
Data Breach Characterized Instead As Violation of Medical Confidentiality and Privacy Provides Basis for Class Action

In a posting on this blog earlier in April of this year, we commented on the approval of a class action settlement in a matter in the United States District Court for Southern Florida arising out of the loss of laptops with unencrypted protected health information but without any demonstration of actual injury in the form of identity theft.  That outcome seemed contrary to the major trend in data breach cases, including the then fairly recent decision in Polanco v. Omnicell, Inc., 2013 WL 6823265 (D.N.J. Dec. 26, 2013).  The Florida Federal case had been grounded in state law and not HIPAA or HITECH.  But there may be a groundswell developing that may signal a likely increase in class action viability based on security breaches and medical data.

In Tabata v. Charleston Area Medical Center, 2014 WL 2430061 (W.Va. May 28, 2014), the highest court in West Virginia ruled that the plaintiffs had standing and met the requirements for class certification.  More than 3,000 patients of the Medical Center had their personal and medical information placed on the internet for an approximate six-month period so that it was exposed to view “if someone were to conduct an advanced internet search.”  In connection with the eventual breach notification to patients required by HIPAA/HITECH, all patients were offered a year’s worth of credit monitoring at the Medical Center’s cost.

Five of the patients filed a complaint alleging causes of action under West Virginia law for breach of a duty of confidentiality, violation of privacy, and negligence.  Plaintiffs filed a motion for class certification.  Discovery conducted to that point had not identified any instance of unauthorized users actually accessing or making any harmful use of the plaintiffs’ data or an instance of identity theft or any economic losses.  The trial court denied class certification finding that the burden of establishing commonality, typicality, and predominance of common issues of law or fact had not been met.  It also found that the plaintiffs lacked standing to bring the claims “because they have failed to show that they have suffered a concrete and particularized injury that is not hypothetical or conjectural.”

On appeal, the West Virginia Supreme Court of Appeals agreed with the lower court that the risk of future identity theft alone did not constitute an injury in fact for purposes of standing.  However, it noted that the complaint also asserted causes of action for breach of physician-patient confidentiality and invasion of privacy and that it was well established in West Virginia law that a patient had a cause of action against a physician who wrongfully disclosed confidential health information.  In a 2012 decision, the court had held that these common law torts were not preempted by HIPAA.

The court concluded that as patients of the Medical Center, plaintiffs had “a legal interest in having their medical information kept confidential,” that “this legal interest is concrete, particularized, and actual,” and that “when a medical professional wrongfully violates this right, it is an invasion of the patient’s legally protected interest.”  All of this was sufficient to give plaintiffs standing to bring a cause of action for breach of confidentiality.  It reached a similar conclusion with regard to the cause of action for invasion of privacy and went on to find the prerequisites for class certification were also present.

A brief dissent was filed by a single justice, stating that “[t]his case is a typical example of a frivolous class-action lawsuit.”  Invoking the proposition of “no harm, no foul,” he would have held that plaintiffs lacked standing and prognosticated that after “massive amounts of attorneys fees” were incurred by defendant conducting discovery of the several thousand unnamed plaintiffs, there would still be no injury identified.  The trial court would then decertify the class and dismiss the matter.

Although it is widely accepted that neither HIPAA nor the expansion with HITECH and the 2013 Omnibus Rule provide for a private cause of action, the HIPAA/HITECH provisions can be used to provide a standard of care and concomitant legal duty regarding protection of health information from wrongful disclosure.  This has been quietly developing since at least 2006 when the appellate court in Acosta v. Byrum, 638 S.E.2d 246 (N.C. App. 2006) looked to HIPAA as “evidence of the appropriate standard of care, a necessary element of negligence.”  See generally Renewed Concerned for Tort Actions Based on HIPAA, 1 MDAdvisor 14 (January 2008).  Certainly the expanded liability of Business Associates as a result of HITECH presents an increased scope of exposure for breaches of patient confidentiality and an enlarged list of defendants for a class action claim.  This is a trend to keep an eye on.

Third Circuit Adopts More Liberal Pleading Standards For Claims Brought Under The False Claims Act

On June 6, 2014, the United States Court of Appeals for the Third Circuit issued a decision in Foglia v. Renal Ventures Management, LLC, Docket No. 12-0450, which reversed the New Jersey District Court’s dismissal of a False Claims Act (“FCA”) case for failure to satisfy the heightened pleading requirements in F.R.C.P. 9(b).

Foglia was a registered nurse formerly employed by the defendant, Renal Ventures Management, LLC (“Renal”), a dialysis care company.  Foglia alleged Renal violated the FCA by falsely certifying that it was in compliance with state regulations related to quality of care, falsely submitting reimbursement claims for the drug Zemplar, and reusing single-use Zemplar bottles.  The District Court granted Renal’s 12(b)(6) motion finding that because Foglia failed to “identify representative examples of specific false claims made to the Government” his pleading did not meet the standard of F.R.C.P. 9(b).

In reviewing the matter, the Third Circuit stated that it had not previously ruled specifically on what F.R.C.P. 9(b) requires of an FCA claimant, and noted that the other Circuits were split as to the appropriate requirements.  The Fourth, Sixth, Eighth and Eleventh Circuits require an FCA plaintiff to show “representative samples” of the alleged fraudulent conduct, specifying the time, place, and content of the acts, and the identity of the actors.  Conversely, the First, Fifth and Ninth Circuits require only that the plaintiff allege “particular details of a scheme to submit false claims paired with reliable indicia that lead to a strong inference that claims were actually submitted.”

The Third Circuit ultimately adopted the more nuanced standard of the First, Fifth and Ninth Circuits.  In doing so, it pointed out that “it is hard to reconcile the text of the FCA, which does not require that the exact content of the false claims in question be shown, with the ‘representative samples’ standard favored by” the other Circuits.  The court further noted that in a recent brief for the United States, as amicus curiae, the Solicitor General indicated that the United States believed the more rigid standard followed by the Fourth, Sixth, Eighth and Eleventh Circuits undermined the effectiveness of the FCA to combat fraud against the United States.

The Third Circuit ultimately reversed the District Court’s decision and remanded the matter for further proceedings.  A copy of the Third Circuit’s decision can be found here.

ONC’s Look Ahead to “An Interoperable Health IT Infrastructure” Within 10 Years

The Office of the National Coordinator for Health Information Technology (ONC) has released an ambitious “concept paper” setting forth its “10-Year Vision to Achieve An Interoperable Health IT Infrastructure.”  The goal is to “make the right data available to the right people at the right time across products and organizations in a way that can be relied upon and used by recipients.”  ONC has identified three-, six-, and ten-year agendas towards this objective.

Though HIPAA’s implementation in 1996 and meaningful use of certified electronic health record technology (CEHRT) have led to impressive advancements in technological innovation, ONC’s ten-year vision promises even more changes yet to come.

Extraordinary leadership will be required of ONC in collaboration with state and local governments, as well as the private sector.  To achieve this, ONC has identified “five critical building blocks” upon which to focus its efforts:

  1. Core technical standards and functions which build upon existing health IT (HIT) infrastructure;
  2. Certification to support adoption and optimization of health IT products and services;
  3. Privacy and security protections for health information, and greater transparency for individuals regarding the business practices of entities that use their data, even those users who are not specifically covered under the HIPAA Privacy and Security Rules;
  4. Supportive business, clinical and regulatory environments;
  5. Rules of engagement and governance.

Within three years, ONC intends to further standardize the vocabulary and structure of essential information, as well as address critical issues such as data provenance, data quality and reliability, and patient matching.  All of these efforts are geared towards improving the quality of interoperability and facilitating a vastly increased quantity of information which is captured by HIT infrastructure.  Simultaneously, a “common framework to enhance trust” will be implemented by addressing key privacy, security, and business policy and practice challenges related to the secure exchange of health information across existing networks.  In addition, ONC intends to advance policy and programmatic stimuli to encourage the use of this information in a manner which supports care delivery reform, improves quality, and lowers costs.

Within six years, by 2020, ONC envisions that individuals, care providers, and public health departments will send, receive, find and use an expanded set of health information across the entire industry in support of “team-based” care. By this time, interoperability between CEHRT and medical devices will enable remote monitoring from virtually any location, including homes, schools, and workplaces.  Data aggregation will give rise to “multi-payer” claims databases and clinical data registries.  Using this information, providers will be able to aggregate and trend information within and across groups of patients, and payers (including Medicare and Medicaid) will be able to implement value-based payment systems based on clinical analyses.

In 10 years, according to this ONC report, information sharing will be standardized and improved at all levels of public health, enabling patient-centered research to be better targeted, and individuals will be able to manage information from their own mobile devices and share that information seamlessly across multiple electronic platforms, such as healthcare providers, social service agencies, and consumer-facing applications.  In addition, these data will enable public health surveillance and retrospective analyses on an unprecedented level.

ONC’s roadmap depends on continued support and engagement from all healthcare stakeholders who are encouraged to be active participants in shaping the decisions which will define this industry for years to come.

CMS Gives Providers A Meaningful Break from “Meaningful Use”

On May 20, 2014, the U.S. Department of Health and Human Services published and requested comment on a new proposed rule that would provide eligible providers more flexibility in how they use electronic health records (EHR) systems to meet Meaningful Use (MU) requirements.  These proposed regulations would permit the use of 2011-certified EHRs, or a combination of 2011- and 2014-certified EHR technology for the 2014 reporting period for the Medicare and Medicaid EHR Incentive Programs.

The proposed regulations would also require eligible providers in 2015 to report MU using 2014-certified EHR technology, but they also leave the door ajar for additional deferments, saying:  “We will maintain the existing policy that all providers must use 2014 Edition CEHRT for the EHR reporting periods in 2015, and in subsequent years or until new certification requirements are adopted in subsequent rulemaking.”

In addition, the proposed rule would formally extend Stage 2 MU through 2016, and defer Stage 3 until 2017, as had been previously stated.  The proposed changes to the MU timeline are as follows:

Stage of Meaningful Use, by calendar year

First Payment Year   2011  2012  2013  2014  2015  2016    2017  2018
2011                 1     1     1     2     2     3 -> 2  3     TBD
2012                 -     1     1     2     2     3 -> 2  3     TBD
2013                 -     -     1     1     2     2       3     3
2014                 -     -     -     1     1     2       2     3
2015                 -     -     -     -     1     1       2     2
2016                 -     -     -     -     -     1       1     2
2017                 -     -     -     -     -     -       1     1

In the 2016 column, “3 -> 2” shows the current Stage 3 start date being replaced by the proposed continuation of Stage 2, with the proposed Stage 3 start date moving to 2017.

While over five times as many non-federal acute care hospitals now possess “basic EHR” systems compared to 2008, alarmingly few had adopted all sixteen Stage 2 Core Functionalities.   In fact, according to data reported in May 2014 by the Office of the National Coordinator for Health Information Technology (ONC), only 6 percent of all eligible providers met all criteria for Stage 2 MU.

These proposed regulations provide welcome, albeit temporary, relief to providers concerned with meeting Stage 2 and Stage 3 MU which had been scheduled for 2014 and 2016, respectively.  Providers should use this opportunity to shore up any shortcomings in their Stage 1 or Stage 2 MU compliance and begin preparing for Stage 3 requirements which go into effect in 2017.