Author Archives: mz

Seven Noteworthy HIPAA Breaches & the Recent Enforcement Actions

Puzzle words

The following unlucky seven were subject to substantial fines. The costs associated with defending the audit, negotiating the settlement and the cost of implementing the invariable forward-going consent agreements/corporate action plans (CAP), however, are separate and above (and often higher) than the reported fine.

These cases range from relatively small to admittedly large breaches, from the unlikely event to situations that could happen to any entity without implementation of well thought out and vigorously monitored policies and procedures.

In my next post, I will detail one of the most burdensome consent agreements I have ever seen, namely, the Corporate Integrity Agreement between the Office of Inspector General of the Department of Health and Human Services and Nason Medical Center.

It is evident that the ever increasing enforcement of HIPAA and the Omnibus Rule, as well as both the increased use of electronic data and the commonplace reports of mass data breaches are forcing Covered Entities (CE) and their business associates (BA) to increase the resources dedicated to compliance with the Omnibus Rule.

1.    Cornell Prescription Pharmacy ($125,000)

The Denver compounding pharmacy will pay this fine after HHS learned of the potential HIPAA violations from a television news report that PHI was improperly disposed of after a garbage dumpster with un-shredded PHI was discovered. Cornell also agreed to develop and implement a comprehensive set of policies and procedures to comply with HIPAA rules, and to provide staff training. OCR Director Jocelyn Samuels stated that “Regardless of size, organizations cannot abandon protected health information or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons.”

2.    Anchorage Community Mental Health Services, Inc. ($150,000)

Malware compromised the security of ePHI due to a failure to update software patches as well as unsupported software.

HHS Office for Civil Rights (OCR) received notification from ACMHS, a non-profit, regarding a breach of unsecured electronic protected health information (ePHI) affecting 2,743 individuals due to malware compromising the security of its information technology resources. It was later determined that ACMHS had not timely installed patches to its software as mandated by its very own policies and procedures. The takeaway is that entities are not only required to follow the regulations, but they are also being held accountable for compliance with their own policies and procedures.

3.    Parkview Health System ($800,000)

OCR opened an investigation after receiving a complaint from a retiring physician alleging that Parkview had violated the HIPAA Privacy Rule. In September 2008, Parkview took custody of medical records pertaining to approximately 5,000 to 8,000 patients while assisting the retiring physician to transition her patients to new providers, and while considering the possibility of purchasing some of the physician’s practice.  On June 4, 2009, Parkview employees, with notice that the physician was not at home, left 71 cardboard boxes of these medical records unattended and accessible to unauthorized persons on the driveway of the physician’s home, within 20 feet of the public road and a short distance away from a heavily trafficked public shopping venue. Parkview entered into a one year corrective action plan without admission of any wrongdoing.

4.    NY Presbyterian Hospital and Columbia University Medical Center ($4.8 million)

An investigation revealed that a breach was caused when a physician employed by Columbia University Medical Center who developed applications for both New York  Presbyterian Hospital  and CU attempted to deactivate a personally-owned computer server on the network containing NYP patient ePHI. The noteworthy point is that it seems that the person who caused the breach had all the right intentions but the result was catastrophic.

Because of a lack of technical safeguards, deactivation of the server resulted in ePHI being accessible on Internet search engines. The entities learned of the breach after receiving a complaint by an individual who found the ePHI of the individual’s deceased partner, a former patient of NYP, on the Internet. Another noteworthy point is that knowledge of a breach is often only discovered by the breaching entity after receiving reports from third parties. This general situation was confirmed to me by an FBI cybercrime agent.

In addition to the impermissible disclosure of ePHI on the Internet, OCR’s investigation found that neither NYP nor CU made efforts prior to the breach to assure that the server was secure and that it contained appropriate software protections.  Moreover, OCR determined that neither entity had conducted an accurate and thorough risk analysis that identified all systems that access NYP ePHI.  As a result, neither entity had developed an adequate risk management plan that addressed the potential threats and hazards to the security of ePHI.  Lastly, NYP failed to implement appropriate policies and procedures for authorizing access to its databases and failed to comply with its own policies on information access management.

NYP has paid OCR a monetary settlement of $3,300,000 and CU paid $1,500,000, with both entities agreeing to a substantive corrective action plan which includes undertaking a risk analysis, developing a risk management plan, revising policies and procedures, training staff and providing progress reports.

5.    Concentra Health Services ($1,725,220)

OCR opened an investigation following a reported breach that an unencrypted laptop containing the ePHI of 870 individuals was stolen from one of its facilities, the Springfield Missouri Physical Therapy Center.

The investigation found that Concentra had previously recognized, in multiple risk analyses, that a lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing electronic protected health information was a critical risk.  While steps were taken to begin encryption, Concentra’s efforts were “incomplete and inconsistent over time,” according to an HHS press release, leaving patient PHI vulnerable throughout the organization.

Essentially, Concentra did not sufficiently implement policies and procedures to prevent, detect, contain, and correct security violations under the security management process standard when it failed to adequately execute risk management measures to reduce its identified lack of encryption to a reasonable and appropriate level from October 27, 2008, (date of Concentra’s last project report indicating that 434 out of 597 laptops were encrypted) until June 22, 2012 (date on which a complete inventory assessment was completed and Concentra immediately took action to begin encrypting all unencrypted devices).

Concentra did not make any admissions of liability but entered into a CAP – corrective action plan.

6.    Adult & Pediatric Dermatology, P.C. ($150,000)

An investigation of Adult & Pediatric Dermatology was initiated upon receiving a report that an unencrypted thumb drive containing the electronic protected health information (ePHI) of approximately 2,200 individuals was stolen from a vehicle of one its staff members. The thumb drive was never recovered.  The investigation revealed that A&P Derm had not conducted an accurate and thorough risk analysis as part of its security management process.  Further, it did not fully comply with requirements of the Breach Notification Rule to have in place written policies and procedures and train workforce members. It did not admit liability and entered into a CAP.  The takeaway is that the use of thumb drives to store ePHI is inherently problematic and the use of unencrypted storage devices is courting disaster.

7.    Affinity Health Plan, Inc. ($1,215,780)

OCR’s investigation indicated that Affinity impermissibly disclosed the protected health information of up to 344,579 individuals when it returned multiple photocopiers to a leasing agent without erasing the data contained on the copier hard drives. In addition, the investigation revealed that Affinity failed to incorporate the electronic protected health information stored in copier’s hard drives in its risk analysis as required by the Security Rule, and accordingly failed to implement policies and procedures when returning the hard drives to the companies from whom it leased its copiers.  Affinity did not admit liability and entered into a short term CAP.  The takeaway is the required scope, detail and individual nature of the required risk analysis.

 

About Mendel Zilberberg:

An attorney, visionary and entrepreneur admitted to practice in New York, New Jersey and Florida who has represented and counseled clients with nationwide interests in many areas of the healthcare arena.

The use of ePHI is growing exponentially, the likelihood of a breach is ever increasing, and the regulating authorities are ramping up their audit/enforcement programs.  Covered Entities (CE) and Business Entities (BA) must understand the importance of maintaining the integrity of ePHI, compliance with the relevant regulations as well as thoroughly understand the potential consequences for non-compliance. 

Please like & share:

The Seven Most Likely Causes of Major HIPAA Breaches

Computer Security

While it is important to comply with all of the mandates of the Omnibus Rule, I think it is instructive to know from where the most vulnerable areas of breach of PHI arise.

In a recent presentation to a limited number of attorneys in which I participated, an investigator for the Office for Civil Rights (OCR) advised that with respect to breach notification of major HIPAA breaches (those in which the PHI of 500+ individuals had been disclosed), as of February 27, 2015,  OCR’s  records indicate that the following were the percentages attributable to the causes/circumstances for those breaches:

  1.   Paper records 22%
  2.   Laptop 21%
  3.   Desktop computer 12%
  4.   Network server 12%
  5.   Portable Electronic device 11%
  6.   Email 7%
  7.   EMR 4%
  8.   Other 11%

 

Please like & share:

The Five Most Likely Types of Major HIPAA Breaches

The Five Most Likely Types of Major HIPAA Breaches

While it is important to comply with all of the mandates of the Omnibus Rule, I think it is instructive to know from where the most vulnerable areas of breach of PHI arise.

In a recent presentation to a limited number of attorneys in which I participated, an investigator for the Office for Civil Rights (OCR) advised that with respect to breach notification of major HIPAA breaches (those in which the PHI of 500+ individuals had been disclosed), as of February 27, 2015, OCR’s records indicate that the following were the percentages attributable to the types of breaches:

  1.   Theft 51%
  2.   Unauthorized Access/Disclosure 19%
  3.   Loss 9%
  4.   Hacking /IT Incident 7%
  5.   Improper Disposal 4%
  6.   Other 9%
  7.   Unknown 1%
Please like & share:

Does the FDA Need a Comprehensive Reassessment?

testing-i

Has technology outpaced the laws and regulations that guide/drive the FDA?

In recent years, advances in technology have precipitated quantum leaps in bothmedical/diagnostic and treatment alternatives. The controlling laws and regulations which guide and govern the FDA may either not have kept pace, or as result of technology advances, be subject to unintended consequences which may negatively impact the very people the FDA seeks to protect.

Prevailing wisdom, law and popular opinion strongly allow for and suggest:

  1. That if medical data is properly and responsibly aggregated and analyzed, the process has the capacity to lead to significant improvement and efficiencies in the delivery of medical care. (The issue of the protections needed with the aggregation and de-identification of data is beyond the scope of this post, but in any case does not appear to be an FDA concern.)
  2. Thatpatients have unrestricted access to their personal medical data.

On the other hand, the FDA is guided by a statutory framework that goes back to the late 1950s/early 1960s.

As many of you may be aware, in the late 1950s thalidomide was first marketed in West Germany and was primarily prescribed as a sedative or hypnotic. There were also claims that it might cure anxiety, insomnia and tension among other assorted conditions. Thereafter, it was apparently used in the treatment of nausea and to alleviate morning sickness in pregnant women. On October 1, 1957,thalidomide became an over-the-counter drug in West Germany. The popularity of thalidomide, particularly among pregnant women precipitated an unmitigated catastrophe. Thousands of infants were born with malformation of the limbswith an approximate 60% mortality rate.

Not surprisingly, these events sent shock waves through the global medical/pharmaceutical world.  It is readily apparent that not enough had been done to ensure the safety of this drug before it was approved.

The United States responded with the passage of the Kefauver Harris Amendment or “Drug Efficacy Amendment” as a 1962 amendment to the Federal Food, Drug and Cosmetic Act.  This amendment required proof of efficacy in addition to safety for the approval of new drugs — despite the fact that the thalidomide crisis was entirely a safety issue. Proving efficacy is apparently much more expensive and timeconsuming than proving safety.

It is important to note that the authority of the FDA extends both to drugs and medical devices. In order to understand the possible issue here, it is important to understand the difference between the two. Even a cursory review of the FDA website highlights the distinct difference between drugs (which are generally ingested) and medical devices which are generally used outside of the body for diagnostic or treatment purposes.

More particularly, a medical device is an instrument, apparatus, implant or similar or related article that is used to diagnose, prevent or treat disease or other conditions, and does not achieve its purposes through chemical action within or on the body.

On the other hand, drugs achieve their principal action by pharmacological, metabolic or immunological means.

So far so good.

The problem arises when we have reached the point where in a totally safe way (a cheek swab), we are able to obtain enough genetic information to be able to assess the genetic makeup of an individual. The twofold advantage with this technology (in no particular order of significance as I am not sure which is more important) is that individuals are able to gain insight into their personal health, and the data can be aggregated and analyzed allowing for an unprecedented view into our collective health. Both these areas have the potential to yield significant personal comfort and preservation of health, as well as a better understanding of both the role of genetics and the relationship between possible predisposition and incidence of numerous medical issues, which ultimately may point us in the direction of prevention or cure.

In fact, one company, 23andMe, is and was able to complete a relatively low cost genetic analysis that was available to individual consumers and allowed for the aggregation and analysis of data.

There seems to be little doubt that this type of testing does not pose any safety issue. The FDA, however, has determined that by definition it is a MEDICAL DEVICE,and therefore not only must the safety of this service be proven (which is apparently not a problem) but that 23andMe has not yet proven the efficacy of its broad rangetesting.  As a result, in 2013 the FDA issued a demand that 23andMe stop marketing its personal genome service.  The FDA allowed 23andMe to continue marketing the service to possibly help find customers’ relatives – if they were in the database.

As this service is available in Canada, a visit to the Canadian 23andMe website is extremely informative and sets forth that its genome service covers more than 40 inherited condition reports, more than 10 drug response reports, more than 10 genetic risk factor reports, and more than 40 reports relating to varioustraits.

On the other hand, the FDA might be concerned that the information should not be handed over to patients without an interpretation by a physician.  The two answers that come to mind are either to require prominent labeling (it can’t be worse than cigarettes) or to recognize that there is virtually nothing (meaningful or of FDA concern) that a person can do with the information without enlisting the services of a physician.

It is beyond the scope of the article to explain how these reports can and should be used, however the 23andMe website is straightforward.  In addition, I think that when giving patients access to their medical records, it must be assumed that people have a certain minimum level of native intelligence.

Apple (yes, the iPhone, iPad, iWatch company) is also entering this arena with its recently announced ResearchKit, which will aggregate data from individual participants.  Apparently, there is a real possibility that allowing this type of activity may actually inure to the benefit of the general public.

The FDA may finally have realized the possibility that its stand and reasoning was somewhat flawed as it announced in February 2015 that it would allow the direct marketing by 23andMe of a specific test for Bloom Syndrome to the general market.  There are also indications that in the future, the FDA may allow other tests to be marketed directly.  There is no protocol in place for this process, however, nor is there any indication of how long it will take. Clearly, it is a meaningful first step, but I think it really misses the point.

How many millions of dollars – how many years – and how much lost opportunity will we suffer, either directly or through opportunity cost (the lost time in which substantive progress could have been made) because the FDA worldview is not keeping pace with medical technology?

As a lawyer, I may not have the educational background that many of my readers who are more closely allied with the medical/Pharma world may have. In addition, I am sure that there are many differing perspectives on this issue.

My basic question is if the FDA, which is functionally charged with determining the efficacy of drugs and medical devices, should be subjected to a similar examination with respect to the efficacy of the guidelines under which it currently operates?

What do you think?

Please like & share:

Nurses make fun of their dying patients. Is that ok.

Nurses

The linked article in the Washington Post raises an interesting question, namely, if it is appropriate for dark humor in a medical setting to possibly offset the difficulties inherent in dealing with the sick and infirm. The question may in fact be a little deeper, namely, if it is appropriate to enact myriad rules and regulations that may generally have a negative effect in the hopes of protecting a few instances where through unintended consequences, third parties are offended. I thought the article was thought-provoking and would love to hear what you think.

http://www.washingtonpost.com/opinions/2015/04/13/18ecc874-d309-11e4-ab77-9646eea6a4c7_story.html?hpid=z2

Please like & share:

What Is an Elephant? – An Ant Built to
Government Specification

Elephant

When I was a lot younger, the title to this post was a joke that was often bandied about.

It is entirely possible, however, that the new elephant is what covered entities and/or business associates (which, for purposes of brevity I will refer to as covered entities) must be ready for with respect to HIPAA audits.

The notion that health information should be held private has metastasized into a set of requirements and protocols that have the capacity to virtually capsize any small-to- medium sized covered entity unless it places significant resources, effort and focus on compliance.

Failure to do so is essentially playing Russian roulette with your practice, company or entity.

I am generally not an alarmist, but the apparent lack of awareness of the parameters of the regulatory landscape causes me to take pause. In this article, I will address two of the 168 enumerated sections of the current draft of what OCR has set forth as the HIPAA Audit protocols. As an aside, advance notice has already been given that there is an updated set of protocols being prepared that will reflect the Final Omnibus Rule. I think it is fair to assume that the new protocols will not be any less cumbersome than the current list. Much to the contrary, the prevailing view is that it may be even more detailed.

Of the 169 current items, there are issues that relate to Security (78), Privacy (81), and Breach (10).

Within these three classifications, though, 40 are required, 27 are addressable, and the remainder are n/a as they deal more with what the auditors have to contend with than with what the covered entity has to do.

If this is not enough, “addressable” does not really mean optional in the typical sense of the word, as failure to address the issue must be accompanied with a reason why it was not addressed.

Rather than write in the abstract, I thought it would be much more productive to take the first required/security item as well as the first addressable/security item in the protocols and try to parse out what the regulations, protocols and ultimately the auditor will be looking for (the information in the boxes is from the HHS website).

Number 1

Section Established
Performance
Criteria
Key
Activity
Audit Procedures Implementation
Specification
HIPAA
Compliance
Area
§164.308 §164.308(a)(1):
Security Management Process §164.308(a)(1)(ii)(a) – Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
Conduct Risk Assessment Inquire of management as to whether formal or informal policies or practices exist to conduct an accurate assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. Obtain and review relevant documentation and evaluate the content relative to the specified criteria for an assessment of potential risks and vulnerabilities of ePHI. Evidence of covered entity risk assessment process or methodology considers the elements in the criteria and has been updated or maintained to reflect changes in the covered entity’s environment. Determine if the covered entity risk assessment has been conducted on a periodic basis. Determine if the covered entity has identified all systems that contain, process, or transmit ePHI. Required Security

I will not repeat what has already been set forth with respect to conducting a risk assessment. It is important, however, to note the following:

  1. The potential risks and vulnerabilities will vary significantly from one organization to another. This is not a one-size-fits-all document. As such, in order to comply with this requirement/protocol, it is important to have a real and thorough assessment of the physical layout of the operation, as well as a thorough understanding of how and where ePHI is stored and how it is communicated. Without a data map, it might prove difficult to be able to properly set forth the risk assessment. There are many things we understand but are very difficult to put to paper. For example, most people know how to tie their shoes, but if directed to write the various steps involved in this well understood activity, it would be a daunting task. In very general terms, you may know where your data is stored, but detailing this information with the required degree of specificity in a risk assessment may prove to be a very different story.
  1. Completing a risk assessment is apparently not enough. Not only do actual changes in the operation of the entity require updates of the risk assessment, the auditor is tasked with determining if the covered entity has conducted a risk assessment on a periodic basis, and if the assessment identified ALL systems that contain, process or transmit ePHI. It would seem that doing it the first time is the most difficult, but this is something that has to become part of the entity’s routine operation.

Let’s jump to the first “addressable” security requirement

Section Established
Performance
Criteria
Key
Activity
Audit
Procedures
Implementation
Specification
HIPAA
Compliance
Area
§164.308 §164.308(a)(3)(ii)(A):
Workforce security – Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.
Implement Procedures for Authorization and/or Supervision Inquire of management as to whether the level of authorization and/or supervision of workforce members has been established. Obtain and review the entity’s organizational chart or other formal documentation and evaluate the content in relation to the specified criteria to determine the existence of chains of command and lines of authority. If the covered entity has chosen not to fully implement this specification, the entity must have documentation on where they have chosen not to fully implement this specification and their rationale for doing so. Addressable Security

Once again, I will not repeat what has already been stated except to point out that in order to address this issue documentation is required.

Either an organizational chart or similar documentation is necessary relating to a covered entity.  In addition, workforce members that need access to ePHI to carry out their duties must be identified. For each workforce member or job function, the covered entity must identify the ePHI that is needed, when it is needed, and make reasonable efforts to control access to the ePHI. Covered entities must provide only the minimum necessary access to ePHI that is required for a workforce member to do his or her job.

For addressable implementation specifications, covered entities must perform an assessment to determine whether the specification is a reasonable and appropriate safeguard in the covered entity’s environment. After performing the assessment, a covered entity decides if it will employ the addressable implementation specification, utilize an equivalent alternative measure that allows the entity to comply with the standard, or not implement the addressable specification or any alternative measures if equivalent measures are not reasonable and appropriate within its environment. Covered entities are required to document these assessments and all resulting decisions.

Factors that determine what is “reasonable” and “appropriate” include cost, size, technical infrastructure and resources. While cost is one factor entities must consider in determining whether to implement a particular security measure, some appropriate measure must be effected. An addressable implementation specification is not optional, and the potential cost of implementing a particular security measure does not free covered entities from meeting the requirements identified in the rule.

Once again, this protocol is probably not a “do it once and file it away” issue.
My analysis is far from comprehensive, and is not meant to convey any legal advice or opinion.  At a practical level, a great deal of how an audit plays out depends on the totality of circumstances (including if the audit is random or precipitated by a breach), the totality of compliance, and the general preparedness of the company.
The purpose of this article is to delicately scratch the surface of what a HIPAA audit may include and alert readers that failure to take a very serious look at the requirements and prepare accordingly is essentially playing Russian roulette.
The good news is that there are many qualified consultants and/or lawyers that can be very helpful. It is important to remember that one advantage a law firm brings to the table is attorney/client confidentiality, which in many cases is an extremely important protection.

Please like & share:

HIPAA Audits – Imagine Tax Payments without IRS Audits

audit

We can probably all agree that no one (except possibly accountants) looks forward to an IRS audit. At its most elemental level, there is virtually no upside, a possible downside and a deep feeling that, at best, it will disrupt our lives.

HIPAA audits are essentially no different.

One major difference is that for almost all taxpayers, the idea and the real possibility of an audit existed when they filled out their tax returns. With respect to HIPAA, initially enacted approximately 20 years ago, there was (and, in some cases, still is) some mental block or disconnect regarding audits, penalties, and fines for noncompliance — choose one.

For a little historical background, HIPAA was enacted as a broad Congressional attempt at healthcare reform; it was initially introduced in Congress as the Kennedy-Kassebaum Bill.  The landmark Act was passed in 1996 with two objectives.

  1. One was to ensure that individuals would be able to maintain their health insurance between jobs. This is the Health Insurance Portability part of the Act. Because of its successful implementation, it has become “part of the system” and does not get much coverage.
  2. The second part of the Act is the “Accountability” portion. This section is designed to ensure the security and confidentiality of patient information/data.

Over the years, there have been many additions, clarifications and new portions added to this legislation. All of the changes and details are far beyond the scope of this post; that said, I will list a few.

HIPAA Requirements – Security
Compliance Date – April 20, 2005

The HIPAA Security Rule became effective on April 20, 2005. The Security Rule standards define how we are to ensure the integrity, confidentiality, and availability of our patients’ electronic protected health information (ePHI). The Security Rule requires that we have administrative, physical and technical safeguards for protecting ePHI.  Some (but clearly not all of the ) examples are:

Administrative Safeguards:

  1. Assigning or delegating security responsibility to an individual – Chief Security Officer.
  2. Training workforce members on security principles and organizational policies/procedures.
  3. Terminating workforce members’ access to information systems.
  4. Reporting and responding to security incidents.

Physical Safeguards:  mechanisms to protect electronic systems, equipment and the data they hold from threats, environmental hazards and unauthorized intrusion.

  1. Limiting physical access to information systems containing ePHI (i.e. server rooms).
  2. Preventing inappropriate viewing of ePHI on computers.
  3. Properly removing ePHI from computers before disposing or reusing them.
  4. Backing up and storing ePHI.

Technical Safeguards:  automated processes used to protect data and control access to data.

  1. Providing users with unique identifiers for accessing ePHI.
  2. Accessing ePHI during an emergency.
  3. Encrypting ePHI during transmission.
  4. Automatically logging off users after a determined time period.

Patient Privacy/Security and Technology
As we use technology to improve patient care, we are faced with additional challenges to protect patient information from unauthorized use and disclosure.

In February 2009, the Health Information Technology for Economic and Clinical Health Act (“HITECH”) was enacted as part of the American Recovery and Reinvestment Act of 2009 (“ARRA”). HITECH makes significant changes to HIPAA’s administrative simplification provisions pertaining to privacy and security, including notifying individuals (and in some instances, media outlets) when there has been a privacy/security breach.

Previously, covered entities (healthcare providers, health plans and healthcare clearinghouses) were obligated to mitigate harm caused by unauthorized disclosures of protected health information (“PHI”), but not required to give notice to the individuals whose information was inappropriately disclosed. With HITECH, covered entities and business associates are required to notify individuals when security breaches occur with respect to “unsecured” information. Unsecured information means information not protected through technology or methods designated by the Federal government. In addition, if the breach involves 500 or more individuals, notice to the U.S. Department of Health and Human Services and the media is also required. Depending on the number of people affected by the breach, the time to report the breach changes as well.

While very large healthcare providers have been forthcoming with respect to breach notification, and other providers have been caught when information was breached, we have not yet really had an audit process that would significantly motivate medical providers (especially smaller organizations) to deal with these laws/regulations with the same attention they might give their tax returns. It is only natural that people act based on the consequences of their actions. That is not to say that we should not take the laws seriously, but human nature is still human nature. If I am wrong, the IRS would have no need to audit taxpayers.

To that end, a pilot program was initiated to develop protocols and evaluate HIPAA COMPLIANCE of 115 covered entities. In addition, the methodologies employed in ascertaining compliance were also audited for their effectiveness. In the fourth quarter of 2011, 20 covered entities were selected and received a letter requesting documents, and thereafter on-site reviews began in the first quarter of 2012.

The audit protocol is available at

www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html

Subsequently, more entities were audited, and the result of the phase one findings (in this case, findings are not good) showed that approximately 11% of the 115 entities had no findings.  The 11% were comprised of two providers, two clearinghouses and nine health plans.

Additionally, 60% of the findings related to security, which were more than privacy and breach notification findings. This is actually reasonable considering that every entity has security obligations but not every entity has a breach or a breach notification issue. The same rationale applies to privacy issues.

Providers had 65% of the findings and observations although they were only 53% of the entities reviewed.

The frightening part is that the smaller entities had issues with everything.

With respect to security, two-thirds of the entities did not have complete or accurate risk assessments. The other problem areas for providers ran the gamut of issues.

In cases where there were breaches, notification to individuals was the biggest issue.

What we can expect in 2015?

OCR will contact approximately 550 to 800 covered entities for pre-audit surveys; it will use the survey results to select 350 covered entities for an audit. Those entities will have to identify their business associates and provide contact information, at which point OCR will select business associates for audit.

OCR plans to conduct on-site audits as well as desk audits which will be presumably staffed by OCR.

Entities will have two weeks to respond to data requests. All information submitted must be current as of the date of the request. Therefore, after an entity receives a request, it should not then begin to review and update its HIPAA policies and practices. Failure to respond to the request may lead to referral for a compliance review.

It is difficult to know how quickly this will be rolled out in 2015.

There are many entities that should be preparing themselves, as there are many law firms, consultancies and other entities that are gearing up to provide assistance to (virtually) the full vertical of medical coverage that could be subject to this ever-increasing audit regimen.

From a practical perspective, the more audits, the more fines, the more money, the greater expansion of audits.

A word of caution — this article is not meant to offer any legal advice, does not represent the totality of legal/regulatory requirements, the scope of the audits, compliance or remedial measures that entities should take.  In addition there may be state laws and regulations that come into play.

The real concern is that the smaller practices or covered entities may be caught totally off guard. These laws are an important component of the operations of these entities. In sum, it is the new reality.

Please like & share:

Emerging Medical Care – Check the Box or Check the Patient

Emerging Medical Care

A central component of healthcare reform in general and the ACA in particular is creating new efficiencies in the system. It is readily apparent that the powers-that-be believe that if enough data is aggregated and crunched, new (and almost unimagined) efficiencies will be obtained.

The fact that too many doctors are complaining that their time and energy is being misappropriated from patient interaction and clinical care to administrative functions seems to be the cost of doing business. A real question is if the cost of aggregation of data and the ultimate hope for efficiencies are worth the distraction that doctors are complaining about. In particular, my question is if diverting doctors from today’s clinical care and a climate of reduced reimbursement is worth the expected efficiencies (projected lower future costs.)

I believe, however, that there is a second more important question which speaks to apparent differing views of the practice of medicine.

The traditional view seems to have been that while, on the one hand, medicine was driven by science and research, breakthroughs in medicine were driven by these scientific breakthroughs, new medicines, the development of new medical devices, and new treatment methodologies, on the other hand, there was also a significant overlay of intuitive medicine. The traditional view thoroughly embraced the idea that medical treatment was determined by a physician’s innate ability to integrate numerous facts, assess what they heard from the patient, compare it with their objective findings and arrive at a diagnosis and a course of treatment.

The modern ( governmental) view seems to embrace a philosophy that medicine can be broken down into drop-down screens (of which a doctor must choose) and an ever increasing level of diagnosis and treatment codes so that the aggregation of data (and in this case, the patients) must fit into highly defined predetermined slots.

As a small example, I decided to take an illustration of what I thought was already a very limited diagnosis for depression or anxiety in ICD-9 and show what it has morphed into with ICD 10. Frankly, doctors will now have to choose a needle in the haystack in order to better accommodate our apparent need for very detailed classifications for data aggregation.

V61.3 Problems with aged parents or in-laws
This is the ICD-9 code
2015 ICD-10-CM

Z63.1 – Problems in relationship with in-laws
This is the ICD 10 code

Other related ICD 10 codes that are similar

Z63.0 Problems in relationship with spouse or partner
Z63.31 Absence of family member due to military deployment
Z63.32 Other absence of family member
Z63.9 Problem related to primary support group

Need I say more?

The answer is unfortunately, there is more to be said because there are a number of potentially problematic outcomes:

  1. Doctors are forced to choose exact diagnoses, and it appears that the records will not contain and/or credit more than a certain number of ICD codes, which means that if there are more contributory issues, data will be aggregated that does not take those “outlier” issues into account.
  1. After limiting the physician, patients will then be held hostage to the outcomes of the diagnoses that they do not necessarily agree with but were forced into. In an effort not to be cryptic, the global plan is to move from fee-for-service reimbursement based on outcome. If the outcomes are measured against diagnoses (that may be flawed at least in part) the new reimbursement system and by definition the healthcare system, may be materially flawed.

One might argue that the position I’ve taken is too extreme because doctors can always write notes. The fact that these notes will not go into the data aggregation/reimbursement model is not of primary importance.

The problem is that even the proponents of a paradigm shift in the practice of medicine recognize that it is important to have doctors’ notes. In fact, they already realize that in certain cases (as in home care ), we need very detailed and specific notes of the doctors’ encounter with the patient who seemingly needs home care.

In an effort to reconcile the need for detailed notes and the extreme interest in uniform data, CMS made significant changes to the face-to-face encounter documentation requirements by eliminating the physician narrative requirement for most home health services for care episodes beginning on or after January 1, 2015. In making this change, CMS stated that the medical records of the certifying physician or the acute/post-acute care facility (if a patient in that setting was directly admitted to home health) must contain sufficient documentation to support the physician’s certification of patient eligibility for home health services, and to that end they have supplied a template with very detailed notes when the doctor has to check the box.

http://www.cms.gov/Research-Statistics-Data-and-Systems/Computer-Data-and-Systems/Electronic-Clinical-Templates/Downloads/eclinicaltemplatev41.pdf

For those of you who are not able to, or choose not to follow the link, it is a five-page document requiring the patient’s biographical data, and a check-the-box substitution of what would otherwise be very detailed notes.

As early as 2011, IBM was working with their supercomputer “Watson” towards the ultimate goal of having the machine which beat Jeopardy experts accurately formulate diagnoses. Reports from 2011 indicated that even at that time, there were already computer programs that were far better at diagnoses than Watson.

Are we heading towards a day where rather than seeking a referral from a doctor to a specialist, patients will go to their computers, enter their symptoms and be given a diagnosis and either a prescription or a referral to a doctor?

I know this sounds far-fetched, but on the other hand, if it does happen I’m sure people will look back and say the writing was on the wall.

I am fearful that this is the wave of the future, that the age-old intuitive medicine will be replaced by a national medical practice driven by algorithms, artificial intelligence, statistical analyses and computer science, which will be boiled down to the digital/ministerial practice of medicine. Patients and/or doctors will be taking direction from machines.

I hope I am wrong.

What do you think?

If you think this article is worthy of comments, please share it with your connections.

Please like & share:

Breast Implants and Cancer – the disease looking for a cause

Woman looking trough a loupe

As a predicate matter, I do not mean to in any way negate the horrible anguish, devastation or pain-and-suffering endured by cancer victims and their families.

Although I am not a doctor and I am not a scientist (just an attorney), it appears that there is an apparent need for people to have someone or something to blame for this devastating disease.

I recently read a bulletin from a law firm claiming that it is extremely worrying that the number of incidences of breast implants related to anaplastic large cell lymphoma (ALCL) has risen sharply since the first reported case. This statement was made with respect to approximately 150 women who have been diagnosed with cancer allegedly related to implants.

While my heart goes out to any cancer victim and/or their families, ALCL is an extremely rare form of cancer which is estimated to affect one in 500,000 women. Initial evidence dismissed the link between ALCL and breast implants. Thereafter, in 2011, the FDA embarked on a review of the available data and concluded that there is a POSSIBLE association between breast implants and ALCL, although it is strangely rare. In fact, it was not possible to confirm with statistical certainty that breast implants caused ALCL and was not possible to identify (a) the type of implant (silicone versus saline,) or (b) the reason for implant (reconstruction versus aesthetic) that could be associated with either greater or smaller risk. Bottom line, it is a very rare form of cancer, and the big WHY of cancer still looms large.

The problem with many of these news releases is that they are likely to fuel victims and their families who alternatively blame or sue their doctors. It is unfortunate that:

  1. When a person is met with an undesired outcome (particularly with respect to medical care), he/she feels that there must be someone to blame, which in the case of medicine, is generally the doctor.
  1. Even when individuals are advised of particular risks, they stay focused on the benefits (perceived or real) until they are confronted with the risks about which they were warned.
  1. Item 2 above exists with virtually every drug and medication we take, but we generally ignore all of the accompanying warnings.
  1. When doctors advise patients about the risks inherent in various procedures, patients think that those risks happen to other people.
  1. Number 4 above is especially so in the case of aesthetic surgery e.g. breast augmentation. Let’s face it, whatever the motivation or benefit (perceived or real), the possibility of the risks involved in any surgery or anesthesia are not front and center in a patient’s mind.

Clearly, informed consent is necessary, but that does not negate the risks of medication and/or surgical procedures. Apparently, it also does not in any way limit the various studies and finger-pointing with regard to cancer.

A recent study has purportedly linked increased risk of bladder cancer to “meat related compounds” including nitrate and nitrite. In the NIH – AARP Diet and Health Study, Cancer August 2010, 854 transitional cell bladder–cancer cases were found among the over 300,000 men and women enrolled in the 1995 NIH – AARP Diet and Health Study. The results indicate that in comparison to the people who ate the least amount of processed red meat, the top 20% of red meat-eating participants had a 30% greater risk of contracting bladder cancer. In this case, absent mandated warnings on red meat, it is based on personal lifestyle choices.

The Harvard School of Public Health documented 2,830 cases of breast cancer during 20 years of follow-up of 88,803 premenopausal women and concluded that on the one hand, there were higher risks of breast cancer among the people who had higher red meat intake, while on the other hand, higher intakes of poultry, fish, eggs, legumes and nuts were not related to breast cancer overall. Once again, this relates to personal choice. The authors of the study reported that “each serving per day increase in red meat was associated with a 13% increase in risk of breast cancer, acknowledging that “this is relatively small risk” but “the absolute number of excess cases attributable to red meat intake would be substantial and thus a public health concern.” Not surprisingly, they suggested replacing red meat with legumes and poultry per the American Cancer Society dietary guidelines.

A Johns Hopkins study was recently published in the journal Science, which indicated that two-thirds of cancer incidence of various types can be blamed on random mutations and not heredity or risky habits like smoking. It is important to note that breast and prostate cancer were excluded from the study. The study looked at 31 types of cancer and found that 22 of them including leukemia, pancreatic, bone, testicular, ovarian and brain cancer could largely be explained by these random mutations, which are essentially nothing more than bad luck.

The other nine types, including colorectal, skin cancer (basal cell carcinoma) and smoking-related lung cancer were more heavily influenced by heredity and environmental factors like risky behavior or exposure to carcinogens.

Overall, 65% of cancer incidence was attributed to random mutations in genes that can drive cancer growth.

Once again, I do not mean to minimize the pain, anguish and agony of cancer victims or their families, but it appears to be a disease looking for a cause, and in many cases, people looking for someone to blame.

What do you think?

 

Please like & share:

$8+ Million Dollar Verdict against a Concierge Medicine Company – Anomaly or Game Changer?

Jury

I recently saw a very short report about this Florida case, Beber v. MDVIP, and commented on it. Considering the importance and far reaching implications, however, I took a closer look and realized that it is important for lawyers, doctors and other professionals in the healthcare arena to have a more detailed understanding of the facts and the possible ramifications.

The underlying facts are pretty straightforward; the questions and possible implications are not. In order to fully understand the nuances, I think it important to understand certain details.

The late Joan Beber sought treatment from Dr. Metzger, a concierge physician affiliated with MDVIP. Depending on whose story you believe, there were either intervening complications or Dr. Metzger failed to timely/accurately diagnose the issue. Accordingly, Ms. Metzger required a leg amputation in 2008, and passed away four years later (in 2012).

At that time, MDVIP charged patients $1,500 per year and offered a marketing service for doctors and paid those doctors for patient checkups. MDVIP has developed a very sizable base of doctors and patients.  Its annual rate has risen to $1,600 and it currently has 784 enrolled doctors and derives annual revenue of approximately $700 million dollars according to some reports

Before the trial, Dr. Metzger settled with respect to malpractice, but the case went forward primarily relating to MDVIP.

Most of the various causes of action brought against MDVIP were that it was responsible for the malpractice of Dr. Metzger and other medical professionals, that Dr. Metzger (and thereby, MDVIP) failed to timely seek the intervention of a vascular surgeon, that Ms. Beber’s husband (former General Counsel of W.R. Grace) wanted his wife treated at a hospital  to which Dr. Metzger did not have admission privileges, and maybe most importantly, that there was an implied promise on the part of MDVIP that far surpassed the level of “reasonable care” and required MDVIP  to provide “exceptional doctors, exceptional care and exceptional results.” The argument of this enhanced and (in this writer’s opinion) ill-defined standard renders virtually any result that turned out less than ideal to fall short of the care that was allegedly promised. In essence, that was the argument made by plaintiff’s counsel in their closing statements by saying that “exceptional doctors and exceptional care” might in the case of the stage four cancer patient be able to provide another month of life with a higher quality of life, but in this case fell short of what was promised. The implicit argument was that short of an illness where the result is inevitable, there was a promise of quasi-perfection.

I have read some of the available promotional literature, reviewed the fifth amended complaint, the MDVIP contract with the physician, as well as the patient membership agreement with MDVIP and (while I have not read all of the trial exhibits or viewed the totality of the trial) it appears that this argument may have played well with the jury, but it’s not really supported by the documentation or objective common sense.

As an example, the MDVIP agreement stresses that “Your Affiliated Physician’s limited practice size also enables your Affiliated Physician to provide conveniences such as same or next day appointments that start on time, unhurried visits, 24/7 availability via personal pager or cell phone, and enhanced coordination of specialist care at no additional charge to you.” I did not see any indication that the doctors chosen would be subject to an almost impossible standard of care.

Paragraph 8 of the membership agreement, however, did say “Entire Agreement. The undersigned agrees to the terms of this agreement all of which are expressed herein. There are no promises or representations except as set forth herein.”

It is significant to note that in Article 18 of the agreement between MDVIP and the physician (Metzger) it states that “physician acknowledges that and the VIP shall not have or exercise control or direction over the method by which physician or physician’s personnel perform any work or render where he/she performs any services or functions.” This further raises the question how MDVIP was held responsible for the actions or inactions of one of its physicians. The fact that it could oversee does not mean it could control.

The plaintiffs hammer away at this alleged enhanced standard of care. Frankly, I always thought and still think that concierge medicine obtains its fees because of the limited number of patients a doctor may have, and the 24/7 availability/rapid scheduling of appointments. It is the patient’s choice and responsibility to select the doctor of his/her choice.

Of course, the prosecution spoke about all of the marketing efforts done by MDVIP, and the jury was faced with the fact that someone had died despite the reality that there were apparently conflicting expert reports, and as the defense pointed out in its closing arguments, it would be unfair to play Monday morning quarterback.

Ultimately, the jury came back with a verdict comprised of:

Joan Beber
Past medical expenses, whole modifications – $536,285.91
Bodily injury, pain and suffering, loss of capacity for enjoyment of life – $8 million

Robert Bieber
Loss of wife’s comfort, society and attention – $2
Loss of services – $3,001

Apparently, there is an additional line item for attorney’s fees and possible interest.

Various reports indicate that although Dr. Charles Metzger was found to be 95% negligent and Netanial Lowen was found to be 5% negligent, the above stated verdict of $8,539,001 ($8,539,288.91?) would be fully attributable to MDVIP.

It appears that a lot of the blame laid at MDVIP’s feet was with respect to its alleged promise of exceptional doctors and exceptional care. In my opinion, that does not rise to medical malpractice only possibly puffery, or at worst, false advertising for which the verdict seems to be unusually excessive as it related to MDVIP.

I think that if this case goes up on appeal the verdict may not survive.

This case, however, raises a number of significant questions:

  1. Will this verdict in any meaningful way change the emerging trend towards concierge medicine, which basically offers easier access to doctors, easier interaction and more face-to-face time with the doctor?
  1. Will this case negatively impact those entities that try to develop a brand name and act as a marketing agency for independent contract doctors, relegating concierge medicine to independent practices that used to go that route? The course of an independent practice to undertake marketing and adoption as a concierge practice, though, faces considerable obstacles.
  1. If an independent practice wishes to go the route of concierge medicine where it directly collects the fee (which ultimately includes marketing and other associated expenses), this may raise significant issues if those charges are additional fees in excess of insurance recovery, which based on most contracts, is not allowed, and therefore, it may effectively limit concierge medicine to those very few and rarified doctors who do not accept any insurance.
  1. Will concierge medical companies have to have a disclaimer that “our network does not assure you of any better treatment or outcomes than if you took a list of doctors and blindly threw a dart at the wall?” While this may sound absurd, the following question may put it into perspective.
  1. An insurer advises prospective applicants that the doctors in its group have been carefully screened (credentialed) and those doctors have demonstrable records and exhibit the qualities that patients deserve, or some other complimentary language. Will the insurer now be liable for medical malpractice and be held to some higher standard because they were paid and made some representation?

There is an old legal adage that bad facts make bad law.

From my limited inquiry into this case, I believe that a jury may have focused on some sales puffery and viewed it as false advertising, and then raised it to a higher order of magnitude where they made what was essentially a marketing company liable for malpractice.

What do you think?

Please like & share: