Monthly Archives: December 2014

THREE NEW REASONS TO BE CONCERNED ABOUT A HIPAA BREACH

A number of recent events, taken together, should give pause to any individual or company that is subject to an “associate agreement” and to any “covered entity” possessing PHI (as well as their respective attorneys).

1. Anchorage Community Mental Health Services (ACMHS) notified OCR regarding the breach of unsecured PHI relating to malware that compromised the security of its IT systems. The breach affected 2,743 individuals. Apparently, there was a finding that ACMHS had adopted security rules, policies and procedures in 2005, but based on its Resolution Agreement with the government, it was found that ACMHS failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities as to the confidentiality, integrity and availability of its E-PHI. Aside from the various undertakings in the Resolution Agreement, ACMHS is subject to a $150K fine.

2. Sony Pictures Entertainment (SPE), the victim of a cyber-attack, has realized that based on the more than 200 GB of data that has already been released by the hackers, there have been more than 30,000 HR records compromised. Accordingly, Sony has released a notification letter that is extremely broad. The following language was included: “Although [SPE] is in the process of investigating the scope of the cyber-attack, SPE believes that the following types of personal identifiable information that you provided to SPE may have been obtained by unauthorized individuals: (i) name, (ii) address, (iii) Social Security number, driver’s license number, passport number and/or other government identifier, (iv) bank account information, (v) credit card information for corporate travel and expense, (vi) username and passwords, (vii) compensation and (viii) other employment related information. In addition, unauthorized individuals may have obtained (ix) HIPAA protected health information, such as name, Social Security number, claims, appeals information you submitted to SPE (including diagnosis and disability code), date of birth, home address, and member ID number to the extent that you and/or your dependents participated in SPE health plans, and (x) health/medical information that you provided to us outside of SPE health plans.”

HIPAA-HITECH breaches have now moved from allowing employees to improperly access and disseminate PHI, or the loss or theft of a laptop left in a car, to the vulnerabilities that “rich targets” for hackers such as major corporations present. I think it is fair to assume that the hackers’ primary target was not health records.

3. To further compound the problem, on November 11, 2013, the Connecticut Supreme Court ruled in Byrne v. Avery Center for Obstetrics and Gynecology, P.C. that HIPAA does not necessarily preclude a private action (brought by the victim or victims) for negligence on the part of the covered entity, and that the HIPAA regulations may (at least theoretically) be used in determining the applicable standard of care. Simply stated, a class action for a single violation of HIPAA, e.g. the loss or theft of a hard drive or thumb drive, or a suit over the mass dissemination of one person’s personal information over the internet after that person’s PHI was the subject of a single breach of HIPAA, could subject the health provider or their associates to damages that are well beyond anything ever contemplated by HIPAA. In the case of the former, a class action by many thousands of individuals is a real possibility. In the latter case, imagine if the medical records of a single high-profile person, e.g. a famous executive or actor/actress, were obtained in violation of HIPAA and then disseminated on the internet. In either case, the legal fees and damages (as well as the settlement value) could be staggering.

What these three seemingly unassociated issues seem to point towards is that taken together, covered entities and their associates may become responsible for failure to adequately protect their PHI in the event that malware enters their system, or their systems are hacked, at a time when even major corporations that have and use significant resources to protect their data, can be hacked. In addition, the release of HR data which could easily implicate HIPAA could render these entities not only prime targets for hackers, but major marks for class-action or high value negligence lawsuits.

It seems clear to me that the level of vulnerability, responsibility and accountability has recently risen to a higher degree of significance.

While playing on the same board – America is playing checkers and Iran is playing chess

As the story goes, a person once observed an exchange between his friend and an acquaintance. The friend offered to buy the Brooklyn Bridge from the acquaintance for $40 million.

The acquaintance readily agreed to the sale, at which point the friend asked if he could pay by check. The acquaintance very quickly agreed. The friend asked for a pen so that he could make out a check. Once again this request was very quickly agreed to. The pen was handed over, the check was made out and handed over, at which point both the acquaintance and the friend shook hands, congratulated each other on the sale of the Brooklyn Bridge and went their separate ways.

Bewildered, the observer approached his friend and asked what had just happened. Essentially, he pointed out, the friend did not have the money to pay, and the acquaintance did not own the bridge. Therefore, what was the purpose of the exchange?

The friend looked at him, totally astonished, and started waving the pen. “Don’t you understand what happened here?” he asked. “It was all about the pen. I got his pen!”

We have heard for many months that there are ongoing negotiations between numerous countries (the United States and its cohorts) and Iran regarding the specter of a nuclear Iran. Using a carrot-and-stick approach, discussions took place with respect to relaxing sanctions, and the world’s unwillingness to allow Iran to achieve nuclear capability, while clearly stating that all options are on the table in the event that Iran does not cooperate. The dialogue degenerated over time to an acceptance that Iran would achieve nuclear capability. With a mysterious disappearance of all options being open, the issue was somehow shifted from the inability to achieve nuclear capability, to issues of Iran’s ability to produce military-grade uranium. Over time, the talks further shifted from absolute inability to produce military-grade uranium to a question of how many centrifuges they would be allowed to operate. What many people did not understand was that the number of centrifuges was really a question of how much time it would take Iran to develop sufficient military-grade uranium if they decided to break whatever deal was agreed to.

The first problem is that the “center of gravity” of the negotiations has been constantly shifting in favor of Iran. The second problem is that even if an agreement was made with respect to the number of centrifuges, essentially we would be lifting economic sanctions. Iran would then have the ability to rebuild its economy, and thereafter would be free to do whatever it wants with respect to developing military-grade uranium. Let’s not forget that it is not a question of “if” they have nuclear capability, but how much notice the rest of the world might get.

However, even with these significantly diminished expectations on the part of the United States and its negotiators, an agreement cannot be reached. Once again, another postponement was suggested and will probably be instituted.

I am reminded of the story of the Brooklyn Bridge sale. It seems that Iran is just fighting for time. Time is the “pen.” The world thinks that the issue is sanctions and/or centrifuges, but it is all about borrowing more time. Viewed through that lens, it is clear that Iran has continuously and substantially outmaneuvered the United States and its cohorts in this negotiation.

When will they wake up? When will they realize that there are people and regimes that just cannot be trusted?

The opinions expressed on this page are those of the individual authors and do not necessarily reflect the opinions of Hamodia.

CALIFORNIA CASE – Aetna Life Insurance Company vs. Bay Area Surgical Management – 1-12-CV-217943, Superior Court of California, County of Santa Clara

OVERVIEW:

The world has not changed. Medical insurers try to maintain healthy profits by, in part, keeping reimbursements to medical providers as low as possible. On the other hand, medical providers try to get a fair shake based on their education, specialization, financial risk and hard work. Part of the insurers’ strategy is to negotiate rates with medical providers at levels that the providers often say are patently unfair, and therefore when the medical providers are not bound by the network contracts, they rightfully seek much higher reimbursement. Obviously the insurers bristle at the higher fees charged for out-of-network medical care.

This “tug-of-war” has resulted in a number of lawsuits throughout the United States that underscore the yin and yang, and raise questions about the propriety of waiving co-pays and deductibles, as well as the propriety of using patients as leverage against the insurers.

THE NITTY GRITTY

Recently, Aetna sued several California surgery centers for an alleged “fraudulent billing scheme,” alleging that the surgery centers induced physicians to refer patients to surgery centers (ostensibly out-of-network centers) with promises that they would not have any financial responsibility for their coinsurance and deductibles.

Aetna claims that the charges that were thereafter submitted were artificially inflated, driving up the cost of health insurance coverage.

(Presumably the allegation of inflated billing was supposed to strike a chord of public outrage, which may be tempered by a Feb. 1, 2012 report in the Wall Street Journal that Aetna’s earnings rose 73% as the health insurer continued to benefit from light medical costs amid a sluggish pace of patient visits to hospitals and doctors.)

Aetna alleges that providers are liable for engaging in a fraudulent and illegal kickback scheme when they waive the patient’s coinsurance and deductibles, even if the provider bills the patient but ultimately doesn’t collect.

While I have not had the opportunity to read the California complaint, the information relayed regarding the case has been distilled from various published sources, and it is clear that the defendants have a very different view.

Defendant’s attorney, Daron Tooch, a partner at Hooper Lundy & Bookman (defendant’s law firm), says that “this is a calculated move by Aetna to steer patients to contracted facilities.” He says that “the complaint is full of misstatements of fact and law.”

It appears that Aetna and other health insurers do not have standardized fees paid to network providers. Every contract is separately negotiated and apparently the major driving force in negotiating the contracts is the relative strength of the negotiating parties.

For example, if one medical organization controls the majority (or all) of the hospitals in a certain locale, and the health insurer wants to gain a foothold in that market, the insurer does not have a strong negotiating position with the hospitals. The same obviously holds true with any independent physicians association (IPA) that has a strong negotiating position based on its membership roll, and the specialization and geographic reach of its constituency.

To the extent this is true, the prices for which medical care is contracted are not grounded in allowing medical providers to earn a fair profit, but essentially turn into an unprincipled money grab. Doctors feel that in many (if not the vast majority of) cases they are left holding the short end of the stick. It is easy to understand why. The medical insurers are the Goliath and the doctors are generally the David, except in this case David does not necessarily conquer Goliath.

From the insurers’ perspective, out-of-network surgery centers charging many times more than the contracted rates that in-network centers are allowed to charge gives the insurers pause.

The questions:

  1. Are high out-of-network charges a natural consequence of taking unfair advantage of medical providers when insurers have the clout, and therefore when they lose that clout there is a certain understandable payback?
  2. Are the insurers at least in part responsible for the out-of-network fees, to the extent that their reimbursement relates to the customary charges in a geographic locale?
  3. Is it improper for medical providers to waive co-pays and deductibles, and even if it is improper, should that render the medical provider liable to disgorge the profits earned on the medical procedures for which they waived the co-pays or deductibles?
  4. How far must a medical provider go in trying to collect the co-pays or deductibles before it is considered a waiver? Is one invoice enough, two invoices, collection agency intervention, or must the patient be sued and must a judgment be obtained?

There is a somewhat similar New York case that is currently pending, as well as a lawsuit against certain pharmaceutical companies for providing coupons toward the co-pays on branded drugs. However, the details of those cases are best left for another day.

In summary, what do you think?