Overlapping Regulations for Confidentiality Regarding Substance Abuse Treatment

Our starting point is that privacy and confidentiality are important in any type of treatment but in connection with substance abuse and addiction treatment, there is a need for some enhanced protections. The United States Court of Appeals for the First Circuit has stated that “[t]he express purpose” of federal initiatives in this area was “to encourage patients to seek treatment for substance abuse without fear that by so doing their privacy will be compromised.” United States v. Cresta, 825 F.2d 538, 551-52 (1st Cir. 1987).  The collateral stigmas for an individual and the family are of such great concern that they can be obstacles to even seeking treatment. Reputations are at risk for having the disease and jobs or work opportunities may be jeopardized. Family members will be embarrassed. Federal regulations involving the HIPAA Privacy Rule and special provisions for substance abuse treatment programs recognize these concerns. While there have been efforts to align these two regulatory systems, it is important to recognize that these regulations intersect, overlap, and sometime supersede each other. In addition, state licensing or regulatory provisions may have stricter requirements or may, as in New Jersey (N.J.A.C. 10:161B-3.6(b)(5)), incorporate the Federal standards.

HIPAA is the first body of regulations concerning medical privacy that comes to mind for most persons. But historically speaking, it is not. The Health Insurance Portability and Accountability Act (HIPAA), 42 USC §1320d, enacted in 1996 directed the Secretary of Health and Human Services and the Attorney General to develop guidelines that “appropriately protect the confidentiality of the information and the privacy of individuals receiving health care services.”  This eventually led to the release of the Privacy Rule in 2002 with an April 13, 2003 effective date and codification at 45 CFR Parts 160 and 164. In contrast, the restrictions on disclosures concerning substance abuse treatment have their origins in the 1970 Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment and Rehabilitation Act and the 1972 Drug Abuse and Prevention, Treatment and Rehabilitation Act with implementing regulations issued by the then Department of Health, Education and Welfare in 1975 with various revisions and supplements. The pertinent statute is 42 USC §290dd-2 with regulations now codified at 42 CFR Part 2.

As with the HIPAA regulations, there have been some recent amendments to the 42 CFR Part 2 regulations. 82 Fed.Reg. 6052 (Jan. 18, 2017). The most recent update was to go into effect as of February 17, 2017 but was delayed to March 21, 2017 by virtue of the 60-day regulatory freeze issued by the Trump Administration on January 20. The amendments were intended to make the Part 2 regulations more consistent with HIPAA. Differences persist with the potential for resulting confusion.

Here is one starkly clear reality: violation of the substance abuse treatment restrictions is a federal crime with a fine to be imposed pursuant to Title 18 of the United States Code.  42 USC §290dd-2(f). While both sets of regulations cover similar material, there are points of difference. But a reasonably valid heuristic in choosing between HIPAA and Part 2, with a slight refinement, is: Whichever standard is stricter — usually 42 CFR Part 2 — and provides the greater privacy protection should be applied.

Here is the refinement to that problem-solving heuristic. While HIPAA covers the health care industry broadly, the provisions of 42 CFR Part 2 only apply to “federally assisted” drug and alcohol “programs.” These are defined terms in 42 CFR 2.11. Thus, the records of a primary care physician who is not held out as providing alcohol or drug abuse treatment is not covered. The special confidentiality provisions would not apply to a hospital except to an identified unit that has a “primary function” of providing substance abuse diagnosis, treatment or referral. Similarly, the rules would not apply to an emergency room. See generally Center for Legal Advocacy v. Earnest, 320 F.3d 1107 (10th Cir. 2003); United States v. Zamora, 408 F.Supp.2d 295 (S.D. Tex. 2006). The applicability of Part 2 requires not only a “program” as defined in the regulation but also that the program be “federally assisted.” Federal funding is, of course, endemic in health care and the definition in 42 CFR 2.12(b) is consistent with that reality but being “federally assisted” must be confirmed.

The basic HIPAA rule of thumb is that except in connection with disclosures to the individual whose health information is at issue or to HHS or its Office of Civil Rights enforcement arm, a covered entity should not make any use or disclosure without a patient’s authorization unless permitted by the Privacy Rule. However, in addition to the broad approval for use or disclosure for treatment, payment or operations (TPO) without patient authorization, there are quite a few permissive disclosures without patient authorization set forth in 45 CFR 164.512 including such circumstances as public health activities and oversight, judicial and administrative proceedings, law enforcement purposes, and reporting crimes. The Part 2 regulations on the other hand are much stricter and more limited than what is allowed under HIPAA. Disclosures without a patient’s consent are allowed in the following circumstances:

  • Communications among program personnel
  • Communications between a program and a Qualified Service Organization
  • Crimes on program premises or against program personnel but without an exception for the duty to warn others unless the threatened violence is against program personnel.
  • Reports of suspected child abuse and neglect limited to making the initial report with any disclosure for subsequent investigation not permitted in the absence of a court order or signed authorization.
  • Medical emergencies involving an immediate threat to the health of the patient requiring immediate medical intervention.
  • Scientific research
  • Audits and evaluation activities
  • Court order, which must comply with special requirements set forth in the regulations.

Moreover, in the absence of consent or the special court order, the regulations in 42 CFR  2.13(c) prohibit a substance abuse treatment facility from even acknowledging that a particular individual is a patient.

Another instance of a stricter standard in Part 2 can be found in connection with a consented-to disclosure. 42 CFR 2.31 requires written voluntary consent. A verbal consent is inadequate. The consent document must contain ten elements specified in the regulation. Furthermore, under the provisions of the HIPAA Privacy Rule found at 45 CFR 164.508(c)(2) information that is disclosed pursuant to an authorization has the potential for being re-disclosed and no longer subject to HIPAA privacy protection. In contrast, an authorized disclosure under Part 2 must be accompanied by an explicit statement that further disclosure of information that identifies a patient as having or being treated for a substance use disorder is prohibited. 42 CFR 2.32(a).

HIPAA covers “protected health information” (PHI) and “individually identifiable health information” (IIHI). The Part 2 regulations speak in terms of “records” which term is defined in 42 CFR 2.11 as “any information” whether recorded or not, created by, received, or acquired by a Part 2 program relating to a patient whether involving diagnosis, treatment, referral for treatment, billing, emails, voice mails, and texts. For the purpose of the regulations “records” include both paper and electronic records.

Both HIPAA and Part 2 address disclosures in connection with judicial proceedings and various law enforcement activities. Although there are few judicial decisions concerning 42 CFR Part 2, there is a lucid and helpful discussion by the Connecticut Superior Court in Briggs v. Winter, 2014 Conn. Super. LEXIS 1292, 2014 WL 2922643, of these “two discrete but complementary federal statutory schemes” in the civil context. The HIPAA approaches of “satisfactory assurances” concerning civil subpoenas and the effectiveness of grand jury subpoenas without a court order are inadequate for substance abuse records. The statutory standard found in 42 USC §290dd-2 requires a showing of “good cause.” The Part 2 regulations more specifically set forth separate requirements for what constitutes “good cause” as to the court orders to be issued in connection with disclosures for noncriminal purposes such as civil law suits and those for criminal investigations and prosecutions of patients as well as for investigations or prosecutions of Part 2 programs or employees including the use of undercover agents. Under 42 CFR 2.64, the criteria for entry of an order authorizing disclosure for a noncriminal matter require a finding of “good cause” with determinations (1) that other ways of obtaining the information are not available or would not be effective and (2) that the public interest and need for the disclosure outweigh the potential injury to the patient, the physician-patient relationship and the treatment services. In connection with disclosures for criminal matters, the criteria in 42 CFR 2.65 are more extensive and “all” must be met. The threshold is that the crime involved is extremely serious, such as one which causes or directly threatens loss of life or serious bodily injury including homicide, rape, kidnapping, armed robbery, assault with a deadly weapon, and child abuse and neglect. Next, there must be a reasonable likelihood that the records will disclose information of substantial value in the investigation or prosecution along with a demonstration that other ways of obtaining the information are not available or would not be effective. As part of the evaluation, the court must determine that the potential injury to the patient, to the physician-patient relationship and to the ability of the Part 2 program to provide services to other patients is outweighed by the public interest and the need for the disclosure. Lastly, if the applicant is a law enforcement agency or official, the person holding the records has been afforded the opportunity to be represented by independent counsel; and any person holding the records which is an entity within federal, state, or local government has in fact been represented by counsel independent of the applicant.

In connection with any contemplated disclosure, there are several questions to be posed which include at least the following. Can or should patient authorization be obtained? Is there an exception for disclosure without patient authorization? Is the recipient to whom the disclosure is to be made pursuant to an exception authorized under the regulations to receive the information?

American society has long placed significant value on a private sphere protected from intrusion. In addition, bioethical principles of nonmalefience — the doing of no harm — and respect for persons call for safeguarding personal privacy and placing importance on individual autonomy. In follow-up at another time or in another place, musings on whether or not privacy and confidentiality really exist in this era might be appropriate.

Breach of Medical Confidentiality and Privacy Claims

On July 12, 2017, the New Jersey Appellate Division issued an opinion in the case of Smith v. Datla, which involved the question of how much time a party has to file a lawsuit arising out of the unauthorized disclosure of private medical information. The court ruled that the appropriate statute of limitations period was two years.  In the opinion the court reiterated New Jersey’s adherence to the widely held rule that there is no private right of action under the Federal HIPAA rule but clarified that conduct that violates HIPAA regulatory provisions provides a state law claim for disclosure of the patient’s protected health information. While the decision is currently binding precedent in New Jersey, it could be appealed to the New Jersey Supreme Court for further review.

The appeal was presented on a somewhat limited factual record.  The plaintiff, identified by the pseudonym of John Smith, was a hospitalized patient.  The physician, a board-certified nephrologist, was treating the patient for acute kidney failure.  During an emergency bedside consultation with John Smith in his private hospital room, the doctor discussed his medical condition including the patient’s HIV-positive status.  It is not clear if this was an established diagnosis or newly conveyed information. The conversation took place while “an unidentified third party” was in the room.  In a footnote the court stated that “[t]he record does not reveal the third party’s identity nor his or her relationship to plaintiff.” Plaintiff claimed that the HIV disclosure was without his consent. The plaintiff further claimed that the disclosure caused him to endure pain and suffering, emotional distress, other emotional injuries and insult, and permanent injury with physiological consequences.

That third-party’s identity and relationship to the patient may become an important factor in the eventual outcome of this case.  The HIPAA Privacy Rule specifically permits covered entities to share information that is directly relevant to the involvement of a spouse, family members, friends, or other persons identified by a patient, in the patient’s care or payment for health care. If the patient is present, or is otherwise available prior to the disclosure, and has the capacity to make health care decisions, the covered entity may discuss this information with the family and these other persons if the patient agrees or, when given the opportunity, does not object. The covered entity may also share relevant information with the family and these other persons if it can reasonably infer, based on professional judgment that the patient does not object.

On an admittedly “limited record,” the court evaluated the consequences of this disclosure which took place on July 25, 2013 and with the lawsuit being filed on July 1, 2015.

Ultimately, following motion practice, the plaintiff’s amended complaint asserted three causes of action: (1) invasion of privacy based on public disclosure of private facts; (2) medical malpractice based on the improper disclosure; and (3) violation of the AIDS Assistance Act, N.J.S.A. 26:5C-1 to -14.

Defendant filed a new motion to dismiss on the grounds that all three claims were barred by the one-year statute of limitations found in N.J.S.A. 2A:14-3 where the complaint had been filed nearly two years after the incident.  Arguing that all three claims were predicated on the public disclosure of private facts, defendant contended that they should be subject to the same statute of limitations.  Defendant noted that there was no specific statute of limitations for the public disclosure of private facts, but analogized that type of invasion of privacy claim to claims for placing plaintiff in a false light in the public eye and defamation.  This motion was denied by the trial court with leave to appeal granted.

The Appellate Division engaged in an extended analysis leading to the rejection of defendant’s contention.  It invoked the classic comments of Professor William Prosser regarding invasion of privacy being “not one tort, but a complex of four.”

The law of privacy comprises four distinct kinds of invasion of four different interests of the plaintiff, which are tied together by the common name, but otherwise have almost nothing in common except that each represents an interference with the right of the plaintiff to “be left alone.” [Quoting William L. Prosser, The Law of Torts § 112 (3d ed. 1964).]

The four braches of Prosser’s taxonomy of the privacy tort included (1) intrusion, (2) public disclosure of private facts, (3) placing a person in a false light in the public eye, and (4) appropriation of the plaintiff’s name or likeness for the defendant’s benefit.  The court observed that the limitations period for the public disclosure of private facts was an “unresolved issue” in New Jersey.  In Rumbauskas v. Cantor, 138 N.J. 173 (1994), the Supreme Court had held that the limitations period for the intrusion on seclusion type of privacy tort was two years and approved the use of a six-year period for actions based on appropriation of a person’s name or likeness for the benefit of the defendant. In commenting on varying limitations periods for the different types of privacy torts, it had stated:

The limitation periods applicable to actions involving other types of invasion of privacy are not before us. … Regarding actions for public disclosure of private facts or placing one in a false light, case law in other jurisdictions indicates that such actions are subject to the limitations period for defamation claims, which is one year in New Jersey. [Id. at 183.]

 In rejecting the defense contention in Smith v. Datla for use of the one-year limitations period for public disclosure of private facts, the key factor in the court’s analysis is that the essential element of a defamation action is the dissemination of false information.  Here the private facts that were disclosed were true.  The court emphasized the heightened protection afforded to a person’s HIV and AIDS status in various contexts including the New Jersey Law Against Discrimination (LAD), the New Jersey Civil Rights Act, and actions under Section 1983 for deprivation of federally protected civil rights.  All of these claims were subject to a two-statute of limitations.

This heightened protection was also embodied in the AIDS’ Assistance Act which required that records regarding this infection were to be kept confidential and disclosed only with a person’s “prior written informed consent” in limited circumstances.  The Act provided for a private cause of action including compensatory and punitive damages as well as attorneys’ fees.  The Act did not set forth a particular statute of limitations but the court concluded that this statutory-based action was analogous to the public disclosure of private facts tort for which it had determined there was a two-year statute of limitations.

The court went through a similar analysis with regard to the medical malpractice claim.  Describing such a claim generally as a deviation from an accepted standard of care, it referred to the HIPAA requirements that health care providers protect personal medical information from unauthorized disclosure as well as the mandate of the AIDS’ Assistance Act.  Aside from these statutorily-based obligations, the court referred to “the common law duty “to maintain the confidentiality of patient records and information.”  It cited several prior cases involving breaches of physician-patient confidentiality.  Curiously, the court did not refer to Crescenzo v. Crane, 350 N.J. Super. 531, 541-44 (App. Div.), certif. denied, 174 N.J. 364 (2002) which had involved a physician releasing patient records to a lawyer in response to an improperly issued subpoena.  In concluding that there was “a viable cause of action” against the physician, the Crescenzo court had referred to the Board of Medical Examiners’ regulations mandating confidentiality of patient records.

In concluding that this claim also was within the two-year statute of limitations in N.J.S.A. 2A:14-2, the court stated:

The breach of a physician’s duty to maintain the confidentiality of his patient’s medical records is a deviation from the standard of care, giving rise to a personal injury claim based upon negligence, not defamation or placing plaintiff in a false light.

 In addition, plaintiff’s claim for medical malpractice is most analogous to the category of invasion of privacy claims that are grounded on an allegation that defendant improperly disclosed private facts concerning the plaintiff to a third party.

 The court affirmed the denial of the motion to dismiss.

The Appellate Division in its comprehensive opinion nonetheless placed too much emphasis on the categorization of the privacy tort as articulated by Professor Prosser. Prosser’s contributions to the development of tort law regarding privacy are widely acknowledged.  However, his “taxonomy” of the privacy tort has been criticized as too restrictive and omitting other important interests.  Neil M. Richards & Daniel J. Solove, Prosser’s Privacy Law: A Mixed Legacy, 98 Calif. L. Rev. 1887, 1891 (2010).  One of these omissions is the tort of breach of confidence.  “This tort provides a remedy whenever a person owes a duty of confidentiality to another and breaches that duty.” Id. at 1909. See generally Daniel J. Solove & Neil M. Richards, Privacy’s Other Path: Recovering the Law of Confidentiality, 96 Geo. L.J. 123 (2007).  This tort is well recognized in a variety of professional settings.

At the end of the day, this case is a further illustration of the importance of sensitivity to a patient’s right of privacy.  It is difficult to accept that the defendant was informing the patient for the first time that he had AIDS and presumably the patient was already aware of that diagnosis as a backdrop for the discussion of his current condition. A brief time-out in which the physician either asked the third party to leave the room or during which the patient was asked if he wanted that person to remain during the discussion could have avoided this litigation.

The Spectre of Strict Liability For An Employee’s HIPAA Breach

On May 7, 2015, the Supreme Court of Indiana denied any further review in the matter of Walgreen Company v. Hinchy  This denial of review leaves standing the opinion of the intermediate Court of Appeals that had upheld a $1.44 million verdict against Walgreen Company for a breach of confidentiality by an employed pharmacist. Walgreen Co. v. Hinchy, 21 N.E.3d 99 (Ind. Ct. App. 2014), 29 N.E.3d 748 (Ind. Ct. App.), transfer denied, 2015 Ind. LEXIS 374 (Ind. 2015).

The pharmacist had accessed the prescription records of a woman customer who had been romantically involved with the pharmacist’s boyfriend and eventual husband and divulged information she obtained to him.   The disclosed information related to birth control prescriptions and sexually transmitted diseases and was used by the boyfriend in an attempt to have the woman relent on her paternity claims against him.  All of this came to the knowledge of the woman’s family and friends.

Hinchy is notable not only for the size of the verdict but also as another instance of the expanding number of cases finding a state-law cause of action for a HIPAA breach.  This issue has previously been identified in this blog.

But the decision is more noteworthy in its imposition of vicarious liability on the employer.  The Indiana Court of Appeals rejected out of hand the Walgreen position that the pharmacist had acted on her own and outside the scope of her employment as a pharmacist.  It did not matter to the court that Walgreen had in place policies restricting the use and disclosure of HIPAA PHI and a computer audit trail that identified the pharmacist’s accessing of the records and confirmed the breach.   Walgreen also had a training program for employees to encourage adherence to the policies regarding non-disclosure of patient confidential information.  Before jury selection, the trial judge had granted partial summary judgment in favor of Walgreen on an allegation of negligent training.   While the trial judge had denied the part of that motion challenging negligent supervision of the pharmacist by Walgreen, the Court of Appeals stated that it was not considering the supervision claim at all and that its determination of liability was based solely on respondeat superior.  It approved of the following jury instruction:

An employer is liable for the wrongful acts of its employee which are committed within the scope of employment.

An act is within the scope of employment if it is incidental to the employee’s job duties, that is to say, the employee’s wrongful act originated in activities closely associated with her job.

In deciding whether an employee’s wrongful act was incidental to her job duties or originated in activities closely associated with her job, you may consider:

1. whether the wrongful act was of the same general nature as her authorized job duties;

2. whether the wrongful act is intermingled with authorized job duties; and

3. whether the employment provided the opportunity or the means by which to commit the wrongful act.

Contrary to Hinchy is the outcome and analysis in Bagent v. Blessing Care Corp., 862 N.E.2d 985 (Ill. 2007), in which a hospital-employed phlebotomist received a fax from a facility that performed laboratory tests for the hospital at which she was employed.  The fax had the results of a pregnancy test for the plaintiff indicating that she was pregnant.  A few days later the phlebotomist was at a tavern with friends when she saw the plaintiff’s sister and asked how the sister was doing with the pregnancy assuming she knew of it.  She did not.  The Illinois Supreme Court ruled that this conduct was outside the scope of the phlebotomist’s employment.

The established doctrine of respondeat superior provides that an employer faces liability to persons harmed by employees acting in the course of their employment.  Generally, a master is not subject to liability for the torts of his or her servants acting outside the scope of their employment, unless: (a) the master intended the conduct or the consequences, or (b) the master was negligent or reckless, or (c) the conduct violated a non-delegable duty of the master, or (d) the servant purported to act or to speak on behalf of the principal and there was reliance upon apparent authority, or he or she was aided in accomplishing the tort by the existence of the agency relation. More particularly, intentional torts and crimes rarely fall within the scope of employment because an employer is not responsible for acts that are clearly inappropriate or unforeseeable in carrying out authorized tasks.  In Davis v. Devereux, 209 N.J. 269 (2010), the Supreme Court conducted an extensive review of the principles of respondeat superior with particular reference to the scope of employment issues.  In Davis as it had on several occasions, the Court noted that the determination of whether or not a particular act is within or outside the scope of employment involves a fact-specific inquiry.  That will be quite true in connection with allegations of tortious HIPAA breaches.

The Court in Davis also looked at the exception to employer vicarious liability based on a non-delegable duty.  Although the non-delegable duty doctrine has been used in a healthcare context, see Marek v. Professional Health Services, Inc., 179 N.J. Super. 433, 441-42 (App. Div. 1981), the Court underscored its reluctance to impose liability on the basis of this concept.  It results in liability regardless of whether the employer acted with care in hiring and training an employee and regardless of whether the employee acted within the scope of his or her employment.  Although the Indiana Court of Appeal did not use the terminology of “non-delegable duty,” its holding is consistent with that analysis.  Finding of a non-delegable duty in connection with HIPAA medical privacy issues will open expansive tort liability for employers.  There are a number of instances in which creative plaintiff’s attorneys have attempted to construct liability claims based on an asserted “non-delegable duty” arising out of Federal regulations.  This is something to watch out for in connection with HIPAA breach torts.  As illustrated in a number of recent state cases, including more recently Hinchy, while the source of a duty may be state law which provides the private cause of action, the standard of care is derived from the Federal regulation.  It is indeed something to watch out for.

ePHI Data Breach and the Consumer Fraud Act

The important protection against data breach liability by encrypting ePHI has been pointed out a number of times on this blog. Although not required by HIPAA or HITECH security rules, encryption is a practical solution to a potentially big problem. Indeed, the Office of Civil Rights has commented in the past that “[e]ncryption is an easy method for making lost information unusable, unreadable and undecipherable.” While not required, encryption is an “addressable” implementation that nonetheless becomes effectively required under the “reasonable and appropriate” standard of review applied to the retrospective evaluation of security measures utilized in data breach circumstances. The burden is on the covered entity to show that it was unreasonable and inappropriate to have used encryption.

In any event, the persuasiveness of the argument for encryption as a matter of routine was strengthened on January 9, 2015 when Governor Christie signed Senate Bill 562 into law as P.L. 2014, c. 88.

This is an amendment to the New Jersey Consumer Fraud Act that will be codified at N.J.S.A. 56:8-196 to 56:8-198. The new legislation has an effective date of August 1, 2015.

It uses the definition of individually identifiable health information found in the HIPAA Privacy Rule and incorporates it into a broader category of “personal information.” N.J.S.A. 56:8-196. As of its effective date the statute mandates that a health insurance carrier shall not compile or maintain computerized records with personal information “unless that information is secured by encryption or by any other method of technology rendering the information unreadable, undecipherable, or otherwise unusable by an unauthorized person.” N.J.S.A. 56:8-197. It explicitly provides that “more than the use of a password protection” is required if the password program only prevents general unauthorized access and does not render the information “unreadable, undecipherable, or otherwise unusable.”   These requirements are directly at computer sytems broadly, including desktop computers, laptops, tablets or other mobile devices, or removable media.

New Jersey is the second state to impose explicit encryption requirements on personal information in a computerized form. Massachusetts had taken the first step with regulations effective in 2010 that had been promulgated pursuant to its anti-identity theft legislation. See generally 201 Mass. Code Regs. 17.04. The New Jersey restrictions currently apply only to health insurance carriers and do not extend to health care providers. This is consistent with the long-standing general proposition that the New Jersey Consumer Fraud Act does not apply to licensed professionals such as physicians or hospitals who are subject to comprehensive regulations by their own regulatory bodies. See, e.g., Macedo v. Dello Russo, 178 N.J. 340, 344-46, 840 A.2d 238, 240-42 (2004); Hampton Hosp. v. Bresan, 288 N.J. Super. 372, 381-83, 672 A.2d 725, 730-31 (App. Div.), certif. denied, 144 N.J. 588, 677 A.2d 760 (1996). But the statute certainly may be viewed as an expression of best practices if not an emerging standard of care.

Pursuant to N.J.S.A. 56:8-198 violations of the computer encryption statute are declared to be “an unlawful practice” subjecting violators to consequences under the Consumer Fraud Act. These include penalties of up to $10,000 for the first violation and up to $20,000 for the second and any subsequent violation. The Attorney General can bring an action for a cease and desist order and the court can order restitution. Lastly, an individual consumer who can demonstrate an ascertainable loss and a causal nexus between the alleged act of consumer fraud and the damages sustained can bring a private action for treble damages and attorney’s fees.

Federal HIPAA Privacy Rule Provides Standard of Care for State Common Law Breach of Medical Confidentiality And Potentially for Class Action Claims of Data Breach

In an opinion filed November 11, 2014, the Supreme Court of Connecticut held that to the extent that state law recognized a cause of action for breach of a health care provider’s duty of confidentiality in responding to a subpoena issued in connection with private litigation involving the patient, such a cause of action was not preempted by the provisions of the HIPAA Privacy Rule.  The HIPAA regulations, however, could inform the standard of care applicable to such a claim.  The Supreme Court reversed the dismissal of the negligence counts alleging breach of confidentiality and remanded the matter for further proceedings.  Byrne v. Avery Center for Obstetrics and Gynecology, P.C., 2014 WL 5507439 (Conn. 2014).

The plaintiff in Byrne had been a patient of the OB-GYN group and had received a copy of its Notice of Privacy Practices which included a representation regarding non-disclosure of protected health information without her authorization.  The patient had been in a relationship with one Andro Mendoza which ended.  She directed the OB-GYN group to not release any of her information to Mr. Mendoza.  The man filed paternity actions and issued a subpoena to the OB-GYN group for medical records.  The OB-GYN group did not alert the patient to receipt of the subpoena or move to quash it or appear in court in response.  Rather, it mailed a copy of the patient’s medical file to the court.  The records were not placed under seal but were made available to Mendoza for review.  The plaintiff alleged that she had been harassed by Mendoza and received extortionate threats from him following his accessing her medical records.

On motions for summary judgment, the trial court had concluded that there was no private right of action under HIPAA and that the Federal regulations preempted any basis for action in the state court.  In its opinion, the Connecticut Supreme Court acknowledged the now well established proposition that HIPAA did not provide for a private right of action and indeed the concession in this regard by plaintiff.  However, it emphasized that the cause of action was not based on HIPAA but would use the HIPAA regulations as evidence of the proper standard of care.  “[T]o the extent it has become the common practice for Connecticut health care providers to follow the procedures required under HIPAA in rendering services to their patients, HIPAA and its implementing regulations may be utilized to inform the standard of care applicable to such claims arising from allegations of negligence in the disclosure of patients’ medical records pursuant to a subpoena.”  The court concluded that common-law negligence actions, with HIPAA informing the standard of care, did not obstruct, preclude, conflict with, or complicate health care providers’ compliance with HIPAA for preemption purposes. On the contrary, it stated:  “[N]egligence claims in state courts support ‘at least one of HIPAA’s goals by establishing another disincentive to wrongfully disclose a patient’s health care record.’” (Quoting Yath v. Fairview Clinics, N.P., 767 N.W.2d 34, 50 (Minn. App. 2009).

In a pre-HIPAA opinion by Judge Philip Carchman, the New Jersey Appellate Division identified a cause of action in tort under state law for improper disclosure of medical records in response to a subpoena where there had not been compliance with the procedural requirements for the subpoena and, as in Byrne, the health care provider had simply mailed the requested records – although directly to the attorney issuing the subpoena.  Cresceno v. Crane, 350 N.J. Super. 531 (App. Div.), certif. denied, 174 N.J. 364 (2002).  There is no published opinion from a New Jersey court that directly addresses this issue in light of HIPAA.  In Smith v. American Home Products, 372 N.J. Super. 105 (Law Div. 2003), Judge Marina Corodemus rejected a contention by plaintiffs that the HIPAA regulations preempted the informal discovery procedures permitted by state law but acknowledged certain additional procedural safeguards to be HIPAA-compliant.

In a posting in July of this year, we had noted the developing groundswell of decisions utilizing HIPAA violations as a basis for a cause of action arising under state law.  The Connecticut decision joins a number of jurisdictions that now include decisions from the highest court in North Carolina (Acosta v. Byrum, 638 S.E.2d 246 (N.C. 2006)) and West Virginia (R.K. v. St. Mary’s Medical Center, 735 S.E.2d 715 (W.Va. 2012), cert. denied, 133 S.Ct. 1738 (2013)); as well as lower court decisions in Missouri, Minnesota, and Tennessee.  These lower court decisions are collected in the R.K. opinion.

Building on the R.K. precedent and the use of HIPAA as a standard of care for breach of medical confidentiality, West Virginia had expanded the existence of that cause of action into a basis for a data breach class action in its opinion in Tabata v. Charleston Area Medical Center, 759 S.E.2d 459 (W.Va. 2014), which was featured in our July blog posting.  The court found that this was sufficient “injury in fact” to sustain the putative class claim.  Two recent Illinois decisions reached the seemingly opposite conclusion in HIPAA data breach claims arising – once again – out of the loss of unencrypted laptop computers.  In Vides v. Advocate Health & Hospitals, Case No. 13-CH-2701 (Ill. Lake County Cir. Ct. May 27, 2014), and in Maglio v. Advocate Health & Hospitals, Gen. No. 13 L 538 (Ill. Kane County Cir. Ct. July 10, 2014) the court granted motions to dismiss a putative class action arising out of a data breach, holding that the recent United States Supreme Court decision in Clapper v. Amnesty Int’l, Inc., 133 S.Ct. 1138 (2013), compelled “rejection of Plaintiffs’ argument that an increased risk of identity theft is sufficient to satisfy the injury-in-fact requirement for standing.”  The potential for future injury was deemed too speculative to sustain the cause of action.  The Illinois decisions are in line with the overall consensus regarding data breach cases that putative class members lack standing where there is only a possible future risk of harm and cannot show an injury-in-fact.  It remains to be seen if the notion of the more focused concept of breach of medical confidentiality as injury will be widely accepted as conferring standing and liability on a class basis for a HIPAA breach.

Termination of the Designation of Trial Counsel for Medical Malpractice Defendants: Presumptive But Not Automatic

The highly respected and distinguished judge Wilfred H. Jayne made the following observation in Amo v. Genovese, 17 N.J. Super. 109, 85 A.2d 529 (App. Div. 1951), certif. denied, 9 N.J. 181, 87 A.2d 576 (1952):  “It is exceedingly desirable, if not imperative, that in the disposition of the modern quantity of litigation, expedition must supplant languor, but never at the expense of justice.”  With the issuance of its 2014 Omnibus Rules Amendment Order at the end of July, the New Jersey Supreme Court found a way to balance the clamor for administrative efficiency and calendar control regarding medical malpractice litigation with the administration of justice in individual cases.

The Court adopted a modification of the recommendation made by its Civil Practice Committee for an amendment to Rule 4:25-4.  Since 1964 the Rules of Court have provided that a party in a civil lawsuit may notify the court that a particular lawyer is designated to try the case.  If there is no attorney designated as trial counsel in accordance with the Rule, then the court and opposing counsel have the right to expect any partner or associate to proceed with the trial when the case is reached on the trial calendar.  By its terms, the Rule applies to counsel for plaintiffs and for defendants.  A subcommittee of the Civil Practice Committee reviewed data concerning significant backlogs in the disposition of medical malpractice cases and find that on average such case took almost four years to reach a trial date and such cases had the highest frequency of trial date adjournments.  The Report asserted that trials were “routinely adjourned” on the basis of the unavailability of designated trial counsel and noted that there were a “limited number of defense counsel permitted to try these cases.”  After due consideration, the Civil Practice Committee proposed an amendment that continued the designation of trial counsel procedure but revising the Rule so that such designation “shall expire” in all medical malpractice cases “pending for more than three years.”  The Committee’s Report adopted the subcommittee’s proposal for “the automatic expiration” of the designation of trial counsel.  It recommended that the amendment not go into effect until January 1, 2015 to allow time to accommodate the impact on already existing cases.  No type of case other than medical malpractice matters would be affected by the proposed amendment to terminate trial counsel designation.

The Supreme Court received comments from various bar organizations, some law firms, and stakeholders such as the Medical Society of New Jersey.  While the Supreme Court accepted the deferred effective date rather than using the September 1, 2014 date for most of the approximately 50 rule amendments in the Omnibus Order, it changed the language of the amendment to R.4:25-4.  As implemented by the Supreme Court, designation of trial counsel “shall presumptively expire” in medical malpractice cases that have been pending for more than three years.  The changed language sets an expectation regarding the ready status of a case but continues to repose in the bench – whether the presiding judge for the county or the actual trial judge – the need for the exercise of judicial discretion.

The defense of physicians in medical malpractice claims frequently present issues that will require the careful exercise of this discretion.  While meritorious claims are advanced against physicians, there are many cases that are either without merit or that present substantial defenses and answers to the asserted wrongdoing and liability.  But the only way for a physician sued for malpractice to avoid permanent harm to a professional career and reputation is to litigate the lawsuit to a successful conclusion.

Physicians must report to both the Federal Government’s National Practitioner Data Bank (NPDB) and the State Medical Practitioner Review Panel any settlements of malpractice suits filed against them as well as the entry of judgments against them resulting from a malpractice lawsuit.  Such collateral consequences of being sued and having a resulting judgment or settlement in tort cases are virtually unique to health care providers.  This reporting alone has a significant adverse impact on a physician’s professional career and reputation. Reports to the NPDB are accessed by health plans and insurance carriers; hospitals; nursing homes; and other healthcare entities.  Based on the information reported health plans may terminate participation agreements; hospitals may undertake a review of the circumstances of the settlement and take negative actions; privileging and credentialing may be negatively impacted; healthcare entities may revoke privileges or use the settlement as a basis not to privilege or employ the physician in the future.  Reports to the State Medical Practitioner Review Panel may result in investigations or disciplinary proceedings that could jeopardize one’s license but in any event will cause a disruption in one’s practice and life.  The compulsory change of defense lawyers from a previously designated trial counsel can result in a switch from a lawyer familiar with the matter to one who comes to the case late with the risk of lesser preparation and insight.  This heightens the potential for an adverse outcome in a case that could be won and increases the pressure to accept a settlement in a matter that should be taken to verdict.  Even the settlement of a case without merit must be reported by physicians. In fact, the only way for a physician to avoid harm to his/her professional career and reputation is to litigate to a successful conclusion.

In many instances physicians can and do choose an individual attorney, not a firm or the defense bar, to represent them in malpractice cases. The choice is frequently personal and is based on trust in that individual’s skill to bring the matter to a successful conclusion. The choice may be based on prior experience with the attorney, the recommendation of a trusted colleague, or the attorney’s successful record with similar cases. The bond between the physician-client and attorney grows throughout discovery and preparation for the trial. The physician-client puts his professional career and reputation in the hands of the designated trial attorney the same way a patient puts his health in the hands of a surgeon.  Thus, two important bonds are at risk here: the physician-patient relationship which is the subject of the litigation, and the attorney-client relationship which is crucial in the eyes of the physician to ensure that he/she has the counsel who has prepared the case and who will handle the trial to its conclusion.  In its case law the New Jersey Supreme Court frowned on “ghost surgery” where another surgeon was substituted for the individual who had been engaged and expected to do the operation.  A similar dynamic is presented by an automatic waiver of designated trial counsel status.

In addition to the trust that the physician has placed in his/her trial attorney, that attorney is best prepared to try the case. The attorney will know facts and medical and legal issues better than another attorney who is brought in simply to move the calendar. In fact, the designated trial attorney may be able to move the case more quickly, once the trial has started, than a newly designated one.

The need to move the calendar and to bring malpractice cases to a timely resolution is a mutually shared objective of all parties to the litigation. The pendency of a lawsuit has negative ramifications for all parties involved.  The toll of protracted litigation is significant in terms of the time required to defend and the emotional strain when a patient has suffered a bad outcome and believes that the physician did not exercise the appropriate standard of care. However, the need for trials to commence in an appropriate amount of time and the physician’s right to proceed at trial with his/her choice of counsel must be balanced against each other and assessed in light of reasons for delay.

The “presumptive” waiver of designated counsel after three years should not become “automatic” without taking into consideration the reasons that counsel is unavailable or whether counsel was available prior to reaching the three-year benchmark.  Judges should have discretion to consider all the reasons for delay, including the late identification of additional defendants and the need for additional discovery extending the time to get trial-ready as well as the continuing impact of prolonged judicial vacancies, on the trial schedule. Judges must have the discretion to weigh the potential harm to a physician of going to trial with a new attorney against the need to move the calendar.

It is the duty of the court to consider and determine issues before it so that the rights of the parties may be fairly protected in an orderly manner. It is as much an abuse of judicial discretion in refusing to exercise such discretion when warranted by the facts before the court, as it is to exercise that discretion improperly by means of a decision that is clearly erroneous on the facts or under the law.  But whether “presumptively” becomes “automatically” and the discretion is exercised in favor of mandatory waiver remains to be tested in the crucible of the trial calendar call.

Data Breach Characterized Instead As Violation of Medical Confidentiality and Privacy Provides Basis for Class Action

In a posting on this blog earlier in April of this year, we commented on the approval of a class action settlement in a matter in the United States District Court for Southern Florida arising out of the loss of laptops with unencrypted protected health information but without any demonstration of actual injury in the form of identity theft.  That outcome seemed contrary to the major trend in data breach cases, including the then fairly recent decision in Polanco v. Omnicell, Inc., 2013 WL 6823265 (D.N.J. Dec. 26, 2013).  The Florida Federal case had been grounded in state law and not HIPAA or HITECH.  But there may be a groundswell developing that may signal a likely increase in class action viability based on security breaches and medical data.

In Tabata v. Charleston Area Medical Center, 2014 WL 2430061 (W.Va. May 28, 2014), the highest court in West Virginia ruled that the plaintiffs had standing and met the requirements for class certification.  More than 3,000 patients of the MedicalCenter had their personal and medical information placed on the internet for an approximate six-month period so that it was exposed to view “if someone were to conduct an advanced internet search.”   In connection with the eventual breach notification to patients required by HIPAA/HITECH, all patients were offered a year’s worth of credit monitoring at the Medical Center’s cost.

Five of the patients filed a complaint alleging causes of action under West Virginia law for breach of a duty of confidentiality, violation of privacy, and negligence.  Plaintiffs filed a motion for class certification.  Discovery conducted to that point had not identified any instance of unauthorized users actually accessing or making any harmful use of the plaintiffs’ data or an instance of identity theft or any economic losses.  The trial court denied class certification finding that the burden of establishing commonality, typicality, and predominance of common issues of law or fact had not been met.  It also found that the plaintiffs lacked standing to bring the claims “because they have failed to show that they have suffered a concrete and particularized injury that is not hypothetical or conjectural.”

On appeal, the West Virginia Supreme Court of Appeals agreed with the lower court that the risk of future identity alone did not constitute an injury in fact for purposes of standing.  However, it noted that the complaint also asserted causes of action for breach of physician-patient confidentiality and invasion of privacy and that it was well established in West Virginia law that a patient had a cause of action against a physician who wrongfully disclosed confidential health information.  In a 2012 decision, the court had held that these common law torts were not preempted by HIPAA.

The court concluded that as patients of the MedicalCenter, plaintiffs had “a legal interest in having their medical information kept confidential,” that “this legal interest is concrete, particularized, and actual,” and that “when a medical professional wrongfully violates this right, it is an invasion of the patient’s legally protected interest.”  All of this was sufficient to give plaintiffs standing to bring a cause of action for breach of confidentiality.  It reached a similar conclusion with regard to the cause of action for invasion of privacy and went on to find the prerequisites for class certification were also present.

A brief dissent was filed by a single justice, stating that “[t]his case is a typical example of a frivolous class-action lawsuit.”  Invoking the proposition of “no harm, no foul,” he would have held that plaintiffs lacked standing and prognosticated that after “massive amounts of attorneys fees” were incurred by defendant conducting discovery of the several thousand unnamed plaintiff, there would still be no injury identified.  The trial court would then decertify the class and dismiss the matter.

Although it is widely accepted that neither HIPAA nor the expansion with HITECH and the 2013 Omnibus Rule provide for a private cause of action, the HIPAA/HITECH provisions can be used to provide a standard of care and concomitant legal duty regarding protection of health information from wrongful disclosure.  This has been quietly developing since at least 2006 when the appellate court in Acosta v. Byrum, 638 S.E.2d 246 (N.C. App. 2006) looked to HIPAA as “evidence of the appropriate standard of care, a necessary element of negligence.”  See generally Renewed Concerned for Tort Actions Based on HIPAA, 1 MDAdvisor 14 (January 2008).  Certainly the expanded liability of Business Associates as a result of HITECH presents an increased scope of exposure for breaches of patient confidentiality and an enlarged list of defendants for a class action claim.  This is a trend to keep an eye on.

DOJ Intervenes In False Claims Act Case and Alleges Violation for Failure to Return Medicaid Overpayment Within 60 Days of “Identification”

The need to investigate and “identify” potential Medicare and Medicaid overpayments promptly and diligently after they have come to the attention of hospitals and health care providers was underscored by recent action of the Department of Justice (DOJ). On June 27, 2014, DOJ intervened in a qui tam whistleblower lawsuit pending in the United States District Court for the Southern District of New York. It joined in claims under the federal False Claims Act against New York City’s Continuum Health Partners and its constituent hospitals based on the defendants’ failure to return Medicaid overpayments within sixty (60) days of identifying them, as required by § 6402(d) of the Affordable Care Act (ACA). United States ex rel. Kane v. Continuum Health Partners, Inc., et al, (Civil Action No. 11-2325 (ER)) (Complaint in Intervention filed June 27, 2014). These allegations are based solely on the fact that repayment did not occur within the 60-day timeframe required by the ACA and were brought despite defendants’ repayment of all amounts in dispute.

 The qui tam lawsuit that had been filed under seal in the Federal Court for the Southern District of New York included claims against the Healthfirst MCO, its affiliate entities, a large number of New York hospitals and also 20 New Jersey hospitals.  On June 26, 2014 the United States Attorney for the Southern District of New York and the New York Attorney General intervened in part of the case involving New York hospitals.  That same day, the qui tam Amended Complaint was unsealed.  It includes allegations that the 20 New Jersey hospitals had also erroneously billed Medicaid and attempted to unlawfully retain the overpayments in an aggregate amount of approximately $125 million.  In the Third Count, the qui tam Plaintiff asserts claims against the New Jersey hospitals under the New Jersey False Claims Act, N.J.S.A. 2A:32C(g), based on the hospitals’ alleged knowing failure to report and return the overpayments.  The State of New Jersey has not yet indicated whether it will intervene or not.

 Section 6402(d) of the ACA requires any “overpayment” to be reported, explained and returned within 60 days after the date on which it is identified or any corresponding cost report was due, as applicable. 42 U.S.C. § 1320a-7k(d). An “overpayment” is defined as “any funds that a person receives or retains under… [Medicare or Medicaid] to which the person, after applicable reconciliation, is not entitled under such title.” 42 U.S.C. § 1320a-7k(d)(4)(B).  Although to date CMS has not issued expected final regulatory guidance, the statutory text indicates that any overpayment retained past this deadline can lead to liability under the False Claims Act (FCA) in the form of treble damages, civil monetary penalties between $5,000 to $11,000 per violation, attorney’s fees and/or exclusion from Medicare participation. 31 U.S.C. § 3729; 42 U.S.C. § 1320a-7.

 In Kane, the overpayments were not the fault of any of the providers involved, but rather the result of coding errors by Healthfirst, the MCO which contracted with the Continuum providers for services to New York Medicaid managed care enrollees. Starting around early 2009, these errors caused Healthfirst to erroneously authorize the hospitals to seek additional payments from secondary payers. As a result, Continuum impermissibly submitted claims to New York Medicaid on behalf of its constituent providers

 The complaint alleges that in September 2010, the State of New York identified a small number of claims submitted by Continuum on behalf of its hospitals as having been wrongly submitted to Medicaid as secondary payer. Less than six months later, according to the DOJ, an internal investigation at Continuum revealed that approximately 900 specific claims totaling over $1 million may have been submitted to, and paid by Medicaid as a secondary payer, in error. While Continuum eventually made final repayment of all amounts in issue, that process was not completed until March 2013 and only after the Government issued a Civil Investigative Demand concerning these payments in June 2012.

 The DOJ is seeking treble damages in an amount to be determined, penalties of $11,000 for each overpayment retained beyond the 60-day deadline created by the ACA, and costs of suit. This is believed to be the first instance where damages under the FCA are sought solely as a result of failing to comply with the ACA’s requirement that overpayments be returned within 60 days.

 When exactly each alleged overpayment was “identified” by the defendants will be a crucial issue in Kane. This ambiguity concerning the “identification” of overpayments under § 6402(d) has been the source of industry concern since the ACA’s enactment. In February 2012, the Centers for Medicare and Medicaid Services (CMS) issued a proposed rule addressing this, at least in part. See 77 Fed. Reg. 32, 9179-9187 (Feb. 16, 2012) (the “Proposed Rule”). In speaking to Medicare, (leaving “[o]ther stakeholders, including, without limitation… Medicaid MCOs … [to] be addressed at a later date”), CMS advocated a knowledge requirement similar to that which exists under the FCA, stating that an overpayment has been identified for purposes of the ACA when “the person has actual knowledge of the existence of the overpayment or acts in reckless disregard or deliberate indifference of the overpayment.” Id. at 9180, 9187 (proposed 42 C.F.R. § 401.305(a)(2)).

Concerning “identification,” of overpayments, the Proposed Rule states that a provider “may receive information concerning a potential overpayment that creates an obligation to make a reasonable inquiry to determine whether an overpayment exists.” Id. at 9182. Failure to make such a “reasonable inquiry” with “all deliberate speed after obtaining the information could result in the provider knowingly retaining an overpayment because it acted in reckless disregard or deliberate ignorance of whether or not it received such an overpayment.” Ibid.

Illustrative examples of wrongfully retained overpayments, apropos of Kane, provided in the Proposed Rule include instances where a provider “is informed by a government agency of an audit that discovered a potential overpayment, and… fails to make a reasonable inquiry.” Ibid. In CMS’s view, “[w]hen government agency informs a provider or supplier of a potential overpayment, the provider or supplier has an obligation to accept the finding or make a reasonable inquiry. If the provider’s or supplier’s inquiry verifies the audit results, then it has identified an overpayment and, assuming there is no applicable cost report, has 60 days to report and return the overpayment.” Ibid.

Though the Proposed Rule was never enacted, that is not of any significance in light of the plain language of the statute. Confirming this, CMS warned “all stakeholders that even without a final regulation they are subject to the statutory requirements found in… [Section  6402(d) of the ACA] and could face potential False Claims Act liability, Civil Monetary  Penalties Law liability, and exclusion from Federal health care programs for failure to report and return an overpayment.” Id. at 9180-81.

 By intervening in Kane, the DOJ has signaled its expansive view of what constitutes “identification” of these overpayments and its willingness to seek the draconian remedies permitted by the FCA.

The Potential Blinding Effect of the Physician Payments Sunshine Act

This past Monday June 30, 2014 was the deadline for submission to the Federal government of detailed data on payments from pharmaceutical and medical device manufacturers to physicians and teaching hospitals.  Designed to increase transparency of financial relationships between manufacturers and health care professionals and to thereby allow patients to make more informed decisions regarding their health and treatment choices, this area is rife with controversy.

Section 6002 of the Affordable Care Act – also known as the Physician Payment Sunshine Act – is codified as 42 U.S.C. § 1320a-7h.  Although a piece of the overall Obamacare legislation, the Sunshine Act has its origins and roots in the efforts of two United States Senators, Chuck Grassley (R-IA) and Herbert Kohl (D-WI), dating back to 2007.  The Sunshine Act mandates tracking and reporting of certain transfers of value from biologic, pharmaceutical, and device manufacturers to physicians and teaching hospitals as of August 1, 2013.  The Centers for Medicare and Medicaid Services (CMS) released the Final Regulations in February 2013 for what is now called the Open Payments Program.  See 78 Fed. Reg. 9458-9528.

The Sunshine Act appears in Title VI of the ACA with the categorization of Transparency and Program Integrity. It has a number of important defined terms. “Applicable manufacturers” is broadly defined in the ACA provisions and even more broadly defined in the applicable Open Payments regulations found at 42 CFR § 403.902 implementing the Sunshine Act.  It basically encompasses any manufacturer of a drug, biologic or medical device that is made or sold in the United States.  The “applicable manufacturers” are required to report “payments or transfers of value” to “covered recipients” which are defined as physicians or teaching hospitals. The latter are hospitals that received payment for Medicare direct graduate medical education (GME), inpatient prospective payment system (IPPS), indirect medical education (IME), or psychiatric hospital IME programs in the prior year.  The reporting requirement encompasses not only direct but also “indirect payments or transfer of value.”  However, there is a statutory minimum threshold of $10.00 (with an annual aggregate of $100.00) to trigger the reporting requirement.  This threshold amount will be adjusted based on changes in the annual Consumer Price Index.

The statute requires reporting on both the form of payment and the nature of payment for each payment or transfer of value made by an applicable manufacturer to a covered recipient. The statute provides a list of categories for both the form of payment and nature of payment and gives the Secretary discretion to add additional categories.  The Act has the following form of payment categories:

  • Cash or a cash equivalent.
  • In-kind items or services.
  • Stock, a stock option, or any other ownership interest, dividend, profit, or other return on investment.
  • Any other form of payment or other transfer of value.

The Act includes the following nature of payment categories:

  • Consulting fees.
  • Compensation for services other than consulting.
  • Honoraria.
  • Gift.
  • Entertainment.
  • Food.
  • Travel (including the specified destinations).
  • Education.
  • Research.
  • Charitable contribution.
  • Royalty or license.
  • Current or prospective ownership of investment interest.
  • Direct compensation for serving as faculty or as a speaker for a medical education program.
  • Grant.
  • Any other nature of the payment or other transfer of value.

The Open Payments regulations permit physicians and teaching hospitals to register so as to review, dispute and correct information provided by the applicable manufacturers.  There is no right to preview the information before it is submitted.  The time period for disputing data is a very limited 45 days.  CMS will begin publishing the reported data on a public website later in 2014.  The information to be available on the website is to consist of

  • the name and address of the physician and specialty
  • the amount and date of the payment
  • the form of the payment, such as cash or stocks
  • the nature of the payment, such as consulting fees, gifts, or entertainment expenses the name of the drug, device, biologic, or medical supply involved.

The American Medical Association has recommended that physicians register with CMS and utilize the right to access and review reports regarding payments to them and also prepare to be transparent with patients regarding financial interactions with industry.

The quest for transparency is fundamentally illusory.  At its essential core, there is an intrinsic conflict in any payment made for professional services.  If the payment is based on the number or extent of services provided, there is an incentive to overutilize and inflate the expense.  If the payment is simply based on the fact of a patient encounter, there is an incentive to undertreat so as to limit the cost to the provider.  This is the space where professionalism must come in to engender and hold patient trust.  But the potential corrupting influence of payments from manufacturers to health care providers is an unfortunately recurring issue.  At the same time there are many interactions between physicians and manufacturers of pharmaceutical products, medical devices or other medical supplies that benefit patients and advance medicine and the ability to optimize outcomes and health.  There are strong arguments to support compensating knowledgeable and well-credentialed physicians who serve as consultants.  The consequences of alternatives could be dire.  The Sunshine Act transparency reports present the prospect of information overload as well as the limits of actual access to an internet resource.  Moreover these reports can provide patients and public with information that likely will be subject to interpretation but also too frequently misinterpretation.  Thoughtful commentators such as Professors Kathleen Boozang and Carl Coleman of SetonHallLawSchool have suggested that disclosure will not resolve all of the ethical and practical problems presented by conflicts of interest arising from financial transactions between physicians and pharmaceutical or medical device manufacturers.

Indeed, payment disclosures present the real risk of a socially unworkable framework for healthcare in the long term.  Attention is diverted from the scientific merit of the information presented and focus instead is given to the identity and presumed motives of those presenting the information.  But the Sunshine Act is the law of the land.

A number of states, such as California, Colorado, Connecticut, Maine, Massachusetts, Minnesota, Nevada, Vermont and West Virginia, as well as the District of Columbia have had laws requiring pharmaceutical or medical device manufacturers to report certain types of payments.  Pursuant to 42 U.S.C. § 1320a-7h(d)(3)(A), the Sunshine Act will preempt state laws requiring disclosure or reporting of the type of information described in it but explicitly leaves state regulation of other types of information unaffected.  In December 2009, the New Jersey Attorney General had released a report from the Division of Consumer Affairs that set forth recommendations regarding the impact of potential conflicts of interest on patient care and new polices to be considered by the Board of Medical Examiners, the Board of Pharmacy, and the Department of Health and Senior Services.  No regulations, however, were promulgated in follow-up to that report.  Nonetheless, as of the 2011-12 timeframe the Board of Medical Examiners has included questions in its biennial license renewal process concerning payments from pharmaceutical manufacturers and device manufactures.  The threshold used has $5,000 in the course of a year.  In addition, in 2011 disciplinary action was taken against several physicians for failing to disclose to their institutions where clinical trials were being conducted that they had an ownership interest in the device manufacturer of the product being studied and in connection with the renewal of their licenses.

In connection with the announcement of the reprimands, the Attorney General had declared that “[t]he undisclosed conflicts of interest on the part of these doctors undercut public trust in the medical profession. The Board has acted to maintain the integrity and high ethical standards that the public rightfully expects from their doctors.”

The opening act for the 1969 Woodstock festival was Richie Havens.  The most famous performance in his career was his later rendition of “Here Comes the Sun.”   Having the lyrics in mind, we will see if smiles return to any faces.

Cesarean Section Rates: Standard of Care or Standard of Fear and the Potential Impact of the Affordable Care Act

A recent New York Times article reported the filing of a lawsuit on behalf of a Staten Island woman alleging a forced cesarean section.  This may provide an impetus to look – once again – at the high rate of cesarean section deliveries and perhaps take the initiative to bring about some reforms within the context of reimbursement policy and the Affordable Care Act.

The concerns regarding cesarean section rates involve both the initial or primary delivery of a woman’s baby and the handling of repeat pregnancies.   In particular, controversy persists regarding vaginal birth after cesareans, the so-called VBAC procedure.  For a number of years, the cesarean section rate in New   Jersey has been in excess of 30% and approaching 40%.   The rate for c-sections in repeat pregnancies where the primary delivery was by c-section may even be higher, and the common belief is that once a woman delivers by c-section, she is destined to deliver all subsequent children by the same method.  According to some scales, New Jersey has the second highest cesarean section rate in the United States.  A 2009 publication of the World Health Organization stated that the acceptable level of cesarean section births is “not more than 15%.”  The United States Public Health Service had a similar target figure in 1998.

The New York lawsuit presents a number of challenging issues involving patient autonomy, bioethical standards, and the balancing of the sometimes divergent interests of mother and unborn child.  A published opinion of the New Jersey Appellate Division in Draper v. Jasionowski, 372 N.J. Super. 368, 858 A.2d 1141 (2004), recognized a duty on the part of the obstetrician to not only the pregnant mother but to her unborn child in the context of informed consent and the possibility of a cesarean section as opposed to a vaginal birth.   As a result of the vaginal birth in that case, the child developed an Erb’s palsy and suffered hypoxia and brain damage.  In contrast, the patient in the New York case had previously given birth by cesarean section procedures but wished to have a vaginal delivery for this child.  She refused consent.  The attending physicians explicitly “overrode” her decision and did the cesarean section because of the fetus being “at risk for serious harm without the C-section.”  There was an injury to her bladder in the course of the operation but a healthy child was born.

The decision-making leading to the performance of a cesarean section has many facets.    There are a number of clinical situations that present risk to the well-being of the fetus.  But there are times when c-sections have been done for the convenience of either the laboring mother or the attending physician.  The availability of staffing in some hospitals has also come into play.  Nonetheless, there are a number of studies that have demonstrated that the medical-legal concern of liability exposure influences the judgment of many physicians so as to lower the threshold for doing the operation.  See, e.g., Minkoff, Fear of litigation and cesarean section rates, 36 Semin. Perinatol. 390 (2012); Yang, Mello, Subramanian, & Studdert, Relationship between malpractice litigation pressure and rates of cesarean section and vaginal birth after cesarean section, 47 Med. Care 234 (2009).

The impact of the Affordable Care Act on malpractice claims remains to be seen.  In the view of some, the number of claims will increase as the number of people using healthcare services expand.  On the other hand, there are those who believe that fewer patients will need to bring claims because they will now have a means for covering the expense of their injury claims.  Medical malpractice reform is barely mentioned in the Affordable Care Act. Section 6801 articulates the nonbinding “sense of the Senate,” and recognized that health care reform presented an opportunity to address issues related to medical malpractice and “encouraged” States to develop and test alternatives to the existing civil litigation system to improve patient safety, reduce medical errors, and stimulate efficiency in the resolution of disputes while preserving an individual’s right to seek redress through the courts. Moreover, Section 10607 provides potential federal grant money to support demonstration or pilot programs to develop alternatives to tort litigation.

The many evolving changes being implemented through the Affordable Care Act make it likely that the malpractice aspect of healthcare will also change.  And change brings opportunity.

The issue of cesarean section rates can be one of these opportunities.

One path to consider involves effective use of Clinical Practice Guidelines (CPGs), an approach considered in the past but meriting renewed evaluation.   There are several underlying assumptions necessary for practice guidelines to exert influence in the context of litigation.  They have to be developed for conditions or procedures that frequently lead to events for which negligence claims are filed.  They have to be widely accepted in the medical profession and fully integrated into clinical practice.  They also must be straightforward and readily interpreted in a litigation setting.  Proposals have been advanced to give CPGs a role in medical malpractice litigation in several different ways. One requires that courts take judicial notice of CPGs as the standard of care, with deviations conclusively establishing negligence. An alternative and more sensible approach would have compliance with CPGs constitute an affirmative defense for physicians, but that deviations from CPGs should not be used as inculpatory evidence.  See, e.g., Bovbjerg & Berenson, The Value of Clinical Practice Guidelines as Malpractice “Safe Harbors,” Timely Analysis of Immediate Health Policy Issues: Urban Institute (2012);  Mello, Of Swords and Shields: The Role of Clinical Practice Guidelines in Medical Malpractice Litigation, 149 U. Penn. L.Rev. 645 (2001).  The increasing recognition of Evidence-Based Medicine holds out hope that effective CPGs could be developed with regard to the indication and non-indications for cesarean section procedures.

Another possibility involves reimbursement policy.  This might take several forms.  One might involve financial disincentives for elective cesarean sections, those performed before 39 weeks of gestation without a documented medical indication for the procedure.  Payments for a planned VBAC delivery that nonetheless become a cesarean section might be limited to centers that have a demonstrated adequate staffing and resources for these procedures.

There is a compelling public health need to explore and resolve the issue of cesarean section rates.  Babies born by Cesarean section are more likely to have breathing problems and to develop several chronic diseases, childhood-onset diabetes, allergies with cold-like symptoms and asthma.  The surgery presents risks to the mother, including infection, blood clots, wound healing problems, prolonged recovery, and permanent scarring.  That the New Jersey cesarean section rate of greater than 30% is not a necessary circumstance is manifested by the fact that in a few counties the section rate occurs in one out of four births.  One must wonder why.

References:

State of New Jersey, Department of Health, Safety and Quality in Maternity Care available at http://www.state.nj.us/health/fhs/professional/safequality.shtml

State of New Jersey, Department of Health – Maternal & Child Health Epidemiology: Cesarean Delivery: Comparing New Jersey Hospitals, 2012 available at http://www.state.nj.us/health/fhs/professional/documents/cdh_explanation.pdf