By Ashley Thomson, Partner at Practus, LLP. A Virtual Law Firm.
On rare occasions a Court can issue an opinion that is so logical and on-point you want to stand up and cheer. Maybe you’re only cheering if you’re a HIPAA-nerd, like me. My name is Ashley and I work with Knicole. I was the assistant GC for Truman Medical Center for 17 years. As AGC at Truman, I was inundated with so many various issues.
Here’s what got me standing up in my home office as if Patrick Mahomes just threw a pass to Tyreek Hill and the KC Chiefs scored the winning touchdown in the Super Bowl—the 5th Circuit Court of Appeals held that a lost or stolen unencrypted device containing protected health information (“PHI”) does not automatically result in a violation of the HIPAA Disclosure Rule or Encryption Rule. If you want to do your own touchdown dance check out Univ. of Texas M.D. Anderson Cancer Ctr. v. United States Dep’t of Health & Human Servs., No. 19-60226, 2021 WL 127819, at *5 (5th Cir. Jan. 14, 2021).
Unless you’ve spent the last 20 years living under a rock, you are generally aware that HIPAA is a law that protects your health information from public disclosure. Most people don’t spell it correctly and even less people know what the acronym means. In 2009, HIPAA was supplemented with the HITECH Act. Together, these laws govern how health care providers handle your medical information and what to do if there is a breach of the information. HIPAA and HITECH’s implementing regulations (the “Regulations”) require all covered entities “implement a mechanism to encrypt” all PHI that is stored electronically. 45 C.F.R. Section 164.312(a)(2)(iv). Second, the Regulations prohibit unpermitted disclosure of PHI. 45 C.F.R. Sec. 164.502(a). These two regulations are referred to as the Encryption Rule and the Disclosure Rule respectively. These requirements are enforced by the Department of Health and Human Services (“HHS”) in conjunction with the Office for Civil Rights (“OCR”).
Whew, that was a quick history lesson. Now, back to the story.
In 2012 and 2013 MD Anderson Cancer Center (“MD Anderson”) had three (3) events happen involving unencrypted devices containing PHI. First, a laptop was stolen. Second, a thumb drive was lost during someone’s commute home. Third, a visiting researcher misplaced a thumb drive. Pursuant to the regulations, MD Anderson reported these events to HHS.
HHS concluded that MD Anderson violated the Regulations and imposed a fine over $4,000,000 (let me spell that out for you. . . FOUR MILLION DOLLARS).
You may be wondering, what in the world did they violate that would result in such an outrageous fine? So did MD Anderson!
MD Anderson threw its proverbial, red challenge flag and pursued its appeal rights and ended up, finally, in Federal Court where they succeeded on establishing that the mere loss of unencrypted PHI does not violate the Disclosure Rule and that the Encryption Rule does not require that a covered entity sit down and force each and every person to encrypt their devices.
Let’s look first at the Disclosure Rule. As a general rule, HIPAA prohibits the disclosure of PHI without permission from the patient. 45 C.F.R. Sec. 164.502(a). HIPAA defines disclosure as “the release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information.” 45 C.F.R. Sec. 164.103. Prior to reaching the 5th Circuit, MD Anderson had been told the mere fact that the unencrypted laptop and thumb drives were lost or stolen resulted in the conclusion the PHI had been improperly disclosed to someone outside of the covered entity. Thank goodness, the Court stepped in with the reasonable statement that many of us in the health care field have been saying for years. . . just because a device is lost or stolen doesn’t mean the PHI was improperly disclosed. “It defies reason to say an entity affirmatively acts to disclose information when someone steals it.” Univ. of Texas M.D. Anderson Cancer Ctr.,2021 WL 127819, at *5.
HHS claimed that it would be difficult for them to enforce the Disclosure Rule if it had to show that the PHI was disclosed to someone outside of the covered entity. Well, go complain to the referees HHS “that’s precisely the sort of policy argument that HHS could vet in a rulemaking proceeding. It’s not an acceptable basis for urging us to transmogrify the regulation HHS wrote into a broader one.” Id. And with that, the Court unceremoniously stated the obvious and provided some reason in the rather unreasonable world of HIPAA enforcement.
Next up? The Encryption Rule where HHS argued that MD Anderson’s desire to do more to encrypt their devices was an admission of non-compliance with the regulations. Not so fast, said the Court. The rule requires that a covered entity have a mechanism for the encryption PHI not that it implements an iron clad, hacker proof, 100% guaranteed encryption system. MD Anderson had an encryption mechanism which is enough to satisfy the regulation, even if HHS now “wishes it had written a different” regulation. Id.at *4.
I feel like this is the SUPERBOWL of HIPAA decisions. You may not be as excited about this opinion as I was. That’s ok. . . I’m a HIPAA and privacy nerd and I’m ok with that.
Let’s hope I have many touchdowns to stand up and celebrate on Sunday! Go Chiefs!
The legal fine print: As exciting as this opinion is, please remember that devices should be encrypted and PHI should be protected to the maximum extent possible. While this is a great decision, it doesn’t remove the obligation to comply with the Regulations.
 PHI contains 18 different identifiers. 42 C.F.R. § 164.514(a)(2)(i).
 It’s the Health Insurance Portability and Accountability Act of 1996.
 HITECH stands for the Health Information Technology for Economic and Clinical Health Act of 2009.
 Later, we can delve into what qualifies as a covered entity. Let’s just all agree that MD Anderson is a covered entity.
 This is a very simple overstatement, but it works for the purposes of this article.
 Let’s face it, most of these devices are lost or stolen and (1) never found or (2) thrown out as the thieves take what they really wanted . . . cold hard cash or credit cards. An old janky laptop or a random thumb drive is not at the top of the most wanted list for kleptomaniacs.
The RACs are on attack! The “COVID Pause Button” on RAC audits has been lifted. The COVID Pause Button has been lifted since August 2020. But never have I ever seen CMS spew out so many new RAC topics in one month of a new year. Happy 2021.
Recovery audit contractors (“RACs”) will soon be auditing positron emission tomography (PET) scans for initial treatment strategy in oncologic conditions for compliance with medical necessity and documentation requirements.
Positron emission tomography (“PET”) scans detect early signs of cancer, heart disease and brain disorders. An injectable radioactive tracer detects diseased cells. A combination PET-CT scan produces 3D images for a more accurate diagnosis.
According to CMS’ RAC audit topics, “(PET) for Initial Treatment Strategy in Oncologic Conditions: Medical Necessity and Documentation Requirements,” will be reviewed as of January 5, 2021. The PET scan audits will be for outpatient hospital and professional service reviews. CMS added additional 2021 audit targets to the approved list:
- Air Ambulance: Medical Necessity and Documentation Requirements,. This complex review will be examining rotatory wing (helicopter) aircraft claims to determine if air ambulance transport was reasonable and medically necessary as well as whether or not documentation requirements have been met.
- Hospice Continuous Home Care: Medical Necessity and Documentation Requirements, and
- Ambulance Transport Subject to SNF Consolidated Billing.
Upcoming HHS secretary Xavier Becerra plans to get his new tenure underway quickly.
In False Claims Act (“FCA”) news, Medicare audits of P-Stim have ramped up across the country. A Spinal Clinic in Texas agreed to pay $330,898 to settle FCA allegations for allegedly billing Medicare improperly for electro-acupuncture device neurostimulators. CMS claims that “Medicare does not reimburse for acupuncture or for acupuncture devices such as P-Stim, nor does Medicare reimburse for P-Stim as a neurostimulator or as implantation of neurostimulator electrodes.”
Finally, is your staff getting medical records to consumers requesting their records quickly enough? Right to access to health records is yet another potential risk for all providers, especially hospitals due to their size. A hospital system agreed to pay $200,000 to settle potential violations of the HIPAA Privacy Rule’s right of access standard. This is HHS Office for Civil Rights’ 14th settlement under its Right of Access Initiative. The first person alleged that she requested medical records in December 2017 and did not receive them until May 2018. In the second complaint, the person asked for an electronic copy of his records in September 2019, and they were not sent until February 2020.
Beware of slow document production as slow document production can lead to penalties. And be on the lookout for the next RAC Report.
Remember, never accept the results of a Medicare or Medicaid audit. It is always too high. Believe me, after 21 years of my legal practice, I have yet to agree with the findings if a Tentative notice of Overpayment by any governmental contracted auditor, whether it is PCG, NGS, the MACs, MCOs, or Program Integrity – in any of our 50 States. That is quite a statement about the general, quality of work of auditors. Remember Teambuilders? How did $12 million become $896.35? See blog.
1 CMS, “0200-Air Ambulance: Medical Necessity and Documentation Requirements,” proposed RAC topic, January 5, 2021, http://go.cms.gov/35Jx1co.
2 CMS, “0201-Hospice Continuous Home Care: Medical Necessity and Documentation Requirements,” proposed RAC topic, January 5, 2021, http://go.cms.gov/3oRUyiY.
3 CMS, “0202- Ambulance Transport Subject to SNF Consolidated Billing,” proposed RAC topic, January 5, 2021, http://go.cms.gov/2LOMEbw.
Since COVID-19, courts across the country have been closed. Judges have been relaxing at home.
As an attorney, I have not been able to relax. No sunbathing for me. Work has increased since COVID-19 (me being a healthcare attorney). I never thought of myself as an essential worker. I still don’t think that I am essential.
On Friday, May 8, my legal team had to appear in court.
“How in the world are we going to do this?” I thought.
My law partner lives in Philadelphia. Our client lives in Charlotte, N.C. I live on a horse farm in Apex, N.C. Who knows where the judge lives, or opposing counsel or their witnesses? How were we going to question a witness? Or exchange documents?
Despite COVID-19, we had to have court, so I needed to buck up, stop whining, and figure it out. “Pull up your bootstraps, girl,” I thought.
First, we practiced on Microsoft Teams. Multiple times. It is not a user-friendly interface. This Microsoft Team app was the judge’s choice, not mine. I had never heard of it. It turns out that it does have some cool features. For example, my paralegal had 100-percent control of the documents. If we needed a document up on the screen, then he made it pop up, at my direction. If I wanted “control” of the document, I simply placed my mouse cursor over it. But then my paralegal did not have control. In other words, two people cannot fight over a document on this new “TV Court.”
The judge forgot to swear in the witnesses. That was the first mess-up “on the record.” I didn’t want to call her out in front of people, so I went with it. She remembered later and did swear everyone in. These are new times.
Then we had to discuss HIPAA, because this was a health care provider asking for immediate relief because of COVID-19. We were sharing personal health information (PHI) over all of our computers and in space. We asked the judge to seal the record before we even got started. All of a sudden, our court case made us all “essentials.” Besides my client, the healthcare provider, no one else involved in this court case was an “essential.” We were all on the computer trying to get this provider back to work during COVID-19. That is what made us essentials!
Interestingly, we had 10 people participating on the Microsoft Team “TV Court” case. The person that I kept forgetting was there was Mr. Carr (because Mr. Carr works at the courthouse and I have never seen him). Also, another woman stepped in for a while, so even though the “name” of the masked attendee was Mr. Carr, for a while Patricia was in charge. A.K.A. Mr. Carr.
You cannot see all 10 people on the Team app. We discovered that whomever spoke, their face would pop up on the screen. I could only see three people at a time on the screen. Automatically, the app chose the three people to be visible based on who had spoken most recently. We were able to hold this hearing because of the mysterious Mr. Carr.
The witnesses stayed on the application the whole time. In real life, witnesses listen to others’ testimony all the time, but with this, you had to remember that everyone could hear everything. You can elect to not video-record yourself and mute yourself. When I asked my client to step away and have a private conversation, my paralegal, my partner, and the client would log off the link and log back on an 8 a.m. link that we used to practice earlier that day. That was our private chat room.
The judge wore no robe. She looked like she was sitting on the back porch of her house. Birds were whistling in the background. It was a pretty day, and there was a bright blue sky…wherever she was. No one wore suits except for me. I wore a nice suit. I wore no shoes, but a nice suit. Everyone one else wore jeans and a shirt.
I didn’t have to drive to the courthouse and find parking. I didn’t even have to wear high heels and walk around in them all day. I didn’t have to tell my paralegal to carry all 1,500 pages of exhibits to the courthouse, or bring him Advil for when he complains that his job is making his back ache.
Whenever I wanted to get a refill of sweet tea or go to the bathroom, I did so quietly. I turned off my video and muted myself and carried my laptop to the bathroom. Although, now, I completely understand why the Supreme Court had its “Supreme Flush.”
All in all, it went as smoothly as one could hope in such an awkward platform.
Oh, and happily, we won the injunction, and now a home healthcare provider can go back to work during COVID-19. All of her aides have PPE. All of her aides want to go to work to earn money. They are willing to take the risk. My client should get back-paid for all her services rendered prior to the injunction. She hadn’t been getting paid for months. However, this provider is still on prepayment review due to N.C. Gen. Stat. 108C-7(e), which legislators should really review. This statute does not work. Especially in the time of COVID. See blog.
I may be among the first civil attorneys to go to court in the time of COVID-19. If I’m honest, I kind of liked it better. I can go to the bathroom whenever I need to, as long as I turn off my audio. Interestingly, Monday, Texas began holding its first jury trial – virtually. I cannot wait to see that cluster! It is streaming live.
Being on RACMonitor for so long definitely helped me prepare for my first remote lawsuit. My next lawsuit will be in New York City, where adult day care centers are not getting properly reimbursed.
RACMonitor Programming Note:
Healthcare attorney Knicole Emanuel is a permanent panelist on Monitor Monday and you can hear her reporting every Monday, 10-10:30 a.m. EST.
HIPAA mandates the privacy of private health care records. HIPAA is a serious issue, both financially and in the risk-management aspect, for health care providers. Providers need to delegate annual funds to the defense of regulatory audits proactively – before the actual adverse action occurs. Because it’s not an “if;” it’s a “when,” when you accept Medicare/caid. In the Medicare/caid world, HIPAA violations can catastrophically render a company dead for an infraction. In the current days of technical, daily advances and allegations of cybersecurity breaches, health care providers must be cognizant of cyber criminals, their intent, their modus operandi, and what personal/company information is valuable to such criminals. The HIPAA statutes are vague and lack detailed explanations as to penalties.
In 2018, the Office for Civil Rights (OCR) issued a record-breaking $28 million in fines for HIPAA violations. The number of health care providers currently under investigation by HHS, in 2019, will be another record-breaking number.
As more and more data is maintained on computer systems, the more and more accessible the information becomes to potential scammers. In 2017, the number of cyber attacks increased exponentially to 5,207. There is actually an itemization as to how many of the attacks were germane to health care; health care breaches accounted for 8.5% of all breaches. 2.3 billion health care records have been exposed. This isn’t new. In 2015, the most healthcare records ever were breached. 113 million healthcare records were exposed that year. Now, in 2019, we may witness an all-time-high.
Human error is the number 1 reason for HIPAA violations. Employees gossiping and disclosing private health care information among each other is another culprit, along with social media and lack of training.
The largest individual HIPAA settlement was reached in October 2018, when OCR fined health insurer Anthem $16 million.
The oxymoron is that the government (Medicare/caid) and private payors are pushing for collaborative health care and the sharing of health care records amongst varying providers. Yet the possible HIPAA breaches increase with collaboration.
In April 2019, HHS randomly selected 9 HIPAA-covered entities—a mix of health plans and clearinghouses—for Compliance Reviews. The CMS Division of National Standards, on behalf of HHS, has launched a volunteer Provider Pilot Program to test the compliance review process.
The Trump administration has interpreted HIPAA penalties differently than the Obama administration did. Now HHS will apply a different cumulative annual CMP limit for the four penalties tiers in the Health Information Technology for Economic and Clinical Health (HITECH) Act.
There are four tiers of HIPAA violation severity outlined in the HITECH Act, based on the violator’s level of culpability:
Under the Obama administration, the annual limit for each tier was $1.5 million.
HIPAA penalties are appealable and with the disparate amount of penalties, it is well worth the time and expense to appeal.
Electronic health records or EHR have metamorphosed health care. Choosing a vendor can be daunting and the prices fluctuate greatly. As a provider, you probably determine your EHR platform on which vendor’s program creates the best service notes… or which creates the most foolproof way of tracking time… or which program is the cheapest.
But…what’s in YOUR contract can be legally deadly.
Regardless how you choose your EHR vendor, you need to keep the following legal issues in mind when it comes to EHR and the law:
Regulatory and Clinical Coverage Policy Compliance
Most likely, your EHR vendor does not have a legal degree. Yet, you are buying a product and assuming that the EHR program complies with applicable regulations, rules, and clinical coverage policies – whichever are applicable to your type of service. Well, guess what? These regulations, rules, and clinical coverage policies are not stagnant. They are amended, revised, and re-written more than my chickens lay eggs, but a little less often, because my chickens lay eggs every day.
Think about it – The Division of Medical Assistance (DMA) publishes a monthly Medicaid Bulletin. Every month DMA provides more insight, more explanations, more rules that providers will be held accountable to follow.
Does your EHR program update every month?
You need to review your contract and determine whether the vendor is responsible for regulatory compliance or whether you are. If you are, should you put so much faith in the EHR program?
You are required to maintain your records (depending on your type of service) anywhere from 5-10 years. Let’s say that you sign a four year contract with EHR Vendor X. The four years expires, and you hire a new EHR vendor. You are audited. But Vendor X does not allow you access to the records because you no longer have a contract with them – not their problem!
You need to ensure that your EHR contract allows you access to your documents (because they are your documents) even in the event of the contract expiring or getting terminated. The excuse that “I don’t have access to that” does not equal a legal defense.
This is otherwise known as the “Blame Game.” If there is a problem with regulatory compliance, as in, the EHR records do not follow the regulations, then you need to know whether the EHR vendor will take responsibility and pay, or help pay, for attorneys’ fees to defend yourself.
Like it or not, the EHR vendor does not undergo audits by the state and federal government. The EHR vendor does not undergo post and pre-payment reviews for regulatory compliance. You do. It is your NPI number that is held accountable for regulatory compliance.
You need to check whether there is an indemnification clause in the EHR contract. In other words, if you are accused of an overpayment because of a mistake on the part of the vendor, will the vendor cover your defense? My guess is that there is no indemnification clause.
HIPAA laws require that you minimize the access to private health information (PHI) and prevent dissemination. With hard copies, this was easy. You could just lock up the documents. With EHR, it becomes trickier. Obviously, you have access to the PHI as the provider. But who can access your EHR on the vendor-side? Assuming that the vendor has an IT team in case of computer issues, you have to consider to what exactly does that team have access.
I recently attended a legal continuing education class on data breach and HIPAA compliance for health care. One of the speakers was a Special Agent with the FBI. This gentleman prosecutes data breaches for a living. He said that hackers will pay over $500 per private medical document. Health care companies experienced a 72% increase in cyberattacks between 2013 and 2014. Stolen health care information is 10 times more valuable than your credit card information.
Obviously, I am exaggerating here. I do not believe that The Walking Dead is real and in our future. But here is my point – You are held accountable for maintaining your medical records, even in the face of an act of God or terrorism.
Example: It was 1996. Provider Dentist did not have EHR; he had hard copies. Hurricane Fran flooded Provider Dentist’s office, ruining all medical records. When Provider Dentist was audited, the government did not accept the whole “there was a hurricane” excuse. Dentist was liable for sever penalties and recoupments.
Fast forward to 2017 and EHR – Think a mass computer shutdown won’t happen? Just ask Delta about its August 2016 computer shutdown that took four days and cancelled over 2000 flights. Or Medstar Health, which operates 10 hospitals and more than 250 outpatient facilities, when in March 2016, a computer virus shut down its emails and…you guessed it…its EHR database.
So, what’s in YOUR contract?
We can add one more “oops” to the Department of Health and Human Services (DHHS) repertoire of “oopses.” I am reminded of Captain Edward Smith when he banged the Titanic into an iceberg. Talk about an “oops” moment. Not to mention the lives lost, hitting that iceberg cost $7.5 million in ship building costs back in 1909.
DHHS hit another iceberg yesterday. How much will this “oops” costs?
DHHS made its “oops” by sending 48,752 new Medicaid cards to the WRONG people. Oops! Medicaid cards have HIPAA protected information on them, such as names, Medicaid numbers and dates of birth.
Let me tell you a little about HIPAA. HIPAA stands for the Health Insurance Portability and Accountability Act of 1996 (HIPAA). It was signed into law by Bill Clinton, Title II of HIPAA requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers. Why is this important? This act also provides significant penalties if privileged information is disseminated.
Hence the DHHS Medicaid card debacle. Iceberg, ahoy! “Oops I did it again!”
The questions are (1) how much will NC be penalized for the dissemination of so much private information; and (2) will NC actually have to pay the penalty?
Recently, HIPAA was revamped. Beginning September 2013, HIPAA became even more stringent with harsher penalties and began to apply to more people (including law firms). For example, prior to September 2013, my firm Williams Mullen treated my documents received from clients the same as all other privileged information in our firm. Obviously, almost everything at a law firm is confidential. Now I have to lock my door (we had to install a lock) anytime I leave my office, even for lunch. Bright yellow flags have been added to all my files that contain privileged health information (PHI), which is every file. My partners cannot access my documents on our computer network system unless granted access. I feel like Edward Snowdon.
I also remember a story about a nurse who worked at a hospital. Her husband was admitted into the ER while she was on her shift and she looked up his condition on the computer. She was fired for violating HIPAA.
How bad can it be?
The feds imposed a penalty of $4.3 million against Cignet Health of Prince George’s County, MD, for HIPAA violations in 2011. Oops!
And, in light of the “new HIPAA,” last week, DHHS disseminates privileged information to 48,752 people.
What are the penalties for violating HIPAA?
There are four violation categories (1) did not know; (2) reasonable cause; (3) willful neglect-corrected; and (4) willful neglect-not corrected. Here are the penalties:
Assuming DHHS’ HIPAA violation is the least severe, “did not know,” DHHS could be liable for $100-$50,000 per violation. Here, there are, at least, 48,752 violations. So we are talking a penalty anywhere from $4,875,200 to a number bigger than my calculator allows.
Thankfully for DHHS and, ultimately, our tax dollars, there are caps to HIPAA penalties. There is a $1.5 million cap per calendar year.
However, DHHS could be liable for multiple violations of multiple provisions and a violation of each provision can be counted separately. So, theoretically, DHHS could be liable for multiple violations of up to $1.5 million cap for each violation, which would result in a total penalty well above $1.5 million.
The other question is whether the federal government will hold a state liable for such HIPAA violations. I don’t know the answer to this, but it would seem fundamentally unfair if HIPAA applies to people and companies, but not the state.
Then, again, how many of you want our tax dollars going toward paying these HIPAA penalties?
You can also see this story on WRAL. (Yes, I was interviewed 🙂 )
Will Aldona Wos also have a $7.5 million “oops” like Captain Smith? Because, regardless who committed the “oops,” Wos is captain of the ship. It is believed that Capt. Smith went down with the Titanic.