Emerging Risks for Healthcare P&C Brokers April 3, 2014 1 Agenda • 9:00 Introduction Lindy Hardman, Beazley Broker Relations – Western Region • 9:00 Healthcare Regulatory Requirements Carolyn Conners and Kelly Webster, Beazley Underwriters HML • 9:30 Healthcare Claims Trends Kati Bynon, Beazley Healthcare Claims • 10:00 Break • 10:10 Stages of Risk During a Data Breach Alex Ricardo, CIPP\US, Beazley Breach Response Services • 10:30 HITECH: The Final Rule Lynn Sessions, Partner at Baker Hostetler • 11:00 Q&A 2 Healthcare Regulatory Liability Carolyn Conners and Kelly Webster Beazley Healthcare Management Liability 3 Healthcare Regulatory Environment • Healthcare fraud is estimated between $60B to $200B each year • In 2009 the Attorney General and Secretary of Health and Human Services (HHS) created the Health Care Fraud Prevention and Enforcement Action Team (HEAT) • Federal and state governments outsourcing oversight responsibilities • The Government’s ROI - for every dollar spent fighting fraud and abuse $8 is recovered. • ICD-10 will replace ICD-9 – Oct. 1, 2014 (Oct. 1, 2015) 4 Recoveries • In fiscal year 2013, the DOJ obtained $3.8B from fraud. Of this amount $2.6B were health care fraud recoveries. • Since January 2009 total recoveries under the False Claims Act were over $17B, of this $12.1B were in Federal health care dollars. • In the fiscal year 2012, RAC collected $2.4B in overpayments. • In 2012 whistleblowers earned more than $439M in share awards. • Fiscal year 2013 there were 3,214 exclusions of individuals and entities. • For FY 2013 there were 472 civil actions of individuals and entities. 5 Who’s Watching? • Department of Justice (DOJ) • Office of Inspector General (OIG) • Department of Health & Human Services (HHS) • Centers for Medicare & Medicaid Services (CMS) • Medicare and Medicaid Contractors o Zone Program Integrity Contractors (ZPICs) o Medicare Administrative Contractors (MACs) o Medicaid Integrity Contractors (MICs) o Recovery Audit Contractors (RACs) • Whistleblowers • Federal, state and municipal governments • Commercial Payors • Competition • Press 6 Fraud and Abuse Laws • False Claims Act – o Prohibits individuals and businesses from submitting false or fraudulent claims for payment to the government (applies to all government programs) o 1863, 1943, 1986 o Qui Tam “Whistleblowing” provision • Anti-Kickback Statute o Illegal kickbacks for referring patients • Stark Law o Physician Self-Referral Act – the act of referring a patient for services to a facility in which the physician has a financial interest • Exclusion Statute o Physicians who have been excluded from Medicare can not directly or indirectly bill the government for services • Civil Monetary Penalties Law o The Social Security Act authorizes HHS to seek civil monetary penalties and exclusion for certain behaviors 7 Annual FCA Recoveries by Industry *Gibson Dunn 2013 Year End False Claims Act Update 8 False Claims Act New Matters *Gibson Dunn 2013 Year End False Claims Act Update 9 Fines & Penalties • HIPAA o Civil and criminal penalties of $50K per violation with an annual maximum of $1.5M. • EMTALA o Hospital or Physician fines of up to $50K per violation • False Claims Act. o $5,500 - $11,000 for each item or service improperly claimed, and an assessment of up to three times the amount improperly claimed. • Anti-Kickback. o Criminal fines up to $25K and 5 years in prison for each violation. Civil fines up to $50K per violation and up to 3 times the amount of the kickback. • Stark. o Civil fines and penalties of up to $15K for each service as well as up to 3 times the amount claimed. 10 Government’s Targeted Healthcare Industries • Pharmaceuticals • Medical device / Durable medical equipment • Hospitals • Nursing homes / Assisted living / Long term care • Residential treatment facilities • Mental health organizations • Hospices • Home health agencies • Nursing facilities 11 Examples of violations • Billing for services not rendered • Medically unnecessary • Unbundling • Bundling • Double billing • Up-coding • Billing for brand • Kickbacks • Improper referral arrangements 12 Emerging Trends • Meaningful use audits • Executive compensation • Readmission penalties • Whistleblowers • Reverse False Claims • Self Disclosure Protocol • Commercial payor audits 13 Risk Transfer Solutions Directors & Officers • Sublimit of up to $1,000,000 • Coinsurance as high as 50% • Retentions averaging $1,000,000 • Damages rarely cover fines and penalties • Typically defense only • Claim triggers vary Standalone Regulatory Liability • Up to$10,000,000 capacity available on primary • Ability to structure towers of capacity • Fines and penalties covered • Lower coinsurance • Very early claim trigger 14 Expenses Resulting from Regulatory Actions • Legal fees • Shadow auditors / billing consultants / Forensic auditors • Medical experts • Public Relations • Civil and criminal fines and penalties • Data management consulting • Cost of Implementing a Corporate Integrity Agreement • Cost of implementing Compliance Program / Employees / Training • Disgorgement of profits / restitution 15 Best Practices for Health Care Providers • Compliance officer • Compliance plan • Board needs a system for candid reporting • Active compliance help‐line (and follow up) • Effective compliance training program • Robust audit function (Internal and external) • Written policies, procedures, standards of conduct • Thorough exclusion screening process • Favorable benchmarking against similar area providers • Credentialed coders 16 Underwriting • The nature of the organization • Officer position structure • Audited financials • Payor Mix • Compliance program review • Billing practices • Prior claims – outcome • Audits conducted by government contractors and the outcome (appeal success rate) • Application (including required attachments) • Conference call or face to face meeting for larger insured’s 17 Claim Examples Organization Damages Allegations Florida-based sleep diagnostic company $15.3M settlement. False claims misrepresenting technician credentials Urgent Care Chain $10M settlement. Unnecessary allergy, virus and respiratory testing upcoding Florida health system $26M settlement. Miscoding outpatient service claims as more expensive inpatient services. – whistleblower – State & Federal FCA Largest healthcare system in Utah $25.5M settlement. Violated FCA by engaging improper financial relationship with referring physicians South Carolina hospital $39M verdict. Improper patient referrals Rhode Island Health System $2.6M in disgorgement and $2.7M in damages Doctors billed Medicare and Medicaid for unnecessary overnight hospital stays Medical Center in Iowa 406K settlement The OIG alleged that they employed an individual that it knew or should have known was excluded Texas dialysis provider $7.3M settlement. Billing for phantom services in violation of FCA by charging for more of a drug than actually administered. Whistleblower received $1.3M Medical Center in KY Ongoing investigation Alleged that the medical center completed 28% more heart stents than any other hospital in the area 18 Regulatory Resources 19 Specialty title slide grey Healthcare Claims Trends Kati Bynon Healthcare Claims Manager April 3, 2014 Overview: What is everyone feeling? What Are You Feeling � � � � � � Some types of cases getting a little harder to resolve? Cases lifespans are increasing? Increased anxiety? Verdicts getting bigger? Settlement values creeping up? Legal expenses increasing? What We’re Seeing � It’s NOT your imagination � Claims environment is changing � Certain classes of claims are becoming more difficult to settle for reasonable amounts � It’s not all Claims! Claims Environment – Claims vs. Actuaries Claims We are currently managing approximately 3,000 open claims across our Hospital, Long Term Care and Miscellaneous Medical portfolios. Risks range from primary duty to defend accounts with low retentions, to accounts with very large underlying amounts. � Claims are viewed on a Year of Account basis. � Good at providing current on the ground observations and perceived trends. � Weak at providing historical context. � Perceptions can be subjective. Actuarial The Beazley Healthrate database is populated with 617,000 Professional Liability claims from hospitals submissions, from 1991 to 2013, and represents 39% of the nation’s hospital beds. � Actuarial trends are retrieved from losses by closed date. � Good at providing historical perspective on loss development. � Rearward looking. � Less useful at picking up emerging trends. In California our database is representative of 44% of the beds Claims Perspective � Volume: Overall volumes are steady, but the number of “large” claims is increasing � Size: The big claims are getting bigger. Plaintiffs are trying to make $10m the new $5m. Our highest paid claims have all been made in the last 12 months � Venue: “Bad” states seem to be getting worse, but the “good” states are getting tougher as well � Plaintiffs’ Bar: Top tier plaintiffs’ firms are getting more aggressive and demanding more. More often than not, severe cases are requiring multiple mediations � Anxiety: Certain insureds seem to be more anxious and likely to overpay Actuarial Perspective and Severity Claim Trends – Overall vs Tort Reform California Claims Severity Average incurred cost per closed claim California Claims Severity Average incurred cost per closed claim limited to $2m and unlimited $400,000 $350,000 $300,000 $250,000 $200,000 $150,000 $100,000 $50,000 $0 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 Closing Year Limited to $2m Unlimited The trend in California is even more steep when we look at claims severity unlimited. We should note how the gap between limited severity and unlimited is widening, as a sign of a larger number of large claims being paid in the last few years. 7 California Claims Severity Proportion of claims closed above $2m California Claims Severity Average indemnity California Claims Severity Average defense costs Getting Walloped for a $20,000,000 Verdict: The Good Old Days. � CT: Birth injury trial in CT resulting in a $58m verdict. (May 2011. State Record) � PA: Birth injury case tried in Philadelphia resulting in a $78m verdict. (July 2012) � MI: Birth injury trial in Oakland County, MI, resulting in a $144m verdict. (October 2011. State Record) � FL: Severe neurologic injury to an adult male follow bariatric surgery resulting in a $178m verdict. (January 2012) � CA: Alleged sexual assault of a 30 year old patient resulting in a $65m verdict. (November 2011) � CA: Birth injury claim resulting in a $74.5m verdict. (April 2012) � FL: Long Term Care case in Tampa resulting in a $900m verdict. (February 2012) � AL: $140m in AL for a Wrongful Death Claim. (December 2012) � NY: Birth injury claim resulting in a $130m in Nassau County, NY.(April 2013) Not Just the Usual Suspects � CO: Alleged paralysis to a 36 year old man resulting in a $15m verdict. (April 2012. State Record) � WY: Alleged paralysis to an adult male secondary to an alleged failure to diagnose a neck fracture resulting in a $9m verdict. (November 2011. State Record) � ME: Alleged wrongful death of a 44 year old man resulting in a $6.7m verdict. (June 2011. State Record) � VA: Alleged failure to timely diagnose impending myocardial infarction to a 37 year old resulting to diminished life expectancy. $25m verdict. (February 2013. State Record) And the Settlements Follow Along…  IL: Power Rogers & Smith case in Cook County, IL, involving quadriplegia to a 47 year old following a trucking accident resulting in a $25m settlement  NY: $17.9m settlement for allegations of failure to timely treat infection resulting in quadruple amputation  GA: $7.5m settlement for alleged overdose of potassium in pediatric patient resulting in brain damage  AL: $12m settlement for alleged neurological injury in pediatric patient  IL: $20m settlement for allegations of failing to respond to cardiac arrest post-surgery in three year old resulting in brain damage  FL: $11.5m settlement for allegations of failure to timely deliver infant plaintiff causing brain damage Recent California Verdicts and Settlements of Note � Sacramento County (2013)– $27m verdict for alleged elder abuse involving the death of an elderly patient. � San Francisco County (2013) - $38.6m verdict for alleged tetraplegia as a result of the failure to diagnose and treat an evolving ischemic stroke in a 19 year old. � Santa Clara County (2012) – $22m verdict for medical malpractice action involving quadriplegia following medical procedure � St. Louis Obispo County(2012)– $74m verdict for alleged birth injury failure to diagnose vascular injury resulting in amputation of 14 year old leg. � Sacramento County (2013) - $9m settlement in a birth injury case � Los Angeles County (2013) $7.5m settlement involving alleged brain damage in infant born after mother’s ruptured uterus deprived infant of oxygen during delivery. � Anonymous County (2013) - $10m settlement in a birth injury case Common Factors: 1%’ers �Recognized/Successful Plaintiff’s Counsel �Poor Liability Pictures �Potential for Significant Damages �Inflammatory Facts �Generally Venued in “Bad” States �Increased Expectations Drivers/Consequences � Top plaintiffs’ firms are demanding a premium. � Second tier plaintiffs’ firms want to emulate the top firms. � Bad cases are becoming more difficult to settle for the usual amounts. � Cases that would have been settled in the past are being tried, resulting in more large verdicts. � Increased anxiety among providers and potential for panic-based decisions. � Increased tension between insureds and insurers. Where do you draw the line? Case Example 1 (What not to do) Facts: � Alleged anesthesia error during non-invasive procedure on infant patient causing significant neurological injures � Well known plaintiff’s counsel � Difficult venue with multiple excess verdicts � Minimal expert support Issues: � Plaintiffs were unwilling to negotiate until a week before trial when they demanded $50m � Hospital quickly responded with offer after offer, even when they were not being matched in reductions of demand Strategy: � The strategy was to throw money at the case in the hopes of shutting it down at all costs Outcome: Within 5 working days, the case was resolved for excess of $25m Case Example 2 (What to do) Facts: � Alleged failure to diagnose and timely treat a developing infection in a then 23 year old woman following delivery of a healthy infant resulting in the amputation of both legs (above the knees) and arms (above the elbow). Issues: � Significant publicity surrounding plaintiff’s condition � Top tier plaintiff’s firm (Initial Demand of $90m) � Indefensible from liability standpoint � Significant future care costs Strategy: � Dig in, engage in multiple mediations � United front between Insured/Excess Insurer � Leverage causation arguments Outcome: Case resolved before trial for $8.5m Holding the Line �On the big cases, it is not business as usual �Prepare for trial, not settlement �“Just say no” �Try the right cases �Partnership between insured, broker and insurer �Let someone else be the easy target Thank you Kati Bynon t: 646-943-5917 a: 1270 Avenue Of The Americas, 12th Floor, New York, NY 10020 e: kati.bynon@beazley.com Stages of Risk During a Data Breach The “new” HIPAA Alex Ricardo, CIPP/US Breach Response Services Lynn Sessions, Esq. Baker Hostetler What we are NOT doing today Providing Legal Advice o Informational Purposes Only o You should consult with Privacy Counsel for any decisions surrounding your Incident Response Plan or Data Breach Response Methodology 41 Agenda • Healthcare Breaches and Fines • A Brief Review of Data Breaches and Breach Response • How NOT to Respond to a Data Breach – a Case Study • Regulatory Landscape – “The new HIPAA” 42 Healthcare Breaches & Fines Healthcare Breaches – “in the news” • June 2013 – Bon Secours – 5,000 patients due to breach of electronic records • June 2013 – University of Florida Pediatric Clinic – 5,682 patients and parents due to insider leaking information to criminals • February 2013 – Sonoma Valley Hospital – 1,350 patients due to internet exposure of unsecured section of website. (sometimes called “Google Search”-breaches) • January , 2013 – Lucile Packard Children’s Hospital – 57,000 patients – stolen laptop from physician’s car • January 2013 – New York Hospital – 9,887 patients due to Hurricane Sandy and structural damage to facility and unauthorized individuals on premise 44 Healthcare Breach Litigation & Fines – “in the news” • January, 2013 – FTC Settles with CBR Systems (Blood Bank) for Failure to Protect Data – 20 year consent decree • January, 2013 – Goldthwait Associates, Pathology Group pay $140,000 to settle claims that patients’ PHI was disposed of improperly • January, 2013 – • May, 2013 – Hospice of North Idaho fined $50,000 by OCR for a 441 person breach Idaho State University – $400,000 settlement involving 17,500 patients for violating HIPAA Security Rule • June, 2013 – Shasta Regional Medical Center fined $275,000 for CEO and CMO discussing with media on medical services of a patient • August, 2013 – Woman awarded $1.44M against Walgreens due to pharmacist sharing prescription history 45 Physicians’ and Clinic Breaches – “in the news” • April, 2013 – Documents containing personal information of patients left on Brooklyn sidewalk after medical supply company closes down. • April, 2013 – Family Health Enterprise notifies patients after laptops stolen in office • April, 2013 – Patient records found outside an evicted dental clinic in Detroit’ • March, 2013 – Medical assistant stole patient information • February, 2013 – Lee Miller Rehab Associates, MD – stolen network server • February, 2013 – American Home Patient – Stolen laptop • February, 2013 – Subcontractor responsible for Wisconsin’s River Falls Medical Clinic breach of 2400 clients • January, 2013 – Patients’ personal information found in dumpster outside dentist’s office in Aurora, Colorado • January, 2013 – ABQ Health Partners’ stolen laptop. • November, 2012 – Surgical Associates of Utica – stolen network server 46 A Brief Review of Data Breaches and Breach Response What is a Data Breach? • Actual release or disclosure of information to an unauthorized individual/entity that relates to a person and that: o May cause the person inconvenience or harm (financial/reputational)  Personally Identifiable Information (PII)  Protected Healthcare Information (PHI) o May cause your company inconvenience or harm (financial/reputational)  Customer Data, Applicant Data  Current/Former Employee Data, Applicant Data  Corporate Information/Intellectual Property 48 Types of Data Security Breaches • Improper Disposal of Data o Paper  Un-shredded Documents  File cabinets without checking for contents  Prescription Bottles  X-Ray Images o Electronic assets  computers, smart phones, backup tapes, hard drives, servers, copiers, fax machines, scanners, printers • Phishing/Spear Phishing Attacks • Network Intrusions/Hacks/Malware Viruses • Lost/Missing/Stolen Electronic Assets • Mishaps due to Broken Business Practices • Rogue Employees 49 A Simplified View of a Data Breach Response Methodology Discovery of an Event Evaluation of the Event Managing the Short-Term Crisis Handling the Long-Term Consequences Class-Action Lawsuits Theft, loss, or Unauthorized Disclosure of Personally Identifiable Non-Public Information or Third Party Corporate Information that is in the care, custody or control of the Insured Organization, or a third party for whom the Insured Organization is legally liable Notification and Credit Monitoring Regulatory Fines, Penalties, and Consumer Redress Forensic Investigation and Legal Review Reputational Damage Public Relations Income Loss 50 Why we should be careful with the word “Breach” Perception is Half the Battle o People use “breach” too frequently and you don’t want your customers or regulators to think you are subject to numerous breaches o “Breach” suggests something bad happened or is going to happen o “Breach” has legal significance  Train your Incident Response Team to not use “Breach” within internal communications as you vet out or investigate the “Security Incident” 51 How NOT to Respond to a Data Breach A case study Don’t assume you know the facts. • Entity Affected: Hospital • Incident Details: Hospital did a “disaster drill”. Set up 20 laptops, one in each ER suite. To replicate lost power, each laptop was to be set up with all 500,000 EHRs of the hospital. During course of drill, 1 laptop went missing. • Initial Response: Hospital called a press conference to acknowledge a loss of 500,000 EHRs. They held the press conference BEFORE the investigation. • Investigation: Investigation identified time of loss via surveillance cameras in the ER. IT reviewed network logs for downloading the 500,000 EHRs to each laptop and noticed 1 laptop did not receive the 500,000 EHRs. Investigation took 48 hours. • Conclusion: It was forensically concluded that the missing laptop was stolen BEFORE the download of 500,000 records occurred. • Data Format: Electronic • Information Compromised: PHI • Breach Universe: ZERO – “Non-Event” • Aftermath: The hospital had to hold a second press conference about the “false alarm”. 53 Alex Ricardo, CIPP/US Breach Response Services Beazley Group Rockefeller Center 1270 Avenue of the Americas New York, NY 10020 t: +1 (917) 344 3311 c: +1 (646) 477 1321 e: alex.ricardo@beazley.com For More Information: www.beazley.com “It’s bad enough a company may possibly face liability from the data breach itself. The last thing you want is to create further liability exposure from how you respond to the incident. Making sure you are kept in the best defensible position possible during the course of your breach response methodology should be a priority.” The descriptions contained in this broker communication are for preliminary informational purposes only. The product is available on an admitted basis in some but not all US jurisdictions through Beazley Insurance Company, Inc., and is available on a surplus lines basis through licensed surplus lines brokers underwritten by Beazley syndicates at Lloyd's. The exact coverage afforded by the product described herein is subject to and governed by the terms and conditions of each policy issued. The publication and delivery of the information contained herein is not intended as a solicitation for the purchase of insurance on any US risk. Beazley USA Services, Inc. is licensed and regulated by insurance regulatory authorities in the respective states of the US and transacts business in the State of California as Beazley Insurance Services (License#: 0G55497). 54 HIPAA/HITECH UPDATE Lynn Sessions lsessions@bakerlaw.com @lynnsessions 713.646.1352 Blog: www.dataprivacymonitor.com Lynn Sessions Lynn Sessions focuses her practice on providing legal services to healthcare industry clients, including hospitals, integrated delivery systems, healthcare providers, and academic medical centers. Using her prior in-house experience at Texas Children’s Hospital, Lynn represents and provides legal counsel to clients on a variety of privacy and data security matters from an in-house counsel and client perspective. Lynn works with clients to ensure they are in compliance with HIPAA/HITECH regulations, develops proactive compliance programs, provides counsel in response to a privacy or data breach, and works with clients to ensure the effective development of preventative data privacy and security measures. Lynn has worked with clients where multiple parties in various states were involved in high stake data privacy security breaches. She is experienced in applying federal HIPAA/HITECH regulations and specific state privacy and breach statutes and the OCR and other regulatory investigations that follow. Lynn has handled internal investigations on a large and small scale. These investigations are focused on protecting health care providers and their customers from privacy and data breaches, and fraud and identity theft. Ms. Sessions has also worked with clients to develop preventative data privacy and security strategies to avoid potential security breaches, including development of policies and procedures, breach response teams and training programs. OCR Resolution Agreements Providence Health & Services ($100K) CVS Pharmacy ($2.25M) Rite-Aid ($1M) Management Services Organization of Washington ($35K) Cignet ($4.3M) Massachusetts General Hospital ($1M) UCLA Health Services ($865K) Blue Cross Blue Shield of Tennessee ($1.5M) Alaska Medicaid ($1.7M) Phoenix Cardiac Surgery, P.C. ($100K) Massachusetts Eye and Ear Infirmary ($1.5M) Hospice of North Idaho ($50K) Idaho State University ($400K) Shasta Regional Medical Center ($275K) WellPoint ($1.7M) Affinity Health Plan ($1.2M) Adult Pediatric & Dermatology, P.C. ($150K) Skagit County ($215K) What Has OCR Said About Enforcement? “This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented. These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.” Director OCR Leon Rodriguez HIPAA Final Rule  Business Associates are directly liable  Assurances of safeguards required  Calculation of CMPs clarified  Breach is presumed  Breach analysis modified  Other clarifications Business Associate Liability  Directly liable for regulatory compliance  Limited to contract with Covered Entity  CE not absolved from reporting responsibility  Both parties may be investigated by OCR/AGs  Both parties may be sued Business Associate Agreements are Critical 60 Calculation of Civil Monetary Penalties (CMPs)  §160.408 Factors considered in determining the amount of a civil money penalty.  The Secretary MUST consider a list of mitigating or aggravating factors. – The nature and extent of the violation (number of individuals affected, time period during which the violation occurred, the  number of individuals affected.  time period during which violation occurred.  the nature and extent of resulting harm (physical harm, reputational harm, or financial harm).  whether the violation hindered ability to obtain health care (“facilitated” removed). Calculation of Civil Monetary Penalties (CMPs)  The Secretary MUST consider a list of mitigating or aggravating factors – The history of prior compliance and attempts to correct indications of noncompliance. – Response to technical assistance from the Secretary. – Response to prior complaints. – Financial condition of CE or BA. – Size of the BA or CE. – Such other matters as justice may require. What Is A Breach? Baseline definition of a breach remains unchanged.  §164.402: Breach means the acquisition, access, use, or disclosure of protected health information in a manner not permitted under Subpart E of this part which compromises the security or privacy of the protected health information. Breach Analysis  An acquisition, access, use, or disclosure of protected health information in a manner not permitted . . . is presumed to be a breach  Unless, the CE or BA can demonstrate that there is a low probability that the PHI has been compromised based on a risk assessment  Compromise is not defined Risk Assessment  Risk Assessment ‒ Documented ‒ Based on at least 4 factors     The nature and extent of the PHI The unauthorized person involved Whether the PHI was actually acquired or viewed Extent to which any risk has been mitigated Reporting/Notification Obligations  Notification, in situations where the use or disclosure is so inconsequential, is not warranted because it may cause the individual unnecessary anxiety or even eventual apathy if notifications of these types of incidents are sent routinely.  Notification to patients and media within 60 days but substitute notice may occur after depending on circumstances.  Breaches under 500 must be reported no later than 60 days after the calendar year in which they were discovered, not when they occurred.  Notification to the Secretary must occur at same time as notice to individuals for breaches over 500. What does it mean?      Expect to have more breaches reported Greater scrutiny and enforcement Increased CMP amounts CE and BA relationship tension More litigation – Class Action – Personal litigation 67 Litigation • Hollenbach v. Catholic Health Initiatives, Case No. 11-10855 (Berks County, Pennsylvania Court of Common Pleas) • Garcia v. Sutter Medical Foundation et al., Case No. RG11604927 (Alameda County, Superior Court) (putative class action complaint alleging violations of the Confidentiality of Medical Information Act) • Atkinson v. Sharp Memorial Hospital, Case No. 37-2011-00102684 (putative class action complaint alleging violation of the Confidentiality of Medical Information Act) • Zacarias v. Eisenhower Medical Center, Case No. INC 1108128 (Riverside County, Superior Court, 2011) (putative class action complaint alleging violations of the Confidentiality of Medical Information Act and Customer Records Act) • Gonzalez v. South Broward Hospital District, Case No. 12-22437 (Broward County, Florida) (putative class action arising from alleged employee theft of patient information) • Burgess v. Blue Cross Blue Shield of South Carolina, N.D. Cal. 2012 (putative class action arising out of the recording of calls to a call center) • Care England In re: Women and Infants Hospital of Rhode Island (Civil Investigative Demand 2013-CPD-18) • Beson v. Park Nicollet Health Service, 12CV02171 (D. Minn. 2012) (putative class action brought pursuant to Fair and Accurate Credit Transactions Act) • Merring v. St. Clare’s Health System et al, Case No. MRS-L-379-12 (Morris County, Superior Court of New Jersey, 2012) (complaint alleging disclosure of protected health information) • Faircloth v. Adventist Health System et al, Case No. 2013-CA-009369 (Orange County, Florida) (putative class action arising from alleged employee theft of patient information) 68 HIPAA as Standard of Care Hinchey v. Walgreens, Indiana Superior Court (2013)  Jury Verdict of $1.44M  HIPAA does not create private cause of action  HIPAA establishes the standard of care for provider  Walgreens found vicariously liable for pharmacist 69 Regulatory Hot Buttons         Security risk analysis Risk management plans Encryption Business Associate Agreements Minimum necessary Documentation of breaches Policies and procedures Storing old data 70 Chicago Cincinnati Cleveland Columbus Costa Mesa Denver Houston Los Angeles New York Orlando Washington, DC www.bakerlaw.com © 2013 Baker & Hostetler LLP Q&A 72
© Copyright 2024 Paperzz