PHI Breach Involving Health Plan Leads to Lawsuit by Identity Theft Victims Who Were Plan Members

A previous post to this blog by Patricia McManus pointed out that individuals whose protected health information (“PHI”) is stolen, lost, or otherwise inappropriately used, accessed, or left unsecured have no private right of action against the person or entity responsible for the breach under the HIPAA/HITECH laws. That may change for victims of identity theft who can show the theft was caused by a HIPAA breach, at least if the action is brought in the 11th Circuit.

The decision, issued on September 5, 2012 by the U.S. District Court for the Southern District of Florida (within the 11th Circuit), involved stolen unencrypted laptops containing PHI of approximately 1.2 million AvMed (health plan) patients. The court had dismissed the originally-filed class action because plaintiffs sought "to predicate recovery upon a mere specter of injury: a heightened likelihood of identity theft." The case was re-filed, naming as plaintiffs a subset of patients whose identities had actually been stolen since the laptop theft, alleging negligence by AvMed in protecting the sensitive information, breach of contract, unjust enrichment, breach of the implied covenant of good faith and fair dealing, and breach of fiduciary duty.

The District Court's decision to deny AvMed's motion to dismiss plaintiffs' claim that AvMed's data breach caused plaintiffs' identity theft was based on its finding that plaintiffs "sufficiently alleged a nexus between the data theft and the identity theft and therefore meet the federal pleading standards . . . ," even though the computers were stolen 10 and 14 months prior to the identity thefts of the two specific plaintiffs named in the action. The court pointed out that both individuals were very protective of their personal data and did not transmit sensitive data electronically or store it on computers. One plaintiff's sensitive information was used to open a Bank of America account and change her address with the US Post Office, while the other plaintiff's sensitive information was used to open an E*Trade Financial account. Neither had experienced identity theft before the theft of the AvMed laptops.

The court also refused to dismiss the plaintiffs' unjust enrichment claim, which was based on the fact that AvMed received premiums that were payments, at least in part, to protect sensitive information with "data management and security measures that are mandated by industry standards." Plaintiffs alleged AvMed failed to implement or inadequately implemented these policies. 

If plaintiffs are ultimately successful in obtaining refunds of premiums and/or payments from AvMed for damages incurred as a result of the identity thefts, it could set an interesting precedent for future HIPAA breach victims, particularly if the court’s decision relies (as it seemed to rely in this decision) on the fact that the victims could show they were extremely careful not to store or transmit personal information via electronic means. In this age of intensive use of computers and the Internet for financial transactions, such plaintiffs are probably highly unusual. An individual who makes frequent or even occasional on-line purchases or pays bills electronically and who becomes the victim of a HIPAA breach might have difficulty demonstrating that a subsequent identity theft was the direct result of the breach.

The Hazards of Data Mining: Minnesota AG Sues Collection Agency for Breach, Improper Use of PHI

A Wall Street-based medical collection service has been sued by the Minnesota Attorney General after losing a laptop containing sensitive information about 23,500 patients treated by two hospitals which contracted with the company. More significantly, the AG’s complaint alleges that the company, Accretive Health, Inc., was mining, analyzing and using the data for purposes that were not disclosed to patients and which may adversely affect their access to care. The suit is being reported as the first HIPAA enforcement action by a state attorney general against a business associate.

Accretive Health’s parent company, Accretive, LLC, a private equity firm, has run into legal challenges in Minnesota before due to its vertical integration of the debt collection industry, under which it took control of the nation’s largest debt collection enterprise, the largest national collection law firm, and the nation’s largest consumer debt collection arbitration company.

The company’s laptop, which was stolen from a rental car, allegedly contained patient names, addresses, dates of birth, social security numbers, as well as risk factors developed by Accretive to sort patients by likelihood of inpatient admission, the presence of any of 22 costly health conditions, “frailty” and ability to pay.

According to Attorney General Lori Swanson’s press release:

“The debt collector found a way to essentially monetize portions of the revenue and health care delivery systems of some nonprofit hospitals for Wall Street investors, without the knowledge or consent of patients who have the right to know how their information is being used and to have it kept confidential.”

Accretive provided comprehensive revenue cycle services to its hospital clients, including patient intake and scheduling, billing and collections. In its contract with one of the hospitals, Fairview Health Services, Accretive offered what it called “Quality and Total Cost of Care” services, allegedly through using “data mining,” “consumer behavior modeling,” and “propensity to pay” algorithms. Under this model, Accretive was paid incentives for cost control and increased revenue.

The AG relied heavily on securities disclosure materials provided by Accretive to its investors, which described its business as including “development of risk scores on individual patients; automated care plans; case management; medical necessity reviews; pharmacy management; length of stay management; discharge planning; population based management; and analytics and reporting of utilization by patient, per patient profit and loss reports, and identification of patient ‘outliers.’” The AG characterizes Accretive’s business model using its own language, which boasted that the company provides risk scoring of patients; focuses on reducing avoidable hospital admissions; identifies the “sickest and most impactable patients” for “proactive management” and identifies “real-time interventions with significant revenue or cost impact.”

In addition to HIPAA violations, the suit alleges violation of state debt collection and consumer protection laws, and asks the court to order Accretive to fully disclose to patients the nature and purpose of the information gathered including to what extent data has been sent to the company’s “Shared Services Blended Shore Center of Excellence” in New Delhi, India. The suit also seeks injunctive relief and damages.

It may be tempting to see this lawsuit as an act of political grandstanding seeking to capitalize on current anti-Wall Street sentiments (and on the widespread resentment of outsourcing of American jobs). Accretive’s troubled history with Minnesota regulators and its use of impenetrable, Orwellian and vaguely threatening euphemisms for its data analysis services (“impactable patients,” “proactive management,” “real-time interventions”) doesn’t help its case.

However, the case may also validate the maxim “bad cases make bad law.” The type of data allegedly gathered and analyzed by Accretive could potentially be used for nefarious purposes, including shunting poorer, sicker patients into a second-class care system, but it could also be used to identify those patients for whom special attention could most effectively improve outcomes. In fact, this is the very type of analytical capability that many providers will need to develop to effectively participate in the emerging post-fee-for-service reimbursement environment typified by Medicare’s ACO Shared Savings Program. The suit may signify a crackdown on shadowy organizations trafficking in secret health and financial scores for profit without the knowledge of the patients whose data is being bought and sold, but regulators should be cautious not to chill legitimate and transparent use of the multitude of electronic data currently available in ways that may advance cost-effective, high-quality care.

A First: Connecticut AG Settles With Health Net Over Breach For $250,000

In the first settlement of a HIPAA enforcement action brought by a state attorney general under the new authority granted by the HITECH Act, Connecticut Attorney General Richard Blumenthal announced that the state had entered into an agreement with Health Net for failing to secure patient health and financial information. The AG had brought suit in January based on Health Net's loss of a hard drive containing over 500,000 individuals' records, including clinical data, social security numbers, addresses, and other financial information. The company had concluded that the hard drive had been lost due to theft. Compounding the damage, the AG alleged that the company had delayed notifying the affected individuals for over six months.

The press release issued by the AG states:

  • Under this settlement, Health Net and its affiliates have agreed to:
    • A “Corrective Action Plan” in which Health Net is implementing several detailed measures to protect health information and other private data in compliance with HIPAA. This plan includes continued identity theft protection, improved systems controls, improved management and oversight structures, improved training and awareness for its employees, and improved incentives, monitoring, and reports.
    • A $250,000 payment to the state representing statutory damages. This payment is intended as a future deterrent to such conduct not only by Health Net, but by other insurers and health care entities that are entrusted with individuals’ private information.
    • An additional contingent payment to the state of $500,000, should it be established that the lost disk drive was accessed and personal information used illegally, impacting plan members.

The full settlement is here.

Help Me Understand HIPAA!

It's been years since HIPAA became a household term. Yet, there continues to be a significant amount of confusion about when it applies, what types of uses and disclosures of PHI are permitted, and whether individuals can sue someone for a HIPAA violation.

The Office for Civil Rights recently published separate guides, one for health care providers and one for patients, to help clarify misunderstandings about when PHI can be released to family and friends involved in a patient's medical care. Even though HIPAA requires health care providers to protect patient privacy, providers are permitted, in most circumstances, to communicate with the patient’s family, friends, or others involved in their care or payment for care. The provider guidance document is intended to clarify these HIPAA requirements so that health care providers do not unnecessarily withhold a patient’s health information from these persons. The guide also includes common questions and a table that summarizes the relevant requirements.

There are other helpful resources posted on the government's website to help patients and providers understand HIPAA. Below is a sample of links that aim to dispel certain misunderstandings about HIPAA:

By far, the most frequent question that I receive from individuals is "can I sue for a HIPAA violation?" There appears, in my experience, to still be significant confusion regarding the fact that HIPAA does not provide for a private right of action. What this means is that an individual cannot sustain a lawsuit against another person or entity based solely on HIPAA, even if such individual believes his or her PHI has been disclosed in violation of HIPAA. In such situations, HIPAA provides for a mechanism where the individual can file a complaint with the federal government. Individuals can also consult with an attorney to determine if other federal laws or their State's laws may provide for any remedy.

GINA (the new federal law, not a girl) May Spur Lawsuits

Yesterday, the White House Office of the Press Secretary announced that President Bush signed the Genetic Information Nondiscrimination Act of 2008 ("GINA"). The intent of GINA is to protect individuals from employers and insurance companies denying employment, promotions or health coverage to people when genetic tests show they have a predisposition to cancer, heart disease, or other ailments. But critics of the law are concerned that certain provisions are vague and may expose employers and insurers to frivolous lawsuits.

The Genetic Information Nondiscrimination in Employment ("GINE") Coalition lobbied and prepared numerous letters to Congress to have certain provisions of GINA revised prior to enactment in order to protect employers' nondiscriminatory practices and legitimate collection and uses of genetic information. According to Michael Eastman, executive director of labor law policy at the US Chamber of Commerce and a member of the GINE Coalition, the group remains concerned that GINA (1) will not preempt inconsistent state laws, (2) will award “excessive” punitive and compensatory damages that will likely encourage “unmeritorious litigation," and (3) lacks exceptions to provisions barring the collection of genetic information.

For a good review of the pros and cons of GINA, see an article published by GenomeWeb Daily News. For a quick and dirty summary of the legal provisions of GINA, click and read on . . .

Courts Begin Allowing Plaintiffs To Use HIPAA as Standard in Privacy Suits

The National Law Journal reported in its June 2007 issue that The Health Insurance Portability and Accountability Act (HIPAA) is raising new legal fears for health care providers concerning privacy suits. Labor and employment attorneys are concerned that courts have begun to let plaintiffs use HIPAA standards to prove liability in privacy suits, even though the law doesn't currently provide a private right of action. And a new federal crackdown on HIPAA violators is also causing concerns for health care providers.