Medicare is governed by a notoriously complex statute.
-Hon. William Pryor, dissenting.
The tort plaintiff was injured on the condominium premises. She settled with the condo’s carrier, Western Heritage. She represented that there were no liens or subrogation claims. Humana, which operated her Medicare Part C (aka Advantage) plan, thought otherwise. Western tendered a settlement check which included Humana as a payee. The tort plaintiff asked the Florida state court for sanctions against Western for failing to pay the full settlement. A stipulated order was entered in the Florida court, directing that $19,155.41 be held in trust by the tort plaintiff’s lawyer pending resolution of the MSP claim.
Humana sued the tort plaintiff and her lawyer in federal court but after some procedural machinations voluntarily dismissed it.
The tort plaintiff obtained a declaratory judgment from the Florida state court that she owed Humana $3,685.03. This result was thrown out on appeal because only federal courts have jurisdiction over MSP disputes, and only after federal administrative remedies have been exhausted.
Humana then sued Western in federal court. The result: Western owes Humana double, or $38,310.82.
Among the points made by the majority of a divided panel of the 11th Circuit:
- Medicare Part C Plans have MSP claims enforceable in federal court.
- Putting the money in trust was not good enough.
- Any dispute as to the amount of the MSP claim must be resolved in accordance with CMS administrative process.
Humana Medical Plan, Inc., v Western Heritage Insurance Company (USCOA 11th Cir., Aug. 8, 2016)
OCR put out an end-of-Monday email blast touting new guidance for covered entities and business associates on ransomware. Ransomware is malware that encrypts your files (or otherwise renders them unusable) and demands a payment for restoring access. OCR says there is an upswing in these attacks in the healthcare sector. Most infections occur when a user opens an email attachment or clicks on a link in a bogus email.
The guidance document points out that general compliance with the Security Rule will help protect against ransomware. A couple of things are mentioned that, while obvious, are noteworthy.
1) Regular backup greatly reduces vulnerability to ransomware extortion.
2) Encryption applied at the drive level on a device such as a laptop protects the EPHI* only while the data is at rest, that is, while the device is powered off and the encryption key has not been loaded. So if it is lost or stolen in that condition, no breach. But once the device has been booted and unlocked, the data is readable by any process running on it, so a ransomware infection that strikes while the device is in active use may well be a breach.
You can obtain the complete guidance document here.
*Electronic protected health information.
OCR sent out a Friday happy-hour email blast proudly announcing dissemination of a new “Crosswalk” tool, which correlates NIST cyber security standards with HIPAA security regulations. Click here for the “Crosswalk”.
A manager for a home respiratory therapy and infusion company moved out of the marital residence. The husband told OCR that she left documents behind that contained Protected Health Information. OCR hit the company with a CMP (civil money penalty) of $239,800. The company asked for a hearing, but the Administrative Law Judge granted summary judgment in favor of the government.
The company argued that hubby stole the paperwork, making the company an innocent crime victim. The ALJ scoffed at this, noting that HIPAA was clearly violated when the manager
“took documents out of the office, left them in places (car or home) accessible to this purportedly untrustworthy and possibly unbalanced individual, and then, apparently without giving a thought to the security of those documents, abandoned them entirely”.
When asked about policy changes in response to the event, the company’s Chief Compliance Officer said staff had
“considered putting a policy together that said thou shalt not let anybody steal your protected health information.”
I take it they were not interested in settling the charges.
So as Spring makes a somewhat early return to the Valley of the Sun, and heart shaped wreaths start to adorn romantic residences, OCR put out its press release noting that
“This is only the second time in its history that OCR has sought CMPs for HIPAA violations, and each time the CMPs have been upheld by the ALJ.”
Practitioners in this field may wish to read the ALJ’s decision. The press release can be found here.
The DHHS Office for Civil Rights delivered an email blast touting its newly issued guidance on individuals’ rights of access to their health records. I have doubts about its helpfulness to ordinary patients who have not had long exposure to the HIPAA regulations and their associated jargon. But it looks like a good reference for lawyers and their health care clients.
Individuals’ Right under HIPAA to Access their Health Information
In 2005, the IRS resolved a long running dispute with teaching hospitals by promulgating a reg stating that anyone who works more than 40 hours per week – a category that clearly includes medical residents – is not a student for purposes of FICA tax.
Maimonides Medical Center had been paying FICA on residents long before the effective date of the reg, and sued for a refund. Fast forward to 2015, and the only question left was the interest rate. Maimonides argued that since it is a not-for-profit corporation, it should get the higher rate available to ordinary taxpayers, and not the lower rate applicable to corporations.
The Second Circuit held that Maimonides gets the lower rate: a corporation is a corporation. As to the IRC definition of “corporation” at IRC § 7701(a)(3), says the panel: “that language is not technically a definition”.
Maimonides Medical Center v USA (Dec. 18, 2015)
Lahey Clinic Hospital, Inc., had an unencrypted laptop attached to a CT scanner. Somebody swiped the laptop from an unlocked treatment room. The laptop contained data on 599 people. Lahey reported the breach, and OCR responded with an investigation resulting in a big negotiated payment.
In its holiday season email blast/boast about the salt poured into this wound, OCR indicated this should serve as a lesson for users of medical devices.
The resolution agreement alleges that Lahey:
- failed to conduct a proper risk analysis
- failed to implement physical safeguards
- failed to have policies and procedures governing the receipt, removal and movement of hardware and media
- failed to assign user names for identifying and tracking users
If you have read this far, you may find OCR’s guidance on mobile device security to be of interest.
On my holiday wish list: that we will hear about laptop or data thieves being pursued and prosecuted with the same vigor as their “covered entity” victims.
A Brooklyn dentist was investigated for Medicaid fraud. When the prosecutor and investigator presented the case to the grand jury, they used a spreadsheet summary of billings. The spreadsheet made it look like the dentist billed the same procedure multiple times on a single patient. But they left out the tooth number associated with each procedure. Had they included the tooth numbers, it would have been apparent that the procedure was performed on multiple teeth and the billing was per tooth.
By the time the dentist was acquitted, his professional life lay in ruins. He sued the prosecutor and investigator for violating his constitutional rights by knowing use of false evidence. The jury found in favor of the dentist, and the U.S. District Court awarded $4,624,946 compensatory and $100,000 punitive damages.
The Second Circuit held that there was no qualified immunity for the prosecutor because it was settled that the knowing use of false evidence was an actionable deprivation of constitutional rights. The court also upheld the District Court’s finding that the knowing omission of the tooth numbers, so as to make the spreadsheet misleading, could qualify as false or fraudulently altered evidence.
Morse v Fusto (September 11, 2015)
OCR announced a settlement agreement with Anchorage Community Mental Health Services for a self-reported breach of ePHI affecting 2,743 individuals. OCR says the organization was vulnerable to malware because it ran outdated, unsupported software and had not applied available patches.
OCR also criticized the organization for adopting policies and procedures that were not followed, and for failing to conduct regular assessments of vulnerabilities.
The outdated software is not identified in the bulletin or settlement agreement.
Just in time for the declaration that there are no known active cases of Ebola in the U.S., OCR issued a bulletin to ensure understanding of how the Privacy Rule works in emergency situations.
The helpful guidance includes the assurance that information can be shared to avoid “imminent danger,” but only to the extent consistent with state statutes, regulations and case law.
Privacy Officers will also be glad to know that, if the President declares an emergency or disaster and the Secretary of HHS declares a public health emergency, the Secretary may waive sanctions or penalties against hospitals that fail to distribute privacy notices to the hundreds or thousands of victims that come streaming into the ED for help.
Those readers who are not covered entities or business associates, and thus not required to comply with the HIPAA Privacy Rule, will be relieved to find out that they may voluntarily comply if they want to.
On a serious note, since so many of the enforcement provisions key off state law, even in the event of a catastrophe, it is essential for institutions to build state requirements into their policies and procedures.