Jail Time for HIPAA "Curiosity" Violation

Posted on May 3, 2010 by Megan Browne

 

HIPAA leads to four months in jail for a former UCLA medical researcher, Huping Zhou.  See the April 27, 2010 press release by the U.S. Attorney’s Office for the Central District of California.  http://www.justice.gov/usao/cac/pressroom/pr2010/079.html.    As the release states, this case made history because the defendant “is the first person in the nation to be convicted and incarcerated for misdemeanor HIPAA offenses for merely accessing confidential records without a valid reason or authorization.”

 

We have seen a number of federal prosecutions and convictions for HIPAA violations, but, until last week, nobody got jail time for merely peeking at others’ confidential person health information without a valid reason or the patients’ authorization.  Also, prior prosecutions typically focused on someone’s use of another’s confidential health information for personal gain.  For example, the day after Mr. Zhou’s sentencing was announced, another U.S. Attorney’s Office announced that a federal grand jury indicted a man for violating HIPAA by conspiring with a hospital employee working in a trauma unit and others to sell patient records and confidential medical information to personal-injury attorneys who would use the information to solicit clients.   http://www.justice.gov/usao/nv/press/april2010/charette04282010.html.

 

Mr. Zhou’s situation is different.  Mr. Zhou, a licensed cardiothoracic surgeon in China, admitted that he accessed and read his direct supervisor’s and coworkers’ medical records without any legitimate reason or authorization.  He did that after he was told that he would lose his job for performance-based reasons unrelated to HIPAA.  Over the next several weeks and continuing beyond the termination of his employment, he kept peeking at records, including those for celebrities, and did some more than 300 times, according to court documents.

 

What is the lesson here?  Healthcare workers and others governed by HIPAA must control their curiosity.  HIPAA demands it and must be respected, at the risk of suffering serious ramifications.  Federal prosecutors have raised the stakes.  So did the HITECH Act of 2009, which was part of the American Recovery and Reinvestment Act of 2009 and amended HIPAA by increasing penalties, among other things.  Expect to see stepped-up enforcement efforts by federal prosecutors, state prosecutors, and the U.S. Department of Health and Human Services’s Office of Civil Rights.  Likewise, employers are increasing monitoring and enforcement in the workplace.  Make no mistake about it:  HIPAA does not demand entity accountability only.  HIPAA holds individuals accountable.

Tags:

New Regulations Clarify HITECH Breach Notification Rules

Posted on November 4, 2009 by Kathy Kravitz

Interim Final Regulations published in the Federal Register on August 24, 2009 (74 Fed. Reg 42740) provide a framework for evaluating potential breaches of Protected Health Information (PHI) in order to determine if it is necessary to send a notification letter to the patient. While not all violations of the pre-existing HIPAA privacy regulations will result in a breach requiring notification under the new HITECH regulations, a violation of the privacy rule is a prerequisite to a breach requiring notification. Thus, determining whether or not a violation of the HIPAA regulations has occurred is the first step in evaluating a breach to determine if notification is necessary.

Continue Reading...
Tags:

HIPAA-steria - The Sequel: First Up; Breach Notification

Posted on September 8, 2009 by Kathy Kravitz

 The new federal stimulus bill, American Recovery and Reinvestment Act of 2009 (ARRA), includes the Health Information Technology for Economic and Clinical Health (HITECH) Act, which contains, among other things, an expansion of HIPAA privacy law requirements for health care providers. The HIPAA provisions go into effect on a rolling schedule over the next several years, and further guidance for compliance will be forthcoming over that time period. Since much is still unknown, hospitals and other health care providers may wish to go about tackling the technical maze of new requirements (and avoiding HIPAA-steria) with an equally graduated, and systematic approach to enforcement. This Alert will focus on the breach notification provision, which is scheduled to go live in September of 2009.

General Rule.  Under HITECH, any hospital or other covered entity which maintains protected health information (PHI) must notify the patient in the event of a breach of the data. Importantly, this provision only applies to data which is “unsecured;” if a breach of “secured” data occurs, no notification is required.

What is a Breach?  A breach is the unauthorized access, use or disclosure of PHI which compromises the security or privacy of the information. There are, however, some important exceptions. For example, a disclosure may not be a breach requiring notification if you would not expect the person to whom the information was disclosed to remember it. This could cover a misdirected fax, depending upon the procedures followed. Also, if an employee acting in good faith, within the scope of his/her job duties, improperly accesses a record, as in the  case of inadvertent or accidental access, this is not reportable so long as there is no further disclosure.

What makes data “secure?”  Per DHHS’ April 27th guidance (74 Fed. Reg. 19006), electronic data is “secure” if encrypted as further specified in the HIPAA Security Rule and in guidelines promulgated by the National Institute of Standards and Technology and available at http://www.csrc.nist.gov/. The encryption method should use a process which transforms data into a form “in which there is a low probability of assigning meaning without the use of a confidential key or process.” As for hard copy records, per the guidance that hard copy PHI is only “secure” if destroyed in a manner which makes it unreadable. 

Form/Timing of Notification.  Notification must be made in writing, by mail or e-mail if that is the patient’s preference. The notification must be made within 60 days of discovery of the breach. If the breach involves disclosure of PHI of 500 or more people, notification also must be made to the media and to DHHS, and the incident will be posted on a DHHS public website.

Further Guidance to Come/Start Date.  On August 24, 2009, DHHS published its final interim rules on breach notification (74 Fed. Reg. 42740). In its April guidance, DHHS asked for public comments, and the final interim rules are expected to address industry comments and concerns. These rules will then apply to breaches occurring 30 days after the publication of the rules, or no later than September 15, 2009.

Next Steps.  Hospital and other health care providers should consult with their health care professional to flesh out a plan for HITECH compliance. Some things to consider in making your plan include:

• Review of Business Associate agreements to ensure that BA’s are required to give timely notice of breaches to allow for your compliance with HITECH’s 60 day deadline for notification.

• Review of most common breach circumstances and reportability; does every misdirected fax require a breach notification? This must be thoroughly analyzed and a policy created to supplement your existing HIPAA compliance program. Policies should be worded broadly enough to allow for analysis of each individual situation.

• Education. While staff may be aware of the need for privacy of PHI, these new requirements, along with HITECH’s substantially increased financial penalties, put a much greater emphasis on the importance of maintaining confidentiality on a day to day basis.

The Future.  At the American Health Lawyers Annual Meeting in early July, a representative from the Office for Civil Rights (OCR) addressed the agency’s enforcement philosophy, saying, “I love the word reasonable,” when asked about the new HIPAA provisions. The commitment to this philosophy will be borne out in the coming months and years.

 

Tags:

Settling Co-Defendants May Be Excluded From Verdict Sheets

Posted on September 8, 2009 by Bob Dennison

Recently the Superior Court of Pennsylvania held that settling co-defendants may be excluded from verdict sheets where the evidence will not support a prima facie case of negligence against a settling co-defendant.  In the matter Hyrcza v. West Penn Allegheny Health System, 2009 WL 1977500 (Pa.Super., July 1, 2009), Plaintiff brought a medical malpractice action on behalf of her decedent against numerous defendants on various theories of liability.  Certain Defendants settled with Plaintiff prior to trial and were omitted from the verdict sheets.  At trial a verdict was entered in favor of plaintiff and against the remaining defendants.  On appeal, the remaining defendants argued the exclusion of the other settling defendants from the verdict sheets denied them a right to have liability apportioned against them.  The Superior court affirmed the trial court ruling that the evidence did not support a prima facie case of negligence against the settling defendants, and therefore they were properly excluded.

Tags:

Health Care Providers Knowingly Seeking Payment for Serious Adverse Events? Not in PA!

Posted on September 7, 2009 by Megan Browne

As of August 9, 2009, health care providers (including hospitals, doctors, nurse midwives, CRNPs,

and others) in Pennsylvania are prohibited from “knowingly” seeking payment for certain

“preventable serious adverse events” or for any services needed to correct or treat the condition

created by the preventable serious adverse event when the event occurred under the provider’s

control. Likewise, private insurers and patients do not have to pay providers for such events. 

 

Governor Rendell signed the Preventable Serious Adverse Events Act into law on June 10,

2009 (Act 1 of 2009). It is the first Pennsylvania law that addresses payment for preventable

serious adverse events, but it is not the first law of its kind that applies to Pennsylvania

health care providers. On January 14, 2008, the Department of Public Welfare (DPW)

issued a Medical Assistance (MA) Bulletin announcing that hospitals would no longer be

paid for certain “preventable serious adverse events,” the rationale being that they were not

“medically necessary services” to patients who receive MA benefits. (In fact, Act 1 of 2009

tracks key definitions used in the MA Bulletin.) The MA Bulletin followed federal regulation

providing that the Centers for Medicare and Medicaid Services would no longer pay for eight

“never events” suffered by Medicare recipients. 

 

Continue Reading...
Tags:

Healthcare Reform Marches On

Posted on June 23, 2009 by Megan Browne

The White House has been working diligently on healthcare reform efforts, as promised during President Obama’s campaign. Around the country, healthcare providers and their attorneys (such as myself) are following and/or participating in the developments. Here is a summary of some activity in the past week:

  • Last week (on June 16, 2009), Peter R. Orszag, Director of the Office of Management and Budget,, posted an entry on the OMB Blog June 16th stating that in addition to the White House’s commitment to ensuring healthcare reform is “deficit neutral”, the healthcare system as a whole needs to adopt best practices that achieve higher quality and lower cost throughout the country. I heard Mr. Orszag give a speech last year in which he made the same pitch for higher quality and efficiency as a necessary part of the effort to lower healthcare costs. This has become a theme of the White House’s health care reform efforts.
  • On the same day (June 16), Douglas W. Elmendorf, Director of the Congressional Budget Office (“CBO”), issued letters to the Chairs of the Senate Budget Committee and the House Ways and Means Committee. The upshot of the letters, as I read them, is that fundamental changes in healthcare delivery and financing are believed to be needed for significant reductions in federal healthcare spending to occur. This is consistent with Mr. Orszag’s message (see above). (I wonder if they coordinated their efforts.) Mr. Elmendorf says: “In the absence of significant changes to policy, rising costs for health care will cause federal spending to grow much faster than the economy, putting the federal budget on an unsustainable path.” Citing an interest by some in policy changes combined with “a mechanism or framework to impose ongoing pressure for achieving efficiencies in the delivery of health care”, he concludes that, absent “meaningful reforms”, “the substantial costs of many current proposals to expand federal subsidies for health insurance would be much more likely to worsen the long-run budget outlook than to improve it.”
  • The CBO’s review of pending reform proposals as described above seems to have put reform effort on a path longer than what the White House had hoped for.
  • Yesterday (June 22), President Obama reported that, over the weekend, an “understanding” about upcoming reform was reached that would close Medicare Part D’s “doughnut hole.” The hole is a gap in prescription drug coverage that requires seniors to pay out-of-pocket for costs between $2,700 and $6,100. The President reports: “So as part of the health care reform I expect Congress to enact this year, Medicare beneficiaries whose spending falls within this gap will now receive a discount on prescription drugs of at least 50 percent from the negotiated price their plan pays.” AARP supports this reform effort. The change reportedly will cost drug manufacturers $80 billion over the next ten years.
  • Yesterday, President Obama also signed into law the Family Smoking Prevention and Tobacco Control Act of 2009  that gives the FDA, for the first time, the power to regulate the tobacco industry. 
  • Potential cuts in Medicaid payments to states, as part of healthcare reform, have been a hot topic over the past couple of days. Senator Dianne Feinstein, from California, stated on CNN’s State of the Union that changing the rate would have a huge impact on her state that would “take down her state.” Not surprisingly, then, she questioned her ability to support such a change. The White House responded by pointing out that California has received billions of dollars in Medicaid assistance as a result of this year’s stimulus bill.
Tags:

Here We Go Again: Another Day, Another Med Mal Insolvency

Posted on March 28, 2008 by Kathy Kravitz

Last month, the NJ Attorney General filed a petition for a declaration of insolvency and liquidation on behalf of MIIX Insurance Company. Despite the "successful cooperation" which characterized the MIIX rehabilitation effort, the AG's office noted that at year end 2007, MIIX's outstanding claims had the potential to "break the bank." One purpose of the proposed order of liquidation was to allow MIIX's remaining claimants to recover from various state guaranty funds. Here in PA, that means The Pennsylvania Property, Casualty Insurance Gaurantee Association , fondly known as PPCIGA (pronounced pi - guh). Our PPCIGA statute is codified at 40 P.S. Section 991.1801 et. seq.

The Superior Court of NJ, Chancery Division, has at this point entered a stay order, which suspends activity on all litigation matters involving MIIX insured, "pending in NJ or elsewhere."

This is probably a good time to review the basic provisions of our PPCIGA statute.

Per the statute, PPCIGA provides $300,000 per claimant in coverage. However, in 2006, the Superior Court clarified that in cases involving multiple PPCIGA insureds, each insured must be given $300,000 in coverage, regardless of the number of claimants. In other words, you would not have a situation where three insured would have only one $300,000 policy between them because there was only one Plaintiff in the case. See: Valley Medical Facilities, Inc. v. Pennsylvania Property and Cas. Ins. Guar. Ass'n , 902 A.2d 547 (2006). 

"Gap" issues can also arise in PPCIGA cases. This occurs when there is a gap between when the PPCIGA coverage of $300,000 ends and the point where the MCARE fund's exposure picks up. It is likely that most of the pending MIIX cases involve primaries of $500,000. Thus, because the MCARE fund does not "drop down" to fill a gap where a full tender is no longer available, the insured is bare for that $200,000 in the event of a verdict in excess of $300,000, or in a settlement context. These issues need to be addressed strategically as soon as possible in any pending litigation.

Another provision of the PPCIGA statute which has been the subject of much consternation is the definition of a "covered claim," which excludes "any first-party claim by an insured whose net worth exceeds twenty-five million ($25,000,000) dollars on December 31 of the year prior to the year in which the insurer becomes an insolvent insurer:.." The key part of this exclusion is the term "first party claim."  A first party claim is a claim by an insured against their own insurer. A medical malpractice claim is a claim by a third party.  Another section, 40 PS Section 991.1816(b)(1), gives PPCIGA the right to recover amounts paid for a covered claim on behalf of any insured whose net worth exceeded $50 million as of 12/31 the year preceding the insurer's insolvency. That means that when all was said and done, PPCIGA may , at their own option, seek indemnification from the insured for monies they paid on the insured's behalf.

Note, both of the above provisions received a lot of airplay at the time of the PHICO insolvency, probably because PHICO went down so fast and hard, leaving many hospital insured high and dry. However, according to a representative of the Hospital and Health System Association of Pennsylvania (HAP), even then, neither provision was, to HAP's knowledge, ever applied against any PA hospital. PPCIGA has, by report, confirmed that this will be its approach this time around as well.

Of course, another potentially problematic provision of the PPCIGA statute is the offset provision. This provision states that all monies paid by other insurers , for example, for medical bills, are to be offset, or minused from any verdict or settlement.   At times, this provision has made it difficult to settle cases where the offset is more than the coverage itself.   Some Plaintiffs attorneys worked around this by stipulating that they will not pursue those medical bills at trial; that essentially nullifies the offset.   However, most of the current MIIX cases are probably post-MCARE, which means that Plaintiffs were barred from recovering medical bills paid by insurance anyhow.   So this time around, offset issues may not be as prevalent. 

The good news is that the MIIX rehabilitation did work out many of the claims, and a mere 500 claims are reportedly still in the pipeline, nationwide. Thus, the rehabilitation may have prevented the mayhem of prior insolvencies. So, another one bites the dust here in PA, but perhaps a bit more gently. Stay tuned!

 
Tags:

Skilled Cross-Examination Greatly Reduces Value of Wrongful-Death Claim

Posted on February 12, 2008 by Megan Browne

In a medical malpractice action, a crucial issue in any case is the value of damages to the plaintiff if liability is established. The Supreme Court of Pennsylvania recently issued an opinion clarifying that a defendant does not have to call a competing expert to respond to the plaintiff’s damages expert in order to avoid having the plaintiff’s expert’s figures considered “proven.” Rather, the defendant can rely on his attorney’s cross-examination skills. The ruling allows defendants the flexibility of deciding whether to call their own expert to challenge a plaintiff’s expert or whether to rely on cross-examination of the plaintiff’s expert. The latter is what the physician-defendant and his group did in Carroll v. Avallone.

Carroll involved a wrongful-death and survival-claim against Dr. Avallone and his medical group filed by the deceased patient’s husband, Mr. Carroll. At trial, Mr. Carroll’s expert damages witness, an actuarial economic consultant, testified that Mrs. Carroll’s lost earning capacity, fringe benefits, and past and future household services were between $832,498 and $1,486,713. 

Dr. Avallone and his group did not call their own damages expert to challenge the plaintiff’s expert. Instead, they relied on their attorney’s cross-examination of the plaintiff’s expert. During cross-examination, the defense attorney challenged the expert’s factual assumptions underlying his numbers, including the assumption that Mrs. Carroll, who was unemployed when she died, would have returned to work in the nursing field. (A valuation of damages in a wrongful-death claim requires the parties to present to the jury evidence about what the decedent would likely have done if he or she had survived. A crystal ball would be very helpful in that context, but the parties and their attorneys proceed without that useful tool.) The defense attorney challenged that assumption, pointing out through cross-examination facts inconsistent with the assumption. For example, she had no plans to return, she had long-term health problems, and she had illegal drugs in her body when she died.

The jury returned a verdict, splitting liability 50/50 between the parties and awarding Mr. Carroll $29,207 on the wrongful-death claim and nothing on the survival claim. The Superior Court of Pennsylvania remanded for a new trial on damages because it concluded that Mr. Carroll’s expert’s damages range was “uncontroverted” because the defense did not present an expert witness to challenge the opinion. Therefore, the appellate court found that the five-figure verdict was not reasonably related to the proven damages (in the range of six or seven figures).

The case went up to the Supreme Court of Pennsylvania upon the defendants’ appeal. That court reversed the Superior Court’s order. The Supreme Court of Pennsylvania explained that the defense attorney’s cross-examination of the expert was sufficient to challenge the evidence and to put it before the jury for consideration. Independent evidence by a separate witness is not required. It held that the Superior Court’s determination that “the failure to present affirmative evidence makes the other party’s opinion evidence uncontroverted, rendering it ‘proven damages’ that must be reflected in the jury’s verdict” was inconsistent with Pennsylvania law.

Tags:

Ready, Set, Go!

Posted on May 10, 2007 by Megan Browne

The race to the courthouse can be a defining moment. 

In Shon v. Karason, 2007 WL 901763 (Pa. Super. Mar. 27, 2007), a patient filed a medical malpractice claim against his podiatrist and the podiatrist's employer.  When a certificate of merit was not filed against the health-care providers within the timeframe required by the Pennsylvania Rules of Civil Procedure, the providers filed a praecipe for entry of judgment of non pros.  The praecipe was filed at 1:26p.m. on July 11, 2007.  At 3:39p.m. (2 hours and 13 minutes later), the plaintiff filed a certificate of merit as to the podiatrist.  Judgment of non pros was entered by the prothonotary upon the praecipe, but the prothy did not docket the praecipe until the next day, July 12.  This effectively put the plaintiff out of court at the trial level because the trial court denied the plaintiff's request to open the judgment.

The case went up on appeal to the Superior Court of Pennsylvania.  One of the arguments that the plaintiff made was that his certificate was timely because it was filed the day before the prothy docketed the praecipe.  The court rejected the argument, as the trial court also did.  It explained that  the prothy has no choice but to enter judgment upon a praecipe that is filed before a certificate of merit is filed (or a motion for more time to file a certificate).  Therefore, the pertinent time is when the praecipe was filed, not when the praecipe was docketed.

Tags:

The Cost of Care

Posted on April 16, 2007 by Eric Suter
Today, the SCOTUS hears argument in Long Island Care at Home v. Coke, No. 06-593.  Although the legal issue is one of administrative law, Coke implicates the Department of Labor's Fair Labor Standards Act exemption for in-home health care services.  Broadly speaking, the exemption at issue, which was struck down by the Second Circuit, excludes in-home health care services from various FLSA requirements, including minimum wage and overtime.  As crafted, the exemption was applicable not only to direct employment relationships between the cared-for and the caregiver, but also where the caregiver was employed by a third party company, such as Long Island Care at Home, the defendant in this action. 

SCOTUSBlog's preview is here.  The Workplace Prof has more.
Tags:

Supreme Court of Pennsylvania Addresses Certificates of Merit

Posted on February 5, 2007 by Megan Browne

The Pennsylvania Rules of Civil Procedure require a plaintiff to file a timely certificate of merit in any professional liability action, including a medical malpractice lawsuit, subject to dismissal of the action.  We have seen a number of procedural issues come up in this context, and the legal landscape is developing.

One argument plaintiffs raise with some frequency in trying to revive a dismissed lawsuit is that the application of the rules was inequitable under the circumstances.  The Supreme Court of Pennsylvania has weighed in on the issue and said that the certificate of merit rules are subject to equitable considerations so long as the rules' requirements are met.  See Womer v. Hilliker, 908 A.2d 269 (Pa. 2006) (Justices Baer's dissent is here).  At least substantial compliance is required, and where a plaintiff does nothing to comply with the rules, equitable considerations cannot save a claim.  The court also said that serving an expert report upon a defendant, in and of itself, is not substantial compliance with the rules.  Generally, we do not expect equitable considerations to save many dismissed lawsuits.

A plaintiff's compliance with the certificate of merit rules must be carefully evaluated.  We can offer valuable assistance to our healthcare clients in this regard.

Tags: ,