Do I need a lawyer? Information privacy and security requirements are coming up in legal cases more often these days.  Part of that is because we have more of those types of laws. Although HIPAA has been in effect for over a decade, I don’t recall seeing it used in lawsuits and legal cases as frequently as I do now.  Maybe I am just paying more attention, but there are certainly plenty of cases in the courts today.  Most are civil cases, but some are even criminal cases.  After hearing these you will probably know the answer to the question “Do I need a lawyer?”.   Probably, maybe; that is actually a fact-specific determination.  Honestly, though, the answer is you probably will if you are not taking information privacy and security seriously today.


In this episode:

Do I Need A Lawyer? – Ep 142

Today’s Episode is brought to you by:

Kardon and HIPAA for MSPs / Security First IT

Where to meet us [1:34]

Learn more about our Live HIPAA Boot Camp and request one in your area:  [3:41]

The HIPAA Boot Camp – Virtual Edition – For the first time, our Boot Camp is going virtual.

  • The virtual format is done in 3-4 hour online sessions over a two week period.
  • March 13/14/15 and 21/22.
  • $997 early bird special rate through Feb 28th.
  • $1,297 March 1 – 13.
  • One registration covers attendance of up to 3 people on your team.
  • One on one planning sessions included.  You schedule them for after the end of class.
  • Access to recordings and all resource material available online for at least 6 months.

Want to be part of Help Me With HIPAA? Become a Patreon at

HMWH App now has more features.  You can now access a PDF with the show notes ready for your HIPAA training documentation!  Find it under the bonus feature in the app for both the Apple and Android versions.  It is a little gift box on the app bar.



Do I Need A Lawyer?

Let’s discuss some cases so you can understand what you may be up against.  Don’t assume you will be the defendant here – you are probably more likely to be the plaintiff or the defendant’s employer if you listen to HMWH.

1 – Oregon – St. Charles Health System being sued for $500,000 because a nurse shared medical records inappropriately.

In May 2016, a patient was injured in an all-terrain vehicle accident.  A nurse who was not involved in TPO (treatment, payment, or health care operations) for this patient looked up the patient’s medical records.  Then, the nurse shared the blood alcohol content from his records with a friend of both the patient AND the nurse.  The patient has filed a lawsuit against the health system for $500K.

This health system has had trouble along these lines before.  There are actually two stories in one here, and the nurse probably needs a lawyer too.  In a separate incident, a nursing assistant pleaded guilty to “computer crimes” charges after it was found that she reviewed 2,459 patient records because she was curious.  So we come up with at least two lawyers being required in this one story.

2 – Doctor gets jail time for HIPAA violations

He knew he was going to be let go, so he just didn’t work.  Instead, he started looking at patient records.  The details from the article included the following conversation, which is very telling about the misperception many healthcare people have concerning HIPAA laws.

“Dr. H began idling away his remaining days at the health system by looking at patient records for entertainment. He viewed the records of the health system’s many high-profile patients, including well-known movie stars, television personalities, and people in public office.

Dr. H never shared the information he saw in the records. He never tried to sell the information about the celebrity patients to the tabloids.

Dr. H immediately hired a defense attorney, who told him that although there was information that Dr. H had illegally accessed patient records over 300 times, the government was only charging him with four counts.

“But I didn’t do anything wrong,” Dr. H said. “I never sold the information or told anyone about it.”

“They aren’t charging you with selling the information,” the attorney replied. “If they were, you would be facing a felony and a lot of jail time. They are charging you with simply accessing identifiable health information without a valid reason for doing so. You were not treating any of those patients. And in the last several instances, you weren’t even working for the health system anymore.”

“But I didn’t know that was a crime,” Dr. H said.  He was sentenced to 4 months in prison, followed by a year of supervised release, and a $2,000 fine.

The court held that the plain text of the statute does not limit its application to people who knew their actions were illegal. Rather, the court stated, “the misdemeanor applies to defendants who knowingly obtained individually identifiable health information relating to an individual, and obtained that information in violation of HIPAA.”

The key language, according to the court, was “knowingly and in violation of this part.” Dr. H wanted it to be interpreted as “knowingly, in violation of this part” — therefore presuming that knowledge was a violation necessary for conviction. The court disagreed, saying that if the statute did not contain the word “and,” Dr. H’s argument might be more persuasive.

“However, we cannot ignore ‘and,’ because its presence often dramatically alters the meaning of a phrase,” wrote the court in its decision.

3 – State law has a problem with records lying around a home office

Pearlie Mae’s Compassion and Care LLC, and Ann Marie Kaiser and Jenell Jones, the owners of the company that provides care for disabled consumers, agreed to pay an $8,750 civil penalty for violations of the Wayne Owen Act, which is part of the Kansas Consumer Protection Act.

In June 2017, during the course of assisting the Topeka Police Department in executing a search warrant, special agents of the Kansas Attorney General’s office observed patient and employee records containing personal information in Kaiser’s home, which also served as one office location for the company. The records were found in open view, unsecured and accessible to anyone in the residence, including persons who had no legitimate business reason to access the personal information in the records. A lawsuit filed by Attorney General Schmidt in June alleged the defendants failed to implement and maintain reasonable procedures and practices to protect personal information and failed to take reasonable steps to destroy or arrange for the secure destruction of records containing personal information when the records no longer are to be used.

4 – Allscripts is already dealing with a class action lawsuit over the ransomware incident.

There is definitely still a lot to learn here about exactly what went wrong.  However, you should be paying attention if you are an EHR vendor, and learn from their mistakes.  Evaluate now what would happen if you get hit.  Most often we hear the tech team say “that won’t happen to us,” which is probably what the folks over at Allscripts said two minutes before they were hit and down for days.

5 – Aetna suing a Business Associate over the settlement payments after HIV mailing breach.

Claims administrator Kurtzman Carson Consultants sent out the letters in window envelopes that showed the phrase “when filling prescriptions for HIV medications”.  Aetna says it was Kurtzman Carson Consultants’ fault and wants them to pay the millions in costs and settlements.

6 – CVS Pharmacy, Inc. and Caremark Rx LLC (CVS) sought reimbursement from its business associate, Press America, Inc., following a 2012 PHI data breach.

Press America was in charge of mailing information to beneficiaries of IBM’s health plan about mail order pharmacy services.  CVS says that Press America failed to perform their work properly when they incorrectly addressed the mailing.  Of course, the mailing contained PHI for the beneficiaries, which disclosed their data to the wrong people.  At least it was only a breach of 41 patients.  You can’t really say that is good, but I suppose it could have been worse.  After the problem, IBM said show me the money, because the contract with CVS said that CVS had to credit IBM $1,845,000 as a result of the problem. They also made sure everyone did a big investigation into the disclosure to determine who was involved.

There was also a business associate agreement (BAA) in place.  CVS is using that contract to define the requirements for protecting the data, argue that those requirements make Press America responsible, and demand that they pay up.

Press America tried to argue its way out of it, but the terms of the BAA are so broad when read together with their service contracts that the court ruled against Press America and said – show me the money!

As these cases become more common we will continue to see the BAA pointed to often.  If you don’t know what is in yours, it is time to pay attention!

As with everything else in HIPAA, you may need a lawyer and you may not.  It is often very hard to determine until you hear what is going on.  However, based on the climate and the amount of money these things cost, you can almost bet on needing a lawyer if a breach occurs in your wheelhouse.

Please remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word.  As always, send in your questions and ideas!

HIPAA is not about compliance, it’s about patient care.