MEDICAL RECORDS IN FLORIDA-A FOLLOW UP

As a follow up to the article posted in April 2021 on Florida medical records, we will discuss various issues, aspects, and their consequences.

A common question that clients ask when pursuing a medical malpractice case is, “Can medical records be altered to hide the evidence?” 

Though it seems that doctors and other medical providers accused of malpractice might simply change medical records to protect themselves, there are several reasons why doing so is not reasonable or practical.

Falsifying or altering a medical record is a crime punishable by a fine or even possible license restriction, suspension, or termination. Additionally, altering medical records can make it harder for doctors to prevail in medical malpractice cases. 

Juries do not trust liars, and a questionable change or amendment to a record may imply that something was being covered up. The consequences of discovering an act of altering a medical record are probably worse than the consequences of telling the truth.

Further, it is difficult to get away with falsifying medical records. Usually, in medical settings, documents are shared among a few doctors and nurses, not to mention a patient’s health insurance provider and testing facilities. 

Discrepancies can be spotted among different copies of a document as well as in a patient’s medical bills. With written records, forensic scientists can tell when a document has been changed by looking at inks and indentations in the paper. It is also easy to track changes in electronic documents.

Despite the risks, altered medical records still occur. At times, when a healthcare provider is discovered to have done such an act, difficult cases suddenly become much easier to win. Conversely, cases with much promise are occasionally lost because there is not an accurate record of what happened, preventing lawyers from being able to support their case with sufficient evidence.

Altering a medical record is a crime and can also be used against doctors in medical malpractice cases. However, it is not illegal for medical professionals to make honest updates to records, if they properly mark what they are doing and do not obscure information.

In order to make a correction, physicians should make a new note and include the current date and time. The note should be labeled, “Late Entry,” “Correction,” or “Addendum.” 

The physician or other medical provider should explain the relationship of the note to an earlier one, including the reason for the error, and the source of the new or added information. Records should always reflect who did what. Finally, they should draw a line through the incorrect entry. The old text, however, should still be legible.

If an omission in a medical record is noticed by a physician after a short amount of time and said physician can distinctly remember administering medication or other treatment, a late entry should be made. 

However, if a day or more has passed, it is unlikely that the physician can reliably remember exactly what happened. Filling in missing information after the fact may lead to a misrepresentation of events. As such, filling in omissions may also be an illegal act.

According to Florida Law, a healthcare provider who knowingly or willfully destroys, alters, or otherwise obscures a medical record or other information about a patient to conceal evidence is subject to the following:

For HOSPITAL LICENSING AND REGULATION

 395.302 Patient records; penalties for alteration.

(1) Any person who fraudulently alters, defaces, or falsifies any medical record, or causes or procures any of these offenses to be committed, commits a misdemeanor of the second degree, punishable as provided in s. 775.082 or s. 775.083.

(2) A conviction under subsection (1) is also grounds for restriction, suspension, or termination of license privileges.

 For NURSING HOMES AND RELATED HEALTH CARE FACILITIES

400.1415 Patient records; penalties for alteration.

(1) Any person who fraudulently alters, defaces, or falsifies any medical record or releases medical records for the purposes of solicitation or marketing the sale of goods or services absent a specific written release or authorization permitting utilization of patient information, or other nursing home record, or causes or procures any of these offenses to be committed, commits a misdemeanor of the second degree, punishable as provided in s. 775.082 or s. 775.083.

 (2) A conviction under subsection (1) is also grounds for restriction, suspension, or termination of license privileges.

A medical record is essentially a summary of one’s health history. The primary care physician has a medical record for his patient, but so does every other healthcare facility said patient has used, from specialists to hospitals.

A patient can authorize their medical records be sent to another healthcare provider for continuity of care. Otherwise, one’s medical records will not be consolidated. There has been an effort in recent years to simplify the sharing of medical records between providers through digitization. Electronic health records (EHRs) contain a summary of one’s health and treatment history and can be shared more easily.

However, there still is not a standard nationwide software or process for medical professionals to share information. This means that a patient may have to put in multiple requests if they want a complete copy of their medical record.

Medical records can include the following:

  • Personal Information (name, SSN, etc.);
  • Family Medical History (risk of high blood pressure, anxiety, etc.);
  • Medical History (medical conditions, past illnesses/complaints, pregnancies, immunizations, recreational drug use, allergies, etc.);
  • Referrals;
  • Examination Results (physicals, x-rays, lab reports, scans, etc.);
  • Medication and Treatment History (drugs used, the possibility of drug interaction, success/failure of past treatments, past surgeries, etc.);
  • Medical Directives (patient’s wishes about their medical care if they become unresponsive);
  • Autopsy Report/Death Certificate.

Although patients have the right to access a copy of their medical records, original documents belong to the healthcare or medical facility which created them. 

Doctor’s offices and hospitals are required to keep medical records on the premises in a secure location. They may share patient records electronically with the subject patient’s other providers if granted permission by said patient. This is not an automatic or instantaneous process, however, which is why a patient is often asked questions about their medical history when they go to a new doctor or facility.

Under the Health Insurance Portability and Accountability Act (HIPPA), patients have a right to receive a copy of their medical and billing records. Facilities do charge a fee for copying and mailing records. However, they cannot legally deny a patient a copy of their medical records because they have not paid their fee. It often takes multiple letters and calls to get the facility to send the records.

In a lawsuit, medical records are essential evidence. Insurance carrier or providers can review medical records and will request a copy if a person files a lawsuit. A patient’s personal representative can also collect their medical records, which is especially useful in cases of wrongful death. 

The government and law enforcement also have the right to access medical records in certain situations.

There exist in various other states verdicts and settlements involving lawsuits which represent examples of falsifying medical records.

One question that gets asked is can a patient sue a doctor for lying in the records? A patient may be able to sue a doctor for falsifying medical records, but the said patient needs actual harm to resulting therefrom to have a reasonable likelihood of a settlement or verdict. In all the out of state examples of falsifying medical records, there was underlying harm to the patient.

NOW, as far as violation of the privacy or confidentiality under the foregoing HIPAA law, it must be noted that there is no private cause of action in HIPAA, so it is not possible for a patient to sue for a HIPAA violation. Even if HIPAA Rules have clearly been violated by a healthcare provider, and harm has been sustained as a direct result, it is not possible for patients to seek damages, at least not for the violation of HIPAA Rules.

What the said patient can do is the following:

File a Complaint with OCR-To report HIPAA violations, a patient must file a complaint to the Office of Civil Rights. Note that said patient can file this complaint in writing by e-mail, mail, or through the OCR Complaint Portal. Requirements for filing a HIPAA Privacy Complaint include:

  • File the complaint within 180 days of when a patient discovered that the act a patient is complaining about took place;
  • Ensure to provide extensive details about the patient or the affected individual if done in a representative capacity;
  • Name the covered entitled or third-party associate involved;
  • Provide details of the complaint, describing the acts one believes violate the requirements of the HIPAA rules;
  • Once a patient has submitted their HIPAA Privacy Complaint, the OCR will go ahead and investigate the covered entity.

File a complaint with the DOH-Aside from licensing all healthcare professionals practicing in the state, the Florida Department of Health (DOH) is also tasked with reviewing complaints filed against them. If a FIPA-covered entity is found in violation of patient confidentiality, it can be held liable under the data privacy laws. The Florida Information Protection Act of 2014 (FIPA) came into effect on July 1, 2014, expanding Florida’s existing data breach notification statute requirements for covered entities that acquire, use, store or maintain Floridian’s personal information.  

FIPA modified Florida’s existing data breach notification law and applies to commercial and government entities. FIPA applies to all covered entities. A covered entity is a sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity or government entity that acquires, maintains, stores, or uses personal information.

More importantly, FIPA is an extraterritorial law, which means any company that acquires, uses, stores, or maintains the Personally Identifiable Information (PII) of Floridians must comply. This includes covered entities with no physical footprint in Florida. 

File a Report with a Third-Party Payer-Note that patients with Tricare, Medicare, VA, military, or Public Health Service can report or file their complaint to the Office of the Inspector General of that exact agency. However, note that one does not always have the luxury of time when it has to do with filing their complaint after they have discovered a HIPAA violation.

It is advisable the patient file a complaint immediately after discovering the violation. To get the best possible outcome, a patient is recommended to seek the expertise of a competent attorney experienced in this area.

Some common HIPAA violations in the state of Florida include:

Information disclosure: When employees of a covered entity divulge PHI to unauthorized individuals, their employer is believed to have violated HIPAA regulations.

Inadequate PHI access controls: Aside from being barred from disclosing PHI, employees of covered entities are also restricted from accessing patient files if they are not so permitted. Illegal access to patient files is considered a serious HIPAA violation.

Lack of a risk analysis policy: Covered entities are expected to conduct risk analysis regularly to note whether PHI is prone to attacks. Failure to do this is also considered a serious HIPAA violation.

Lack of a risk management policy: Once risks are identified, covered entities are expected to immediately implement a risk management process to manage those risks in a reasonable time- frame. Note that failure to implement a risk management plan is considered a HIPAA violation.

Lack of HIPAA-compliant agreements: Covered entities will also have to enter into HIPAA-compliant agreements with third-party agents, including vendors and business associates. Also, note that not doing this is considered a HIPAA violation.

Failure to PHI on Portable Devices: The inability to protect devices containing PHI, such as using strong passwords and encryption, is noted as a HIPAA violation. Downloading PHI to personal and unprotected devices is also noted as a gross violation in the State of Florida.

Exceeding the deadline for issuing breach notifications: In Florida, covered entities are expected to issue breach notifications within 30 days after finding out about a data breach. Defaulting is essentially considered a HIPAA violation.

Improper disposal of PHI: HIPAA rules mandate covered entities to securely destroy PHI that is no longer needed. Failure to do this is considered a direct HIPAA violation.

Limiting patients from accessing their PHI: Under HIPAA, patients are expected to be granted access to their medical records and get copies on request. Owing to that, denying patients this right is a violation of HIPPA.

Outlined above are some of the few ways to report HIPAA violations in the State of Florida. Although the OCR is the primary organization which receives complaints, a patient can leverage other ways of reporting if they do not feel comfortable going through this type of process.

The Department of Health and Human Services’ Office for Civil Rights – the main enforcer of HIPAA Rules – can issue civil penalties for HIPAA violations. OCR investigates complaints about potential HIPAA violations and investigates data breaches. When individuals are discovered to have violated HIPAA, civil penalties may be appropriate.

Also note that one can report to a supervisor at one’s employment, their company’s Privacy Officer, or the Compliance officer when they suspect there is a HIPAA violation in their organization. Once they receive the complaint, the organization is expected to investigate the violation internally and note whether the complaint meets the threshold for reporting under the breach notification rule.

If one works in healthcare they should have a good working knowledge of HIPAA rules, exercise diligence, and ensure that HIPAA Rules are always followed, but what happens if they violate HIPAA? What are the likely repercussions for accidentally or knowingly violating HIPAA Rules? What happens if HIPAA laws are violated will depend on the type of violation, its severity, the harm caused to others, and the extent to which the subject individual knew that HIPAA Rules were being violated.

If at the time of the violation one was unaware that they make a mistake, the violation was minor, and no harm has been caused, the violation may be dealt with internally. Verbal or written warnings may be issued and further training on HIPAA compliance would be appropriate.

For more serious violations, especially in cases where HIPAA Rules have been knowingly violated, termination is likely. The violation may be reported to licensing boards who can place restrictions on licenses. Suspension and loss of license is also possibility.

The Department of Health and Human Services’ Office for Civil Rights, the main enforcer of HIPAA Rules, can issue civil penalties for HIPAA violations. OCR investigates complaints about potential HIPAA violations and investigates data breaches. When individuals are discovered to have violated HIPAA, civil penalties may be appropriate.

There are four tiers of civil penalties based on the level of knowledge that HIPAA Rules were being violated:

Tier 1 applies to individuals who did not know HIPAA Rules were being violated or by exercising a reasonable level of diligence would not have about a violation of HIPAA. The minimum penalty is $100 per violation up to a maximum of $25,000 for repeat violations.

Tier 2 applies to reasonable cause, which has a minimum fine of $1,000 per violation, up to $100,000 for repeat violations.

Tier 3 apples to violations involving willful neglect of HIPAA Rules when the violation has been corrected within the required timeframe. The minimum fine is $10,000 per violation up to a maximum of $250,000 for repeat violations.

Tier 4 is reserved for willful neglect of HIPAA Rules with no attempt to correct the violation. The minimum penalty is $50,000 per violation up to a maximum of $1.5 million for repeat violations.

The maximum penalty, regardless of the tier, is $50,000 per violation with a cap of $1.5 million.

The Office for Civil Rights can refer violation cases to the Department of Justice when there have potentially been criminal violations of HIPAA Rules. Criminal penalties for HIPAA violations are rare, but they are possible when healthcare employees have knowingly violated HIPAA Rules.

The tiers for criminal penalties are:

Tier 1 – Negligence/Reasonable cause – A fine of up to $50,000 and up to one year in prison

Tier 2 – False pretenses – A fine of up to $100,000 and up to 5 years in prison

Tier 3 – Personal gain or malicious intent – A fine up to $250,000 and up to 10 years in prison.

Consequently, when a patient obtains a copy of their medical records, they should thoroughly review them. Occasionally, one might come across an error or learn that confidential information was improperly disclosed, the foregoing may be a general overview of what direction or avenues they may be able to take.

If you have any additional Questions regarding the foregoing or have any legal issue or concern, please contact the law firm of CASERTA & SPIRITI in Miami Lakes, Florida.