Author Archives: Jeffrey Lynne

About Jeffrey Lynne

Jeffrey C. Lynne is a South Florida native, representing individuals and business entities relating to licensing, accreditation, regulatory compliance, business structure, marketing, real estate, zoning and litigation pertaining to substance abuse treatment facilities and sober living residences. Mr. Lynne has been recognized across the region as a leader in progressive public dialogue about the role that substance abuse treatment has within our communities and the fundamental need and right to provide safe and affordable housing for those who are both in treatment for addiction and alcoholism as well as those who are established in their recovery.

Travel Assistance, Patient Financial Responsibility, and Good Intentions

Last week was the annual Moments of Change conference at The Breakers Hotel in Palm Beach. A beautiful venue for a long-running gathering of providers, clinicians, and industry representatives.

The question which I heard most repeatedly asked on the exhibit floor or in breakout sessions pertained to how to assist patients (I don’t call them “clients”) and their families with the exorbitant out of pocket costs of obtaining quality treatment, such as the cost of travel. In many providers’ minds, financial barriers like this should not prevent a patient from obtaining what is essentially life-saving treatment in a community known for its robust treatment community.

As a result of these financial hardships, providers have tried to find a way to facilitate travel from the patient’s location to their programs. This concept of “travel assistance” is quite controversial in the addiction treatment space because, no matter the intention of the provider, if that offer of “travel assistance” was the reason (inducement) for the patient to choose “x” treatment center, then it is very likely that law enforcement will view such assistance as a violation of the Patient Brokering Act.

In our 10 years working specifically with treatment providers, we have been repeatedly presented with this scenario and asked what is lawful. On our end, we have spent countless hours grappling with the need to develop policies and procedures to clarify, identify, and address compliance concerns regarding financial assistance for patients who have a bona fide financial hardship. Our conclusion to date has remained the same: while the law does not explicitly state that payment of airfare is a de facto inducement or violative of the plain language of the laws against patient brokering, and while we have heard and understand the reasoning provided and the procedure used by providers has been limited to very narrow and strict circumstances, the risk to the provider of arrest is simply too great. In other words, you will have to explain it to the jury, while in the meantime, your business reputation has been soiled in the press. If a provider is not going to 100% scholarship a patient, then any other extension of good-faith credit to a patient may be viewed as illegal by regulators and law enforcement.

Fair? Maybe not. Reality? Absolutely yes.

Stated otherwise, even if at no time was it ever a provider’s intention to sway (induce) the decision-making process of any patient to receive treatment services using travel assistance, and even if such travel arrangements were facilitated solely to provide those specific patients identified as having a bona fide financial hardship with reasonable access to critical addiction treatment services, in today’s environment, law enforcement is going to assume a criminal intent is at play based upon the dozens and dozens of arrests (and reviews of business records) that have been made.  It’s simply the “zero tolerance policy” world that we live in today, based upon the atrocities we have seen by the few who care less about patients and only care about profit.

In summary, while extending credit to a patient or their family who has been legitimately verified as not having the ability to pay may not violate the plain language of Florida’s Patient Brokering Act or the federal Eliminating Kickbacks in Recovery Act, the practice remains highly suspect based upon frequent past abuses uncovered by law enforcement. Therefore, a program that engages in such practices continues to expose itself to great liability of criminal penalties, fines, and damage to reputation.

We understand that many providers have as their overwhelmingly singular goal to provide access to those seeking help, recognizing that some are facing dire financial circumstances and may not at that time have the additional financial resources to travel to their chosen treatment provider. Notwithstanding these good intentions, extending credit to patients to facilitate travel costs, even with legitimate and good faith efforts to determine bona fide financial hardship and robust efforts to collect, is considered suspect and potentially violative of the law.  Accordingly, we continue to be unable to support any practice of providing travel assistance to patients in need.  Sad, but true.

We will continue to advocate for any best practice that connects patients with addiction health care providers, recognizing that the overarching policies behind the state and federal health care laws are often in conflict with present-day realities. Even the Centers for Medicare and Medicaid Services (CMS) has recognized this reality and has been vigorously exploring ways to revamp and rewrite these laws to meet 21st century health care delivery. See

But until then, the conservative course must be the one to follow, if addiction medicine is going to ever receive the due recognition it deserves as an integral part of our national health care model.


Harm Reduction – Supervised Injection Sites

A federal judge ruled on Tuesday, October 2, 2019, that a Philadelphia nonprofit group’s plan to open the first site in the U.S. where people can use illegal opioids under medical supervision does not violate federal drug laws, delivering a major setback to Justice Department lawyers who launched a legal challenge to block the facility.

We had previously discussion this issue on on February 8, 2019 (“US Attorney Sues To Stop Supervised Injection Sites in Philadelphia”) as Florida and other states were approving “needle exchange programs” but “safe injection sites” remained objectionable to the US Attorney for the Eastern District of Pennsylvania.

According to NPR:

U.S. District Judge Gerald McHugh ruled Wednesday that Safehouse’s plan to allow people to bring in their own drugs and use them in a medical facility to help combat fatal overdoses does not violate the Controlled Substances Act.

“The ultimate goal of Safehouse’s proposed operation is to reduce drug use, not facilitate it,” McHugh wrote in his opinion, which represents the first legal decision about whether supervised injection sites can be legally permissible under U.S. law.

The decision means that the country’s first supervised injection site, or what advocates call an “overdose prevention site,” can go forward.

Justice Department prosecutors had sued to block the site, calling the proposal “in-your-face illegal activity.”

While local officials from New York to San Francisco praised the decision, the federal government is expected to appeal.

“The Department of Justice remains committed to preventing illegal drug injection sites from opening,” said Bill McSwain, U.S. Attorney for the eastern district of Pennsylvania. “Today’s opinion is merely the first step in a much longer legal process that will play out. This case is obviously far from over.”

Most studies show that the supervised injection sites can drive down fatal overdoses. These sites are credited with restricting the spread of infectious diseases. And advocates say the facilities help move more people into treatment. The American Medical Association has endorsed launching supervised injection site pilot programs.

Ronda Goldfein, who is Safehouse’s vice president and secretary, said winning judicial approval is a major feat for advocates of the proposed site, which also has the backing of top city officials and former Pennsylvania governor Ed Rendell.

“Philadelphia is being devastated. We’ve lost about three people a day” to opioid overdoses, Goldfein said. “And we say we had to do something better and we couldn’t sit back and let that death toll rise. And the court agreed with us.”

Although federal data show that overdose deaths in 2018 dipped for the first time in years, more than 68,000 people died of overdoses in the U.S. last year, and most of the deaths involved opioids. Public health leaders in localities hardest cit by the opioid crisis have been searching for interventions to save more lives, including sites similar to what Safehouse is planning.

Supervised injection sites exist in Canada and Europe, but no such site has gotten legal permission to open in the U.S. Cities like New York, Denver and Seattle have been publicly debating similar proposals, but many were waiting for the outcome of the court battle in Philadelphia.

Attorneys general from Washington, D.C., and seven states including Michigan, New Mexico and Oregon, in addition to city leaders in five cities, urged the court before the decision to rule in favor of Safehouse.

Legal hurdles are not Safehouse’s only obstacles. The facility is planning to launch in the Philadelphia neighborhood of Kensington, which has been ravaged by the opioid crisis, but some neighbors have resisted welcoming an injection site into their community.

Community activist Amanda Fury said the court decision will not change the hardened battle lines over this issue there.

“I’ve never been in the business of trying to change people’s minds on this,” said Fury, who supports the measure but admits that residents are divided.

“I don’t think that’s where we are in this process anymore. I feel like most people have made up their minds, and it’s going to take a lot more to make people see things in a different way,” she said.

In court, meanwhile, prosecutors have contended that the plan violated a provision of the Controlled Substances Act that makes it illegal to own a property where drugs are being used — known as “the crack house statute.” But backers of Safehouse argued the law was outdated and not written to prevent the opening of a medical facility aimed at saving lives in the midst of the opioid crisis.

“We have consistently said we did not have an illegal purpose. We have a lawful purpose. Our purpose is to save lives,” Goldfein said.

On Wednesday, in a move that surprised observers, McHugh agreed. He wrote that there “is no support for the view that Congress meant to criminalize projects such as that proposed by Safehouse.”

McHugh rejected federal prosecutor’s view that this was an open-and-shut case of a proposal clearly violating federal drug statutes. Instead, he noted that the purpose of Safehouse is not to provide a place for people to engage in unlawful activity.

“Viewed objectively, what Safehouse proposes is far closer to the harm reduction strategies expressly endorsed by Congress,” McHugh wrote.

The case is United States of America v. Safehouse, a Pennsylvania nonprofit, and Jeanette Bowles, as Executive Director, Case No. 2:19-cv-00519-GAM, filed in the Eastern District of Pennsylvania.

** Please make sure to “like” our Facebook page to get more recent and up-to-date daily news relating to SUD, treatment, and recovery housing.

DCF Updates Rules Regulating SUD Treatment Providers

Today (technically on 8/9), DCF released its Final Version of the rewrite of the rules regulating treatment providers, found within Chapter 65D-30 of the Florida Administrative Code.

A copy of the Final Rules is attached and is expected to be considered “final” as of 8/29/2019.

We want to give a shout out to attorney Benjamin Hefflinger, Esq., who also represents providers in this space, for running the attached redline comparison so you can see what has changed (and a lot has changed).

My prior commentary and highlights of the rule changes can be found in prior blog posts.

Since this change impacts how a treatment provider conducts its operations going forward, it is strongly suggested that providers work with their in-house licensing consultants/compliance officers to review the changes to make sure you are adequately informed.

This email and all blog posts are not intended to replace legal advice from a Florida licensed attorney and is being offered for informational purposes only.

Click here for “Chapter 65D-30” Click here for “65D-30 (Compared result)”

EMRs and the Sale of Patient Data, Part 1

Amongst all aspects of regulatory compliance as an addiction treatment provider, the privacy and security of Patient Health Information (“PHI”) as well as protecting Patient Identifying Information (“PII”) appears largely misunderstood. The requirement of privacy and security of patient information stem in part from both HIPAA (the “Health Insurance Portability and Accountability Act” of 1996) and the HITECH Act of 2009 (the “Health Information Technology for Economic and Clinical Health Act”), the latter of which was created to motivate the implementation of electronic health records (“EHR”) and supporting technologies to start to be able to data crunch and see a patient’s “whole health” picture before any given physician. [Note: EHRs are the aggregation of health data from a patient; EMR or Electronic Medical Records, are the electronic equivalent to charting within a health care provider’s office.]

A patient’s PHI is more and more regularly kept as an electronic medical record – a single practice’s digital version of a patient’s chart. An EMR contains the patient’s medical history, diagnoses and treatments by a particular physician, nurse practitioner, specialist, dentist, surgeon or clinic.

In contrast, electronic health records are larger data sets, which are aggregations of data from EMRs, designed and intended to be shared with other providers, so authorized users may instantly access a patient’s EHR from across different healthcare providers and platforms.

Within this space of Health Information Management, the governing laws have essentially two main parts: the Privacy Rule, and the Security Rule.

The Privacy Rule addresses what PHI and PII must be protected from unauthorized disclosure The Security Rule essentially discusses the steps that a provider of holder of PHI and PII must take to secure such data, including in its transmission to another authorized party (often what is referred to as a “Business Associate.”). “Patient Identifying Information” includes “the name, address, social security number, fingerprints, photograph, or similar information by which the identity of a patient can be determined with reasonable accuracy and speed either directly or by reference to other publicly available information.”  Both PHI and PII must be secured and protected.

The Privacy Rule describes the ways in which covered entities can use or disclose PHI, including for research purposes. In general, the Rule allows covered entities to use and disclose PHI for research if authorized to do so by the subject in accordance with the Privacy Rule. In addition, in certain circumstances, the Rule permits covered entities to use and disclose PHI without authorization for certain types of research activities. For example, PHI can be used or disclosed for research if a covered entity obtains documentation that an Institutional Review Board (IRB) or Privacy Board has waived the requirement for authorization or allowed an alteration. The Rule also allows a covered entity to enter into a data use agreement for sharing a limited data set. There are also separate provisions for how PHI can be used or disclosed for activities preparatory to research and for research on decedents’ information.

However, if the data is de-identified, then the data itself is not PHI as a matter of law, and therefore is not protect by HIPAA’s Privacy Rule. PHI excludes health information that is de-identified according to specific standards. Health information that is de-identified can be used and disclosed by a covered entity without authorization or any other permission specified in the Privacy Rule.

De-identified patient data is health information from a medical record that has been stripped of all “direct identifiers”—that is, all information that can be used to identify the patient from whose medical record the health information was derived. According to the Health Insurance Portability and Accountability Act (HIPAA), there are 18 direct identifiers that are typically present in patient medical records. These include: Names; Geographic subdivisions smaller than a state (e.g. street address, city and ZIP code); All dates that are related to an individual (e.g., date of birth, admission); Telephone numbers; Fax numbers; Email addresses; Social Security numbers; Medical record numbers; Health plan beneficiary numbers; Account numbers; Certificate/license numbers; Vehicle identifiers and serial numbers, including license plate numbers;  Device identifiers and serial numbers; Web universal locators (URLs); IP address numbers; Biometric identifiers such as fingerprints and voice prints; Full-face photographic images; and Other unique identifying numbers, characteristics or codes.

According to HIPAA, there are 3 acceptable ways to de-identify patient data. The first is the “safe harbor” option, in which all 18 identifiers are removed. The second is the “statistical” option, in which a retained statistician determines which of the 18 identifiers can be maintained without creating greater than a “very small” risk that the data could be re-identified. The third is the “limited data set” technique, in which the organization removes 16 identifiers and protects what remains with special security precautions.

As a result, both PHI and de-identified health data has been lawfully used for years to help find medical breakthroughs, improve care, estimate the costs of care, and support public health initiatives.

More recently, “big data” companies like Google, Amazon and Apple have been getting into the health care data space. Back in 2016, Google partnered with England’s NHS using Google’s “Deep Mind” subsidiary which was granted access to medical records on 1.6 million patients who had been treated at some time by three major hospitals. The purpose of this data mining was a joint effort between Google and the Royal Free NHS Trust to develop a diagnostic app for detecting acute kidney injury. (see,

However, if one can de-identify the information, meaning, remove those aspects of a chart or file or data set that contains PII, then the rules governing privacy and security effectively go away.

So why does this matter?

This begins the brief discussion of this post – the massive unground economy which has evolved around the brokering of de-identified PII and PHI to third-parties.

“Why would anyone pay for that,” you ask?

The offspring of that evolution in medical data brokering and big number crunching is a not-so-new economy that is using your health care data, and that of your patients, for profit.

One of the most prolific writers and outspoken critics of this underground economy of medical data brokering is Adam Tanner, a fellow at Harvard University’s Institute for Quantitative Social Science and author of “What Stays in Vegas: The World of Personal Data — Lifeblood of Big Business — and the End of Privacy as We Know It” and “Our Bodies, Our Data: How Companies Make Billions Selling Our Medical Records.”  According to an interview Tanner gave to Time Magazine in 2017, “prescription records, blood tests, doctors’ notes, hospital visits and insurance records are all sold to commercial companies, which gather years of health information on hundreds of millions of people,” which de-identified data is then sold to various entities including insurance companies, researchers, and you guessed it, Big Pharma.

In a comprehensive article published in Scientific American written by Adam Tanner, he summarizes it best:

“Health researchers are not the only ones, however, who collect and analyze medical data over long periods. A growing number of companies specialize in gathering longitudinal information from hundreds of millions of hospitals’ and doctors’ records, as well as from prescription and insurance claims and laboratory tests. Pooling all these data turns them into a valuable commodity. Other businesses are willing to pay for the insights that they can glean from such collections to guide their investments in the pharmaceutical industry, for example, or more precisely tailor an advertising campaign promoting a new drug.”

How much are they willing to spend? reported back on May 8, 2019, that the EMR market alone is growing at 6% annually, now topping $31 billion dollars annually.  Within the EMR economy is the recognition that Big Pharma has been willing to pay big bucks for EMR vendor data, such as prescriber habits, outcomes-related data, or connecting the e-prescribing function with copay and formulary data.  Pfizer is on record as stating that, as of 2016, it was spending $12 million dollars annually to acquire anonymized health data.

In addiction medicine, this sharing of information is very important amongst researchers to begin to find long-term cures to heal the addicted brain. For insurance carriers, it may become a source to help identify effective “evidence based outcomes” and modalties.  For Big Pharma, they want to follow who is prescribing MAT (and who is not) to get everyone on their latest and greatest magic pills.

So the takeaway question is this – if you are a health care provider/addiction treatment center, do you know what’s going on with your patient health data you are uploading to your EMR?  And equally important, is your EMR legally selling your acquired data, and then cutting you out?  What about the patients? Who are the “brokers” in this space?

On this point (and a topic of future blog posts on this subject), most states including Florida had adopted laws which provide that such patient data is owned by the health care provider, not the patient (and thus, not the EMR either).

So is your EMR provider controlling or even selling your patients’ data, without your knowledge or consent? And if so, to who, and why?

Thanks again for reading, and please “Like” our Facebook page where we share daily news articles of interest.

Prosecutors bring rare criminal charges against Ohio opioid distributor

Federal prosecutors in Cincinnati filed criminal charges Wednesday against an opioid distributor and two of its top former officers, including its Compliance Officer, accusing them of conspiring with doctors and pharmacies to pour millions of addictive pain pills into Ohio, West Virginia and Kentucky.

The indictment of Miami-Luken, its former president and its former compliance officer was the second time in three months that federal prosecutors have used criminal laws against a drug distributor in their efforts to stem the prescription opioid epidemic. That is a more aggressive posture than the Justice Department has used since 2007, when it began using civil and administrative actions to enforce laws against drug distributors.

“There’s a need, in my opinion, to devote sufficient charges right here and now to stop the dying,” U.S. Attorney Benjamin C. Glassman said about why the agency used criminal statutes. “We have to devote the resources to cut off the supply of the drugs, whether it’s synthetics or it’s prescription opioids or both.”

In April, we also reported that the U.S. attorney in New York brought criminal charges against Rochester Drug Cooperative, another opioid distributor, in the first use of that tactic against a middleman in the drug supply chain.

Many will recall that a 2017 “60 Minutes” report uncovered that DEA investigators wanted criminal charges filed against executives of the largest drug distributor in the United States, McKesson Corp., after they built a case against the firm alleging violations in nine parts of the country. But they were rebuffed by federal prosecutors and the Justice Department, which settled with the company and fined it $150 million.

Read more here.

DCF Releases Further Changes to Treatment Regulations in 65D-30

On June 25, 2019, the Florida Department of Children and Families (DCF) released its latest “Notice of Change” relating to further proposed and revised revisions Chapter 65D-30 of the Florida Administrative Code. These rules govern the licensure, management, regulation, as well as service delivery of care relating to Substance Use Disorders.

DCF first issued its “Notice of Proposed Rules” in December 2017 and held live and video-conferenced public hearings across the state to take public input. This rule re-write was based upon a mandate by the Florida Legislature in 2017.

Since that time, there have been two (2) proposed changes or revisions; one published in October 2018, and now the one published just last week.

Understanding the changes are difficult at best as the 2018 and 2019 revisions to the 2017 proposal are not drafted as a redline of the currently enacted rules (pre-2017 version). There is a lot of back-and-forth cross-referencing required to try to piecemeal the entire thing together. It is a very time-consuming and laborious task that may cause even the most astute reader (or lawyer) to simply throw up their hands (or, simply just throw up).

We are currently unaware of when a hearing on the proposed changes may take place.  For clients who are interested in knowing more, please contact us so that we can work with you on this very important matter.

Below are a few comments on items that we gleaned from the current 2019 proposed revisions. This information is intended simply to make the reader aware of the proposed changes and is not intended to be an analysis of the proposed changes or to be a substitute for clinical, compliance and/or legal counsel to determine the impact any of these proposed changes may have upon ownership, management, operations and service delivery.

Please also note that further revisions to the proposed rule changes beyond the June 25, 2019 version may occur as a result of the recent adoption of HB 369 (2019), signed by the Governor on June 28, 2019, and codified as Chapter 2019-159, Laws of Florida, particularly with regard to expanded Level 2 background screenings as well as the new, revised exemption from disqualification application process and categories, and mandatory timeframes that DCF must now follow.

  • Definition of “Best Practices” –Proposed Rule 65D-30.004(1) continues to mandate all administrative and clinical services now must align with “current best practices,” defined to mean: “the combination of specific treatments, related services, organizational and administrative principles, core competencies, or social values designed to most effectively benefit the individuals served.  Best Practices also include evidence-based practice, which is subject to scientific evaluation for effectiveness and efficacy.  Best Practice standards may be established by entities such as the Substance Abuse and Mental Health Services Administration, national trade associations, accrediting organizations recognized by the Department, or comparable authorities in substance use treatment.”
  • Change of Ownership/Transfer of Licensure –  Proposed Rule 65D-30.0034 is dedicated to the topic of “Change in Status of License.” The 2019 revision offers a further change to what was proposed in 2018 to align with the statute and clarifies that a “change of ownership” occurs when greater than 50% of ownership, shares, membership, or controlling interest of a licensee is in any manner transferred or otherwise assigned.  The 2018 version had stated “51%.”  A change in ownership of less than a majority of the ownership interest in a licensed entity is proposed to only require submittal of a local and Level 2 background check.
  • Clinical Supervisor – The proposed definition seeks to track recent amendments to Florida Statutes and states: “Clinical Supervisor” means a person that manages personnel who provide direct clinical services, or a person who maintains lead responsibility for the overall coordination and provision of clinical services. A “Clinical Supervisor” shall meet the qualifications of a “Qualified Professional” as defined in s. 397.311(34), F.S. For the purposes of this Rule Chapter a Clinical Director is considered a Clinical Supervisor.”
  • License Applications and Renewals –Proposed Rule 65D-30.0036 (“License Application and Renewals”) made some new additions, updated further in the recent 2019 version. Some key takeaways are:
    • Applications require proof of compliance for all licensed facilities, including community housing, with local health, fire, and safety inspections. This seems to be an attempt to eliminate the use of private fire inspectors.
    • In addition to the CEO, now CFOs and Clinical Supervisors must also provide information on their competency and ability to fulfill their roles and compliance with the rules, “including education, previous employment history, and list of references.”
  • Self-Administrative of Medication in Community Housing – within Rule 65D-30.004(7) under “Medical Services” is new language requiring specific standards and criteria for supervision of the self-administration of medicine within a Community Residence setting under a PHP license.  The rule mirrors the same requirements as in clinical settings.
  • Violations and Penalties – Proposed Rule 65D-30.0038 entitled “Violations; Imposition of Administrative Fines; Grounds” adopts statutory penalties enacted in 2017; this 2019 proposed revision to the rule emphasizes that it shall be deemed unlawful to: (i) operate a service without a license; and (ii) fail to inform DCF of a change of ownership within the specified timeframe [5 business days]. These omissions will now incur additionally penalties and fines.
  • Medical Directors & Number of Facilities – DCF has endeavored to try to create a methodology for determining the maximum number of individuals a Medical Director may serve (noting that a “medical director” is only still required for addiction receiving facilities; detoxifications; intensive inpatient treatment; residential treatment; and methadone medication-assisted treatment). This methodology, found within revised Rule 65D-30.004 (“Common Licensing Standards”), subsection (6), breaks down the maximum number of patients that can be under a single Medical Director’s supervision in a chart format, based upon license type.  However, a Medical Director is still not required for outpatient services.
  • Critical Incident Reporting –DCF has attempted to incorporate into rule the IRAS critical incident reporting tool, CFOP 215-6, for ease of reference. Mandatory reporting must now occur within 24 hours of the incident occurring, different than the existing language of “one (1) business day” and continues to include: “Events regarding individuals receiving services or providers that have led to or may lead to media reports.”
  • Delivery of Clinical Services – Proposed Rule 65D-30.0046 entitled “Staff Training, Qualifications, and Scope of Practice” appears to continue to require that all clinical services now be provided by either the Qualified Professional or by persons with specific degrees or recognized certifications.  It remains UNCLEAR however, whether non-clinical staff may still continue to provide therapy and counseling, as well as the new “recovery support services”; “crisis intervention” and “counseling with families, couples, and significant others” even when working “directly under the supervision of a qualified professional.”  It seems that only certain persons may now provide such “counseling services” and includes, but is not limited to: (i) persons with a bachelor’s or master’s degree with a major in a relevant field; (ii) certified addiction professionals, certified by the Florida Certification Board; and (ii) certified addiction counselors, also certified by FCB.
  • Day or Night Treatment with Community Housing (PHP) Licenses – Proposed revisions to Rule 65D-30.0081 states: “The housing must be provided and managed by the licensed service provider, including room and board and any ancillary services needed, such as supervision, transportation and meals.”  This is in response to inquiries as to whether third-parties may provide such Community Housing. What remains unclear is how this is to be implemented. At a minimum, it would seem the treatment center must be the primary tenant on any lease, even if ownership is the same.
  • Residential Treatment – Rule 65D-30.007 is proposed for significant overhaul going back to the original 2017 version of the rules and carrying over into the 2018 revisions (the recent 2019 amendments left the 2018 changes in place). DCF seeks to restructure Residential Level 1 into “Adult Level 1” and “Adolescent Level 1” and does the same with Level 2 programs. DCF continues to seek to eliminate Residential Level 5 programs (we were hoping they would reverse course in the 2019 version based upon overwhelming opposition from providers). It remains to be seen how this will be resolved, such as whether these licenses will be “grandfathered in” particularly in instances where DCF was directly involved in assisting with obtaining the Res. 5 approval to meet nuanced (i.e. discriminatory) local zoning requirements that did not otherwise allow inpatient treatment in their cities.

Again, this information is intended simply to make the reader aware of the proposed changes and is not intended to be an analysis of the proposed changes or to be a substitute for clinical, compliance and/or legal counsel to determine the impact any of these proposed changes may have upon ownership, management, operations and service delivery.

The proposed rule changes are not final and still must go through a process for final adoption.

If you have received this post from someone else and are not a subscriber to our newsletter, please make sure to sign up at, where you can also find other articles, editorials, and commentary of interest.

Click here to find out more

What the New DOJ Compliance Program Guidance Means to Health Care

By Michael W. Peregrine, McDermott Will & Emery LLP;  Katherine Lauer, Latham & Watkins LLP; and Tony Maida, McDermott Will & Emery LLP

Original written for, and published by, the American Health Lawyers Association, May 10, 2019

[Editor’s Note: With the adoption of the SUPPORT Act of 2018 and its inclusion of the “Eliminating Kickbacks in Recovery Act” which now expands federal jurisdiction in the SUD treatment regulatory space to private-pay providers as well, it is far past time for licensed service providers to begin to take very seriously the development of an effective compliance program, consistent with US Department of Justice Guidelines, in order to both mitigate risk, as well as to be able to identify new risk quickly and effectively when it arises.]

The health care compliance industry recently received a new addition to the compliance program guidance library that continues the discussion of the government’s viewpoint on measuring compliance program effectiveness.

The guidance document, entitled “The Evaluation of Corporate Compliance Programs,” was issued by the Department of Justice (DOJ) Criminal Division on April 30, 2019, updating a prior version issued by the Criminal Division’s Fraud Section in February 2017. Ten pages longer than the 2017 version—many of the revisions provide additional context to how DOJ expects prosecutors to analyze a company’s compliance program, while also harmonizing the guidance with other Department guidance and standards.

The 2019 version stresses the adequacy—rather than the simple existence—of a corporation’s compliance program. Whether the organization had any compliance program at the time the misconduct occurred, and the quality of the program, affects the resulting (a) form of any resolution or prosecution; (b) monetary penalty, if any; and (c) compliance obligations contained in any corporate criminal resolution. Prosecutors are instructed to consider whether the compliance program has been tested and proven to prevent or detect misconduct, and whether simple changes and improvements could correct the misconduct that gave rise to the legal issue.

The new guidance document discusses in detail the three main thematic questions that prosecutors should use in evaluating corporate compliance programs: (1) whether the program is well-designed; (2) whether the program has been applied earnestly and in good faith (in other words, effectively implemented); and (3) whether the program actually works in practice. DOJ dispensed with the 2017 document’s structure, moving from a series of questions about the characteristics of a compliance program into a discussion of how these three main thematic questions can be used to draw out information to show that the compliance program is adequate and effective.

Part I: Design

DOJ first examines the compliance program’s design as the starting point for an effectiveness review. One hallmark of a well-designed compliance program is whether the program’s risk assessment program is designed to detect the particular types of misconduct most likely to occur in the company’s line of business and whether that risk assessment is updated periodically. This approach acknowledges that compliance programs need to prioritize risks to properly focus time and resources to the risks that pose greater importance to the business than other, possible, but less likely risks. Much of DOJ’s further discussion of risk assessment and program design keys off of this concept:

  • Policies and procedures—DOJ looks at company policies and procedures for content addressing risks and showing a commitment to a culture of compliance and ethics.
  • Training and communications—Here, DOJ examines whether the program is being disseminated to, and understood by, employees in practice in order to decide whether the compliance program is truly effective, including providing appropriate resources for guidance.
  • Confidential reporting structure and investigation process—DOJ’s review will examine whether the program provides an efficient and trusted mechanism by which employees can anonymously and confidentially report allegations of a breach of the code of conduct, a company policy, or suspected/actual misconduct, as well as an efficient and effective investigation response.
  • Third party management—DOJ will ask whether the program applies risk-based due diligence to vet its third-party relationships, with a focus ranging from specificity of contract terms to the third-party’s reputation.

M&A—Finally, DOJ reviews whether the program ensures comprehensive due diligence of any acquisition targets.

The main lesson from this discussion is DOJ’s focus on the effectiveness of the company’s risk assessment and the manner in which the company’s compliance program has been tailored based on that risk assessment. DOJ expects that an effective compliance program evolves over time as new risks emerge and as the company develops new strategies to address them. The new focus on M&A diligence reflects a pattern that DOJ has seen time and again—those situations where a new owner finds itself saddled with ongoing compliance issues, and the attending liability, when its diligence activities have been insufficient to identify historical non-compliance.

Part II: Implementation

DOJ next moves to discussing the features of effective implementation of a compliance program, including commitment by senior and middle management, autonomy and resources, and incentives and disciplinary measures. Helpfully, DOJ continues to acknowledge that there is no “one size fits all” for compliance program structure and consequent implementation, but that these decisions depend on the size, structure, and risk profile of the particular company. The implementation discussion includes:

Commitment by senior and middle management—Consistent with all of DOJ’s statements on individual accountability (e.g., Yates Memo), DOJ unsurprisingly scrutinizes whether the company’s leadership fosters a culture of ethics and compliance with the law and demonstrates a personal, shared commitment to compliance.

Autonomy and resources—A longstanding issue for the government’s examination of program effectiveness is whether the program gives adequate authority and stature to those charged with day-to-day oversight.
Incentives and disciplinary measures—Another longstanding government concern is whether the program establishes incentives for compliance and disincentives for non-compliance, including clear disciplinary procedures, with a focus on consistency.

A key takeaway from the implementation discussion is a focus on “tone at the top” and other indications of support for the compliance program from gatekeepers, executive leadership, and the board. DOJ will look not only at what senior management says, but at how senior management treats compliance professionals. A company that gives lip service to compliance, but denies its compliance professionals the title, authority, and resources necessary to effectively implement the program will not be viewed favorably.

Part III: Actual Operation

Finally, DOJ ends its thematic analysis with metrics for asking whether the compliance program is in fact operating effectively. Importantly, DOJ acknowledges the fact that some misconduct occurred does not necessarily mean that the compliance program is ineffective. However, consistent with long-held views of the Department of Health and Human Services Office of Inspector General, detection, remediation, and resolution of misconduct is described as an important sign that the compliance program is effective.

Continuous improvement, periodic testing, and review—DOJ’s review concerns whether the program has the capacity to improve and evolve with changes in company business and the environment within which it operates, including whether the company makes meaningful efforts to review its compliance program and ensure it does not lose strength.

Investigation of misconduct—DOJ articulates a strong focus on whether the program has a well-functioning and appropriately funded mechanism for the timely and thorough investigations of any allegations or suspicions of misconduct by the company, its employees, or agents that includes meaningful documentation.

Analysis and remediation of any underlying conduct—Another traditional area for government examination is whether the company is able to conduct a root cause analysis of misconduct and timely and appropriately remediate to address the root causes.

DOJ’s main message with this factor is a strong focus on how the company both detects misconduct and responds to situations in which misconduct is detected. Once again, DOJ focuses on the need for a compliance program to adapt to new risks and develop new controls as the business environment changes. And once again there is a strong message from DOJ that a compliance program must be sufficiently resourced so that the company can effectively and rigorously investigate alleged misconduct.


Given all the risks health care companies face in operating in a highly regulated environment, a well-functioning and effective compliance program is a critical component of a company’s risk management strategy. DOJ’s revised guidance shows DOJ has a consistent view of the importance of an effective and highly functioning compliance program. Health system boards, executive teams, and the compliance and other departments would be well served to review and implement the key takeaways and messages from the revised guidance.

Mr. Peregrine and Mr. Maida are partners in the law firm of McDermott Will & Emery, and Ms. Lauer is a partner in the law firm of Latham & Watkins.

BREAKING NEWS – Florida Legislature Passes Latest Sober Homes Task Force SUD Treatment and Recovery Residence Legislation

Today, the Florida Senate passed and adopted Florida House Bill 369 (HB 369) which was drafted based upon recommendation from State Attorney Dave Aronberg’s Sober Home Task Force.

The legislation is now on its way to Governor Ron DeSantis’ desk for signature.

Below is a summary of the bill and how it affects SUD treatment providers, recovery residences, and lead generators/marketers.

NOTE: unless and until the Governor signs the law, these changes do not take effect. If signed, the law will take effect on July 1, 2019.

  1. Level 2 Background Checks – Disqualifications – Exemptions.

    Certain persons in positions of ownership or employment in a treatment program or recovery residence must pass a Level 2 background screening. If specified crimes are found in the applicants past, they are deemed “disqualified” from such ownership and/or employment.

    Treatment and recovery advocacy groups have been rightfully asserting for years that these disqualifications otherwise exclude the type of workforce that historically occupies this space – persons in recovery who themselves have had run-ins with the law while in active addiction.

    HB 369 seeks to correct this issue by allowing the state to grant “limited exemptions” from disqualification as the result of criminal history for persons who work solely in mental health treatment programs or facilities, or in programs or facilities that treat co-occurring substance use and mental health disorders. The purpose of this expansion by created a “limited exception” is as the result of an acknowledgement from the Legislature that the SUD workforce population often comes from persons in recovery from SUD themselves, and often times have a criminal background as the result of prior drug or alcohol misuse.

    However, and beginning July 1, 2019, the types of offenses to be screened under a Level 2 background check have also been EXPANDED to include those offenses listed in Chapter 408, F.S. (s. 408.809(4)). As a result, persons who may have passed a Level 2 background check in the past under Ch. 435, may now find themselves having to submit a new exemption application.

    That said, HB 369 also expands the crimes for which an individuals may receive an exemption from disqualification without the statutorily imposed waiting period, if they are working with adolescents 13 years of age and older and
    adults with substance use disorders, it being recognized that these crimes are most often associated with active drug misuse.  The specific crimes for which the “waiting period” have been waived are:

    • Prostitution.
    • Burglary (3rd degree felony).
    • Grand theft of the third degree (3rd degree felony).
    • Forgery (3rd degree felony).
    • Uttering forged instruments (3rd degree felony).
    • Related attempt, solicitation, or conspiracy crimes.

    That said, the facts and circumstances of each application for exemption are viewed on a case-by-case basis, meaning that if it seems that the underlying crime was perpetrated not associated with drug or alcohol misuse, but rather in the course of a scheme of criminal behavior, the exemption may still be denied by DCF.

    For individuals who seek an exemption from disqualification for employment in substance abuse treatment following a level 2 background screening, the bill requires DCF to render a decision on the application for exemption from disqualification within 60 days after DCF receives the complete application. Historically, DCF has “taken its time” with review, leaving many, many persons otherwise unemployable for an indefinite period of time.

    Additionally, HB 369 allows individuals to work under supervision for up to 90 days while DCF evaluates their applications for an exemption from disqualification, so long as it has been five or more years, or three or more years in the case of a certified peer specialist or peer specialist seeking certification, since the individuals have completed all nonmonetary conditions associated with their most recent disqualifying offense.

  2. Clinical Supervisors.

    Going forward, persons identified on DCF applications as a facility’s “Clinical Supervisor” must also meet the definition of persons who are “Qualified Professionals.”

    A “Qualified Professional” means “a physician or a physician assistant licensed under chapter 458 or chapter 459; a professional licensed under chapter 490 or chapter 491; an advanced practice registered nurse licensed under part I of chapter 464; or a person who is certified through a department-recognized certification process for substance abuse treatment services and who holds, at a minimum, a bachelor’s degree. A person who is certified in substance abuse treatment services by a state-recognized certification process in another state at the time of employment with a licensed substance abuse provider in this state may perform the functions of a qualified professional as defined in this chapter but must meet certification requirements contained in this subsection no later than 1 year after his or her date of employment.”

    “Clinical Supervisors” are deemed those persons “whose functions include managing personnel who provide direct clinical services or maintaining lead responsibility for the overall coordination and provision of clinical services.”

    Previously, clinical supervisors were not required to be qualified professionals. This revised definition would now require clinical supervisors to meet the requirements of a qualified professional under s. 397.311(34), F.S., meaning only a licensed physician, physician assistant, psychologist, mental health professional, or advanced practice registered nurse, or a certified substance abuse treatment services provider with a bachelor’s degree could hold this title and serve in this role.

  3. “Community Housing” under a “Day or Night Treatment with Community Housing” license (aka “PHP”) Must Now Be FARR Certified.

    HB 369 now requires the residential component of a “day or night treatment facility with community housing” (Rule 65D-30.0081) license to be FARR certified. Currently, such community housing is not required to be certified as recovery residences pursuant to an obscure administrative ruling late last year by DCF.  Under the bill, licensure of PHP programs must now concurrently include FARR certification of the residence itself (likely as a FARR Level 4 program). Additionally, the housing components would need a certified recovery residence administrator to actively manage them and they would be subject to the referral restrictions of s. 397.4873, F.S.

  4. Eviction/Discharge from a Recovery Residence.

    It is well-recognized in the recovery community that a resident of a recovery residence who is disruptive and/or relapses must be removed from the dwelling for the safety and security of the other residents. However, often times local law enforcement was hesitant to remove such an individual under confusion about whether Florida’s Residential Landlord Tenant Act applied (Ch. 83, F.S.), and whether the landlord/recovery residence administrator was required to seek a court order of eviction.

    Under HB 369, the bill allows a certified recovery residence that has a discharge policy approved by FARR to transfer or discharge residents from the recovery residence in accordance with that policy under the following circumstances:

    • The discharge or transfer is necessary for the resident’s welfare;
    • The resident’s needs cannot be met at the recovery residence; and
    • The health and safety of other residents or recovery residence employees are at risk or would be at risk if the resident continues to live at the recovery residence.

    This right to discharge or transfer a resident will supersede any landlord and tenant rights and obligations under Chapter 83, F.S., Florida’s Residential Landlord Tenant Act.

  5. Clarification of Marketing Prohibitions and Contracts.

    For entities that contract with a marketing provider that provides referral services to treatment providers and/or recovery residences, HB 369 makes it a contractual requirement for the marketing provider to disclose the nature of the referral and the list of DCF’s licensed service providers and certified recovery residences. Previously, this obligation was placed on the treatment providers and/or recovery residences themselves, which made no sense, since they had no direct control over the lead generator.

    To understand this change, we look back to the origin of the law from 2017, when the Florida Legislature created s. 397.55, F.S., relating to prohibitions on specified marketing activities by third-party marketers.

    That statute provides in part:

    service provider, an operator of a recovery residence, or a third party who provides any form of advertising or marketing services to a service provider or an operator of a recovery residence may not engage in any of the following marketing practices:

    (a) Making a false or misleading statement or providing false or misleading information about the provider’s or operator’s or third party’s products, goods, services, or geographical locations in its marketing, advertising materials, or media or on its website.
    (b) Including on its website false information or electronic links, coding, or activation that provides false information or that surreptitiously directs the reader to another website.
    (c) Conduct prohibited by s. 817.505 (the Patient Brokering Act).
    (d) Entering into a contract with a marketing provider who agrees to generate referrals or leads for the placement of patients with a service provider or in a recovery residence through a call center or a web-based presence, unless the service provider or the operator of the recovery residence discloses the following to the prospective patient so that the patient can make an informed health care decision:
    1. Information about the specific licensed service providers or recovery residences that are represented by the marketing provider and pay a fee to the marketing provider, including the identity of such service providers or recovery residences; and
    2. Clear and concise instructions that allow the prospective patient to easily access lists of licensed service providers and recovery residences on the department website.

    HB 369 now corrects and clarifies s. 397.55(1)(d) by now placing the burden on the MARKETING PROVIDER to be the responsible party to disclose to prospective patients: (1) Information about the specific licensed service providers or recovery residences that are represented by the marketing provider and pay a fee to the marketing provider, including the identity of such service providers or recovery residences; and (2) Clear and concise instructions that allow the prospective patient to easily access lists of licensed service providers and recovery residences on the DCF website.

    The failure of the MARKETING PROVIDER to clearly provide this information to patients is a crime, a misdemeanor of the first degree. A violation of paragraph (1)(c) is a violation of the prohibition on patient brokering and if a felony.

    Still, it is also a crime for a treatment provider and/or recovery residence to enter into a contract where this requirement is not adhered to.

  6. Patient Brokering.

    HB 369 further clarifies and closes an alleged loophole in the existing statute (817.505), whereby persons were claiming that any payment arrangement not specifically excluded by the federal Anti-Kickback Statute (42 USC s. 1320a-7b(b)), was otherwise permitted by the Patient Brokering Act. To put to bed any such confusion, HB 369 makes it abundantly clear that the Patient Brokering Act would not apply to payment arrangements EXPRESSLY PERMITTED by the AKS (and its regulations adopted pursuant thereto).  In other words, if the payment arrangement is not prohibited by the AKS, that does not mean it is permitted under the Patient Brokering Act.

  7. FARR Decision-making and Due Process.

    Up until now, the right of FARR to deny or condition certification did not have a clear process to challenge such an adverse decision, but for going directly to court. The Florida Legislature, acknowledging that FARR has been delegated executive branch responsibility from DCF, has now provided that any decision by FARR to deny, revoke or suspend a certification, or otherwise impose sanctions, in now reviewable first through a formal administrative process by DCF, pursuant to the laws and rules of Chapter 120, F.S., the Florida Administrative Procedures Act, which includes the opportunity for an impartial hearing before an Administrative Law Judge.

  8. Increased Penalties for Misleading DCF in Applications.

    The Florida Legislature has elected to take a very tough stance against applicants for licensure (or renewal) who are not completely transparent with the agency in their applications, specifically with regard to omitting persons in a position of ownership or otherwise. HB 369 amends s. 397.4075, F.S., to now make it a 3rd degree felony (punishable up to 5 years in prison plus fines) to “inaccurately disclose by false statement, misrepresentation, impersonation, or other fraudulent means, or fail to disclose, in any application for licensure or voluntary or paid employment, any fact which is material in making a determination as to the person’s qualifications to be an owner, a director, a volunteer, or other personnel of a service provider.”

    It is also now a felony to operate or attempt to operate as a service provider with personnel who are in noncompliance with the minimum standards required for licensure.

  9. Peer Specialists.

    Currently there is no statutory definition of or requirements for a peer specialist as it relates to mental health and substance abuse. The bill creates a definition for peer specialists consistent with DCF’s guidelines and guidance
    documents, and requires peer specialists to be certified, except in limited circumstances, to provide DCF-funded support services.

    As the nation faces a shortage of mental health professionals, peers or peer specialists have been used to fill the gap and assist persons with substance use disorders and mental illnesses. In Florida, DCF and Medicaid both allow reimbursement for peer support services but only if provided by certified peer specialists.

    HB 369 accomplishes the following in this regard:

    • Defines “peer specialist” as a person who has been in recovery from a substance abuse disorder or mental illness for at least two years and who uses his or her lived experience to deliver services in behavioral health settings to support others in their recovery, or as a person who has two years’ experience as a family member or a caregiver of a person with a substance abuse disorder or mental illness.
    • Allows a peer specialist who is not yet certified to provide support services for up to a year while he or she is working towards certification; such peer specialists must be supervised by a qualified professional or a certified peer specialists with at least three years of full-time experience at a licensed behavioral health organization.
    • Requires DCF to approve training and continuing education programs for peer specialist certification; DCF must designate one or more credentialing entities that have met nationally-recognized standards for developing and administering certification programs to handle the training and certification of peer specialists.

    DCF guidelines recommend that an individual be in recovery for at least two years to be considered for peer training. In Florida, family members or caregivers can also work and be certified as peer specialists. The Florida Certification Board currently oversees the competency examination and certification process for peer specialists, which requires the individual to have been in recovery for at least two years or have lived experience as a family member or caregiver to another in recovery. To be certified, one must be at least 18 years of age, have a high school diploma or equivalent, complete 40 hours of training, undergo background screening, and
    pass a competency exam.

    As of January 2019, there are 482 actively certified peer specialists.

Editor’s Note: This post is meant to be merely a summary of the law and is not intended to be legal advice. Any specific questions should be directed to legal counsel with regard to changing and revising policies that impact ownership, management and operation of your program.

Feds Bring Heat of Culture of Compliance Into Fight Against Opioid Epidemic

The other day we wrote about the importance of treatment programs hiring educated and trained (and preferably “certified”) compliance professionals into the ranks of management, in order to identify and address non-compliant activities and to make corrections.  While not mandatory, government regulators and prosecutors often look to the implementation of an effective compliance program as a mitigating factor when it comes to penalties and punishment for otherwise non-compliant behavior.

However, merely hiring anyone and naming them as “compliance officer” is both dangerous, and in the case of Rochester Drug Co-Operative Inc,. one such “compliance officer” has been criminally charged for sticking his head in the sand while ownership was distributing millions of doses of opioids to alleged pill mills.

Rochester Drug Co-Op acted as a middleman between laboratories and pharmacie and grew to be one of the nation’s largest drug distributors at the height of its opioid push, supplying 1,300 pharmacies in the northeastern U.S., according to the DOJ. The DOJ claims sales soared from 2012 to 2017 as the company took on pharmacy clients that other distributors refused to service.

Law360 is reporting that William Pietruszewski a “logistics specialist” at Rochester, who was only later “handed” the role of Compliance Officer with little direction and no training, has also been charged with conspiracy to distribute narcotics, conspiracy to defraud and failing to tell the Drug Enforcement Agency about suspicious pharmacy orders. He has agreed to plead guilty.

DOJ said Pietruszewski was managing the warehouse and tracking inventory at Rochester Drug Co-Op when he took on a second role as chief compliance officer. The document suggested compliance was established as an afterthought to profit.

“This historic investigation unveiled a criminal element of denial in RDC’s compliance practices and holds them accountable for their egregious noncompliance according to the law,” DEA special agent Ray Donovan said after the charges were unsealed.

Pietruszewski was charged alongside the company’s chief executive, the role historically liable for business failings. Prosecutors stressed Pietruszewski’s compliance position in public statements and weaved his “woefully inadequate due diligence program” throughout the charging documents filed last week.

“One of the lessons here, certainly, is that one of the first things the government is going to look at is the compliance program,” Tom Hill of Pillsbury Winthrop Shaw Pittman LLP said. “They want to see if it’s designed in an effective way and implemented with the appropriate degree of seriousness and rigor, as opposed to being there for window dressing purposes.”

The weight that prosecutors place on corporate compliance programs has only grown in the quarter-century since the DOJ established expectations for them in criminal sentencing guidelines. Pietruszewski’s case is a shining example, attorneys said, that compliance structure and effectiveness can determine the outcome of a government investigation.

“It continues to seep into the fabric of corporate America,” said Margaret Cassidy, chair of the American Bar Association’s compliance committee. “Even in smaller companies, they’re beginning to realize the vulnerability they have, the risk they have if they don’t develop some sort of ethics and compliance program.”

Experts said compliance programs should be designed to deal with situations like the one alleged at Rochester Drug, where CEO Laurence Doud and another executive — who remained unidentified and uncharged as of Tuesday — are said to have bred a culture of noncompliance.

“The question is if you have enough checks and balances so that, when mistakes happen, you are likely to catch them,” Hill said. He suggested, for starters, that companies must take every internal complaint seriously. Rochester Drug Co-Op failed on that front too, prosecutors claimed.

Read more at:

Why Having a Certified Compliance Professional in Addiction Treatment is Critical

The health care law world has been buzzing over the weekend about the release by HHS of its Notice of Enforcement Discretion, regarding a reduction and cap of Civil Monetary Penalties (CMP) for violations of both HIPAA’s Privacy Rule and its corollary Security Rule.

The new system sets annual limits for these fines based on the organization’s “level of culpability” associated with the HIPAA violation. That means organizations that have taken measures to meet HIPAA’s requirements will face a much smaller maximum penalty than those who are found neglectful.

Many are not aware that HIPAA has both a “privacy” component and a “security” component, the former pertains to use of Protected Health Information (PHI) and the latter of which speaks to the how such information is to be securely stored both in paper form and digitally.

The Health Information Technology for Economic and Clinical Health Act, (the HITECH Act) outlines minimum and maximum civil money penalties for HIPAA enforcement based on four tiers, which take into account whether the organization in question was aware of the violation and whether it had taken steps to abide by HIPAA’s rules. The tiers escalate in severity, from an organization that is unaware of the violation to one that demonstrated “willful neglect” in not correcting violations.

Violation of the HIPAA requirements mandates “self-reporting,” meaning that a health care provider (which includes in this instance addiction treatment providers) must report themselves to HHS of any such breach. Depending on the “level of culpability” there is a fine that is imposed. If a provider does not self-report, the fines are much more punitive and steep.

Last year marked a record year for HIPAA enforcements, as HHS collected an all-time high of $28.7 million from HIPAA-covered entities and their business associates. That surpassed the previous record of $23.5 million, which HHS doled out in 2016.

To avoid all of the pitfalls and landmines that permeate health care generally, a well-trained and experienced Compliance Officer who works with ownership and staff (and preferably a Compliance Committee) is a strong and wise investment. Such persons are tasked with primary responsibility to oversee and coordinate relevant and timely information pertaining to laws, rules and regulations governing matters such HIPAA; billing & coding; employee & vendor compensation; insurance audits; working with investigators; and patient financial responsibility.

A Certified Compliance Officer (CHC or “Certified in Healthcare Compliance”) is a recognized professional in this space who is trained to develop, implement and regularly update arecognized compliance program, which in many instances is viewed as a mitigating factor when determining whether a regulatory breach has occurred, as opposed to criminal activity.

The Health Care Compliance Association (HCCA) is the pre-eminent membership organization for all persons certified in health care compliance to share “best practices” and to network as to the latest trends and news in health care compliance. This organization worked extensively with the Compliance Certification Board (CCB) to develop criteria to determine competence in the practice of compliance, in this instance, in the health care sector.

According to the CCB:

“The healthcare world can be a high-risk and challenging environment that demands a proactive compliance approach. Being certified in this dynamic, changing profession can help mitigate compliance-related risks. An individual who actively holds the Certified in Healthcare Compliance (CHC)® is someone with knowledge of relevant regulations and expertise in compliance processes sufficient to assist the healthcare industry organizations in understanding and addressing legal obligations, and promote organizational integrity through the operation of effective compliance programs.”

The time is right for the addiction treatment and recovery residence industries to elevate what it means to have a “Compliance Officer” on staff, to be more than simply someone who ensures DCF licensure is up-to-date. Specific training and qualifications should be sought for such important positions within a program, no differently than in medical health care.

In my 9+ years of working extensively within the addiction treatment space, I have often met persons identified as a client’s “Compliance Officer” but came to realize many did not have the full scope of training to be able to anticipate and navigate the daily landmines and pitfalls that operating a health care business brings. Hiring a staff member who is certified in health care compliance should be viewed as an essential hire in addiction treatment to begin to lift this segment out of the shadows and into respectable health care as well as within the larger “recovery community” of service providers.

Hiring a competent certified compliance officer is but a small investment to make in exchange for the peace of mind that all aspects of a treatment provider’s operations, including any recovery residential services, meet the both the letter and the intent of the law.

For more information, visit the HCCA’s website at