Category Archives: MZA

Seven Noteworthy HIPAA Breaches & the Recent Enforcement Actions

Puzzle words

The following unlucky seven were subject to substantial fines. The costs associated with defending the audit, negotiating the settlement and the cost of implementing the invariable forward-going consent agreements/corporate action plans (CAP), however, are separate and above (and often higher) than the reported fine.

These cases range from relatively small to admittedly large breaches, from the unlikely event to situations that could happen to any entity without implementation of well thought out and vigorously monitored policies and procedures.

In my next post, I will detail one of the most burdensome consent agreements I have ever seen, namely, the Corporate Integrity Agreement between the Office of Inspector General of the Department of Health and Human Services and Nason Medical Center.

It is evident that the ever increasing enforcement of HIPAA and the Omnibus Rule, as well as both the increased use of electronic data and the commonplace reports of mass data breaches are forcing Covered Entities (CE) and their business associates (BA) to increase the resources dedicated to compliance with the Omnibus Rule.

1.    Cornell Prescription Pharmacy ($125,000)

The Denver compounding pharmacy will pay this fine after HHS learned of the potential HIPAA violations from a television news report that PHI was improperly disposed of after a garbage dumpster with un-shredded PHI was discovered. Cornell also agreed to develop and implement a comprehensive set of policies and procedures to comply with HIPAA rules, and to provide staff training. OCR Director Jocelyn Samuels stated that “Regardless of size, organizations cannot abandon protected health information or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons.”

2.    Anchorage Community Mental Health Services, Inc. ($150,000)

Malware compromised the security of ePHI due to a failure to update software patches as well as unsupported software.

HHS Office for Civil Rights (OCR) received notification from ACMHS, a non-profit, regarding a breach of unsecured electronic protected health information (ePHI) affecting 2,743 individuals due to malware compromising the security of its information technology resources. It was later determined that ACMHS had not timely installed patches to its software as mandated by its very own policies and procedures. The takeaway is that entities are not only required to follow the regulations, but they are also being held accountable for compliance with their own policies and procedures.

3.    Parkview Health System ($800,000)

OCR opened an investigation after receiving a complaint from a retiring physician alleging that Parkview had violated the HIPAA Privacy Rule. In September 2008, Parkview took custody of medical records pertaining to approximately 5,000 to 8,000 patients while assisting the retiring physician to transition her patients to new providers, and while considering the possibility of purchasing some of the physician’s practice.  On June 4, 2009, Parkview employees, with notice that the physician was not at home, left 71 cardboard boxes of these medical records unattended and accessible to unauthorized persons on the driveway of the physician’s home, within 20 feet of the public road and a short distance away from a heavily trafficked public shopping venue. Parkview entered into a one year corrective action plan without admission of any wrongdoing.

4.    NY Presbyterian Hospital and Columbia University Medical Center ($4.8 million)

An investigation revealed that a breach was caused when a physician employed by Columbia University Medical Center who developed applications for both New York  Presbyterian Hospital  and CU attempted to deactivate a personally-owned computer server on the network containing NYP patient ePHI. The noteworthy point is that it seems that the person who caused the breach had all the right intentions but the result was catastrophic.

Because of a lack of technical safeguards, deactivation of the server resulted in ePHI being accessible on Internet search engines. The entities learned of the breach after receiving a complaint by an individual who found the ePHI of the individual’s deceased partner, a former patient of NYP, on the Internet. Another noteworthy point is that knowledge of a breach is often only discovered by the breaching entity after receiving reports from third parties. This general situation was confirmed to me by an FBI cybercrime agent.

In addition to the impermissible disclosure of ePHI on the Internet, OCR’s investigation found that neither NYP nor CU made efforts prior to the breach to assure that the server was secure and that it contained appropriate software protections.  Moreover, OCR determined that neither entity had conducted an accurate and thorough risk analysis that identified all systems that access NYP ePHI.  As a result, neither entity had developed an adequate risk management plan that addressed the potential threats and hazards to the security of ePHI.  Lastly, NYP failed to implement appropriate policies and procedures for authorizing access to its databases and failed to comply with its own policies on information access management.

NYP has paid OCR a monetary settlement of $3,300,000 and CU paid $1,500,000, with both entities agreeing to a substantive corrective action plan which includes undertaking a risk analysis, developing a risk management plan, revising policies and procedures, training staff and providing progress reports.

5.    Concentra Health Services ($1,725,220)

OCR opened an investigation following a reported breach that an unencrypted laptop containing the ePHI of 870 individuals was stolen from one of its facilities, the Springfield Missouri Physical Therapy Center.

The investigation found that Concentra had previously recognized, in multiple risk analyses, that a lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing electronic protected health information was a critical risk.  While steps were taken to begin encryption, Concentra’s efforts were “incomplete and inconsistent over time,” according to an HHS press release, leaving patient PHI vulnerable throughout the organization.

Essentially, Concentra did not sufficiently implement policies and procedures to prevent, detect, contain, and correct security violations under the security management process standard when it failed to adequately execute risk management measures to reduce its identified lack of encryption to a reasonable and appropriate level from October 27, 2008, (date of Concentra’s last project report indicating that 434 out of 597 laptops were encrypted) until June 22, 2012 (date on which a complete inventory assessment was completed and Concentra immediately took action to begin encrypting all unencrypted devices).

Concentra did not make any admissions of liability but entered into a CAP – corrective action plan.

6.    Adult & Pediatric Dermatology, P.C. ($150,000)

An investigation of Adult & Pediatric Dermatology was initiated upon receiving a report that an unencrypted thumb drive containing the electronic protected health information (ePHI) of approximately 2,200 individuals was stolen from a vehicle of one its staff members. The thumb drive was never recovered.  The investigation revealed that A&P Derm had not conducted an accurate and thorough risk analysis as part of its security management process.  Further, it did not fully comply with requirements of the Breach Notification Rule to have in place written policies and procedures and train workforce members. It did not admit liability and entered into a CAP.  The takeaway is that the use of thumb drives to store ePHI is inherently problematic and the use of unencrypted storage devices is courting disaster.

7.    Affinity Health Plan, Inc. ($1,215,780)

OCR’s investigation indicated that Affinity impermissibly disclosed the protected health information of up to 344,579 individuals when it returned multiple photocopiers to a leasing agent without erasing the data contained on the copier hard drives. In addition, the investigation revealed that Affinity failed to incorporate the electronic protected health information stored in copier’s hard drives in its risk analysis as required by the Security Rule, and accordingly failed to implement policies and procedures when returning the hard drives to the companies from whom it leased its copiers.  Affinity did not admit liability and entered into a short term CAP.  The takeaway is the required scope, detail and individual nature of the required risk analysis.


About Mendel Zilberberg:

An attorney, visionary and entrepreneur admitted to practice in New York, New Jersey and Florida who has represented and counseled clients with nationwide interests in many areas of the healthcare arena.

The use of ePHI is growing exponentially, the likelihood of a breach is ever increasing, and the regulating authorities are ramping up their audit/enforcement programs.  Covered Entities (CE) and Business Entities (BA) must understand the importance of maintaining the integrity of ePHI, compliance with the relevant regulations as well as thoroughly understand the potential consequences for non-compliance. 

CALIFORNIA CASE – Aetna Life Insurance Company Vs Bay Area Surgical Management –1-12-CV-217943, Superior Court of California, County of Santa Clara


The world has not changed. Medical insurers try to maintain healthy profits by, in part, keeping reimbursements to medical providers as low as possible. On the other hand, medical providers try to get a fair shake based on their education, specialization, financial risk and hard work. Part of the insurer’s strategy is to negotiate rates with medical providers at levels that they often say is patently unfair, and therefore when the medical providers are not bound by the network contracts, they rightfully seek much higher reimbursement. Obviously the insurers bristle at the higher fees charged for out of network medical care.

This “tug-of-war” has resulted in a number of lawsuits throughout the United States that underscore the ying and yang, raise questions about the propriety of waiving co-pays and deductibles, as well as the propriety of using patients as leverage against the insurer’s.


Recently, Aetna sued several California surgery centers for an alleged “fraudulent billing scheme” alleging that the surgery centers induced physicians to refer patients for surgery centers (ostensibly out-of-network centers) with promises that they would not have any financial responsibility for their coinsurance and deductibles.

Aetna claims that the charges that were thereafter submitted were artificially inflated driving up the cost of health insurance coverage.

(Presumably the allegation of inflated billing was supposed to strike a cord of public outrage which may be tempered by a Feb. 1, 2012 report in the Wall Street Journal that Aetna’s earnings rose 73% as the health insurer continued to benefit from light medical costs amid a sluggish pace of patient visits to hospitals and doctors.)

Aetna alleges that providers are liable for engaging in a fraudulent and illegal kickback scheme when they waive the patient’s coinsurance and deductibles, even if the provider bills the patient but ultimately doesn’t collect.

While I have not had the opportunity to read the California complaint, the information relayed regarding the case has been distilled from various published sources, and it is clear that the defendants have a very different view.

Defendant’s attorney, DaronTooch, a partner Hooper Lundy & Bookman, (defendant’s law firm) says that “this is a calculated move by Aetna to steer patients to contracted facilities.” He says that “the complaint is full of misstatements of fact and law.”

It appears that Aetna and other health insurers do not have standardized fees paid to network providers. Every contract is separately negotiated and apparently the major driving force in negotiating the contracts is the relative strength of the negotiating parties .

For example, if one medical organization controls the majority (or all) of the hospitals in a certain locale, and the health insurer wants to gain a foothold in that market, they do not have a strong negotiating position with the hospitals. The same obviously holds true with any independent physicians Association (IPA) that has a strong negotiating position based on its membership roll, and the specialization and geographic reach of its constituency.

To the extent this is true, the prices for which medical care is contracted are not grounded in allowing medical providers to earn a fair profit, but essentially turn into an unprincipled money grab. Doctors feel that in many (if not the vast majority of) cases they are left holding the short end of the stick. It is easy to understand why. The medical insurers are the Goliath and the doctors are generally the David, except in this case David does not necessarily conquer Goliath.

From the insurer’s perspective, out-of-network surgery centers charging many times more than the amount of the contracted rates that in network centers are allowed to charge gives the insurer’s pause.

The questions:

  1. Are high out-of-network charges a natural consequence of taking unfair advantage of medical providers when insurers have the clout, and therefore when they lose that clout there is a certain understandable payback.
  2. Are the insurers at least in part responsible for the out-of-network fees, to the extent that their reimbursement relates to the customary charges in a geographic locale.
  3. Is it improper for medical providers to waive co-pays and deductibles, and even if it is improper, should that render the medical provider liable to disgorge the profits earned on the medical procedures for which they waived the co-pays or deductibles.
  4. How far must a medical provider go in trying to collect the co-pays or deductibles before it is considered a waiver. Is one invoice enough, two invoices, collection agency intervention, or must the patient be sued and must a judgment be obtained.

There is a somewhat similar New York case that is currently pending, as well as a lawsuit against certain pharmaceutical companies for providing coupons toward the co-pays on branded drugs. However, the details of those cases are best left for another day.

In summary, what do you think?

Is the 2012 presidential election irrelevant

If one takes a moment and looks beyond the reasons every party seems to be promoting – why a vote for the other candidate/party is not good for America, and takes a cursory look at the challenges ahead of us, one might easily conclude that there may not be a very big difference who is elected to office.

Obviously, Obama and Romney have a very different world view, agenda, and plan (even if the plan neither been articulated nor shared with the American public in any significant detail).

The harsh reality is that we have a $16 trillion debt, and unprecedented deficit, looming social security issues, looming Medicare issues, higher defense spending then the second third and fourth place countries combined, high unemployment, a corporate tax rate that creates an incentive for companies to take their business elsewhere, and a global economy in which our foreign counterparts are more efficient in many areas.

With all of these looming challenges in the backdrop, we are assaulted with questions of whether Mr. Romney should disclose his tax returns (although not required to do so by law) or how egregious the (hopefully) accidentally released commercial regarding Romney as the cause of a woman’s death.

Medicare has become a big issue, because each party is trying to get the senior vote. However, the disagreement should be able to be resolved by an independent audit, accounting firm, or any other disinterested party that actually had the time and inclination to ascertain which plan would ultimately adversely affect Medicare.

Similarly, the Latino vote is being courted with some hollow immigration concessions which at best puts a bad aid on the real issue.

Obviously, immigration, entitlements, education, and foreign policy are also very important.

My question is if any of the candidates in their four-year term (in the case of Obama) or eight-year term (potentially in the case of Romney) can really address these issues in a meaningful way. . Let’s not forget that the president is not the “all-powerful” or ” omnipotent” person that people often assume.

We fortunately have checks and balances in this country and ultimately the president is subject to Congress and the Supreme Court.

Can any president really effect change considering the challenges we face.

Even if one party won both the presidential election and control of Congress would they be really able effect change.

Can change only occur if Americans as a whole recognize that there are some very tough (and painful) choices to be made, and the sacrifices can not be solely made by the other fellow or the other party.

Can real change be effected without consensus between the parties.

Has either candidate shown that they can reach across the divide and reach a consensus. Has this multi billion dollar “race to the bottom” campaign so muddied the waters that it is improbable that whoever wins will be able to effect meaningful change.

If ‘pro’ is the opposite of ‘con’ what is the opposite of ‘progress’? – Paul Harvey

As we enter the last stretch in the 2012 presidential campaign, both the Republicans and the Democrats have decided to spend incredible sums for their respective campaigns, or better yet, to hammer their opponents into the ground.

I think one of the reasons that we are exposed to a daily barrage criticizing the opponent, is because neither of the candidates are able to really articulate how they are going to right the course. However, that may be a discussion for another day, as I would like to devote this post to the issue of outsourcing.

The Democrats have made a lot of hay out of the allegation that Mitt Romney was responsible for outsourcing during his tenure at Bain & Co. I am not certain that the outsourcing occurred during his tenure, or in fact that he was responsible for it. However, even if that were the case, I fail to understand the problem that outsourcing raises with respect to a candidates ability to faithfully serve as president of the United States.

From my perspective, there is a predicate question. Is outsourcing the evil that the Democrats claim. The secondary questions are (1) and even if outsourcing is evil, and even if Mitt Romney was responsible for outsourcing, does that in any way affect or limit his ability to lead this nation, and (2) is this really one of the core issues in this election, (3) is the negative campaign (on both sides of the divide) driven by an inability to set forth in concrete terms how a particular candidate or party will effect short term refief as well as lonf term answers to the obvious questions. I will deal with the first question in this post and leave the other questions for my followers to ponder.

When I was in law school we had a professor who expected everyone in the class to be prepared for class so that they could participate in the many questions posed by the professor and participate in the open dialogue. He took great exception to those students were not properly prepared, and as he explained it, this class was like in open ground bag lunch. To the extent you attend the lunch and expect to eat (derive the benefits) you have to contribute.

We live in a global economy. We are very happy when Boeing, IBM, eBay, Amazon, Microsoft, Dell, and numerous other companies generate significant revenue and profits through foreign sales. All of these companies outsource manufacturing and /or service operations. It makes sense – we live in a global economy. While we used to comparison shop in the neighborhood, and as our reach grew we shopped throughout the city, state and country, we now are able to comparison shop anywhere on the planet. To remain relevant and to maximize profits, companies must avail themselves of the best the world has to offer – and similarly they have to offer the best value proposition to their clientele. Is it reasonable to think that American businesses will flourish if they operate with one hand tied behind their back. In addition, is it reasonable to expect our global trading counterparts to embrace our products and services if we reject theirs.

The Ugly Side of “face value” – How much of “our face” do we unwittingly reveal on the Internet

Both the regulatory environment in which we live, as well as, the insistence of consumers we live in an environment in which we fully expect – for the most part – to be provided with the cost of an item or service before we make a purchase.

However, price disclosure in and of itself does not necessarily mean that the consumer is being treated fairly. One of my pet peeves has always been the fact that an economy customer on a United States domestic flight can be paying either one 10th, or 10 times as much as the person sitting next to them for the same ticket, with the same privileges, and the same cost to the airline. Of course, this seeming inequity is justified by the amount of time the reservation or confirmation is made before flight is taken, the airlines need to either (a) give last-minute seats at discount because they have to generate revenue, albeit at a discount, for last-minute seats, or (b) charge exorbitantly high prices for last-minute reservations because they have kept these seats out of sale inventory at cheaper prices to accommodate the needs of people who make the last-minute reservations, and accordingly are entitled to a premium. In either case, the general feeling is that the airlines have been able to ascertain just how desperate the passenger is, and charge them accordingly.

Imagine walking into a clothing store and when asking how much an article of clothing cost you were told that “that depends on how badly you need it” which is the general feeling I have about airline charges. Fortunately, this is not the case in the retail establishment — or is it.

I recently read an article which referenced a 2006 study by Kathryn Graddy that deals with the Fulton Fish market in New York, and found that Asian buyers were given better pricing because they rejected higher prices and were perceived to have the capacity to boycott dealers that they felt ripped them off.

While that related to brick-and-mortar retail sales, apparently there are a number of companies that offer price customization software, and the article in the Economist, listed [24]7 and RealRelevance with a strong suggestion of the following.

Apparently, many retail websites are able to use technology to customize their pricing, or in other words develop close and profiles of individual shoppers relatively easily. The article goes on to say that retail websites can incorporate software to detect shoppers who can afford to pay more, or who are in a hurry to buy (kind of reminds me of the airlines) and thereby offer them pricier options or in fact charge more for the same product.

Those “cookies” that we often read about but most of us do not understand, are able to allow data aggregators to zero in on demographic data including where we live (and thereby take a stab at our income/discretionary dollars) and/or analyze how long we look at a particular product before going to the price (illustrating that we have either made up her mind or are in a rush) or the extent of our comparison shopping.

While I do not fully understand how this works, or the totality of its implications, one thing is clear – to the extent this is happening, our privacy is being invaded in a truly detrimental way, despite the fact that our personal identities may not be revealed.

The argument that full body scans at the airport are not really an invasion of privacy because the inspector viewing the scan has no idea who the person is, can only take you so far. When the product you are being offered, or the price that you pay is determined by a “deep dive” into your spending habits/web browsing patterns/income/place of residence, anonymity does not answer the problem.

Apparently, we show much more of our face then we realize, often to our detriment.


Certitude is not the test of certainty. We have been cocksure of many things that were not so. Holmes

I was recently in India and left the television in my hotel room on through the night. There were successive commercials from Nivea promoting a cream that one makes one’s skin lighter. Apparently, the Indians are very sensitive to the fact that they have a dark complexion and they are trying to use various methods to address this issue. Oftentimes, one can observe people who cover themselves (despite the sweltering heat) to block the sun’s rays. (This is aside from those who cover themselves for religious reasons – the litmus test is how they dress when indoors or after dark)

As an American, I am used to the well-established tanning salon industry that is owes it success to the notion that fair skinned Americans seek a darker (tanned) complexion. For those Americans who are concerned about potentially harmful UV rays, spray on tans are a viable alternative.

The obvious question I had – who is right, is anyone right, what is real beauty etc. etc.

This cultural difference seems to underscore the idea that so many things in life are not absolute – despite the authoritative tone taken by many when stating issues of preference, opinion or taste.

The issues that are often hotly contested are social, financial, political or in the case of an attorney – legal.

As an attorney I often face adversaries in the litigation arena, and recognize that it is important to try to see and understand that there is another side to the story, that while I must zealously represent the interests of my client(s) and do whatever I can within ethical boundaries to win the case, many times there is another side to the story. In fact, failure to recognize the other side’s position precludes a litigator from properly preparing their own case and succeeding in litigation, arbitration or negotiating the best settlement. If an attorney’s attitude is that they can’t lose a case, they often find out that they not only can but do. On the other hand if an attorney tries to understand the other side, they are usually better prepared and that preparation usually yields positive results.

The moral of the story is that there are few absolutes.

What do you think.