Minor Licensing Violations Could Cost Physicians Medicare Billing Privileges Under Proposed Rule

For physicians and other eligible health care professionals, Medicare enrollment and billing privileges are invaluable and lucrative assets that can form a substantial portion of their revenues, allow them to treat more patients, and expand their career opportunities. Losing those privileges can be a catastrophic blow to a practice.

But a new rule proposed by the Centers for Medicare & Medicare Services (CMS) would dramatically expand CMS’ authority to deny or revoke Medicare privileges, allowing it to substitute its judgment for that of state licensing boards and impose such catastrophic sanctions even for infractions a state board deems relatively minor.

On August 14, 2019, CMS issued what it called a “major proposed rule” addressing a wide range of changes to the Medicaid physician fee schedule and other aspects of participation in the program. If it becomes final, all 808 pages of the proposed rule would represent the most substantial modification to program enrollment and eligibility since the establishment of the regulations in 2006.

CMS Can Impose Harsher Sanctions Than State Boards

In the proposed rule, CMS notes that, at the moment, it cannot make Medicare eligibility and renewal decisions based solely on state board disciplinary actions:

“We currently lack the legal basis to take administrative action against a physician or other eligible professional for a matter related to patient harm based solely on… an administrative action (excluding a state medical license suspension or revocation) imposed by a state oversight board,” such as the Illinois Department of Financial and Professional Regulation (IDFPR).

The new rule would grant CMS such authority and “would permit us to revoke or deny, as applicable, a physician’s or other eligible professional’s… enrollment if he or she has been subject to prior action from a state oversight board… with underlying facts reflecting improper physician or other eligible professional conduct that led to patient harm.”

84 Fed. Reg. at 40723.

As a practical matter, the rule gives CMS the power to review a state board’s conclusions and sanctions and then make its own determination as to whether the physician’s or other professional’s conduct warrants exclusion from Medicare.

This can lead to a situation in which IDFPR deems an infraction to be relatively minor and perhaps deserving of a “slap on the wrist” while CMS could decide to impose a “death sentence” in terms of Medicare eligibility, a conflict CMS readily acknowledges:

“We recognize that situations could arise where a state oversight board has chosen to impose a relatively minor sanction on a physician or other eligible professional for conduct that we deem more serious. We note, however, that we, rather than state boards, is ultimately responsible for the administration of the Medicare program and the protection of its beneficiaries. State oversight of licensed physicians or practitioners is, in short, a function entirely different from federal oversight of Medicare. We accordingly believe that we should have the discretion to review such cases to determine whether, in the agency’s view, the physician’s or other eligible professional’s conduct warrants revocation or denial.”


Making matters worse for sanctioned physicians, a decision by CMS to revoke Medicare privileges results in an automatic cross-termination of participation in Medicaid and other federal payer programs.

The public comment period for the proposed rule closes on September 27, 2019. If the rule is enacted, it becomes that much more critical for physicians facing IDFPR investigations or disciplinary proceedings – even for a “minor” infraction – to retain experienced professional license defense counsel.

Louis R. Fine: Chicago Physician License Defense Attorney

Throughout my career, I have been protecting the livelihoods and professional futures of physicians and other health care providers before the IDFPR, combining insight and experience with zealous and strategic advocacy.

The moment you are contacted by IDFPR or learn that you are under investigation is the moment that you should contact me. I will immediately begin communicating with IDFPR prosecutors and work with you to develop the strategy best suited to achieving the goal of an efficient, cost-effective outcome that avoids any adverse action. Together, we will protect your Illinois physician’s license and get you back to your patients and your career.

Please give me a call at (312) 236-2433 or fill out my online form to arrange for your free initial consultation. I look forward to meeting with you.

HIPAA and IDFPR: Violations of Patient Privacy Can Threaten Your Professional License

The Jussie Smollett saga earlier this year made headlines here in Chicago and throughout the country. It was a juicy tale of a supposed hate crime against an actor, that turned out to be a hoax, that led to criminal charges against Smollett, that were later dropped by State’s Attorney Kimberly Foxx, who then found herself under scrutiny for that decision. But Smollett and Foxx weren’t the only ones in this tale whose conduct raised eyebrows or put them in legal or ethical jeopardy.

Fifty employees, including several nurses, at Northwestern Memorial Hospital lost their jobs and faced disciplinary action because they violated the patient privacy provisions of the Health Insurance Portability and Accountability Act (HIPAA). This included one nurse who did nothing more than search for Smollett’s name in the hospital’s system.

Breaching HIPAA Obligations Is Easy. Dealing With the Fallout Is Not.

If you are a physician or registered nurse, or if you work in healthcare in any capacity, you are no doubt generally aware of HIPAA and the duties it creates to ensure the confidentiality of protected health information (PHI). That fired nurse no doubt knew about HIPAA’s privacy and security rules as well. But her case demonstrates how quickly and inadvertently you can breach your professional obligations as to patient privacy and put your career – and professional license – in peril.

After HIPAA became law in 1996, the U.S. Department of Health and Human Services (HHS) issued a set of national standards governing the use, maintenance, and disclosure of patients’ protected health information. Commonly known as the Privacy Rule, the Standards for Privacy of Individually Identifiable Health Information limit how and to whom PHI can be disclosed.

Additionally, medical professionals and organizations must comply with detailed rules involving the physical and electronic security of PHI (the Security Rule, or Security Standards for the Protection of Electronic Protected Health Information) as well as the Breach Notification Rule which addresses what doctors and healthcare providers need to do in the event of a data breach.

As complex as HIPAA rules can be, violating them couldn’t be easier. It doesn’t require malicious intent (though that makes matters worse) or the knowledge that an act or omission violates HIPAA. In fact, most HIPAA infractions are inadvertent and more a factor of “loose lips sink ships” than anything else. But that doesn’t insulate a doctor or nurse from civil penalties or professional license consequences.

Common HIPAA Privacy Rule Violations

The following are common examples of how medical professionals can and do unknowingly violate HIPAA’s Privacy Rule:

  • Leaving patient files and information in plain view, such as at a nurse’s station or reception desk, so that anyone in proximity may be able to see that information.
  • Social media posts, pictures, or videos that may directly or indirectly reveal information about a patient or their condition, even in “closed” groups. A 2015 ProPublica review uncovered 22 cases of HIPAA-violating photo and video sharing in just the previous three years, with 35 instances of inappropriate image and video sharing found in total. There have been plenty more widely-publicized incidents since then.
  • Sending PHI over messaging apps without patient authorization.
  • Accessing the PHI of patients you are not required to treat
  • Gossiping about specific patients and disclosing their health information to family, friends & colleagues
  • Improper disposal of PHI, such as discarding it in regular trash.

Possible Consequences of a HIPAA Privacy Violation

The Office for Civil Rights (OCR) at DHS is responsible for enforcing HIPAA’s privacy requirements and can impose civil fines and criminal penalties, including possible jail time, for violations. The penalties and/or fines administered by OCR are based on the severity of each HIPAA violation and the knowledge and intent involved. Only willful violations will raise the specter of criminal prosecution, but civil penalties can rise to the level of tens of thousands of dollars.

Additionally, under Illinois’ Medical Patient Rights Act, any physician or healthcare provider who discloses a patient’s PHI without their express consent or as otherwise provided by law is guilty of a petty offense and will be fined $1,000.

If a physician or nurse violates HIPAA in a willful or egregious way, or is negligent in their handling of patient information, the Illinois Department of Financial and Professional Regulation (IDFPR) may take an interest and see such conduct as the basis for disciplinary action.

For example, the Illinois Medical Practice Act provides that the Department may revoke, suspend, place on probation, reprimand, refuse to issue or renew, or take any other disciplinary or non-disciplinary action against a physician for “willfully or negligently violating the confidentiality between physician and patient except as required by law.”

To avoid all of these potential consequences, physicians and nurses must remain vigilant and ever mindful of their patients’ privacy and their obligations under HIPAA.

Louis Fine: Chicago Professional License Defense Attorney

If you have questions or concerns about your duties under HIPAA or find yourself facing an IDFPR investigation or complaint about patient privacy, please contact me immediately. As a former Chief Prosecuting Attorney and administrative law judge for IDFPR, I have seen the serious consequences that an adverse enforcement decision can have on professionals who suddenly find their future in disarray. I can work with you to develop the strategy best suited to achieving the goal of an efficient, cost-effective outcome that avoids any adverse action. Together, we will get you back to your clients and your career.

Please give me a call at (312) 236-2433 or fill out my online form to arrange for your free initial consultation. I look forward to meeting with you.

DISCLAIMER: This email, and any attachments thereto, is the property of the Law Offices of Louis R. Fine and is intended for use only by the addressee(s) named herein and may contain confidential information, legally privileged information and attorney-client work product. If you are not the intended recipient of this email, you are hereby notified that any dissemination, distribution or copying of this email, and any attachments thereto, is strictly prohibited. If you have received this email in error, please notify the sender by email, telephone or fax, and permanently delete the original and any of any email and printout thereof. Thank you.