Tag: nurses

HIPAA and IDFPR: Violations of Patient Privacy Can Threaten Your Professional License

Posted on by Louis Fine

The Jussie Smollett saga earlier this year made headlines here in Chicago and throughout the country. It was a juicy tale of a supposed hate crime against an actor, that turned out to be a hoax, that led to criminal charges against Smollett, that were later dropped by State’s Attorney Kimberly Foxx, who then found herself under scrutiny for that decision. But Smollett and Foxx weren’t the only ones in this tale whose conduct raised eyebrows or put them in legal or ethical jeopardy.

Fifty employees, including several nurses, at Northwestern Memorial Hospital lost their jobs and faced disciplinary action because they violated the patient privacy provisions of the Health Insurance Portability and Accountability Act (HIPAA). This included one nurse who did nothing more than search for Smollett’s name in the hospital’s system.

Breaching HIPAA Obligations Is Easy. Dealing With the Fallout Is Not.

If you are a physician or registered nurse, or if you work in healthcare in any capacity, you are no doubt generally aware of HIPAA and the duties it creates to ensure the confidentiality of protected health information (PHI). That fired nurse no doubt knew about HIPAA’s privacy and security rules as well. But her case demonstrates how quickly and inadvertently you can breach your professional obligations as to patient privacy and put your career – and professional license – in peril.

After HIPAA became law in 1996, the U.S. Department of Health and Human Services (HHS) issued a set of national standards governing the use, maintenance, and disclosure of patients’ protected health information. Commonly known as the Privacy Rule, the Standards for Privacy of Individually Identifiable Health Information limit how and to whom PHI can be disclosed.

Additionally, medical professionals and organizations must comply with detailed rules involving the physical and electronic security of PHI (the Security Rule, or Security Standards for the Protection of Electronic Protected Health Information) as well as the Breach Notification Rule which addresses what doctors and healthcare providers need to do in the event of a data breach.

As complex as HIPAA rules can be, violating them couldn’t be easier. It doesn’t require malicious intent (though that makes matters worse) or the knowledge that an act or omission violates HIPAA. In fact, most HIPAA infractions are inadvertent and more a factor of “loose lips sink ships” than anything else. But that doesn’t insulate a doctor or nurse from civil penalties or professional license consequences.

Common HIPAA Privacy Rule Violations

The following are common examples of how medical professionals can and do unknowingly violate HIPAA’s Privacy Rule:

  • Leaving patient files and information in plain view, such as at a nurse’s station or reception desk, so that anyone in proximity may be able to see that information.
  • Social media posts, pictures, or videos that may directly or indirectly reveal information about a patient or their condition, even in “closed” groups. A 2015 ProPublica review uncovered 22 cases of HIPAA-violating photo and video sharing in just the previous three years, with 35 instances of inappropriate image and video sharing found in total. There have been plenty more widely-publicized incidents since then.
  • Sending PHI over messaging apps without patient authorization.
  • Accessing the PHI of patients you are not required to treat
  • Gossiping about specific patients and disclosing their health information to family, friends & colleagues
  • Improper disposal of PHI, such as discarding it in regular trash.

Possible Consequences of a HIPAA Privacy Violation

The Office for Civil Rights (OCR) at DHS is responsible for enforcing HIPAA’s privacy requirements and can impose civil fines and criminal penalties, including possible jail time, for violations. The penalties and/or fines administered by OCR are based on the severity of each HIPAA violation and the knowledge and intent involved. Only willful violations will raise the specter of criminal prosecution, but civil penalties can rise to the level of tens of thousands of dollars.

Additionally, under Illinois’ Medical Patient Rights Act, any physician or healthcare provider who discloses a patient’s PHI without their express consent or as otherwise provided by law is guilty of a petty offense and will be fined $1,000.

If a physician or nurse violates HIPAA in a willful or egregious way, or is negligent in their handling of patient information, the Illinois Department of Financial and Professional Regulation (IDFPR) may take an interest and see such conduct as the basis for disciplinary action.

For example, the Illinois Medical Practice Act provides that the Department may revoke, suspend, place on probation, reprimand, refuse to issue or renew, or take any other disciplinary or non-disciplinary action against a physician for “willfully or negligently violating the confidentiality between physician and patient except as required by law.”

To avoid all of these potential consequences, physicians and nurses must remain vigilant and ever mindful of their patients’ privacy and their obligations under HIPAA.

Louis Fine: Chicago Professional License Defense Attorney

If you have questions or concerns about your duties under HIPAA or find yourself facing an IDFPR investigation or complaint about patient privacy, please contact me immediately. As a former Chief Prosecuting Attorney and administrative law judge for IDFPR, I have seen the serious consequences that an adverse enforcement decision can have on professionals who suddenly find their future in disarray. I can work with you to develop the strategy best suited to achieving the goal of an efficient, cost-effective outcome that avoids any adverse action. Together, we will get you back to your clients and your career.

Please give me a call at (312) 236-2433 or fill out my online form to arrange for your free initial consultation. I look forward to meeting with you.

DISCLAIMER: This email, and any attachments thereto, is the property of the Law Offices of Louis R. Fine and is intended for use only by the addressee(s) named herein and may contain confidential information, legally privileged information and attorney-client work product. If you are not the intended recipient of this email, you are hereby notified that any dissemination, distribution or copying of this email, and any attachments thereto, is strictly prohibited. If you have received this email in error, please notify the sender by email, telephone or fax, and permanently delete the original and any of any email and printout thereof. Thank you.

Beware of “Aiding and Abetting” the Unlicensed Practice of Medicine

Posted on by Louis Fine

“Aiding and abetting” are two words often associated with criminal law, as in, “The getaway car driver was charged with aiding and abetting the bank robbery.” But for physicians as well as many other professionals who are required to be licensed by the Illinois Department of Financial and Professional Regulation (IDFPR), aiding and abetting the unlicensed practice of their profession can also mean severe disciplinary action, including license revocation.

For physicians in particular, aiding and abetting the unlicensed practice of medicine can be a potentially disastrous minefield, as the permissible and seemingly innocuous delegation of certain tasks to assistants or others can inadvertently lead to IDFPR concerns.

Included among the over 40 enumerated bases for disciplinary action set forth in the Illinois Medical Practice Act (225 ILCS 60/1 et seq.) is “aiding and abetting an individual not licensed under this Act in the practice of a profession licensed under this Act.”

What Exactly is the “Practice of Medicine”?

The problem arises because the Medical Practice Act, despite its title, nowhere defines exactly what the “practice of medicine” entails. Section 22 of the Medical Practice Act directs the IDFPR to adopt rules that set forth standards to be used in determining several violations and terms under the Act. However, it does not require the Department to set forth explicit standards defining the practice of medicine.

As one court explained, the reason the legislature did not define “the practice of medicine” in the definitions section of the Act is “because a flexible definition of the practice of medicine is required in a statute intended to govern various healers from osteopaths to herb doctors. Siddiqui v. IDFPR, 718 N.E.2d 217 (4th Dist. 1999).

Not every act performed by a physician constitutes the practice of medicine. Duties such as changing bandages, administering injections, drawing blood, and taking blood pressure are often performed by nonphysicians. However, the fact that licensed professionals other than physicians may be permitted to perform certain medical procedures under the supervision of a licensed physician does not render the performance of those same procedures by unsupervised and unlicensed individuals outside the ambit of the Medical Practice Act. People v. Bickham, 621 N.E.2d 86 (1993).

Delegation of “Patient Care Tasks” to Qualified or Supervised Individuals Can Be Permitted

Similarly, Section 54.2 of the Medical Practice Act specifically allows physicians to delegate authority to certain individuals:

  • Physicians can delegate patient care tasks to a licensed practical nurse, a registered professional nurse, or other licensed person practicing within the scope of his or her individual licensing Act.
  • Physicians can also delegate such tasks to physician assistants or advanced practice nurses.
  • In an office or practice setting and within a physician-patient relationship, a physician may delegate patient care tasks or duties to an unlicensed person who possesses appropriate training and experience provided a health care professional, who is practicing within the scope of such licensed professional’s individual licensing Act, is on site to provide assistance.
  • No physician may delegate any patient care task or duty that is statutorily or by rule mandated to be performed by a physician.

Diagnosis, Treatment Plan, and Prescriptions Cannot Be Delegated

What cannot be delegated, and what do not constitute “patient care tasks,” are the diagnosis of illnesses, and the development of treatment plans, including prescribing drugs. Siddiqui v. IDFPR, 718 N.E.2d 217 (4th Dist. 1999). For example, the Pharmacy Practice Act of 1987 provides that a pharmacist may advise or counsel patients on the use of drugs or devices and provide health information related to them, however, the pharmacist’s role does not extend to deciding whether to prescribe drugs. This requires a medical judgment as to the needs of the patient, the effect of the drug, and the effectiveness of other types of treatment.

Physicians should ensure that they have developed specific protocols and procedures that define the permissible roles and actions of nurses, assistants, and others in their practice and be wary of delegating any tasks that may involve the diagnosis and the use of professional medical judgment in deciding on a course of treatment.

Louis R. Fine: Chicago Physician License Defense Attorney

Throughout my career, I have been protecting the livelihoods and professional futures of physicians and other health care providers before the IDFPR, combining insight and experience with zealous and strategic advocacy.

The moment you are contacted by IDFPR or learn that you are under investigation is the moment that you should contact me. I will immediately begin communicating with IDFPR prosecutors and work with you to develop the strategy best suited to achieving the goal of an efficient, cost-effective outcome that avoids any adverse action. Together, we will protect your Illinois physician’s license and get you back to your patients and your career.

Please give me a call at (312) 236-2433 or fill out my online form to arrange for your free initial consultation. I look forward to meeting with you.

Illinois Nurses: Take Care of How You Treat the IDFPR or Risk Losing Everything

Posted on by Louis Fine

There are lots of things you can look forward to in the mail – birthday cards, paychecks, that cool thing you just ordered from Amazon. But if you are a nurse in Illinois, an unexpected envelope from the Illinois Department of Financial and Professional Regulation (IDFPR) is not one of them. There’s a good chance that the envelope contains either a complaint which a patient has lodged against you and/or a notice that you are under investigation for alleged violations of your professional obligations.

Whether you are a Registered Professional Nurse (RN), Licensed Practical Nurse (LPN), or Advanced Practice Nurse (APN), don’t panic if that envelope does come and make sure you avoid these other IDFPR “don’ts” as well. But you’d rather not get such potentially devastating news in the first place.

In addition to the many bases for disciplinary action that are related to the performance of your duties as a nurse, there are also many ways to get in trouble related to your duties to the IDFPR. The IDFPR does not like being ignored, lied to, or denied information relevant to your license and professional history. Here are three ways your interactions with the IDFPR can lead them to threaten your ability to continue practicing:

  • Ignoring the IDFPR. Burying your head in the sand is the worst possible thing you can do if and when the IDFPR contacts you. You are subject to discipline if you:
    • Fail, within 90 days, to provide a response to a request for information in response to a written request made by the IDFPR by certified mail.
    • Fail to report to the IDFPR any final disciplinary action taken against you by another licensing jurisdiction, any peer review body, any health care institution, any professional or nursing society or association, any governmental agency, any law enforcement agency, or any court or a nursing liability claim related to acts or conduct similar to acts or conduct that would constitute grounds for action as defined in this Section.
    • Fail to report to the IDFPR your surrender of a license or authorization to practice nursing or advanced practice nursing in another state or jurisdiction.
    • Failing, within 60 days, to provide information in response to a written request made by the Department.
  • Burying bad news. If you are disciplined in another jurisdiction, you need to report that to the IDFPR. They say the cover up is always worse than the crime, so make sure that you:
    • Report to the IDFPR any final disciplinary action taken against you by another licensing jurisdiction, any peer review body, any health care institution, any professional or nursing society or association, any governmental agency, any law enforcement agency, or any court or a nursing liability claim related to acts or conduct similar to acts or conduct that would constitute grounds for action as defined in this Section.
    • Report to the IDFPR your surrender of a license or authorization to practice nursing or advanced practice nursing in another state or jurisdiction.
  • Lying. Period. You lie or intentionally deceive the IDFPR, you will lose your license; it’s just that simple. Specifically:
    • Material deception in furnishing information to the Department.
    • Fraud, deceit or misrepresentation in procuring or applying for a renewal of your license.
    • Attempting to subvert or cheat on a licensing examination.
    • The use of any false, fraudulent, or deceptive statement in any document connected with your practice.
    • Willfully making or filing false records or reports in your practice, including but not limited to false records to support claims against the medical assistance program of the Department of Healthcare and Family Services (formerly Department of Public Aid) under the Illinois Public Aid Code.

In addition to your communications directly with the IDFPR, your communications to the world at large through social media can put your license at risk. What you post on Facebook, Twitter, Instagram or other social media platforms can be used as evidence against you in any disciplinary action brought by the IDFPR. Depending on what you post, you social media use can itself be a basis for discipline if it violates patient confidentiality, reflect immoral conduct relating to your practice, or otherwise violates any other basis for discipline as set forth in the Illinois Nurse Practice Act.

Louis R. Fine: Chicago Nursing License Defense Attorney

If you’re a licensed Illinois nurse, the moment you are contacted by IDFPR or learn that you are under investigation is the moment that you should contact me. I will immediately begin communicating with IDFRP prosecutors and work with you to develop the strategy best suited to achieving the goal of an efficient, cost-effective outcome that avoids any adverse action. Together, we will protect your license and get you back to your patients and your career.

Please give me a call at (312) 236-2433 or fill out my online form to arrange for your free initial consultation. I look forward to meeting with you.