Complete Seminar List

Emerging Risks for Healthcare
P&C Brokers
April 3, 2014
1
Agenda
• 9:00
Introduction
Lindy Hardman, Beazley Broker Relations – Western Region
• 9:00
Healthcare Regulatory Requirements
Carolyn Conners and Kelly Webster, Beazley Underwriters HML
• 9:30
Healthcare Claims Trends
Kati Bynon, Beazley Healthcare Claims
• 10:00
Break
• 10:10
Stages of Risk During a Data Breach
Alex Ricardo, CIPP\US, Beazley Breach Response Services
• 10:30
HITECH: The Final Rule
Lynn Sessions, Partner at Baker Hostetler
• 11:00
Q&A
2
Healthcare Regulatory Liability
Carolyn Conners and Kelly Webster
Beazley Healthcare Management Liability
3
Healthcare Regulatory Environment
• Healthcare fraud is estimated between $60B to $200B each year
• In 2009 the Attorney General and Secretary of Health and Human Services (HHS)
created the Health Care Fraud Prevention and Enforcement Action Team (HEAT)
• Federal and state governments outsourcing oversight responsibilities
• The Government’s ROI - for every dollar spent fighting fraud and abuse $8 is
recovered.
• ICD-10 will replace ICD-9 – Oct. 1, 2014 (Oct. 1, 2015)
4
Recoveries
• In fiscal year 2013, the DOJ obtained $3.8B from fraud. Of this amount $2.6B were
health care fraud recoveries.
• Since January 2009 total recoveries under the False Claims Act were over $17B, of this
$12.1B were in Federal health care dollars.
• In the fiscal year 2012, RAC collected $2.4B in overpayments.
• In 2012 whistleblowers earned more than $439M in share awards.
• Fiscal year 2013 there were 3,214 exclusions of individuals and entities.
• For FY 2013 there were 472 civil actions of individuals and entities.
5
Who’s Watching?
• Department of Justice (DOJ)
• Office of Inspector General (OIG)
• Department of Health & Human Services (HHS)
• Centers for Medicare & Medicaid Services (CMS)
• Medicare and Medicaid Contractors
o Zone Program Integrity Contractors (ZPICs)
o Medicare Administrative Contractors (MACs)
o Medicaid Integrity Contractors (MICs)
o Recovery Audit Contractors (RACs)
• Whistleblowers
• Federal, state and municipal governments
• Commercial Payors
• Competition
• Press
6
Fraud and Abuse Laws
• False Claims Act –
o Prohibits individuals and businesses from submitting false or fraudulent claims for
payment to the government (applies to all government programs)
o 1863, 1943, 1986
o Qui Tam “Whistleblowing” provision
• Anti-Kickback Statute
o Illegal kickbacks for referring patients
• Stark Law
o Physician Self-Referral Act – the act of referring a patient for services to a facility
in which the physician has a financial interest
• Exclusion Statute
o Physicians who have been excluded from Medicare can not directly or indirectly
bill the government for services
• Civil Monetary Penalties Law
o The Social Security Act authorizes HHS to seek civil monetary penalties and
exclusion for certain behaviors
7
Annual FCA Recoveries by Industry
*Gibson Dunn 2013 Year End False Claims Act Update
8
False Claims Act New Matters
*Gibson Dunn 2013 Year End False Claims Act Update
9
Fines & Penalties
• HIPAA
o Civil and criminal penalties of $50K per violation with an annual maximum of
$1.5M.
• EMTALA
o Hospital or Physician fines of up to $50K per violation
• False Claims Act.
o $5,500 - $11,000 for each item or service improperly claimed, and an
assessment of up to three times the amount improperly claimed.
• Anti-Kickback.
o Criminal fines up to $25K and 5 years in prison for each violation. Civil fines up
to $50K per violation and up to 3 times the amount of the kickback.
• Stark.
o Civil fines and penalties of up to $15K for each service as well as up to 3 times
the amount claimed.
10
Government’s Targeted Healthcare Industries
• Pharmaceuticals
• Medical device / Durable medical equipment
• Hospitals
• Nursing homes / Assisted living / Long term care
• Residential treatment facilities
• Mental health organizations
• Hospices
• Home health agencies
• Nursing facilities
11
Examples of violations
• Billing for services not rendered
• Medically unnecessary
• Unbundling
• Bundling
• Double billing
• Up-coding
• Billing for brand
• Kickbacks
• Improper referral arrangements
12
Emerging Trends
• Meaningful use audits
• Executive compensation
• Readmission penalties
• Whistleblowers
• Reverse False Claims
• Self Disclosure Protocol
• Commercial payor audits
13
Risk Transfer Solutions
Directors & Officers
•
Sublimit of up to $1,000,000
•
Coinsurance as high as 50%
•
Retentions averaging $1,000,000
•
Damages rarely cover fines and penalties
•
Typically defense only
•
Claim triggers vary
Standalone Regulatory Liability
•
Up to$10,000,000 capacity available on primary
•
Ability to structure towers of capacity
•
Fines and penalties covered
•
Lower coinsurance
•
Very early claim trigger
14
Expenses Resulting from Regulatory Actions
• Legal fees
• Shadow auditors / billing consultants / Forensic auditors
• Medical experts
• Public Relations
• Civil and criminal fines and penalties
• Data management consulting
• Cost of Implementing a Corporate Integrity Agreement
• Cost of implementing Compliance Program / Employees / Training
• Disgorgement of profits / restitution
15
Best Practices for Health Care Providers
• Compliance officer
• Compliance plan
• Board needs a system for candid reporting
• Active compliance help‐line (and follow up)
• Effective compliance training program
• Robust audit function (Internal and external)
• Written policies, procedures, standards of conduct
• Thorough exclusion screening process
• Favorable benchmarking against similar area providers
• Credentialed coders
16
Underwriting
• The nature of the organization
• Officer position structure
• Audited financials
• Payor Mix
• Compliance program review
• Billing practices
• Prior claims – outcome
• Audits conducted by government contractors and the outcome (appeal success rate)
• Application (including required attachments)
• Conference call or face to face meeting for larger insured’s
17
Claim Examples
Organization
Damages
Allegations
Florida-based sleep diagnostic company
$15.3M settlement.
False claims misrepresenting technician credentials
Urgent Care Chain
$10M settlement.
Unnecessary allergy, virus and respiratory testing upcoding
Florida health system
$26M settlement.
Miscoding outpatient service claims as more expensive
inpatient services. – whistleblower – State & Federal
FCA
Largest healthcare system in Utah
$25.5M settlement.
Violated FCA by engaging improper financial
relationship with referring physicians
South Carolina hospital
$39M verdict.
Improper patient referrals
Rhode Island Health System
$2.6M in disgorgement and
$2.7M in damages
Doctors billed Medicare and Medicaid for unnecessary
overnight hospital stays
Medical Center in Iowa
406K settlement
The OIG alleged that they employed an individual that
it knew or should have known was excluded
Texas dialysis provider
$7.3M settlement.
Billing for phantom services in violation of FCA by
charging for more of a drug than actually administered.
Whistleblower received $1.3M
Medical Center in KY
Ongoing investigation
Alleged that the medical center completed 28% more
heart stents than any other hospital in the area
18
Regulatory Resources
19
Specialty title
slide grey
Healthcare
Claims
Trends
Kati Bynon
Healthcare Claims Manager
April 3, 2014
Overview: What is everyone feeling?
What Are You Feeling
пѓ�
пѓ�
пѓ�
пѓ�
пѓ�
пѓ�
Some types of cases getting a little harder to resolve?
Cases lifespans are increasing?
Increased anxiety?
Verdicts getting bigger?
Settlement values creeping up?
Legal expenses increasing?
What We’re Seeing
� It’s NOT your imagination
пѓ� Claims environment is changing
пѓ� Certain classes of claims are becoming more difficult to settle for
reasonable amounts
� It’s not all Claims!
Claims Environment – Claims vs. Actuaries
Claims
We are currently managing approximately 3,000 open claims across our Hospital, Long Term Care and
Miscellaneous Medical portfolios. Risks range from primary duty to defend accounts with low retentions,
to accounts with very large underlying amounts.
пѓ� Claims are viewed on a Year of Account basis.
пѓ� Good at providing current on the ground observations and perceived trends.
пѓ� Weak at providing historical context.
пѓ� Perceptions can be subjective.
Actuarial
The Beazley Healthrate database is populated with 617,000 Professional Liability claims from hospitals
submissions, from 1991 to 2013, and represents 39% of the nation’s hospital beds.
пѓ� Actuarial trends are retrieved from losses by closed date.
пѓ� Good at providing historical perspective on loss development.
пѓ� Rearward looking.
пѓ� Less useful at picking up emerging trends.
In California our database is
representative of 44% of the beds
Claims Perspective
� Volume: Overall volumes are steady, but the number of “large” claims is increasing
пѓ� Size: The big claims are getting bigger. Plaintiffs are trying to make $10m the new
$5m. Our highest paid claims have all been made in the last 12 months
� Venue: “Bad” states seem to be getting worse, but the “good” states are getting
tougher as well
� Plaintiffs’ Bar: Top tier plaintiffs’ firms are getting more aggressive and demanding
more. More often than not, severe cases are requiring multiple mediations
пѓ� Anxiety: Certain insureds seem to be more anxious and likely to overpay
Actuarial Perspective and Severity Claim Trends – Overall vs Tort Reform
California Claims Severity
Average incurred cost per closed claim
California Claims Severity
Average incurred cost per closed claim limited to $2m and unlimited
$400,000
$350,000
$300,000
$250,000
$200,000
$150,000
$100,000
$50,000
$0
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
Closing Year
Limited to $2m
Unlimited
The trend in California is even more steep when we look at claims severity unlimited. We should note how the
gap between limited severity and unlimited is widening, as a sign of a larger number of large claims being paid in
the last few years.
7
California Claims Severity
Proportion of claims closed above $2m
California Claims Severity
Average indemnity
California Claims Severity
Average defense costs
Getting Walloped for a $20,000,000 Verdict: The Good Old Days.
пѓ� CT: Birth injury trial in CT resulting in a $58m verdict. (May 2011. State Record)
пѓ� PA: Birth injury case tried in Philadelphia resulting in a $78m verdict. (July 2012)
пѓ� MI: Birth injury trial in Oakland County, MI, resulting in a $144m verdict. (October
2011. State Record)
пѓ� FL: Severe neurologic injury to an adult male follow bariatric surgery resulting in a
$178m verdict. (January 2012)
пѓ� CA: Alleged sexual assault of a 30 year old patient resulting in a $65m verdict.
(November 2011)
пѓ� CA: Birth injury claim resulting in a $74.5m verdict. (April 2012)
пѓ� FL: Long Term Care case in Tampa resulting in a $900m verdict. (February 2012)
пѓ� AL: $140m in AL for a Wrongful Death Claim. (December 2012)
пѓ� NY: Birth injury claim resulting in a $130m in Nassau County, NY.(April 2013)
Not Just the Usual Suspects
пѓ� CO: Alleged paralysis to a 36 year old man resulting in a $15m verdict. (April
2012. State Record)
пѓ� WY: Alleged paralysis to an adult male secondary to an alleged failure to
diagnose a neck fracture resulting in a $9m verdict. (November 2011. State
Record)
пѓ� ME: Alleged wrongful death of a 44 year old man resulting in a $6.7m
verdict. (June 2011. State Record)
пѓ� VA: Alleged failure to timely diagnose impending myocardial infarction to a
37 year old resulting to diminished life expectancy. $25m verdict. (February
2013. State Record)
And the Settlements Follow Along…
 IL: Power Rogers & Smith case in Cook County, IL, involving quadriplegia to a
47 year old following a trucking accident resulting in a $25m settlement
 NY: $17.9m settlement for allegations of failure to timely treat infection
resulting in quadruple amputation
 GA: $7.5m settlement for alleged overdose of potassium in pediatric patient
resulting in brain damage
 AL: $12m settlement for alleged neurological injury in pediatric patient
 IL: $20m settlement for allegations of failing to respond to cardiac arrest
post-surgery in three year old resulting in brain damage
 FL: $11.5m settlement for allegations of failure to timely deliver infant
plaintiff causing brain damage
Recent California Verdicts and Settlements of Note
� Sacramento County (2013)– $27m verdict for alleged elder abuse involving the death of
an elderly patient.
пѓ� San Francisco County (2013) - $38.6m verdict for alleged tetraplegia as a result of the
failure to diagnose and treat an evolving ischemic stroke in a 19 year old.
� Santa Clara County (2012) – $22m verdict for medical malpractice action involving
quadriplegia following medical procedure
� St. Louis Obispo County(2012)– $74m verdict for alleged birth injury failure to
diagnose vascular injury resulting in amputation of 14 year old leg.
пѓ� Sacramento County (2013) - $9m settlement in a birth injury case
пѓ� Los Angeles County (2013) $7.5m settlement involving alleged brain damage in infant
born after mother’s ruptured uterus deprived infant of oxygen during delivery.
пѓ� Anonymous County (2013) - $10m settlement in a birth injury case
Common Factors: 1%’ers
�Recognized/Successful Plaintiff’s Counsel
пѓ�Poor Liability Pictures
пѓ�Potential for Significant Damages
пѓ�Inflammatory Facts
�Generally Venued in “Bad” States
пѓ�Increased Expectations
Drivers/Consequences
� Top plaintiffs’ firms are demanding a premium.
� Second tier plaintiffs’ firms want to emulate the top firms.
пѓ� Bad cases are becoming more difficult to settle for the usual amounts.
пѓ� Cases that would have been settled in the past are being tried, resulting in
more large verdicts.
пѓ� Increased anxiety among providers and potential for panic-based decisions.
пѓ� Increased tension between insureds and insurers.
Where do you draw the line?
Case Example 1 (What not to do)
Facts:
пѓ� Alleged anesthesia error during non-invasive procedure on infant patient causing significant
neurological injures
� Well known plaintiff’s counsel
пѓ� Difficult venue with multiple excess verdicts
пѓ� Minimal expert support
Issues:
пѓ� Plaintiffs were unwilling to negotiate until a week before trial when they demanded $50m
пѓ� Hospital quickly responded with offer after offer, even when they were not being matched
in reductions of demand
Strategy:
пѓ� The strategy was to throw money at the case in the hopes of shutting it down at all costs
Outcome: Within 5 working days, the case was resolved for excess of $25m
Case Example 2 (What to do)
Facts:
пѓ� Alleged failure to diagnose and timely treat a developing infection in a then 23 year
old woman following delivery of a healthy infant resulting in the amputation of both
legs (above the knees) and arms (above the elbow).
Issues:
� Significant publicity surrounding plaintiff’s condition
� Top tier plaintiff’s firm (Initial Demand of $90m)
пѓ� Indefensible from liability standpoint
пѓ� Significant future care costs
Strategy:
пѓ� Dig in, engage in multiple mediations
пѓ� United front between Insured/Excess Insurer
пѓ� Leverage causation arguments
Outcome: Case resolved before trial for $8.5m
Holding the Line
пѓ�On the big cases, it is not business as usual
пѓ�Prepare for trial, not settlement
�“Just say no”
пѓ�Try the right cases
пѓ�Partnership between insured, broker and insurer
пѓ�Let someone else be the easy target
Thank you
Kati Bynon
t: 646-943-5917
a: 1270 Avenue Of The Americas, 12th Floor, New York, NY 10020
e: [email protected]
Stages of Risk During a Data Breach
The “new” HIPAA
Alex Ricardo, CIPP/US
Breach Response Services
Lynn Sessions, Esq.
Baker Hostetler
What we are NOT doing today
Providing Legal Advice
o Informational Purposes Only
o You should consult with Privacy Counsel for any decisions surrounding your
Incident Response Plan or Data Breach Response Methodology
41
Agenda
• Healthcare Breaches and Fines
• A Brief Review of Data Breaches and Breach Response
• How NOT to Respond to a Data Breach – a Case Study
• Regulatory Landscape – “The new HIPAA”
42
Healthcare Breaches &
Fines
Healthcare Breaches – “in the news”
• June 2013 – Bon Secours – 5,000 patients due to breach of electronic records
• June 2013 – University of Florida Pediatric Clinic – 5,682 patients and parents due to
insider leaking information to criminals
• February 2013 – Sonoma Valley Hospital – 1,350 patients due to internet exposure of
unsecured section of website. (sometimes called “Google Search”-breaches)
• January , 2013 – Lucile Packard Children’s Hospital – 57,000 patients – stolen laptop
from physician’s car
• January 2013 – New York Hospital – 9,887 patients due to Hurricane Sandy and
structural damage to facility and unauthorized individuals on premise
44
Healthcare Breach Litigation & Fines – “in the news”
• January, 2013 –
FTC Settles with CBR Systems (Blood Bank) for Failure to Protect Data – 20
year consent decree
• January, 2013 –
Goldthwait Associates, Pathology Group pay $140,000 to settle claims that
patients’ PHI was disposed of improperly
• January, 2013 –
• May, 2013 –
Hospice of North Idaho fined $50,000 by OCR for a 441 person breach
Idaho State University – $400,000 settlement involving 17,500 patients for violating
HIPAA Security Rule
• June, 2013
– Shasta Regional Medical Center fined $275,000 for CEO and CMO discussing with
media on medical services of a patient
• August, 2013 –
Woman awarded $1.44M against Walgreens due to pharmacist sharing
prescription history
45
Physicians’ and Clinic Breaches – “in the news”
• April, 2013 –
Documents containing personal information of patients left on Brooklyn sidewalk
after medical supply company closes down.
• April, 2013 –
Family Health Enterprise notifies patients after laptops stolen in office
• April, 2013 – Patient records found outside an evicted dental clinic in Detroit’
• March, 2013 –
Medical assistant stole patient information
• February, 2013 –
Lee Miller Rehab Associates, MD – stolen network server
• February, 2013 –
American Home Patient – Stolen laptop
• February, 2013 –
Subcontractor responsible for Wisconsin’s River Falls Medical Clinic breach of 2400
clients
• January, 2013 –
Patients’ personal information found in dumpster outside dentist’s office in
Aurora, Colorado
• January, 2013 –
ABQ Health Partners’ stolen laptop.
• November, 2012
– Surgical Associates of Utica – stolen network server
46
A Brief Review of Data
Breaches and Breach
Response
What is a Data Breach?
• Actual release or disclosure of information to an unauthorized individual/entity that
relates to a person and that:
o May cause the person inconvenience or harm (financial/reputational)
 Personally Identifiable Information (PII)
 Protected Healthcare Information (PHI)
o May cause your company inconvenience or harm (financial/reputational)
 Customer Data, Applicant Data
 Current/Former Employee Data, Applicant Data
 Corporate Information/Intellectual Property
48
Types of Data Security Breaches
• Improper Disposal of Data
o Paper
 Un-shredded Documents
 File cabinets without checking for contents
 Prescription Bottles
 X-Ray Images
o Electronic assets
 computers, smart phones, backup tapes, hard drives, servers, copiers, fax
machines, scanners, printers
• Phishing/Spear Phishing Attacks
• Network Intrusions/Hacks/Malware Viruses
• Lost/Missing/Stolen Electronic Assets
• Mishaps due to Broken Business Practices
• Rogue Employees
49
A Simplified View of a Data Breach Response Methodology
Discovery of an Event
Evaluation of
the Event
Managing the
Short-Term
Crisis
Handling the
Long-Term
Consequences
Class-Action
Lawsuits
Theft, loss, or Unauthorized
Disclosure of Personally
Identifiable Non-Public
Information or Third Party
Corporate Information that
is in the care, custody or
control of the Insured
Organization, or a third
party for whom the Insured
Organization is legally liable
Notification and
Credit Monitoring
Regulatory Fines,
Penalties, and
Consumer Redress
Forensic
Investigation and
Legal Review
Reputational
Damage
Public Relations
Income Loss
50
Why we should be careful with the word “Breach”
Perception is Half the Battle
o People use “breach” too frequently and you don’t want your customers or
regulators to think you are subject to numerous breaches
o “Breach” suggests something bad happened or is going to happen
o “Breach” has legal significance
 Train your Incident Response Team to not use “Breach” within internal
communications as you vet out or investigate the “Security Incident”
51
How NOT to Respond
to a Data Breach A case study
Don’t assume you know the facts.
• Entity Affected: Hospital
• Incident Details: Hospital did a “disaster drill”. Set up 20 laptops, one in each ER suite.
To replicate lost power, each laptop was to be set up with all 500,000 EHRs of the
hospital. During course of drill, 1 laptop went missing.
• Initial Response: Hospital called a press conference to acknowledge a loss of 500,000
EHRs. They held the press conference BEFORE the investigation.
• Investigation: Investigation identified time of loss via surveillance cameras in the ER. IT
reviewed network logs for downloading the 500,000 EHRs to each laptop and noticed 1
laptop did not receive the 500,000 EHRs. Investigation took 48 hours.
• Conclusion: It was forensically concluded that the missing laptop was stolen BEFORE the
download of 500,000 records occurred.
• Data Format: Electronic
• Information Compromised: PHI
• Breach Universe: ZERO – “Non-Event”
• Aftermath: The hospital had to hold a second press conference about the “false alarm”.
53
Alex Ricardo, CIPP/US
Breach Response Services
Beazley Group
Rockefeller Center
1270 Avenue of the Americas
New York, NY 10020
t: +1 (917) 344 3311
c: +1 (646) 477 1321
e: [email protected]
For More Information:
www.beazley.com
“It’s bad enough a company may possibly face liability from the data breach itself. The last thing you want is to create further liability exposure
from how you respond to the incident.
Making sure you are kept in the best defensible position possible during the course of your breach response methodology should be a priority.”
The descriptions contained in this broker communication are for preliminary informational purposes only. The product is available on an admitted
basis in some but not all US jurisdictions through Beazley Insurance Company, Inc., and is available on a surplus lines basis through licensed
surplus lines brokers underwritten by Beazley syndicates at Lloyd's. The exact coverage afforded by the product described herein is subject to and
governed by the terms and conditions of each policy issued. The publication and delivery of the information contained herein is not intended as a
solicitation for the purchase of insurance on any US risk. Beazley USA Services, Inc. is licensed and regulated by insurance regulatory authorities
in the respective states of the US and transacts business in the State of California as Beazley Insurance Services (License#: 0G55497).
54
HIPAA/HITECH UPDATE
Lynn Sessions
[email protected]
@lynnsessions
713.646.1352
Blog: www.dataprivacymonitor.com
Lynn Sessions
Lynn Sessions focuses her practice on providing legal services to healthcare
industry clients, including hospitals, integrated delivery systems, healthcare
providers, and academic medical centers. Using her prior in-house
experience at Texas Children’s Hospital, Lynn represents and provides legal
counsel to clients on a variety of privacy and data security matters from an
in-house counsel and client perspective. Lynn works with clients to ensure
they are in compliance with HIPAA/HITECH regulations, develops proactive
compliance programs, provides counsel in response to a privacy or data
breach, and works with clients to ensure the effective development of
preventative data privacy and security measures.
Lynn has worked with clients where multiple parties in various states were
involved in high stake data privacy security breaches. She is experienced in
applying federal HIPAA/HITECH regulations and specific state privacy and
breach statutes and the OCR and other regulatory investigations that follow.
Lynn has handled internal investigations on a large and small scale. These
investigations are focused on protecting health care providers and their
customers from privacy and data breaches, and fraud and identity theft. Ms.
Sessions has also worked with clients to develop preventative data privacy
and security strategies to avoid potential security breaches, including
development of policies and procedures, breach response teams and
training programs.
OCR Resolution
Agreements
пЃ¶Providence Health & Services ($100K)
пЃ¶CVS Pharmacy ($2.25M)
пЃ¶Rite-Aid ($1M)
пЃ¶Management Services Organization of Washington ($35K)
пЃ¶Cignet ($4.3M)
пЃ¶Massachusetts General Hospital ($1M)
пЃ¶UCLA Health Services ($865K)
пЃ¶Blue Cross Blue Shield of Tennessee ($1.5M)
пЃ¶Alaska Medicaid ($1.7M)
пЃ¶Phoenix Cardiac Surgery, P.C. ($100K)
пЃ¶Massachusetts Eye and Ear Infirmary ($1.5M)
пЃ¶Hospice of North Idaho ($50K)
пЃ¶Idaho State University ($400K)
пЃ¶Shasta Regional Medical Center ($275K)
пЃ¶WellPoint ($1.7M)
пЃ¶Affinity Health Plan ($1.2M)
пЃ¶Adult Pediatric & Dermatology, P.C. ($150K)
пЃ¶Skagit County ($215K)
What Has OCR Said
About Enforcement?
“This final omnibus rule marks the most sweeping
changes to the HIPAA Privacy and Security Rules since
they were first implemented. These changes not only
greatly enhance a patient’s privacy rights and protections,
but also strengthen the ability of my office to
vigorously enforce the HIPAA privacy and security
protections, regardless of whether the information is
being held by a health plan, a health care provider, or one
of their business associates.”
Director OCR
Leon Rodriguez
HIPAA Final Rule
пЃ¶ Business Associates are directly liable
пЃ¶ Assurances of safeguards required
пЃ¶ Calculation of CMPs clarified
пЃ¶ Breach is presumed
пЃ¶ Breach analysis modified
пЃ¶ Other clarifications
Business Associate Liability
пЃ¶ Directly liable for regulatory compliance
пЃ¶ Limited to contract with Covered Entity
пЃ¶ CE not absolved from reporting responsibility
пЃ¶ Both parties may be investigated by OCR/AGs
пЃ¶ Both parties may be sued
Business Associate Agreements are Critical
60
Calculation of Civil Monetary
Penalties (CMPs)
пЃ¶ В§160.408 Factors considered in determining the amount
of a civil money penalty.
пЃ¶ The Secretary MUST consider a list of mitigating or
aggravating factors.
– The nature and extent of the violation (number of
individuals affected, time period during which the
violation occurred, the

number of individuals affected.

time period during which violation occurred.

the nature and extent of resulting harm (physical harm,
reputational harm, or financial harm).

whether the violation hindered ability to obtain health care
(“facilitated” removed).
Calculation of Civil
Monetary Penalties (CMPs)
пЃ¶ The Secretary MUST consider a list of mitigating or
aggravating factors
– The history of prior compliance and attempts to correct indications
of noncompliance.
– Response to technical assistance from the Secretary.
– Response to prior complaints.
– Financial condition of CE or BA.
– Size of the BA or CE.
– Such other matters as justice may require.
What Is A Breach?
Baseline definition of a breach remains
unchanged.
пЃ¶ В§164.402: Breach means the acquisition, access,
use, or disclosure of protected health information in
a manner not permitted under Subpart E of this part
which compromises the security or privacy of the
protected health information.
Breach Analysis
пЃ¶ An acquisition, access, use, or disclosure of
protected health information in a manner not
permitted . . . is presumed to be a breach
пЃ¶ Unless, the CE or BA can demonstrate that
there is a low probability that the PHI has been
compromised based on a risk assessment
пЃ¶ Compromise is not defined
Risk Assessment
пЃ¶ Risk Assessment
‒ Documented
‒ Based on at least 4 factors




The nature and extent of the PHI
The unauthorized person involved
Whether the PHI was actually acquired or viewed
Extent to which any risk has been mitigated
Reporting/Notification
Obligations
пЃ¶ Notification, in situations where the use or disclosure is so
inconsequential, is not warranted because it may cause the
individual unnecessary anxiety or even eventual apathy if
notifications of these types of incidents are sent routinely.
пЃ¶ Notification to patients and media within 60 days but
substitute notice may occur after depending on
circumstances.
пЃ¶ Breaches under 500 must be reported no later than 60
days after the calendar year in which they were discovered,
not when they occurred.
пЃ¶ Notification to the Secretary must occur at same time as
notice to individuals for breaches over 500.
What does it mean?
пЃ¶
пЃ¶
пЃ¶
пЃ¶
пЃ¶
Expect to have more breaches reported
Greater scrutiny and enforcement
Increased CMP amounts
CE and BA relationship tension
More litigation
– Class Action
– Personal litigation
67
Litigation
•
Hollenbach v. Catholic Health Initiatives, Case No. 11-10855 (Berks County, Pennsylvania Court of Common Pleas)
•
Garcia v. Sutter Medical Foundation et al., Case No. RG11604927 (Alameda County, Superior Court) (putative class action
complaint alleging violations of the Confidentiality of Medical Information Act)
•
Atkinson v. Sharp Memorial Hospital, Case No. 37-2011-00102684 (putative class action complaint alleging violation of the
Confidentiality of Medical Information Act)
•
Zacarias v. Eisenhower Medical Center, Case No. INC 1108128 (Riverside County, Superior Court, 2011) (putative class
action complaint alleging violations of the Confidentiality of Medical Information Act and Customer Records Act)
•
Gonzalez v. South Broward Hospital District, Case No. 12-22437 (Broward County, Florida) (putative class action arising
from alleged employee theft of patient information)
•
Burgess v. Blue Cross Blue Shield of South Carolina, N.D. Cal. 2012 (putative class action arising out of the recording of
calls to a call center)
•
Care England In re: Women and Infants Hospital of Rhode Island (Civil Investigative Demand 2013-CPD-18)
•
Beson v. Park Nicollet Health Service, 12CV02171 (D. Minn. 2012) (putative class action brought pursuant to Fair and
Accurate Credit Transactions Act)
•
Merring v. St. Clare’s Health System et al, Case No. MRS-L-379-12 (Morris County, Superior Court of New Jersey, 2012)
(complaint alleging disclosure of protected health information)
•
Faircloth v. Adventist Health System et al, Case No. 2013-CA-009369 (Orange County, Florida) (putative class action
arising from alleged employee theft of patient information)
68
HIPAA as Standard of Care
Hinchey v. Walgreens, Indiana Superior Court (2013)
пЃ¶ Jury Verdict of $1.44M
пЃ¶ HIPAA does not create private cause of action
пЃ¶ HIPAA establishes the standard of care for provider
пЃ¶ Walgreens found vicariously liable for pharmacist
69
Regulatory Hot Buttons
пЃ¶
пЃ¶
пЃ¶
пЃ¶
пЃ¶
пЃ¶
пЃ¶
пЃ¶
Security risk analysis
Risk management plans
Encryption
Business Associate Agreements
Minimum necessary
Documentation of breaches
Policies and procedures
Storing old data
70
Chicago
Cincinnati
Cleveland
Columbus
Costa Mesa
Denver
Houston
Los Angeles
New York
Orlando
Washington, DC
www.bakerlaw.com
В© 2013 Baker & Hostetler LLP
Q&A
72