Appellate Division Enforces The Self-Critical Analysis Privilege Protections of the Patient Safety Act

by John W. Kaveney

On February 6, 2017, the New Jersey Appellate Division reversed a trial court ruling by holding that a hospital’s failure to notify regulators of a treatment error does not mean that the hospital loses the privilege and confidentiality afforded to its internal self-critical analysis under the Patient Safety Act.

The matter of Brugaletta v. Chilton Memorial Hospital, et al. concerned a claim of medical malpractice by a patient, Ms. Brugaletta. During discovery she sought the hospital’s internal self-critical analysis of her care. The trial judge initially ruled that the documentation should be produced, finding that Ms. Brugaletta had suffered a “serious preventable adverse event” (“SPAE”) and that the hospital had failed to report the event to the New Jersey Department of Health or Ms. Brugaletta in violation of the Patient Safety Act. The hospital appealed that determination, disputing that Ms. Brugaletta suffered an SPAE and that it had any reporting obligation to the Department or Ms. Brugaletta.

The Patient Safety Act (N.J.S.A. 26:2H-12.23, et al.) creates an absolute privilege over certain documents that a hospital develops as part of a self-critical analysis. In analyzing the Patient Safety Act, the Appellate Division held that the only statutory precondition of the self-critical analysis privilege is compliance with the statutory requirement that hospitals develop and implement a patient safety plan in accordance with the requirements established by the commissioner by regulation. Thus, as long as the proper procedure is followed as set forth in the hospital’s safety plan, then the self-critical analysis is protected by the privilege.

The Appellate Division rejected any interpretation whereby the self-critical analysis privilege was conditioned on a hospital meeting its reporting obligations. Rather, it viewed those as a separate and distinct obligation under the Patient Safety Act. The Appellate Division also disagreed with the trial court’s finding that an SPAE had occurred as the trial court failed to identify record evidence to make such a conclusion, specifically with regard to causation. 

Thus, the Appellate Division found the trial court had erred in compelling the hospital to disclose the self-critical analysis and in finding that the hospital failed to report an alleged SPAE to the Department and Ms. Brugaletta.

This case and decision are just the most recent example of the continuing efforts by patients to challenge the protections of the Patient Safety Act and the courts’ efforts at determining the legislature’s intended purpose of the statute’s language. History suggests this will not be the last such case.


The State of Health Insurance After President Obama

by Marissa Koblitz-Kingman

In President Obama’s weekly address on December 10, 2016, the President encouraged Americans who do not currently have healthcare to enroll in a health insurance plan under the Affordable Care Act (ACA). In the address, the President likely also wanted to remind everyone listening that the threat of Republicans in Congress repealing this law was now a real possibility. President Obama stated “that if Congress repeals Obamacare as they’ve proposed, nearly 30 million Americans would lose their coverage. Four in five of them would come from working families. More than nine million Americans who would receive tax credits to keep insurance affordable would no longer receive that help.” Now that President-elect Trump will take office in a matter of days, what is the fate of healthcare in America?

“The first order of business is to keep our promise to repeal Obamacare and replace it with the kind of healthcare reform that will lower the cost of health insurance without growing the size of government,” Vice President-Elect Pence told a news conference recently. Pence also said that Trump would work with congressional leaders for a “smooth transition to a market-based healthcare reform system” through legislative and executive action. House Speaker Paul Ryan said that lawmakers would take action that did not “pull the rug out from anybody” and that the party had “plenty of ideas.” Democrats and many health-care experts are warning that a swift repeal could lead insurers to stop selling policies to individuals on federally mandated exchanges. More than 12 million Americans are covered under those policies.

The current Health and Human Services Secretary, Sylvia Mathews Burwell, briefed Senate Democrats on December 8, 2016, on the expected unraveling of Obamacare’s insurance exchanges. As previously discussed on the MDM&C blog, Trump’s selection of Representative Tom Price to the position of Secretary of Health and Human Services seems to be Trump’s first step towards repealing the ACA. Price has been a regular voice in opposition to the ACA. Price’s philosophy on fixing Obamacare is rooted in “clear[ing] out the bureaucratic impediments” to health-care providers so that the marketplace can figure out the best way to get people health insurance.

Some commentators have stated that a less drastic route Congress may take is to replace the ACA rather than pursue an all-out repeal. Congress could pass a plan that doesn’t call for repeal for several years. Between now and then, there would need to be some kind of transition to whatever replaces Obamacare that did not just dump people off coverage with no alternative. However, others still believe that the Republican Congress will swiftly replace the ACA’s ban on health status underwriting and pre-existing condition exclusions, as well as its individual mandate, with a continuous coverage guarantee and high-risk pools. This could mean that if individuals were initially uninsured, or if they had to drop coverage because of financial hardship, they may face a penalty when they seek coverage that is significantly greater than the repealed individual mandate penalty. Many argue that these Republican plans would fall far short of the assistance needed by lower-income Americans who are currently being helped by the ACA.

However, in his recent 60 Minutes interview, President-Elect Trump assured the public that he agrees with certain parts of ACA. Trump plans to keep the ACA policy that allows young adults to stay on their parents’ insurance plans until age 26, as well as the provision that insurers must cover people with pre-existing conditions.

We are likely to know more in the coming months as Congress and the President-Elect begin to take action.

A Light at the End of the Telemedicine Tunnel Appears (on the New Jersey Side)

by Cecylia K. Hahn

Upon recently reviewing the healthcare coverage benefits under a particular health plan, I was almost giddy to note that telemedicine services (both medical and mental health) were covered and reimbursable at the same rate as traditional in-person services. While some carriers have come to appreciate this form of health care service delivery, standards for licensure, practice, reimbursement, and prescription of medication have to date been unregulated and thus unclear in New Jersey.

Nevertheless, New Jersey lawmakers are working hard toward enacting legislation that would provide clarity by regulating the practice of telemedicine. The Senate Health and Human Services Committee and the Senate Appropriations Committee unanimously recommended the passage of Bill No. S291, while testimony was recently taken by the Assembly Health and Senior Services Committee on an identical Bill No. A1464.

What is Telemedicine?

The bill’s definition of “telemedicine” is quite technical and I would refer you to the bill for that technical definition. In sum, telemedicine is the delivery of a health care service using electronic means or technology to remotely bring together a health care practitioner (e.g., a physician, nurse practitioner, psychologist, or psychiatrist) with a patient, typically via two-way videoconferencing or store-and-forward technology. (Store-and-forward technology is the transmission of medical data from a patient’s location to a distant site practitioner for later assessment.) This form of communication is meant to replicate the in-person encounter experience; thus, real-time visual and auditory communication is a must. Telemedicine is not a simple phone call, email, instant message, text, or fax.

Standard of Care

Another important issue, particularly if a health care practitioner is located out-of-state, is which state’s standard of care would apply. One view has been to look to the standard of care where the patient is located. The proposed bill confirms that, for New Jersey, a health care practitioner is subject to the same standard of care that would apply if the patient encounter took place in person within New Jersey. This would apply to recordkeeping rules as well as maintenance of patient confidentiality.

Added Responsibility of Hospitals

Where a health care practitioner wishes to engage in telemedicine with patients in a hospital, the hospital’s governing body must first verify and approve the credentials of, and grant telemedicine practice privileges to, the practitioner based solely upon the recommendations of the medical staff. The medical staff recommendation is based on information provided by the originating site employer (i.e., employer of health care practitioner at location where service rendered).

Licensing

License portability is an added challenge. Most states that permit telemedicine require that a health care practitioner be licensed in the state where the patient is located. This makes sense given the state’s responsibility to protect its residents. Pursuant to the telemedicine bill, the process to obtain a New Jersey license by an out-of-state practitioner wishing to practice here will be easier or harder depending on the laws of the practitioner’s home state. If the following criteria are met, the appropriate licensing board will be required to grant a reciprocal license to an out-of-state health care practitioner: (1) the other state has substantially equivalent requirements for licensure, registration, or certification; (2) the applicant has practiced in the profession within the five-year period preceding application; (3) the respective New Jersey State board receives documentation showing that the applicant’s out-of-state license is in good standing, and that the applicant has no conviction for a disqualifying offense; and (4) an agent in New Jersey is designated for service of process if the non-resident applicant does not have an office here. Further, the bill proposes clarifying State Board regulations that currently provide only for a discretionary reciprocal license: the discretion is limited to permitting a reciprocal license where not all of the criteria above are met; if they are all satisfied, a license must be granted.

Face-to-face Encounter for Online Prescribing

Federal law makes it generally illegal to prescribe a controlled dangerous substance based solely on an online questionnaire completed by a patient. The question with online prescription of medication is always whether a health care practitioner (who is authorized to prescribe medication) must have an in-person encounter with a patient before prescribing medication to that patient via telemedicine. The bill permits a physician to prescribe, dispense or administer medication to a New Jersey patient if (1) the physician first performs a face-to-face examination of the patient (which examination may occur in-person or via telemedicine and must comply with the standard of care) and (2) the physician adheres to the particular laws that apply to that medication.

Reimbursement

Last, but certainly not least, there is the issue of reimbursement. Even though state regulators currently may permit various providers to engage in telemedicine, the issue of reimbursement remains. The bill would generally prohibit New Jersey Medicaid and New Jersey FamilyCare programs and private health benefit plans from requiring in-person encounters between a health care practitioner and patient, or establishing location restrictions, as a condition of reimbursement under the pertinent program. Further, parity is required for benefits covered and reimbursement rates whether the encounter is in-person or via telemedicine. A drawback to the reimbursement parity, cited by insurance plans, is that it will prevent the use of telemedicine as a cost-savings tool. Of course, the use of telemedicine in the particular situation would have to make sense (and not be contraindicated).

To date, there has been no indication on when the Assembly Health and Senior Services Committee will be voting on Bill No. A1464. If the bill were to pass, it would go before the Governor for review and consideration.

Say Goodnight To The Two Midnight Rule’s Payment Reductions

by Paul L. Croce

The Two Midnight Rule, which was introduced as part of CMS’ FY 2014 Inpatient Prospective Payment System (“IPPS”) rule, dictates that when a physician expects a beneficiary to require care that crosses two midnights and admits the beneficiary based on that expectation, Medicare Part A payment is generally appropriate.  Conversely, if the beneficiary’s hospital stay is expected to be less than a period spanning two midnights, payment under Medicare Part A is generally inappropriate.

Because CMS anticipated significant increases in expenditures as a result of the Two Midnight Rule, CMS exercised the Secretary’s “broad authority” under 42 U.S.C. 11395ww(d)(5)(I)(i) to impose a 0.2% reduction to the national capital federal rate in FY 2014 to offset the anticipated increase in expenditures.  That same reduction was applied to the national capital federal rate in FY 2015 and FY 2016 as well.

In connection with the adoption of the Two Midnight Rule, numerous commenters questioned the validity of the Secretary’s prediction of increased expenditures, upon which the decision to reduce rates was based. However, CMS never addressed these comments in detail when adopting its final rule, except to say that the reductions were an appropriate use of the Secretary’s statutory exceptions and adjustments authority.

Having not received an adequate response to their comments during the rulemaking process, numerous hospitals filed suit challenging the 0.2% reduction. Several of those suits were consolidated before the United States District Court for the District of Columbia under the caption Shands Jacksonville Medical Center, et al. v. Burwell, Consolidated Civil Case Nos. 14-263, 14-503, 14-536, 14-607, 14-976, 14-1477 (the “Shands Litigation”).

On September 21, 2015, the Court in the Shands Litigation found that the Secretary’s failure to disclose critical assumptions made by the actuaries who calculated the alleged increase in expenditures, which was relied upon to impose the 0.2% reduction, failed to meet the standards of the Administrative Procedure Act by depriving the public of a meaningful opportunity to comment on the proposed rule. As a result, the Court remanded the matter to the agency for further proceedings regarding the adequacy of the 0.2% reduction.

After remand, CMS issued public notice of the basis for the 0.2% reduction and its underlying assumptions.  As a result of the comments received to that public notice, CMS eliminated the 0.2% reduction for FY 2017 in connection with the FY 2017 IPPS final rule.  Additionally, CMS adjusted the FY 2017 capital IPPS rate to effectively eliminate the impact of the 0.2% reduction to rates in previous years by implementing a one-time prospective adjustment of 1.006 in FY 2017 to the national capital Federal rate.

Despite implementing this adjustment, CMS denies any error and continues to maintain that “the assumptions underlying the 0.2% reduction to the rates put in place beginning in FY 2014 were reasonable at the time we made them in 2013.”  Nevertheless, whether CMS recognized its error, or felt compelled to make this change as a result of the Shands Litigation, the end result is the same for hospitals throughout the country.  They have been relieved of the burden imposed by the 0.2% reduction associated with the adoption of the Two Midnight Rule.


The Future Is Uncertain For the Patient Protection and Affordable Care Act

by John W. Kaveney

With the election of Donald Trump to the office of President of the United States, Republicans and their supporters began implementing plans for the repeal and replacement of President Obama’s signature legislation, the Patient Protection and Affordable Care Act (“ACA”). President-Elect Trump’s selection of Representative Tom Price (R-GA) to the position of Secretary of Health and Human Services signaled the next step in those efforts.

Dr. Price, an orthopedic surgeon, has been a regular voice in opposition to the ACA and many in Congress and the media see this selection as confirmation that every effort will be made to replace the ACA. Several Democrats have already come forth indicating they plan to challenge Dr. Price’s selection as they see any threat to the ACA as a threat to thousands of patients that have only received insurance as a result of the ACA.

While a repeal of the ACA is still not guaranteed and many are already challenging whether it could even be effectuated without significant impacts on the health insurance industry and millions of Americans, it is nevertheless important to understand what a replacement program might look like. Dr. Price has previously submitted one of the more detailed Republican plans to replace the ACA. His previously proposed legislation is known as the Empowering Patients First Act.

Unlike the ACA, Dr. Price’s legislation seeks to minimize government’s role in health care. The following are five key elements of Dr. Price’s prior proposal:

  1. Fixed tax credits that rise with age so that patients can purchase their own insurance on the private market, including across state lines. The tax credits would not fluctuate based on income.
  2. Expand health savings accounts to further incentivize patients to contribute to such accounts to pay co-pays and deductibles.
  3. Preexisting conditions would continue to be excluded as a basis to deny coverage but only if the patient has had continuous insurance for eighteen months prior to selecting a new policy. If not, coverage might be denied for up to eighteen months under the new policy.
  4. Limiting the amount of money companies can deduct from their taxes for employee health insurance expenses.
  5. States would be paid federal funds to set up high risk pools to assist those with preexisting conditions who cannot afford insurance on the private market.

While Dr. Price has indicated his willingness to negotiate and compromise on what the ultimate replacement looks like, it remains to be seen how flexible he and the Republicans will be on a substitute for the ACA. Regardless of the final form, one cannot forget that as Secretary of HHS, Dr. Price would ultimately control the authoring of the enabling regulations to implement the new legislation.

It is anticipated that during President-Elect Trump’s first 100 days in office this issue will be addressed.

OCR and FTC Detail Overlapping Interests Between HIPAA and the FTC Act

by Leonardo M. Tamburello

On October 21, 2016, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) issued joint guidance highlighting the agencies’ common interest in protecting individuals’ health information.

The health care industry is familiar with the restrictions on use and disclosure of protected health information (PHI) imposed by HIPAA.  In general, other than as required by the HIPAA Privacy Rule or for treatment, payment or health care operations, HIPAA requires a valid, signed authorization from the individual before any further use or disclosure of their PHI can occur.   This authorization must be in “plain language,” not be combined with any other type of authorization, and include specific terms and descriptions of the information sought and the proposed use or disclosure.

The FTC’s interest in the healthcare sector’s information security practices is less well known, however.  Many may be surprised by the FTC’s longstanding position that its broad power to regulate unfair and deceptive practices under Section 5 of the FTC Act includes overlapping jurisdiction with OCR concerning the privacy and security practices of HIPAA-regulated entities.

The FTC Act prohibits a contemplated use or disclosure of health information from being a “deceptive or unfair” act or practice.  Among other things, this means that individuals may not be “misled” about how their PHI is being used or disclosed.   The FTC therefore recommends that entities consider all of their consumer-facing messaging to ensure it is free from any deceptive or misleading statements.   Moreover, the FTC explicitly cautions against burying key facts regarding use and disclosure of health information in links to a privacy policy, terms of use, or HIPAA authorizations.  It also warns against manipulating font sizes or colors online in a manner which would make disclosure statements deceptive.  Instead, it recommends that all disclosure statements be “clear and conspicuous” from a consumer’s perspective.

OCR and the FTC have a history of collaboration and joint enforcement in the security area.  In February 2009, OCR entered into a $2.25 million settlement agreement with CVS Pharmacy, Inc. (CVS) and required implementation of a detailed corrective action plan to ensure the proper disposal of PHI.  Simultaneously, in a separate but related agreement, CVS resolved FTC charges that it failed to implement reasonable and appropriate procedures for handling personal information about customers and employees, did not adequately train employees, did not use reasonable measures to assess compliance with its policies and procedures for disposing of personal information, and did not employ a reasonable process for discovering and remedying risks to personal information.

A year later, in July 2010, Rite Aid Corporation entered into a similar resolution agreement, paying $1 million to OCR and implementing a corrective plan of action while simultaneously settling a FTC complaint which alleged it failed to properly dispose of personal information, inadequately trained employees, did not sufficiently assess compliance with its disposal policies, and did not employ a reasonable process for discovering and remedying risks to personal information.

In addition, the FTC has not hesitated to bring enforcement actions on its own against healthcare entities.  Most notably, the FTC has doggedly pursued LabMD, a former clinical laboratory which no longer operates, for failure to protect patients’ sensitive personal information.  This resulted in a July 2016 unanimous opinion from the FTC which found LabMD’s security practices unreasonable, “lacking even basic precautions to protect the sensitive consumer information maintained on its computer system.”  A motion to stay the FTC’s enforcement order has recently been filed in the Eleventh Circuit by LabMD. See LabMD, Inc. v. FTC, 11th Cir., No. 16-16270, motion to stay filed, Oct. 7, 2016.

It remains to be seen whether this recent joint statement from OCR and FTC foreshadows a more robust collaboration between the two agencies which builds on their efforts in the CVS and Rite Aid cases and expands into the HIPAA Privacy Rule area.  Even if that does not immediately occur, the FTC remains active in pursuing cases on its own, such as LabMD.  Whatever the outcome, businesses in the healthcare sector should remain sensitive to the FTC’s mandates, along with those from OCR.

HIPAA Enforcement At All-Time High So Far in 2016

by Leonardo M. Tamburello

Still with four months to go, 2016 has been a record-setting year for HIPAA enforcement by the U.S. Department of Health and Human Services Office for Civil Rights (OCR). Before September even begins, OCR has already levied over $20 million in fines resulting from its investigation of suspected HIPAA violations. This amount more than triples the $6.2 million in HIPAA penalties which it assessed for all of 2015. These enforcement actions included both the first-ever settlement of possible HIPAA violations by a Business Associate and the largest single fine, $5.5 million, for suspected HIPAA violations.

In addition, OCR has recently begun an initiative to more widely investigate the root causes of breaches affecting fewer than 500 individuals. While Regional Offices will still retain discretion to prioritize which smaller breaches to investigate, each office will increase its efforts to identify and obtain corrective action to address entity and systemic noncompliance related to these breaches.   The factors that OCR’s Regional Offices will consider in this manner include:

  • The type and size of the breach, including the amount, nature, and sensitivity of the PHI involved;
  • Whether the breach involved theft or improper disposal of unencrypted PHI;
  • Breaches that involve unwanted intrusions to IT systems (for example, by hacking);
  • A particular covered entity or business associate’s breach history;
  • Lack of breach reports affecting fewer than 500 individuals when comparing a specific covered entity or business associate to like-situated covered entities and business associates.

This flurry of enforcement activity has occurred against the backdrop of “Phase 2” desk and onsite audits of approximately 200 – 250 covered entities and their business associates, which will examine compliance with specific requirements of the Privacy, Security, or Breach Notification Rules. In particular, these audits will focus on the contents of Notices of Privacy Practices, individuals’ rights to access protected health information, risk analysis, risk management, and the timeliness and content of breach notification. There will also be a limited number of comprehensive on-site audits. All audits are expected to be completed by December 31, 2016.

Even if not selected for an audit, covered entities and business associates would be well-advised to review the Audit Protocol available through the HHS website, ensure their internal list of business associates is current, and review and, if necessary, update their risk analysis and risk management in light of recent developments, particularly the proliferation of ransomware attacks targeting the health industry.

OCR Issues HIPAA Guidance on Ransomware Threat to Health Care Industry

by Leonardo M. Tamburello

The U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) has published a HIPAA Fact Sheet outlining the multi-faceted threat which ransomware poses to the health care sector and providing insights into how this threat may affect HIPAA compliance.  In this publication, OCR states that a ransomware attack, even on encrypted devices, may result in a reportable breach of electronic Protected Health Information (“ePHI”).  In light of this, covered entities and business associates should consider revisions to their risk assessment plans specifically directed at countering ransomware attacks.

Ransomware is an increasingly rampant type of malware that encrypts data with a complex “key” known only to the hacker, making data, and possibly entire information systems such as EHRs or scheduling programs, inaccessible to authorized users. Once ransomware has taken hold, hackers demand a payment before providing the key required to decrypt the affected files.  Ransomware frequently infects devices and systems when unsuspecting users click on malicious website links or open infected email attachments.

OCR’s guidance states that ransomware infections of a computer system are a “security incident” under HIPAA. As a result, once ransomware is detected, the covered entity or business associate must initiate its HIPAA-mandated security incident response and reporting procedures.  In addition, it should also assess whether or not a “breach” has occurred.  As defined by HIPAA regulations, a breach occurs with “the acquisition, access, use, or disclosure of PHI in a manner not permitted under the [rules governing PHI] which compromises the security or privacy of the PHI.” Whether ransomware infections meet this definition is a fact-sensitive question.

According to OCR’s recent guidance, ransomware represents an unauthorized user’s attempt to encrypt the data, which amounts to an “acquisition,” and therefore an impermissible disclosure, under HIPAA. At this point, a risk assessment is required to determine whether there is a “low probability” that a breach has occurred, taking into account the following factors:  (1) the nature and extent of the ePHI involved; (2) the unauthorized person who used the ePHI or to whom the disclosure was made; (3) whether the ePHI was actually acquired or viewed; and (4) the extent to which the risk to the ePHI has been mitigated.  If a “low probability” of compromise cannot be demonstrated, then a breach has occurred and HIPAA’s Breach Notification Rule is triggered.

If encrypted data is involved, the question of whether or not a breach has occurred becomes more complicated and depends, in part, on the technical aspects of the particular encryption used. Because the Breach Notification Rule only applies to “unsecured PHI,” meaning PHI “that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary,” properly encrypted PHI, even if stolen, usually does not constitute a “breach.”  However, additional analysis is still required to ensure that the encryption solution, as implemented, is effective.  For example, a full disk encryption solution may render the data on a computer system’s hard drive unreadable, unusable and indecipherable to unauthorized persons while the computer system is powered down. However, once the system is operational, many full disk encryption solutions will transparently decrypt and encrypt files accessed by the user.  Thus, an authenticated user who accidentally infects the system with ransomware may cause a breach of ePHI: the ransomware runs with that user’s access and sees the same plaintext the user does. Despite having encryption protection in place, therefore, sophisticated ransomware can result in a breach of ePHI which is reportable under HIPAA.

HIPAA already requires covered entities and business associates to implement security measures to prepare for, respond to, and recover from ransomware and other malware attacks. Some of these required security measures include: implementing a security management process, which includes conducting a risk analysis to identify threats and vulnerabilities to ePHI and implementing security measures to mitigate or remediate those identified risks; implementing procedures to guard against and detect malicious software; training users on malicious software protection so they can assist in detecting malicious software and know how to report such detections; and implementing access controls to limit access to ePHI to only those persons or software programs requiring access.

With respect to recovery from a ransomware infection, covered entities should maintain offline backups of data and conduct periodic test restorations to verify the integrity of backed-up data. HIPAA requires covered entities to have a data backup plan as well as security incident procedures.

An interagency U.S. Government report reveals that there have been 4,000 daily ransomware attacks since early 2016, a remarkable 300% increase from this period last year. With health information systems containing vital information for daily operation as well as highly personal information of their patients, the health care sector has been a growing target of ransomware.  The OCR’s new guidance recognizes this threat, and clarifies the implications that it carries for covered entities and business associates.

SCOTUS Broadens False Claims Act Liability Based On “Implied False Certification” Theory

by Leonardo M. Tamburello

In a June 2016 decision, the United States Supreme Court held, under the False Claims Act (FCA), that (1) the so-called “implied false certification theory” may create liability when the defendant fails to disclose noncompliance with a legal requirement when submitting payment claims that make definitive representations about the services provided; and (2) liability is not contingent upon the requirement being an express condition of payment.

Yarushka Rivera received counseling at a mental health facility. Rivera suffered an adverse reaction to medication resulting in her death. After Rivera’s death, her parents learned that most employees at the facility were not licensed to provide mental health counseling. They later discovered that only one of the five professionals treating their daughter was licensed. Respondents filed a qui tam suit alleging violations under the FCA, based on an implied false certification theory of liability; that is, they claimed that the facility submitted false claims by submitting reimbursement requests without disclosing the staff credentialing and licensing violations.

Implied False Certification Theory

The implied false certification theory suggests that a defendant implicitly verifies that all payment requirements are satisfied when submitting a claim. If the claim fails to disclose violations of a material legal provision, then a misrepresentation has been made, rendering the claim false or fraudulent under the FCA. Disputes among the Courts of Appeals concerning the validity of this theory prompted the Supreme Court to grant review. In its decision, the Supreme Court held the implied certification theory may create liability when two conditions are met: first, the claim does not just demand payment but makes definitive representations about the products or services provided; and second, failure to disclose noncompliance with material statutory, regulatory, or contractual provisions makes those representations deceptive half-truths.

Liability Under the FCA

The FCA imposes civil liability on “any person who…knowingly presents, or causes to be presented, a false or fraudulent claim for payment or approval.” Defendants argued that liability should only be imposed when the violations of statutory, regulatory, or contractual requirements are an express condition of payment. The Supreme Court rejected this contention, stating liability is not contingent upon the violated legal provision being an express condition of payment. In so holding, the Court noted that the FCA does not impose such a restriction.

Instead, liability is determined by the extent of the material misrepresentation. The FCA defines material as having a natural tendency to influence, or being capable of influencing, the payment or receipt of money or property. However, a misrepresentation is not material simply because the government compels compliance with statutory, regulatory, or contractual provisions as a condition of payment. Nor is materiality found if noncompliance is trivial or insubstantial. Thus, when evaluating the materiality of a misrepresentation for a possible FCA violation under the implied false certification theory, the fact that a requirement is an express condition of payment is relevant but not dispositive.

The Supreme Court’s ruling on the implied false certification theory broadens healthcare providers’ liability because plaintiffs can now bring more expansive claims under the FCA. But liability is only actionable when the misrepresentation of a legal provision is material to the government’s decision to provide payment. While a healthcare provider’s liability is broadened, the bar to sustain such claims is slightly raised by the demanding nature of the materiality standard articulated by the Court.

Questions Regarding “Minimum Necessary,” Physical Controls, and Encryption Follow Insurer’s “Ongoing Search” for Six Hard Drives Containing PHI of 950,000 Individuals

by Leonardo M. Tamburello

A major health insurer announced an “ongoing comprehensive internal search” for six hard drives containing PHI, including the name, address, date of birth, social security number, member ID number and “health information,” of approximately 950,000 individuals who received laboratory services from 2009 through 2015. According to the announcement, the hard drives were used in an internal data project which analyzed laboratory results with the goal of improving health outcomes.

This incident raises two potential topics of interest under HIPAA. The first is whether a data set containing fewer identifiers, or de-identified data, could have been used for this project. If de-identified information had been used, the loss of the hard drives would be less damaging and possibly not a “breach” under HIPAA. The post-breach risk assessment should attempt to answer this question and make policy recommendations that require a critical assessment of whether and to what extent PHI beyond the “minimum necessary” is required for future similar projects.

If it was necessary to use the complete data set of PHI contained on the lost hard drives, additional security precautions, such as enhanced physical security tracking measures and encryption, should have been considered and implemented. Physical security tracking that restricted or linked the physical movement of the hard drives to a particular location or individual could be enhanced with a requirement that the location and custody of media containing PHI be periodically verified, especially if the PHI of nearly a million individuals is potentially in play. Although there seems to have been some process along these lines in place, in light of the “ongoing comprehensive internal search,” there is no indication of the last date on which the location of the hard drives could be verified.

In addition, the decision to apparently not encrypt the hard drives should also be examined. Encryption remains an addressable implementation specification under HIPAA; it must therefore be implemented if, after a risk assessment, the entity has determined that the specification is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability of ePHI. See, 45 CFR § 164.312(a)(2)(iv) and -(e)(2)(ii). If the entity decides that encryption, as an addressable implementation specification, is not reasonable and appropriate, it must document that determination and implement an equivalent alternative measure, presuming that the alternative is reasonable and appropriate. If the standard can otherwise be met, the covered entity may choose not to implement the implementation specification or any equivalent alternative measure, and must document the rationale for this decision.

With the relative ease and speed of modern encryption applications that are available across a variety of platforms, from smart phones and tablets, to flash drives and individual hard drives, to back-up media, not encrypting data, whether it is in use, in motion, or at rest, is becoming increasingly difficult to defend from a technical standpoint.

The unexplained disappearance of devices or storage media containing unencrypted PHI through inadvertence, malicious theft, or other physical loss remains a vexing problem for covered entities. Two relatively simple strategies to avoid the serious harm that could result from such an occurrence are eliminating the use of PHI when possible, and implementing robust tracking and encryption protocols for those instances when PHI is truly necessary.