state’s unprecedented growth,” said Governor DeSantis. “I applaud Senate President Passidomo for her dedication to this cause, which contributes to positioning Florida as the freest and healthiest state in the nation.”
New Compliance Requirements for Florida Hospitals with Emergency Departments
One of the bills, SB 7016, introduces new rules for hospitals with emergency departments (EDs), including hospitals with off-campus EDs. In Florida, many patients use EDs for non-emergent care or seek emergency care that could have been avoided if they received regular primary care. The bill requires hospitals with EDs to submit a diversion plan to the state that details how they will help these patients access the appropriate care setting if they present to the ED with a non-emergent condition or indicate that they do not have regular access to primary care.
The nonemergency care access plans (NCAPs), which must not conflict with the Emergency Medical Treatment and Labor Act, will require state approval by July 1, 2025, after which hospitals will be required to submit their plans annually and demonstrate that they are effective. If the NCAP does not receive state approval, it must be updated before a license is granted or renewed.
For Medicaid patients, the NCAP must include outreach to the patient’s Medicaid managed care plan, and at least one of the following:
- A partnership agreement with at least one local federally qualified health center or another primary care setting. Staff at the ED must proactively seek to establish a relationship between the patient and the federally qualified health center or primary care setting if the patient indicates they do not have regular access to primary care.
- The establishment and operation of a hospital-owned urgent care center within or in close proximity to the hospital ED, to which the patient can be diverted if, after an initial screening, the patient requires non-emergent healthcare services.
The post New Compliance Requirements for Florida Hospitals with Emergency Departments appeared first on HIPAA Journal.
Med-Data Settles Data Breach Lawsuit for $7 Million
The Spring, TX-based revenue cycle management company Med-Data has agreed to a $7 million settlement to resolve all claims stemming from a data breach between 2018 and 2019 that involved the protected health information of approximately 136,000 individuals.
Between December 2018 and September 2019, an employee of Med-Data uploaded patient data to the public-facing software development hosting platform GitHub. The files were added to personal folders on GitHub Arctic Code Vault and contained the protected health information of patients of several of its clients. The exposed data included names, addresses, dates of birth, Social Security numbers, diagnoses, medical conditions, claims information, dates of service, subscriber IDs, medical procedure codes, provider names, and health insurance policy numbers. Med-Data removed the files when it was alerted to the data exposure and offered the affected individuals complimentary credit monitoring and identity protection services.
A lawsuit was filed in response to the data breach that claimed Med-Data failed to adequately protect the sensitive data it obtained from its clients and did not issue timely notifications when the breach was discovered. Med-Data chose to settle the lawsuit and the settlement has received preliminary court approval. There are two tiers to the settlement. The first tier allows affected individuals to claim up to $5,000 to cover documented, unreimbursed losses incurred due to the data breach, including out-of-pocket expenses such as bank fees, credit costs, and communication expenses, up to five hours of lost time at $25 per hour, and losses due to identity theft and medical identity theft.
Alternatively, class members can opt for the second tier, which will provide a cash payment of up to $500 to cover time spent in response to the data breach, including monitoring credit reports, signing up for credit monitoring services, changing passwords, and other actions. Claims will be paid pro rata, depending on the number of claims received.
Regardless of the tier chosen, class members can also claim a 3-year membership to a health data and fraud monitoring service (Medical Shield Premium), which includes a $1 million identity theft insurance policy (Pango). Class members have until April 26, 2024, to object to or exclude themselves from the settlement, and the final approval hearing has been scheduled for September 11, 2024.
Roper St. Francis Healthcare Settles Data Breach Lawsuit for $1.5 Million
Roper St. Francis Healthcare has agreed to a $1.5 million settlement to resolve a class action lawsuit that was filed in response to a data breach in 2020. Roper St. Francis Healthcare is a South Carolina-based healthcare system with 4 hospitals and more than 117 healthcare facilities in the state. In late October 2020, Roper St. Francis Healthcare discovered three email accounts had been compromised after employees responded to phishing emails. The email accounts were accessed by unauthorized individuals between October 14 and October 29, 2020. The compromised accounts contained the protected health information of 89,761 patients, including names, medical record numbers, patient account numbers, dates of birth, and limited treatment and clinical information, such as dates of service, locations of service, providers’ names, and billing information.
A lawsuit was filed in response to the breach that claimed Roper St. Francis Healthcare was negligent by failing to implement reasonable and appropriate cybersecurity measures, and that Roper St. Francis Healthcare should have been aware that it was vulnerable to cyberattacks as it had experienced multiple data breaches in the past. Roper St. Francis Healthcare disagreed with the plaintiffs’ claims and chose to settle the lawsuit with no admission of wrongdoing.
Under the terms of the settlement, individuals who were notified about the data breach by Roper St. Francis Healthcare may claim up to $325 as reimbursement for data breach-related expenses, including credit costs and bank fees, and up to four hours of lost time at $20 per hour. If extraordinary losses have been incurred due to identity theft and fraud, claims may be submitted up to a maximum of $3,250. All class members are entitled to one year of credit monitoring services, in addition to those already offered in the individual notifications about the data breach. The deadline for exclusion from and objection to the settlement is April 30, 2024, and the final approval hearing has been scheduled for May 2, 2024.
Avem Health Partners Agrees $1.45 Million Settlement to Resolve Class Action Data Breach Lawsuit
A $1.45 million settlement has been agreed by Avem Health Partners to resolve claims related to a 2022 data breach involving the protected health information of 271,303 individuals. Avem Health Partners is an Oklahoma City-based provider of administrative and technology services to healthcare organizations. On May 16, 2022, hackers were found to have gained access to the servers of one of its vendors, 365 Data Centers. The unauthorized access occurred on May 14, 2022, and Avem Health Partners was notified about the data breach on September 9, 2022.
The exposed data included names, dates of birth, Social Security numbers, driver’s license numbers, health insurance information, and diagnosis and treatment information, and the affected individuals were notified by Avem Health Partners in December 2022. Legal action – Bingaman, et al. v. Avem Health Partners Inc. – was taken over the breach, with the plaintiffs alleging that their protected health information was negligently maintained and that, had appropriate cybersecurity measures been implemented, the breach could have been prevented. Avem Health Partners chose to settle the lawsuit with no admission of wrongdoing.
Claims will be accepted from individuals who were notified about the data breach by Avem Health Partners. Claims may be submitted for up to $7,000 to cover out-of-pocket expenses incurred due to the data breach, including credit expenses, bank fees, losses to identity theft and fraud, and up to five hours of lost time at $25 per hour. Individuals who do not submit claims to cover losses will be eligible to receive a cash payment of up to $100, although that amount may be reduced depending on the number of claims received.
Regardless of the option chosen, class members will be eligible to receive three years of identity theft protection and credit monitoring services, which include a $1 million identity theft insurance policy. The deadline for objection to and exclusion from the settlement is April 25, 2024, and the final approval hearing has been scheduled for May 10, 2024.