A Chicago record storage and disposal company has been named in a complaint filed by the Illinois Attorney General as a result of the negligent disposal of a medical practice’s patient records in an unlocked dumpster.   The complaint alleges that FileFax, Inc. violated the Illinois Consumer Fraud and Deceptive Business Practices Act by failing to handle the records entrusted to it for secure disposal by the practice, Suburban Lung Associates, as required by the Illinois Personal Information Protection Act as well as HIPAA.

Not only did FileFax allegedly discard the records in its unlocked dumpster adjacent to its place of business, but more incredibly, a FileFax employee permitted another individual to remove 1,100 pounds of records and take them to another facility for recycling.  The recycler, Shred Spot, recognized the documents as protected health records and refused to recycle them.  After consulting his trade association, the National Association for Information Destruction, Shred Spot owner Paul Kaufmann contacted the office of Attorney General Lisa Madigan, according to the Chicago Tribune.

Adding to the perfect storm, shortly after the records were delivered to Shred Spot, Dave Savini, an investigative reporter for CBS Chicago, took a film crew to the dumpster outside of the FileFax facility which remained full of Suburban Lung’s records and remained unlocked, accessible by the general public.  He noted:

“It is an identity thief’s dream, and a nightmare for patients. Medical files, tossed in the trash, contain personal information including drivers’ licenses, Social Security numbers and even medical histories.”

Watch his report here: savini-medical-files
Illinois Attorney General agents and representatives of the Department of Health and Human Services then conducted a site visit of the Shred Spot facility, and documented the return of the records to the practice.

FileFax faces civil penalties and injunctive relief under the AG’s suit including a $50,000 fine for violation of the Consumer Fraud Act and an additional $10,000 for each violation that involved a senior citizen, plus costs of investigation and prosecution, along with another civil penalty of $50,000  for improperly disposing of sensitive personal information and protected health information under the state’s Personal Information Protection Act.  At this point it is not clear what additional sanctions may be sought by HHS under HIPAA.  Further, Suburban Lung Associates may face vicarious liability for the negligence of its business associate, FileFax.

My partners Elizabeth Litten and Michael Kline were quoted by Marla Durben Hirsch in the July 27, 2015 issue of Part B News in an article entitled “Faulty record disposal by business associate exposes physician practice” (subscription required).

“Reporters love to dumpster dive. It’s more sexy [than some other HIPAA violations],” says Kline. “It’s a horror show for the covered entity. And if there’s no business associate agreement, it’s even worse,” he adds.

In the interview, they emphasized the need to treat record storage and disposal companies as seriously as other third-party contractors handling patient-related items, to verify a vendor’s HIPAA compliance efforts before engaging them and to continue monitoring their compliance.

“Consider medical information as other waste, as if it’s toxic. If it’s not disposed of properly, there could be liability,” says Litten.

Further, a covered entity’s business associate agreement is its best defense when a business associate drops the ball.  “You need to know that the business associate knows and complies with HIPAA and state law,” says Litten.

In addition, business associates should be required to report to covered entities within a few days of discovering a breach, and should be required to pay for any costs incurred by the covered entity they have caused, including credit monitoring.

My partner Elizabeth Litten and I were recently interviewed for an article entitled “Connecticut ‘opens floodgates’ for HIPAA litigation” published in “Privacy this Week” by DataGuidance. The full text of the article can be found in the November 13, 2014 issue of “Privacy this Week,” but a discussion of the article is set forth below.

On November 11, 2013, the Connecticut Supreme Court ruled in the case of Byrne v. Avery Center for Obstetrics and Gynecology, P.C. that (i) an action for negligence arising from a health care provider’s breach of patient privacy is not preempted by the HIPAA statute and regulations, which do not permit a private right of action to be brought by an individual under HIPAA, and (ii) HIPAA regulations may well inform the applicable standard of care in certain circumstances. Elizabeth and I have previously posted blog entries respecting the Byrne case that may be read here and here, respectively.

Elizabeth pointed out, “The precedents this case sets may have exponential repercussions and may twist the decision in extreme illogical directions.”

I observed that the Byrne case may have opened the floodgates of litigation because the decision may have established a new level of punishment that is not present under the federal HIPAA law itself.  Just consider the liability a doctor could incur if he or she mistakenly leaves a document with personal health data on the wrong nurse station desk. If, for example, someone improperly accesses that information and uploads the data to the Internet, we have a data breach under HIPAA standards – which in turn may be an act of negligence under state tort or malpractice law with liability to the doctor under the principles of the Byrne case.

Elizabeth also stated that there is fear that some of the things HIPAA tries to regulate, such as transparency in data breaches, may be undermined. If individuals can resort to state law to seek compensation for data breaches, companies may see benefits in not complying with the transparency finality of HIPAA. “Furthermore there are many other federal standards with implications in data protection, such as the Family Educational Rights and Privacy Act (FERPA), that could follow the case of HIPAA,” Elizabeth noted.

I added my view that it would not be surprising if HIPAA is taken to the United States Supreme Court to delimit its preemption scope. We certainly haven’t seen the end of it.  The Connecticut case may provide a new avenue for an individual plaintiff to sue for a health data breach under state law by using HIPAA indirectly when he or she cannot sue under HIPAA itself directly.  This blog will continue to follow the Byrne case and other cases involving HIPAA and other federal and state law interactions and potential conflicts.

A previous post to this blog by Patricia McManus pointed out that individuals whose protected health information (“PHI”) is stolen, lost, or otherwise inappropriately used, accessed, or left unsecured have no private right of action against the person or entity responsible for the breach under the HIPAA/HITECH laws. That may change for victims of identity theft who can show the theft was caused by a HIPAA breach, at least if the action is brought in the 11th Circuit.

The 11th Circuit District Court (Southern District of Florida) decision that came out  on September 5, 2012 involved stolen unencrypted laptops containing PHI of approximately 1.2 million AvMed (health plan) patients. The lower court had dismissed the originally-filed class action because plaintiffs sought "to predicate recovery upon a mere specter of injury: a heightened likelihood of identity theft."  The case was re-filed, naming as plaintiffs a subset of patients whose identities had been actually stolen since the laptop theft, alleging negligence by AvMed in protecting the sensitive information, breach of contract, unjust enrichment, breach of the implied covenant of good faith and fair dealing, and breach of fiduciary duty. 

The District Court’s decision to deny AvMed’s motion to dismiss plaintiffs’ claim that AvMed’s data breach caused plaintiffs’ identity theft was based on its finding that plaintiffs "sufficiently alleged a nexus between the data theft and the identity theft and therefore meet the federal pleading standards…," even though the computers were stolen 10 and 14 months prior to the identity thefts of the two specific plaintiffs named in the action. The court pointed out that both individuals were very protective of their personal data and did not transmit sensitive data electronically or store it on computers. One plaintiff’s sensitive information was used to open a Bank of America account and change her address with the US Post Office, while the other plaintiff’s sensitive information was used to open an E*Trade Financial account. Neither had experienced identity theft before the theft of the AvMed laptops.


The court also refused to dismiss the plaintiffs’ unjust enrichment claim, which was based on the fact that AvMed received premiums that were payments, at least in part, to protect sensitive information with "data management and security measures that are mandated by industry standards." Plaintiffs alleged AvMed failed to implement or inadequately implemented these policies. 


If plaintiffs are ultimately successful in obtaining refunds of premiums and/or payments from AvMed for damages incurred as a result of the identity thefts, it could set an interesting precedent for future HIPAA breach victims, particularly if the court’s decision relies (as it seemed to rely in this decision) on the fact that the victims could show they were extremely careful not to store or transmit personal information via electronic means.  In this age of intensive use of computers and the Internet for financial transactions, such plaintiffs are probably highly unusual. An individual who makes frequent or even occasional on-line purchases or pays bills electronically and who becomes the victim of  a HIPAA breach might have difficulty demonstrating that a subsequent identity theft was the direct result of the breach. 

A Wall Street-based medical collection service has been sued by the Minnesota Attorney General after losing a laptop containing sensitive information about 23,500 patients treated by two hospitals which contracted with the company. More significantly, the AG’s complaint alleges that the company, Accretive Health, Inc., was mining, analyzing and using the data for purposes that were not disclosed to patients and which may adversely affect their access to care. The suit is being reported as the first HIPAA enforcement action by a state attorney general against a business associate.


Accretive Health’s parent company, Accretive, LLC, a private equity firm, has run into legal challenges in Minnesota before due to its vertical integration of the debt collection industry under which they took control of the nation’s largest debt collection enterprise, the largest national collection law firm, and the nation’s largest consumer debt collection arbitration company.  


The company’s laptop, which was stolen from a rental car, allegedly contained patient names, addresses, dates of birth, social security numbers, as well as risk factors developed by Accretive to sort patients by likelihood of inpatient admission, the presence of any of 22 costly health conditions, “frailty” and ability to pay.


According to Attorney General Lori Swanson’s press release:

“The debt collector found a way to essentially monetize portions of the revenue and health care delivery systems of some nonprofit hospitals for Wall Street investors, without the knowledge or consent of patients who have the right to know how their information is being used and to have it kept confidential.”


Accretive provided comprehensive revenue cycle services to its hospital clients, including patient intake and scheduling, billing and collections. In its contract with one of the hospitals, Fairview Health Services, Accretive offered what it called “Quality and Total Cost of Care” services, allegedly through using “data mining,” “consumer behavior modeling,” and “propensity to pay” algorithms. Under this model, Accretive was paid incentives for cost control and increased revenue.


The AG relied heavily on securities disclosure materials provided by Accretive to its investors, which described its business as including “development of risk scores on individual patients; automated care plans; case management; medical necessity reviews; pharmacy management; length of stay management; discharge planning; population based management; and analytics and reporting of utilization by patient, per patient profit and loss reports, and identification of patient ‘outliers.’” The AG characterizes Accretive’s business model using its own language, which boasted that the company provides risk scoring of patients; focuses on reducing avoidable hospital admissions; identifies the “sickest and most impactable patients” for “proactive management” and identifies “real-time interventions with significant revenue or cost impact.”


In addition to HIPAA violations, the suit alleges violation of state debt collection and consumer protection laws, and asks the court to order Accretive to fully disclose to patients the nature and purpose of the information gathered including to what extent data has been sent to the company’s “Shared Services Blended Shore Center of Excellence” in New Delhi, India. The suit also seeks injunctive relief and damages.


It may be tempting to see this lawsuit as an act of political grandstanding seeking to capitalize on current anti-Wall Street sentiments (and on the widespread resentment of outsourcing of American jobs).  Accretive’s troubled history with Minnesota regulators and its use of impenetrable, Orwellian and vaguely threatening euphemisms for its data analysis services (“impactable patients,” “proactive management,” “real-time interventions”) doesn’t help its case.


However, the case may also validate the maxim “bad cases make bad law.” The type of data allegedly gathered and analyzed by Accretive could potentially be used for nefarious purposes including shunting poorer, sicker patients into a second-class care system, but it could also be used to identify those patients for whom special attention could most effectively improve outcomes. In fact, this is the very type of analytical capability that many providers will need to develop to effectively participate in the emerging post-fee-for-service reimbursement environment typified by Medicare’s ACO Shared Savings Program.  The suit may signify a crackdown on shadowy organizations trafficking in secret health and financial scores for profit without the knowledge of the patients whose data is being bought and sold, but regulators should be cautious not to chill legitimate and transparent use of the multitude of electronic data currently available in ways that may advance cost-effective, high-quality care.

In the first settlement of a HIPAA enforcement action brought by a state attorney general under the new authority granted by the HITECH Act, Connecticut Attorney General Richard Blumenthal announced that the state had entered into an agreement with Health Net for failing to secure patient health and financial information.  The AG had brought suit in January based on Health Net’s loss of a hard drive containing over 500,000 individuals’ records including clinical data, social security numbers, addresses, and other financial information. The company had concluded that the hard drive had been lost due to theft. Compounding the damage, the AG alleged that the company had delayed notifying the affected individuals for over six months.

The press release issued by the AG states:

  • Under this settlement, Health Net and its affiliates have agreed to:
    • A “Corrective Action Plan” in which Health Net is implementing several detailed measures to protect health information and other private data in compliance with HIPAA. This plan includes continued identity theft protection, improved systems controls, improved management and oversight structures, improved training and awareness for its employees, and improved incentives, monitoring, and reports.
    • A $250,000 payment to the state representing statutory damages. This payment is intended as a future deterrent to such conduct not only by Health Net, but by other insurers and health care entities that are entrusted with individuals’ private information.
    • An additional contingent payment to the state of $500,000, should it be established that the lost disk drive was accessed and personal information used illegally, impacting plan members.

The full settlement is here.

It’s been years since HIPAA became a household term.  Yet, there continues to be a significant amount of confusion about when it applies, what types of uses and disclosures of PHI are  permitted, and if individuals can sue someone for a HIPAA violation.  

The Office for Civil Rights recently published separate guides, one for health care providers and one for patients, to help clarify misunderstandings about when PHI can be released to family and friends involved in a patient’s medical care.  Even though HIPAA requires health care providers to protect patient privacy, providers are permitted, in most circumstances, to communicate with the patient’s family, friends, or others involved in their care or payment for care. The provider guidance document is intended to clarify these HIPAA requirements so that health care providers do not unnecessarily withhold a patient’s health information from these persons. The guide also includes common questions and a table that summarizes the relevant requirements. 

There are other helpful resources posted on the government’s website to help patients and providers understand HIPAA.  Below is a sample of links that aim to dispel certain misunderstandings about HIPAA:

By far, the most frequent question that I receive from individuals is "can I sue for a HIPAA violation?"  There appears, in my experience, to still be significant confusion regarding the fact that HIPAA does not provide for a private right of action. What this means is that an individual cannot sustain a lawsuit against another person or entity based solely on HIPAA, even if such individual believes his or her PHI has been disclosed in violation of HIPAA.  In such situations, HIPAA provides for a mechanism where the individuals can file a complaint with the federal government.  Individuals can also consult with an attorney to determine if other federal laws or their State’s laws may provide for any remedy.

Yesterday, the White House Office of the Press Secretary announced that President Bush signed the Genetic Information Nondiscrimination Act of 2008 ("GINA").  The intent of GINA is to protect individuals from employers and insurance companies denying employment, promotions or health coverage to people when genetic tests show they have a predisposition to cancer, heart disease, or other ailments.  But critics of the law are concerned that certain provisions are vague and may expose employers and insurers to frivolous lawsuits.  

The Genetic Information Nondiscrimination in Employment ("GINE") Coalition lobbied and prepared numerous letters to Congress to have certain provisions of GINA revised prior to enactment in order to protect employers’ nondiscriminatory practices and legitimate collection and uses of genetic information.  According to Michael Eastman, executive director of labor law policy at the US Chamber of Commerce and a member of the GINE Coalition, the group remains concerned that GINA (1) will not preempt inconsistent state laws, (2)  will award “excessive” punitive and compensatory damages that will likely encourage “unmeritorious litigation," and (3) lacks exceptions to provisions barring the collection of genetic information.  

For a good review of the pros and cons of GINA, see an article published by GenomeWeb Daily News.  For a quick and dirty summary of  legal provisions of GINA, click and read on . . .

Continue Reading GINA (the new federal law, not a girl) May Spur Lawsuits

The National Law Journal reported in its June 2007 issue that The Health Insurance Portability and Accountability Act (HIPAA) is raising new legal fears for health care providers concerning privacy suits. Labor and employment attorneys are concerned that courts have begun to let plaintiffs use HIPAA standards to prove liability in privacy suits, even though the law doesn’t currently provide a private right of action. And a new federal crackdown on HIPAA violators is also causing concerns for health care providers.

Continue Reading Courts Begin Allowing Plaintiffs To Use HIPAA as Standard in Privacy Suits