High-Stakes Medical Privacy Litigation: The Top HIPAA Threats and

Transcription

High-Stakes Medical Privacy Litigation: The Top HIPAA Threats and
Fifth National HIPAA Summit
November 1, 2002
High-Stakes Medical Privacy Litigation:
The Top HIPAA Threats and
How to Avoid Them
Leigh-Ann M. Patterson, Esq.
Nixon Peabody LLP, Partner, Litigator on the HIPAA Task Force
Raymond Gustini, Esq.
Nixon Peabody LLP, Partner, HIPAA Task Force
Salvatore Colletti, Esq.
Pfizer Inc., Assistant General Counsel
High-Stakes Medical Privacy Litigation:
The Top HIPAA Threats and How to Avoid Them
Introduction
This session is about high-stakes medical privacy litigation in the context of what is
called “preventive law,” which is analogous to preventive medicine. To explain:
“Using the analogy with preventive medicine, preventive law is the legal specialty of
preventing the disease of litigation. Litigation is a serious disease that leaves its victims
financially and emotionally weakened and, in some cases, may lead to their economic
demise. It is a contagious disease characterized by a latent state with intermittent crises
(individual suits). Symptomatic treatment of the crisis phase may lead to a remission, but
the disease usually recurs in a more serious form. ... The disease cannot be cured, but it
can be controlled by carefully monitored therapy and regular checkups.”
~ National Center for Biotechnology Law
To this end, our session will cover the following:
I.
“Litigation 101”
• What is high-stakes litigation ?
• Why should you be concerned about it?
• How HIPAA and medical privacy issues lend themselves to high-stakes litigation
II.
The Top HIPAA Threats
• HIPAA 101 – brief overview of provisions discussed in session
• Low-stakes medical privacy exposure
• High-stakes medical privacy exposure:
(1) Inadvertent mass disclosure due to poor security
(2) Failure to follow one’s own privacy policies and procedures
(3) Medical data abuses or breaches by business associates
III.
How To Minimize the Risk of Future HIPAA Litigation
(a.k.a. How to Reduce Your Chances Of Becoming The First HIPAA Litigation
Posterchild)
• Think differently about HIPAA and Medical Privacy Issues
• Building a Strong Privacy Foundation
• Training, Awareness, and Self-Audits
B641906.2
2
I.
“Litigation 101”
A.
What is High-Stakes Litigation?
As an overview, the legal system in the U.S. has three general categories of personal
injury lawsuits. The first, and largest, category is known as “low-stakes” litigation. This type of
litigation involves a single plaintiff who has been injured in a common type of accident, such as
a car accident or a slip-and- fall. The injured plaintiff seeks restitution and compensation for her
injury. Her injuries are usually not severe and, as a result, her recovery is usually a low-dollar
amount.
The second category is known as “high-stakes” litigation. This type of litigation involves
many plaintiffs who have been injured in a common way by one or more defendants, such as in
the products liability context or the medical marketing context. The distinguishing characteristic
of this type of litigation is that the group of plaintiffs seek not only compensation, but also
deterrence of the defendants’ allegedly harmful conduct, which gives rise to the possibility of a
large damage award.
The third category is known as “mass torts” litigation and it is the smallest category of
cases. These cases involve a large number of plaintiffs who have been harmed by a single
defendant or product, such as the asbestos and Dalkon shield cases.
B.
Why Be Concerned About High-Stakes Litigation?
Companies need to be concerned about high-stakes litigation because it is the fastest
growing type of lawsuit in almost every one of the 50 state court systems. Over the past 10
years, not only has the sheer number of suits grown, but so have the average jury awards and the
plaintiffs’ chances of winning.
The stakes in these cases are higher -- for both plaintiffs and defendants -- than in the
other two types of personal injury cases because of the “deterrence factor.” The plaintiffs’
interest in deterring a defendant from future harmful conduct is realized by secur ing a large
punitive damages award. Plaintiffs’ attorneys often invest more resources in high-stakes cases
because of the potential for a high-dollar pay-off. The defendants’ interest in deterring future
high-stake litigation from being brought against them is realized by going to trial, winning the
case, and setting precedent. In some cases, the entire future of the company may rest on the
outcome of a particular piece of high-stakes litigation, making the company more willing to
invest big dollars in defending against the case, rather than settling. Many defendants fear that
settling such a suit will not be an effective deterrent. Indeed, many fear that settling will serve as
an invitation for others with similar complaints to file similar lawsuits. In short, the “deterrence
factor” gives both sides in high-stakes litigation big incentives to try the case rather than settle
out of court.
Serious risks exist in taking a case to trial, especially for defendants. First, the case could
be lost and a huge punitive damage award entered, which would set a dangerous precedent and
perhaps jeopardize the future financial viability of the defendant-company. Second, negative
B641906.2
3
publicity will be generated by a trial, especially if the press takes an interest in the case. Such
publicity could tarnish a company’s reputation and image, as well as damage existing customer
relationships. This is especially so because high-stakes cases tend to be highly-emotional cases
on the part of the plaintiffs, which lend themselves to dramatization. Publicity may also
encourage the filing of “copy cat” lawsuits against the defendant.
C.
How Do HIPAA and Medical Privacy Issues Lend Themselves to HighStakes Litigation?
HIPAA and medical privacy issues lend themselves to high-stakes litigation in two
fundamental ways: the ease of disclosure and the sensitivity of the information.
First, gone are the days of medicine in a manila folder. Historically, medical record
keeping consisted of a physician keeping notes on a sheet of paper placed in a manila folder kept
in the physician’s office. The modern-day medical information system is marked by medicine
on electronic and magnetic media. While technological advances arguably improve health care
delivery, the ease of collection, storage, and transmission of data over electronic networks poses
a threat to patient confidentiality and privacy.
Second, health care information is perhaps the most intimate, private, and sensitive type
of information maintained about a person. Used properly, medical records can be used to save
one’s life. Used improperly, disclosure can damage one’s reputation or be used for
discriminatory purposes in the employment context. The sensitivity of this type of information
makes medical privacy an emotionally- charged topic, which naturally lends itself to the highstakes deterrence game.
Indeed, the plaintiffs’ bar is keenly anticipating the opportunities that HIPAA presents,
calling HIPAA litigation the next “tobacco litigation,” “breast implant litigation,” etc.
II.
The Top HIPAA Threats
A.
HIPAA 101 – Brief Overview
As a brief overview, the general rule is that HIPAA prohibits “covered entities” from
using or disclosing protected health information (“PHI”), except as allowed by HIPAA. HIPAA
applies to certain health care entities – called “covered entities” – which include health care
providers, insurers (including corporate employers’ self- insured plans), and health care
clearinghouses (such as third-party administrators of self- insured plans).
HIPAA also restricts the use of health information by business associates of covered
entities. For purposes of the rule, a business associate is any entity or individual with whom the
covered entity does business, and includes accountants and lawyers. Business associates who
receive PHI are required to safeguard the information and restrict their use to the same extent as
the covered entity, and it requires that covered entities receive satisfactory assurances that
business associates will safeguard health information.
B641906.2
4
B.
Low-Stakes Medical Privacy Cases
Even though HIPAA’s privacy rule does not go into effect until April 2003, low-stakes
medical privacy cases based on state- law claims already abound. In general, these cases involve
an individual plaintiff claiming that medical information has been wrongfully disclosed to a
third-party. For example:
•
•
•
•
•
A patient sued the Washington Hospital Center in Washington, DC, when a
hospital employee revealed to the patient’s co-workers his HIV-positive status.
The patient was awarded $25,000 in damages for invasion of privacy.
A patient who had overdosed and was treated by an emergency medical
technician in Waukesha, Wisconsin, sued the EMT for disclosing the overdose to
the patient’s co-workers. The patient was awarded $3,000 in damages for
invasion of privacy.
A nurse sued the Emory School of Medicine when her supervisor posed as her
treating physician and wrongfully accessed her medical records without
permission. This suit is still pending.
An employee sued a San Francisco law firm that represented her employer,
claiming that the law firm wrongfully shared information, including a psychiatric
evaluation, about her workers’ compensation claim with one of the plaintiff’s coworkers. This suit is still pending.
A former patient of Johns Hopkins Hospital sued Johns Hopkins for $12 million,
alleging that the hospital wrongfully released his medical records to a former
friend and business partner. The court held that Johns Hopkins was not liable
because it did not knowingly release the information to the former friend. An
appeal is presently pending.
Some of these low-stakes cases are beginning to incorporate HIPAA into their state- law
claims and theories of liability for invasion of privacy, notwithstanding the fact that HIPAA does
not create a private right of action. One Court has already recognized that HIPAA sets a national
standard of care.
C.
High-Stakes Medical Privacy Cases
According to our research, the first high-stakes HIPAA medical privacy case has not yet
been filed, but by looking at trends in other areas of high-stakes litigation, such as products
liability, we surmise that the high-stakes HIPAA litigation is likely to fit the following profile.
1.
Inadvertent Mass Disclosure Due To Poor Security
Security is the framework within which all HIPAA’s privacy and transaction
requirements are implemented. If a covered entity cannot “ensure” security, then privacy
measures are an empty gesture and HIPAA transactions may be jeopardized.
B641906.2
5
a.
The Existing Security Requirement
Even though a final security rule has not yet been published, a security standard is in
existence right now in the underlying HIPAA statute. HIPAA’s standard for security is found at
42 U.S.C. §1320d-2(d)(2):
Safeguards
“Each [covered entity] who maintains or transmits health information shall maintain
reasonable and appropriate administrative, technical, and physical safeguards –
(A)
to ensure the integrity and confidentiality of the information;
(B)
to protect against any reasonably anticipated –
(i) threats or hazards to the security or integrity of the
information; and
(ii) unauthorized uses or disclosures of the information; and
(C)
otherwise to ensure compliance with this part by the officers and
employees of such person.”
What does this mean? It means that a strict security requirement is already in force! And
it applies to all covered entities that use or transmit “individually identifiable health information”
(not just PHI). Furthermore, by virtue of §1320d, all covered entities have been on notice since
1996 that a high level of security is required by the federal statute.
The Final Privacy Rule contains parallel “safeguard” requirements. These are found in
Subsection 164.530(c). This section creates what has been called a “mini” security rule within
the Privacy Rule. Once the final security rule is published, it will essentially be incorporated
wholesale into the privacy rule by virtues of subsection 164.530(c).
b.
How Plaintiffs’ Lawyers Might Use The Security Rule As A Basis For
A Lawsuit
Some have feared that the plaintiffs’ bar would come up with creative theories under
which plaintiffs might assert that they have a private right of action under HIPAA. Having a
private right of action under a federal statute means that a plaintiff can file a lawsuit against an
entity alleging a breach of the federal statute. Although commentators have opined that HIPAA
does not provide a private cause of action, we now have a solid body of federal court cases
which expressly states this. See:
•
•
•
•
B641906.2
Means v. Independent Life and Acc. Ins. Co., 963 F. Supp. 1131
(M.D.Ala. 1997)
Wright v. Combined Insurance Co. of America, 959 F. Supp. 356 (N.D.
Miss. 1997)
Brock v. Provident America Ins. Co., 144 F. Supp.2d 652 (N.D.Tex. 2001)
Dixie O’Donnell v. Blue Cross Blue Shield of Wyoming, 173 F. Supp. 2d
1176 (Dst.Wy., 2001)
6
In the latest of these cases, a plaintiff in Wyoming filed suit against her health insurer,
claiming breach of contract and violation of HIPAA, based on its denial of a certain medical
claim. Dixie O’Donnell v. Blue Cross Blue Shield of Wyoming, 173 F. Supp. 2d 1176 (Dst.Wy.,
2001). Specifically, the plaintiff claimed that the insurer’s denial of her medical claim violated
HIPAA’s requirements involving pre-existing conditions. The federal court for the District of
Wyoming dismissed the case, holding that : (1) there is no specific right of enforcement for a
violation under HIPAA, (2) no implied private cause of action existed, and (3) the only entity
with enforcement authority for a HIPAA violation is Health and Human Services (“HHS”).
With no private right of action, how then might plaintiffs’ lawyers use HIPAA’s security
rule in a lawsuit? They might use it in connection with a state law negligence claim by patients
for disclosure of PHI due to a security breach. The theory of liability would likely be along these
lines. The covered entity owed a duty of care to its patients to maintain reasonable and
appropriate technical and physical safeguards. Does this language sound familiar? It should
because it is lifted from the “safeguard requirement” of 42 USC §1320d to ensure the privacy
and security of confidential medical information. Plaintiff-patients can be expected to point to
the security obligation in §1320d to establish the existence of that duty of care. Their experts can
be expected to testify that this statutory standard requires covered entities to exercise a high level
of care where the security of PHI is at stake. To avoid being negligent, covered entities must
keep up with technological advances and innovations which set the standard of care in the
industry for covered entities.
Some additional causes of action which might be expected to surface are:
•
•
•
•
•
•
Negligent disclosure of PHI
Any state statue giving rise to a right of action for breach of confidentiality
Intentional revelation of PHI by employee
Inadequate policies and procedures
Negligent supervision and training
Negligent/intentional infliction of emotional distress
These causes of action and theories of liability appear in the complaint in the case of Jane Doe v.
Community Health Plan-Kaiser Corp., No. 8529 (N.Y.App. Div. 05/11/2000) (medical record
clerk improperly released records).
c.
How and Where A Security Breach Might Occur
How and where might a breach of security occur? This depends on who you are and
what you do. Some common ways in which security breaches might occur:
•
•
•
•
•
B641906.2
Computer security – workstations, laptops and mobile medical devices
Communications security
Physical security: access to premises, equipment, people, data
Personnel security
Procedural (business process) security
7
d.
Some Pre -HIPAA Examples of Litigation Based On Security
Breaches
Several pre-HIPAA examples of litigation involving breaches due to poor security:
•
•
•
•
•
2.
University of Montana: Hundreds of pages of detailed psychological records
concerning visits and diagnoses of at least 62 children and teenagers were
accidentally posted on the University of Montana web site for 8 days. Results of
psychological tests, names, birthdays, and home addresses were disclosed.
Eli Lilly and Co.: Lilly inadvertently revealed over 600 patient e- mail addresses
when it sent a collective message to every individual registered to receive
reminders about taking Prozac. Although in the past emails had been addressed to
individuals, the email announcing the end of the reminder service was
inadvertently addressed to all of the participants. The incident prompted the FTC
to file a complaint against Lilly alleging that the disclosure constituted an unfair
or deceptive act under federal law. As part of its settlement with the FTC and
attorneys general from 8 states, Lilly agreed to increase existing security and
create an internal program to prevent future privacy violatio ns.
University of Michigan Medical Center: Several thousand patient records at
the University of Michigan Medical Center inadvertently lingered on public
Internet sites for two months. The situation was discovered when a student
searching for information about a doctor was linked to files containing private
patient records with numbers, job status, treatment for medical conditions, and
other data.
Medlantic Healthcare Group Inc.: Plaintiff sued hospital for lack of adequate
security measures in protecting patient medical records when a part-time,
unauthorized employee accessed and discussed with plaintiff’s co-workers the
plaintiff’s HIV status. The hospital was held liable for $250,000, due in large part
to lax security, including the inability of the medical records software used by the
hospital to trace and identify who had accessed the records. Doe v. Medlantic
Healthcare Group Inc., No. 97-CA3889 (D.C.Super.Ct. 11/30/99).
Easton Hospital: Medical records with lab reports, drug reports, and doctor’s
examination notes were found on the streets of Allentown, PA. All of the records
had patient names and many included addresses and phone numbers. Officials at
Easton Hospital determined the disclosure was due to poor security at the hospital
(The Morning Call, August 8, 2002).
Failure to Follow One’s Own Privacy Policies and Procedures
a.
The Existing Requirement
HIPAA requires covered entities to adopt policies and procedures governing the
protection of patient privacy. HIPAA also requires that notice be given to patients informing
them of the covered entity’s privacy policies and the patient’s right to request restrictions as to
use and disclosure of their PHI.
B641906.2
8
b.
How Plaintiffs’ Lawyers Might Use Non-Compliance Or Breach Of
One’s Own Privacy Policy As A Basis For A Lawsuit
Much like the breach of security scenario, plaintiffs’ lawyers may be expected to connect
a covered entity’s violation of its own policy with state law claims for negligence, breach of
contract, and misrepresentation.
A negligence allegation could be framed in terms of a covered entity assuming a duty of a
certain level of care by virtue of its privacy policy, in other words, assuming a duty greater than
the covered entity would otherwise have by law. Further, breach of one’s own privacy policy
might be used as evidence of negligence in connection with a negligence claim based on other
underlying conduct.
An argument might be made under certain state law that a privacy policy creates a type of
contractual undertaking or that it is incorporated into the contractual relationship between the
covered entity and the patient, similar to the argument that an employee handbook becomes part
of the employment contract.
A misrepresentation claim could potentially be made out by arguing that the covered
entity represented to the patient that it would adhere to certain policies and procedures in
handling the patient’s PHI and that the covered entity either intentionally or negligently
misrepresented how it actually handles PHI.
In addition, violation of one’s own privacy policy could potentially give rise to an unfair
or deceptive practice claim or a qui tam violation.
c.
How And Where This Type Of Violation Might Occur
(See powerpoint chart)
d.
Some Pre -HIPAA Examples of Investigations and Litigation
Based On Failure To Follow One’s Own Privacy Policies and
Procedures
Several pre-HIPAA examples of investigations and litigation involving failing to follow
one’s own policies and procedures:
•
B641906.2
Arkansas Dept. of Human Services: Confidential Medicaid records were
disclosed during the sale of surplus equipment by the Arkansas Dept. of Human
Services twice in 6 months. In October 2001, the state stopped the sale of the
department’s surplus computer storage drives when it was discovered that
Medicaid records that were supposed to be erased pursuant to Department policy
were found on the computers. In April 2002, a man who bought a file cabinet
from the department found the files of Medicaid clients still in one of the
cabinet’s drawers, in violation of the Department’s document destruction policy
(Associated Press, April 3, 2002).
9
•
•
Aetna: Health insurance claim forms from Aetna, the nation’s largest health
insurer, blew out of a truck on the way to a recycling center and scattered on I-84
in East Hartford during the evening rush hour. The forms contained names and
personal health information of patients. Aetna quickly dispatched employees to
gather up all the forms. The forms should have been shredded under company
policy, but weren’t (The Hartford Courant, May 14, 1999).
Health Central.com and iVillage.com: FTC launched an investigation of health
care websites’ privacy practices to determine whether personal information had
been improperly shared. FTC action followed the California Healthcare
Foundation’s allegations that medical websites had shared personal data with third
parties and failed to follow privacy policies. Websites contacted by FTC include:
Health Central.com and iVillage.com (Wall Street Journal, Feb. 18, 2000).
3.
Medical Data Abuses Or Breaches By Business Associates
The third type of HIPAA litigation threat is likely to come from actions and conduct of
one’s business associates.
a.
The HIPAA Framework Governing Business Associates
What is a business associate? HIPAA defines this as:
A “business associate means, with respect to a covered entity, a person who:
(i) On behalf of such covered entity or of an organized health care arrangement
(as defined in § 164.501 of this subchapter) in which the covered entity participates, but
other than in the capacity of a member of the workforce of such covered entity or
arrangement, performs, or assists in the performance of:
(A) A function or activity involving the use or disclosure of individually
identifiable health information, including claims processing or administration,
data analysis, processing or administration, utilization review, quality assurance,
billing, benefit management, practice management, and repricing; or
(B) Any other function or activity regulated by this subchapter; or
(ii) Provides, other than in the capacity of a member of the workforce of such
covered entity, legal, actuarial, accounting, consulting, data aggregation (as defined in
§ 164.501 of this subchapter), management, administrative, accreditation, or financial
services to or for such covered entity, or to or for an organized health care arrangement in
which the covered entity participates, where the provision of the service involves the
disclosure of individually identifiable health information from such covered entity or
arrangement, or from another business associate of such covered entity or arrangement, to
the person.”
Also, a covered entity may be a business associate of another covered entity.
B641906.2
10
b.
Legal Liability For The Activities Of One’s Business Associates
Business associates are not directly regulated by HIPAA. Covered entities are. Thus,
covered entities are “their brother’s keeper,” to an extent. Before a covered entity may use or
disclose PHI to a business associate, the covered entity must obtain in writing satisfactory
assurances that the business associate will properly safeguard the PHI.
“Standard: disclosures to business associates.
(i) A covered entity may disclose protected health information to a business associate and
may allow a business associate to create or receive protected health information on its
behalf, if the covered entity obtains satisfactory assurance that the business associate will
appropriately safeguard the information.”
The mandatory “satisfactory assurance” requirement does not mean that a covered entity
is automatically liable for wrongdoing of business associates. Section 164.504(e) of the Privacy
Rule states that: “We have eliminated the requirement that a covered entity actively monitor and
ensure protection by its business associates.” 65 Fed. Reg. 82641. However, “covered entities
cannot avoid responsibility by intentionally ignoring problems with their contractors.”
c.
How Plaintiffs’ Lawyers Might Use The Satisfactory
Assurance Requirement As A Basis For A Lawsuit
How might plaintiffs’ lawyers use HIPAA’s satisfactory assurance requirement to hold a
covered entity liable for medical data abuses or breaches by business associates? Much like the
theory with HIPAA’s security rule, the plaintiffs’ bar might use the satisfactory assurance
requirement in connection with a state law negligence claim by patients for wrongful disclosure
of PHI. The theory of liability would likely be along these lines: The covered entity owed a
duty of care to the patient to ensure that the patient’s PHI was not negligently entrusted with a
third-party who failed to take appropriate steps to safeguard it. The applicable standard of care
would likely be the prudent behavior standard, which plaintiffs’ lawyers could be expected to
argue is enhanced by the HIPAA statutory standard of “satisfactory assurance.” Plaintiffs’
lawyers might also be expected to argue that HIPAA requires covered entities to exercise a
certain amount of due diligence in scrutinizing its business associates’ security practices.
Here are some likely issues which could be explored in deposition in this type of
litigation:
•
•
•
B641906.2
how much the covered entity knew, or should have known, about the security
systems of its business associates
what conversations the covered entity had with the business associate about
security issues
whether the covered entity deliberately did not ask its business associate for all
the details
11
•
•
whether this was the first violation by the business associate of which the covered
entity was aware
if not, when was the first violation and what, if anything, did the covered entity do
in response; is this the second breach in two weeks or is the second breach in two
years -- big difference between the two
A covered entity could be in violation of HIPAA, as well as state statutory and common
law, if the covered entity knew of an uncured “pattern of activity or practice” by the business
associate in breach of the business associate’s contract and failed to either terminate the contract
“if feasible” or, “if not feasible,” then report the problem to the Secretary of HHS.
d.
How and Where A Wrongful Disclosure By A Business
Associate Might Occur
How and where might a business associate wrongfully disclose PHI? This depends on
who the business associate is and what it does. Refer to the chart which shows the possible
disclosures by a business associate.
e.
Some Pre -HIPAA Examples of Litigation Based On Activities
of Business Associate Type Entities/Persons
Several pre-HIPAA examples of litigation involving wrongful disclosure of PHI by
business associate type entities/persons:
•
•
•
•
B641906.2
Unauthorized, unprivileged disclosure of PHI obtained by counsel for a hospital,
despite the fact that disclosure was made to counsel who represented the hospital
in a proceeding that required knowledge. Biddle v. Warren Gen. Hospital, 715
N.E.2d 518 (OH. 1999).
A medical student in Colorado sold the medical records of patients to malpractice
lawyers (1997).
Alleged wrongful disclosure of medical information by drugstore chain CVS to
direct marketing company in connection with patient compliance program. CVS
and Elensys Care Services Inc. agreed to send refill reminders and drug
advertisements to CVS pharmacy customers. The mailings were sent on CVS
letterhead but were paid for by the drug manufacturers whose drugs were
advertised. This litigation is still pending. Weld v. CVS Pharmacy, Inc., C.A.
No. 98-0897 (Mass. Super.Ct., Suffolk Co. 1998)
http://www.masslaw.com/masup/1007501.htm.
Class certified of accused criminals whose psychiatric and medical records were
made accessible to the public as part of the state’s determination of who was fit to
stand trial. Plaintiff prisoners claimed violations of their privacy rights under
New York and federal law. Hirschfeld v. Stone, 193 F.R.D. 175 (S.D.N.Y. 2000).
12
Some examples from outside the medical context:
•
•
III.
(financial context) NationsBank was forced to pay more than $6.5 million to settle
allegations that it provided its subsidiary NationsSecurities with customer names,
financial statements, and account balances in order to help the company sell
closed-end bond funds to bank customers as their certificates of deposits matured.
(financial context) Bank of America was sued in a class action for selling
unauthorized consumer credit reports to entities that were unaffiliated with the
company in alleged violation of the Fair Credit Reporting Act. 32 Plaintiffs v.
Bank of America, (D.Md. 2001).
How To Minimize Your Risk Of Future HIPAA Litigation (Or How To Reduce
Your Chances Of Becoming The First HIPAA Litigation Posterchild)
A.
Think Differently About HIPAA And The Medical Privacy Function
No one wants to be the first HIPAA litigation posterchild. Despite the very real threat of
high-stakes medical privacy litigation, a covered entity can take preventative and precautionary
measures to minimize its risk of future HIPAA litigation. It’s important for us to recognize the
significant challenges this environment creates for covered entities whose various operations rely
so heavily on the personal medical information of individuals. HIPAA’s numerous requirements
do create many impediments to our access to and transfer of important medical information, and
they create real legal exposure to fines and lawsuits.
Our challenge to you today is to look beyond the obstacles that this business environment
creates. We believe that, with the right approach, covered entities cannot only successfully
navigate this difficult terrain of HIPAA’s privacy and security requirements, but can also help to
create an improved landscape for the future. We’ll show you just such an approach for
successful navigation and landscape improvement and hope you can adapt it for your
organization.
B.
Two General Points Form The Foundation For Our Approach
Two general points form the foundation of this approach. First, the approach is based on
attacking HIPAA and medical privacy in a positive, pro-active way, as opposed to acting in a
defensive and reactive way. This means, for example, not merely recording the company’s
policies in its legal documents, but figuring out how to enable our colleagues to best implement
the key principles of those policies. That’s what we mean by active, not reactive or passive -anticipating change not merely responding to it.
On this point, we recently found a quote from an authority on data protection that drew
an interesting analo gy. Deidre Mulligan said, “Privacy is to the information age what
environment is to the industrial age: something that needs to be attended to on the front end.”
B641906.2
13
This means that we can’t afford to sit back and assess the damages of poorly guided
privacy practices just like we can’t afford to sit back and assess damage of poorly guided
environmental policies. They both need to be attacked pro-actively.
The second general point forming the foundation for our approach is simply to always
keep the patient or data subject in mind. There’s a motto we have at Pfizer that we inherited
from the Warner-Lambert Company – “the patient is waiting.” With all that we do as a
pharmaceutical company – from laboratory discovery to clinical development to consumer
advertising, from safety monitoring to manufacturing and everything in between – we must never
lose sight of the ultimate users of our products, the patients who rely so heavily on the health
care treatment we make possible.
The same applies in the area of HIPAA and medical privacy protection. It is ultimately
the interests of patients, consumers, and employees that should guide our efforts. These interests
are, after all, the very basis for all the various rules and regulations. We should, therefore, adopt
approaches that always ask questions like, “If I were a clinical trial participant or a patient being
admitted to a hospital, what would I want to know about how my personal medical information
would be used?” and “If I were sending information to a covered entity over the internet, how
would I expect them to treat it?” This may seem obvious or simplistic, but I am convinced that if
we adopt this perspective and urge our colleagues to do the same, we will go a long way toward
meeting our legal obligations as well as fostering well-earned trust among patients and the
public.
C.
Building A Strong Privacy Structure In Your Organization
With these two primary points as a foundation – being pro-active and emphasizing the
patient’s perspective – we’ll now turn to some of the specific considerations and strategies of our
approach.
Two fundamental problems that every covered entity faces are first, the wide-ranging
activities within the entity’s medical operations that handle protected health information, and,
second, the myriad regulatory and legal requirements in the U.S. at the federal and state level
addressing medical privacy issues and, therefore, affecting these activities of the entity. The first
I’ll call “medical function diversity” and the second “regulatory diversity.” The right strategic
approach, therefore, has to take these two factors into account.
1.
Medical Function Diversity
To address the medical function diversity factor, we need to: (1) take a good inventory to
identify potential “hot spots” and (2) build bridges in our organizations. Let’s start with the
threshold matter of an inventory. This enables us to define the problem and identify the hot
spots. To do this, we should carefully take an inventory of the many parts of our organizations to
determine where we handle personally identifiable data of individuals and where those areas
intersect with HIPAA’s privacy and security requirements. In addition to the more obvious
areas, like patient intake and clinical trials, we also need to look at emerging areas like disease
management programs and interactive internet sites.
B641906.2
14
For example, in the pharmaceutical industry, there were the widely publicized problems
Eli Lilly encountered with a disease management program database for Prozac patients and the
disclosure of the email addresses of the participants in that program to all the other 600+
participants. We could easily see how this type of privacy nightmare could happen. It was a
direct to consumer initiative, involving a sensitive medical condition, utilizing advanced
communication technology. In a situation with those three elements at play, it is critical to pay
careful attention to concerns about medical privacy protection – in this case, the risk of an
inappropriate disclosure of the email addresses. Remember what we said earlier about proactively addressing privacy on the front end. Lilly was easily able to develop a technical fix to
this particular situation, but only after it came to light and the damage was done. Our inventory
is a tool that could help you screen for and identify these types of situations in advance.
So, our organizational inventory of personal data protection areas must include all areas
where privacy medical information is handled. As examples again from the pharmaceutical
industry, in addition to research, safety monitoring and disease management programs, some
other areas to look at include human resources databases, employee benefit plans, customer
service phone lines, indigent patient programs, and genetic research. You will have to look at
your organization to determine the particular areas relevant for you
The key question as we look at any specific operation to determine if it is an area for our
HIPAA medical privacy protection scrutiny is “Do we handle PHI as part of this business
function?” If the answer is “yes,” we know that we will have to proceed by applying our
company’s core information handling principles, which most of your organizations have already
clearly articulated in written policy documents, in light of various laws and regulations. In some
cases, this will be very straightforward. In other cases it will be more involved. In either case,
the inventory provides a good starting point by generating a comprehensive list, a checklist, of
the areas we need to address.
2.
Regulatory Diversity
This inventory helps with what we referred to as the business function diversity problem.
As for Regulatory Diversity, we remind you that HIPAA will establish a federal floor as to the
privacy standards. It does not preempt more stringent state law – so you may have to comply
with both. And state law in this area abounds.
It will be necessary for organizations to make a case-by-case assessment of the law
applicable to a given business activity based on the jurisdiction in which that activity is carried
out. The first step in such an assessment is finding any relevant state law. This in itself could be
a vexing task. There could be dozens of different types of diverse statutes and case law in any
one state that regulate different aspects of privacy: e.g., professional licensing (medical,
pharmacy practice, etc.) laws, insurance laws, consumer protection statutes, laws regulating
particularly sensitive areas like mental health, AIDS or sexually transmitted diseases, laws
governing on- line content, state medical privilege laws, informed consent laws or general laws
that try to regulate medical privacy in a comprehensive way. And then, once you’ve identified
the applicable state law, a comparison to HIPAA must be made to determine if it conflicts with,
B641906.2
15
and is “less stringent” than, the HIPAA regulations, in which case it is preempted or if it is more
stringent, in which case it is not preempted. This determination promises to be more of an art
than a science, but something that will have to be undertaken to address the regulatory diversity
we face..
D.
Consciousness Raising
Once we have inventoried our organization to identify the hot spots, determined the
applicability of the various regulations and their impact on our organization’s operations and
once we’ve developed well-conceived privacy policies to address this landscape, we are only
part of the way there. We still need to effectively sensitize our work force to recognize the need
to apply our policies and give them the tools to do so.
The first step in this regard is to raise consciousness in the organization. Because we’ll
find the issues affecting wide-ranging parts of our company, it will not be a simple task. My
suggestion is to team up with the communications professionals in your company to develop a
strategy to get the message out and to highlight the importance of the issue to the company.
They could suggest the tools typically used by your company to communicate programs of
importance. For instance, how would the organization announce something like a universal
change to an employee benefits program or a institutional position on a major policy issue. You
will most likely want to utilize more than one means of communication to maximize your “share
of voice” and chances of connecting with your target audience. At Pfizer, we developed and
circulated broadly throughout the company a glossy, informational brochure explaining Pfizer’s
commitment to personal data protection and the substance of our policies. One of the key
success factors, we are told, in developing these messages, is to be able to articulate how an
individual employee is affected – why should the reader care about the issue in their day-to-day
life?
This day-to-day relevance can be demonstrated in at least two ways. On one level, we all
have concerns about compromises of our own personal information. Reminding people of their
own concerns might get their attention and suggest that they give thought to how the y approach
their handling of others’ information. Remember my earlier suggestion of always taking into
account the concerns of customers. I believe that applies at the broad level in developing policy,
but also on the individual level in how individuals can best relate to those policies.
On a second level, the day-to-day relevance of privacy issues can be demonstrated by
evidence of the relationship of building patient trust to the bottom line. The growing field of
consumer relationship marketing is providing evidence that it is simply good business to treat
people’s information with the right degree of confidentiality when we are trying to establish a
long term relationship with them. Building trust with consumers is critical and respect for their
privacy is a big part of it.
Another of the key factors to the success of a communications effort will be the support
that the messages have from senior management. It has been demonstrated that people tend to
respond to messages from their leadership, so we are well-advised to seek out senior
management endorsement for our program if that is possible.
B641906.2
16
As we discussed earlier, we should look at issues from the perspective of the individuals
and explain to them why it is in their interest to support our proposals for reasonable privacy
protection policies. And we need to engage the policy types in our companies to understand this
and to help us achieve it.
E.
Training And On-Going Compliance Support
An important part of operational change and compliance involves training personnel
about HIPAA-compliant policies and procedures. No matter how good an organization’s
policies and procedures are, if employees do not follow them, the corporation – and its
executives – are vulnerable to civil and criminal penalties under HIPAA. No matter how much
effort is spent on prevention, no corporation is immune from employee misconduct. A wellknown corporate compliance survey, conducted by Corporate Legal Times and
PricewaterhouseCoopers, found that despite having written policies and procedures on various
compliance matters, 60% of the corporation interviewed had been faced with litigation, claims,
and government investigations on the very same policies and procedures covered by their written
compliance programs. This suggests that employee training and periodic assessments to identify
risks and vulnerability should be key components of any HIPAA compliance program.
To minimize the risk of HIPAA-based claims, disputes and litigation, organizations
should:
•
•
•
F.
Conduct various training sessions to educate employees about their
HIPAA-compliance obligations, making sure that everyone from
receptionists to computer technicians to senior executives are informed.
Provide on-going compliance support for employees, such as periodic
HIPAA-awareness initiatives, which provide additional tools for effective
implementation of the compliance program and remind employees of the
serious civil and criminal consequences the corporate faces for noncompliance.
Periodically measure and mo nitor actual practices to determine if
compliance policies are being followed and to identify compliance risks,
vulnerabilities, and potential exposure.
Periodic Self-Audits/Internal Investigations
Covered entities can minimize their exposure to civil liability by conducting internal
investigations. Here are some tips on how to maximize the benefits and minimize the risks.
1.
Inside v. Outside Counsel
Counsel should have the primary role in overseeing the investigation. This will maximize
confidentiality though the availability of the attorney-client privilege and the work product
privilege. Where the misconduct involved is relatively minor, the investigation may be
conducted by in- house counsel. Where the misconduct is significant, however, it is best for
B641906.2
17
outside counsel to conduct or oversee the investigation, particularly where inside counsel may be
a witness or where senior management may be implicated. Outside counsel usually brings a
greater degree of objectivity and credibility because of their lack of self- interest in validating the
conduct. In addition, use of outside counsel increases the ability to achieve confidentiality
because there is a reduced risk that a plaintiff’s lawyer could argue that communications involve
business advice as opposed to legal advice.
2.
Maintaining the Attorney-Client Privilege
Cloak the investigation with the attorney-client privilege. The investigation should be
initiated under circumstances that make it clear that it is for the purpose of providing legal advice
rather than just investigation of facts or business advice. As few non-attorneys as possible
should be involved. If non-legal personnel are involved, they should be directly supervised by
attorneys.. Any non- legal outside experts sho uld be hired by counsel rather than the corporation.
All privileged communications should be clearly marked with the words “privilege attorneyclient communication.”
3.
Document Preservation Order
Document retention policies should be reviewed immediately and a document
preservation directive issued by inside counsel or senior management. It is critical to preserve all
relevant documents and prevent the destruction of documents. As evidenced by the Enron case,
the destruction of documents will be interpreted by the Government, plaintiffs’ counsel, and the
public at large as an admission of guilt.
4.
Interview Employees
All interviews should be conducted by counsel in order to preserve confidentiality.
Refusal of an employee to cooperate in an internal investigation is generally appropriate grounds
for discharge.
5.
Preparation of the Investigative Report
At the conclusion of the investigation, a written report is normally prepared addressed to
the individual or committee which ordered the internal investigation. The report generally will
summarize the circumstances which led to the investigation; detail the investigative steps which
were taken; summarize the facts revealed by the investigation, analyze the applicable law,
develop the arguments for and against liability, prosecution, or sanctions, identify internal
policies, procedures, or practices which led to the events or which could be improved to prevent
future violations; and recommend any appropriate remedial actions. The report sho uld also
describe facts and circumstances that reflect well on the corporation. Eventual disclosure of the
report will then include positive evidence that may influence the Government or Court. For
example, the report may show how the corporation’s compliance program was effective in
discovering and addressing the violation.
B641906.2
18
IV.
Conclusion
In conclusion, HIPAA and medical privacy issues naturally lend themselves to highstakes litigation. By thinking differently about these issues, building a strong privacy structure in
your organization, and incorporating training and periodic self-assessments into your business,
you can minimize your exposure to this type of potentially devastating litigation.
How to Reach Us
Leigh-Ann M. Patterson, Esq.
Nixon Peabody LLP, Partner
Litigator on HIPAA Task Force
[email protected]
Boston:
101 Federal Street
Boston, MA 02110
617.345.1258
New York:
437 Madison Avenue
New York, NY 10022
212.940.3000
Raymond Gustini, Esq.
Nixon Peabody LLP, Partner
HIPAA Task Force
Washington D.C.
202.585.8725
[email protected]
Salvatore Colletti, Esq.
Pfizer Inc.
Assistant General Counsel
New York, NY
212.573.7596
[email protected]
B641906.2
19
Leigh-Ann M. Patterson, Esq.
Experience
LEIGH-ANN M. PATTERSON
Partner
Nixon Peabody LLP
Boston:
101 Federal Street
Boston, Massachusetts 02110
617.345.1258
New York:
437 Madison Avenue
New York, NY 10022
212.940.3000
www.nixonpeabody.com
[email protected]
Practice Areas:
False Claims
Medical Privacy Litigation
HIPAA and Privacy Compliance
Complex Commercial Litigation
Education:
Suffolk University, J.D., cum laude
Miami University of Ohio, B.A.
Bar and Court Admissions:
Massachusetts; Rhode Island;
the United States Supreme Court;
U.S. District Court, Districts of
Massachusetts and Rhode Island;
First Circuit Court of Appeals
B641906.2
A partner in the Litigation Department, Leigh-Ann M. Patterson,
Esq., is an experienced trial lawyer who focuses her practice on
healthcare litigation, HIPAA compliance, and medical privacy issues.
Ms. Patterson founded Nixon Peabody’s HIPAA Task Force in 2001.
Working closely with the firm’s health care attorneys, she advises
health care organizations and major pharmaceutical companies on
HIPAA compliance, as well as litigation risk management and
litigation avoidance practices.
Ms. Patterson has successfully defended major business and
corporate clients against claims for privacy violations, securities and
financial fraud, False Claim Act (qui tam) violations, and complex
contract disputes. Ms . Patterson is presently defending a major
pharmaceutical company against alleged privacy violations in a class
action lawsuit filed in Massachusetts.
Affiliations
Ms. Patterson is the immediate past President of the Women’s Bar
Association of Massachusetts. She is a member of the Health Law
Section of the Boston Bar Association and serves on the Association’s
HIPAA Task Force; and is a member of the International Association
of Privacy Officers; serves on the Board of Editors of Nixon
Peabody’s “Privacy Alert” newsletter; and served on the organizing
committee for the Harvard Law School Berkman Center for Internet
& Society’s online course and conference on the evolving role of the
Chief Privacy Officer. In 2000, Ms. Patterson was named as one of
Boston Business Journal’s “40 Under 40” awardees, recognizing
young business and professional leaders in the greater Boston area.
Ms. Patterson has published numerous legal and non-legal articles on
HIPAA issues, high-stakes medical privacy litigation, financial privacy,
contract issues, and business torts. She has presented at various
local, regional and national conferences on HIPAA and medical
privacy issues. She may be reached at via e-mail at
[email protected].
20
Salvatore Colletti, Esq.
Assistant General Counsel
235 East 42nd Street
Legal Division, 24th Floor
New York, NY 10017-5755
212.573.7596
[email protected]
Sal Colletti is an Assistant General Counsel in the Legal Division of Pfizer Inc. His
responsibilities include providing legal support for a broad range of Pfizer’s pharmaceutical and
other business activities. These include leading the team of attorneys that support the Pfizer
Global Manufacturing business unit, participating on the Pharmaceutical Legal Leadership
Group and serving as the primary legal advisor to the company on personal data protection and
medical privacy matters.
He is currently a member of the Board of Directors of the International Pharmaceutical
Privacy Consortium. He has also represented Pfizer in the negotiation and closing of numerous
major business transactions. In his career at Pfizer, Mr. Colletti has also held legal positions
supporting the company’s international operations and its consumer/OTC business unit, and was
a member of the Corporate Governance group, where he handled corporate and SEC matters.
He earned his B.A. in Economics magna cum laude and his J.D. Degree from Fordham
University and his M.B.A. in Finance (with a concentration in International Business) from New
York University’s Stern School of Business.
B641906.2
21