HIPAA

New HIPAA Case: Changes for Penalties on the Horizon?

Shannon B. Hartsfield

To date, there has been little consistency in how Health Insurance Portability and Accountability Act (HIPAA) requirements are enforced by the U.S. Department of Health and Human Services (HHS), or in the amount of settlements or penalties. In Univ. of Texas M.D. Anderson Cancer Ctr. v. U.S. Dept. of Health and Human Servs. No. 19-60226, 2021 WL 127819 (5th Cir. Jan. 14, 2021), the court vacated significant penalties against M.D. Anderson Cancer Center (M.D. Anderson) in a manner that could lead to changes to HIPAA enforcement in the future. The court found that HHS' decision to fine M.D. Anderson $4,348,000 "was arbitrary, capricious, and contrary to law."

Three security incidents preceded M.D. Anderson's suit. In 2012, a faculty member's unencrypted laptop containing electronic protected health information (ePHI) was stolen. In that same year, a trainee lost an unencrypted USB thumb drive containing ePHI. In 2013, a researcher misplaced an unencrypted thumb drive that also contained ePHI. After M.D. Anderson reported these incidents to HHS as required, HHS determined that M.D. Anderson had violated rules promulgated under HIPAA and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act). These rules related to a requirement to "[i]mplement a mechanism to encrypt" ePHI or adopt another method to limit access to ePHI. HHS also concluded that M.D. Anderson had committed an impermissible "disclosure" under HIPAA. In addition, HHS concluded that, under its enforcement authority (42 U.S.C. §1320d-5(a)(1)(B)), it could impose $1,348,000 in daily fines for violation of the regulations regarding encryption, and a total of $3 million for violating HIPAA's restrictions on disclosures.

M.D. Anderson went through two levels of administrative appeal unsuccessfully. Once M.D. Anderson filed a petition in federal court for review of the fine, HHS determined that "it could not defend a fine in excess of $450,000." The court granted M.D. Anderson's petition for review because the civil money penalty (CMP) that HHS sought to impose "violates the Administrative Procedure Act (APA)." The court cited four reasons for its conclusion that the CMP order was "arbitrary, capricious, and otherwise unlawful." First, the court found that HIPAA merely requires the implementation of "a mechanism" to encrypt and decrypt ePHI, and M.D. Anderson had done that and had furnished the mechanism to employees. Although HHS argued that M.D. Anderson should have done more to protect ePHI, HHS was incorrect in finding that M.D. Anderson had failed to encrypt ePHI at all just because three devices were unencrypted. The court noted that the regulation "does not require a covered entity to warrant that its mechanism provides bulletproof protection of 'all systems containing ePHI.'" The court went on to observe that the regulation does not protect covered entities more if they work harder to encrypt ePHI and, "[i]f HHS wants to police just how herculean a covered entity must be in encrypting ePHI, the government can propose a rule to that effect and attempt to square it with the statutes Congress enacted."

The court considered HHS' interpretation of HIPAA's prohibition on disclosure as the second basis for vacating the CMP. The administrative law judge concluded that a covered entity unlawfully releases ePHI any time it loses control of ePHI, regardless of whether anyone outside the covered entity actually accesses it. The court noted that HHS' definition of disclosure indicates "an affirmative act of disclosure, not a passive loss of information ... It defies reason to say an entity affirmatively acts to disclose information when someone steals it." The court also noted that HHS could not prove that the ePHI was stolen by someone outside the entity. Unless the ePHI is sent outside the entity, it is not a disclosure.

The third reason the court gave for deciding in favor of M.D. Anderson related to HHS' enforcement of the CMP rule against only certain covered entities. The court noted that "[i]t is a bedrock principle of administrative law" that the government must treat similar cases alike. The court observed that a number of covered entities that failed to encrypt ePHI received no penalties.

As the fourth basis for its decision, the court questioned the penalty. Congress specified that violations due to "reasonable cause" and not "willful neglect" could not exceed $100,000 for all violations of an identical requirement or prohibition during a calendar year. Nevertheless, HHS determined that the calendar year cap was $1.5 million. The court found that this was "arbitrary, capricious and contrary to law." In a "Notice of Enforcement Discretion Regarding HIPAA Civil Money Penalties," HHS conceded in April 2019 that it had incorrectly interpreted the statutory caps. The court noted that, "[i]n addition to nonsensically conflating the fault levels specified by Congress, HHS's interpretation rendered meaningless surplusage the statutory cap for reasonable-cause violations." Additionally, the court noted that HHS' own regulations require it to assess a number of factors in assessing CMPs, such as whether the violation caused physical, financial or reputational harm, and whether the violation impaired an individual's ability to obtain healthcare.

It remains to be seen whether this case will lead to new enforcement practices at HHS. The reasoning in this case bolsters arguments that penalties should not be assessed in situations where the entity has a HIPAA compliance program in place, but nevertheless experiences a loss of ePHI or some other incident. Although it could lead to reduced penalties due to HHS' previous incorrect interpretation of penalty caps, the case could result in increased imposition of penalties in breach cases. Therefore, it is important that covered entities and business associates continue to maintain robust HIPAA and HITECH Act compliance programs.

Enforcement

Dismissal for Failure to Plead Sufficient Presentment, Use and Retaliation FCA Claims

Alexis K. Mason

In United States v. Prometheus Laboratories, Inc., Case No. 8:18-cv-2931-T-33AAS, 2020 WL 6203527 (M.D. Fla. Oct. 22, 2020), the relator, an employee at Prometheus Laboratories (Prometheus), filed a qui tam suit pursuant to the False Claims Act (FCA), 31 U.S.C. § 3730(b)(2), which alleged that in an effort to increase sales, Prometheus 1) unlawfully promoted Proleukin for uses not approved by the U.S. Food and Drug Administration (FDA); 2) caused Proleukin to be misbranded; 3) intentionally misled prescribers and patients into thinking Proleukin was comparable to newer, better drugs when Prometheus knew it was not; and 4) engaged in an off-label marketing scheme by directing employees to a) distribute non-FDA approved publications and b) emphasize off-label information. The suit further alleges that Prometheus 5) instructed providers to miscode diagnosis-related group (DRG) codes to allow hospitals to receive higher reimbursements from government healthcare programs and 6) participated in a fraudulent kickback scheme in which Prometheus made concerted efforts to influence specific oncologists to treat patients with Proleukin in exchange for free marketing to increase their referrals. The relator alleged that when he reported the fraudulent scheme to Prometheus, he was terminated in retaliation. The matter came before the court in connection with Prometheus' motion to dismiss the complaint for failure to state a claim.

The court dismissed the relator's count for "Presentation of False Claims" under the FCA (§ 3729(a)(1)(A)), and noted that in FCA "presentment" cases, the actual submission of the claim must be pled with particularity and not simply implied from the circumstances. In the instant case, the relator alleged that Prometheus presented fraudulent claims, but the complaint was devoid of any proof. Furthermore, the relator alleged that Prometheus caused false claims to be presented because 1) Prometheus' off-label marketing caused physicians to submit false claims, and 2) Prometheus instructed hospital staff to incorrectly code doses of Proleukin, resulting in the submission of false claims. The court noted that the relator failed to provide information to allege that fraudulent claims were submitted with a sufficient indicium of reliability (e.g., information about specific fraudulent bills or claims for reimbursement, dates of such bills or claims, or particular providers that allegedly submitted the false claims).

The court also dismissed the relator's count for "Making and Using False Records and Statements" under the FCA (§ 3729(a)(1)(B)), and noted that in FCA "use" cases, the claim must identify the particular document and statement alleged to be false, who made or used it, when the statement was made and how the statement was false such that it was material to a false claim. In the instant case, the relator offered the following statements (among others) to substantiate his use claim: 1) Prometheus employees distributed pamphlets containing off-label information to physicians, and 2) Prometheus instructed providers to deliberately miscode DRG codes. The court noted that the relator did not specify with particularity when the false statements were made, how such statements were false such that they were material to a false or fraudulent claim (e.g., facts that show such statements impacted the physicians' decision to prescribe Proleukin) or the existence of any such false claim.

Last, the court dismissed the relator's count for retaliation under the FCA (§ 3730(h)), and it noted that in retaliation claims, a plaintiff must allege 1) that the employee engaged in protected conduct under the FCA and 2) a causal connection between his/her protected conduct and the allegedly retaliatory actions he/she suffered. In the instant case, the relator claims that he documented the fraudulent activity in a report he intended to submit to his supervisor, and also reported his concerns to corporate officers (among others). The court noted that the relator did not specify which scheme he brought to his employer's attention or if he alerted them to anything that would offer sufficient notice thereof (e.g., possible false claims filed by medical providers), and that the relator had not yet filed the suit when he was terminated in early 2018. The holding indicates that reports of regulatory failures without a connection to fraudulent claims knowingly submitted to the government do not constitute protected conduct under the FCA.

Failure to Plead with Specificity Leads to Dismissal of Claimed Countywide Fraudulent Scheme

Nathan A. Adams IV

In United States ex rel. Lanahan v. Cnty. of Cook, No. 17C5829, 2020 WL 6894395 (N.D. Ill. Nov. 24, 2020), the court dismissed the relator's complaint alleging a broad scheme by the county to defraud the U.S. in violation of the FCA, Anti-Kickback Statute (AKS) and Stark Law without adequately alleging the who, what, when, where and how of the alleged fraud. The relator claimed that county certifications for federal grant awards to the Cook County Health and Hospital System (CCHHS) were false; the county used the CCHHS Enterprise Fund to launder the illicit proceeds from false claims for grants by applying the funds as profit to CCHHS; CCHHS used a non-certified public health department as fiscal agent for a grant award for which only certified public health departments such as CCHHS were eligible; the county and Hektoen Institute of Medicine participated in a kickback scheme involving federal grant funds; at least one former physician received cash benefits in exchange for Hektoen's fiscal management of a federal grant; and the county certified cost reports to the Centers for Medicare & Medicaid Services (CMS) that were false. But the relator did not plead the submission of a false statement to the government for payment at all, failed to allege specific dates except dates pertaining to alleged activity after payments were disbursed to county accounts, and did not plead that the county submitted a false statement to the government for payment in the form of a claim or false certification of compliance and, thus, failed to plead the falsity of any claim.

Provider FCA Liability for Falsely Certifying CPT Code Billing Requirements

Sakinah N. Jones

In United States ex rel. Montcrieff v. Peripheral Vascular Assocs., P.A., No. SA-17-CV-00317-XR, 2020 WL 7342662 (W.D. Tex. Dec. 14, 2020), relators alleged that the defendant, a full-service vascular surgery practice, falsely billed Medicare for vascular ultrasound services it did not perform, either in whole or in part. Vascular ultrasounds have two components relevant to the case: a technical component (the ultrasound) and a professional component (the physician's interpretation of the ultrasound). The two components can be billed separately or the components can be billed jointly. The relators claimed that the provider misrepresented the services it performed by billing Medicare using a five-digit global Current Procedural Terminology (CPT) code, which is used when both the technical and professional components have been performed. However, the services were billed before the generation of a written report reflecting the physician's interpretation of the study; i.e., before the professional component had been completed.

According to the CPT Manual, a written report is required when using any radiological imaging code, including the global CPT code for vascular ultrasounds. Therefore, the generation of a written report is required to bill the professional component, whether separately or globally. The court found that the provider violated the FCA when it failed to generate a written report for the professional component and when it submitted bills to Medicare that represented the wrong rendering physician, which the court described as "plainly a false claim." The court denied the provider's motion for summary judgment in whole. It granted the relators' motion for summary judgment in part as to the wrong provider claims and denied it in part finding that fact issues existed as to whether the remaining alleged false bills were material to the government's reimbursement decision. The court also found that the provider acted knowingly, satisfying the scienter requirement of FCA liability by submitting forms to Medicare certifying that it had completed the professional component of a vascular study when it had not done so.

Collection of Patient Information Found to Be Referral Under Anti-Kickback Statute

Brian P. Murray

In Stop Ill. Health Care Fraud, LLC v. Asif Sayeed, Physician Care Servs., S.C., Case No. 12-cv-09306, 2020 WL 6896265 (N.D. Ill. Nov. 24, 2020), the court refused to enter a directed verdict for the defendant under AKS (42 U.S.C. § 1320a-7b). Defendant Management Principles Inc. (MPI) entered into a contract with a community care organization, Healthcare Consortium of Illinois (HCI), which coordinated services for low-income seniors such as "Meals on Wheels" and medical services that would enable the seniors to remain in their own housing longer. Under the contract, MPI paid HCI $5,000 per month over 18 months to ostensibly secure HCI's advice and counsel, but also purportedly allowed MPI to access HCI's raw client data such as client names, contact information and insurance information.

The plaintiff alleged that MPI's payments under the agreement were intended to secure access to the client information in the HCI files that it then used to place solicitation calls to HCI clients. In order to prevail on its AKS claim, the plaintiff was required to prove by a preponderance of the evidence the following: 1) the offer or payment or the causing of any offer or payment of remuneration; 2) part of the purpose of which was to induce any person to refer an individual to a person for the furnishing or arranging for the furnishing of any item or service for which payment may be made in whole or in part under a federal healthcare program; 3) those items or services were paid for in whole or in part by a federal healthcare program; and 4) the purposeful inducement in No. 2 was knowing and willful.

The court evaluated whether the payments made under the management agreement were given in exchange for indirect referrals MPI gained through access to client files, which MPI used to solicit clients. The court stated that in its consideration of the definition of "refer," the Seventh Circuit has highlighted the need for an expansive definition to avoid defeating the central purposes of AKS, and that a referral is to be evaluated in a practical sense, focusing on substance, not form. Under the expansive interpretation, the court concluded that HCI's providing MPI access to client files that contained client contact information, which MPI then used to solicit those clients, would have the same effect as if HCI had directly referred those clients to MPI's services; therefore, this act is properly classified as a referral under AKS. The court deferred its findings on the issues of remuneration for the referral and safe harbor until after a bench trial.

Privacy

Attorney-Client Privilege Attaches to Communications Between Hospital's Lawyer and Independent-Contractor ER Doctor: Prior Decision to Contrary Reversed

Charles A. Weiss

In October 2019, Holland & Knight wrote about a decision of the intermediate appellate court in Washington state, Hermanson v. Multi-Care Health System, Inc., 448 P.3d 153 (Wash. App. 2019), which held that attorney-client privilege did not apply to communications between a hospital's attorney and a physician who worked in its emergency department but was not an employee of the hospital. Rather, the physician was an employee of a nonprofit entity called the Trauma Trust, which had been organized by several hospitals to improve and coordinate trauma care in the Tacoma, Washington area.

As explained in our earlier article (see "Healthcare Law Update: October 2019"), the court declined to follow cases in other jurisdictions holding that non-employee agents of an entity may be treated as employees for purposes of attorney-client privilege if their responsibilities make them functionally indistinguishable from actual employees. Further, as a consequence of rejecting this line of cases, the physician's non-employee status meant that the hospital's attorney was prohibited by Washington's "no contact" rule from speaking with him about the events in question without consent of the plaintiff/patient. We observed that this case illustrates one potentially unexpected result when members of a hospital's medical staff are not employees of the hospital: communications between them and the hospital's attorneys may not be privileged, and indeed might even be prohibited, even when their purpose is to defend the hospital from a patient's lawsuit.

We now report that the Washington Supreme Court reversed the lower court's decision, holding that the physician's employment by the Trauma Trust instead of by the hospital was not controlling. Hermanson v. MultiCare Health System, Inc., 475 P.3d 484 (Wash. 2020). First, even though the hospital and physician were not in an employer-employee relationship, they were nevertheless in a principal-agent relationship. Second, the physician's duties at and relationship to the hospital made him the "functional equivalent" of an employee.

The court was closely divided on these issues, with three justices dissenting. The dissenting opinion argued that the hospital had presumably structured its relationship with nonemployee physicians, who were categorized as "independent contractors" in the staffing agreement, in part to limit its liability. It agreed with the lower court that exceptions to Washington's "no contact" rule should be narrowly applied, and that the justifications for an exception in the case of communications between the attorney for a hospital and its physician employees with firsthand knowledge of facts bearing on the hospital's potential liability should not extend to other kinds of relationships, such as the independent-contractor relationship that existed here.

The potential importance of this case, given the variety of physician staffing models used by different hospitals, was reflected in the submission of a friend-of-the-court brief by the Washington State Hospital Association, the Washington State Medical Association and the American Medical Association. As noted in our previous article, the nuances and application of attorney-client privilege vary from state to state, but the Washington Supreme Court's rejection of the narrow application of privilege by the lower court was well-received in the Washington state healthcare community.
