First Do No Harm
Dr. Arvin Gandhi, Cardiologist Associates of Northwest Indiana, PC and Community Hospital of Munster were sued by a large group (more than 250 patients) of individuals claiming that Gandhi and his group had implanted pacemakers or defibrillators that patients did not need, routinely scheduled unnecessary procedures and had done other wrongs. The Defendants denied any wrongdoing but have agreed to pay over $66 Million to settle with the victims of the alleged malpractice. It will be interesting to see what the Indiana Medical Board does with Dr. Arvin Gandhi's license following the settlement.
The huge hotel chain Marriott has been reported to have suffered a horrendous data breach which became known in 2018, apparently 4 years after it began. It is estimated that over 339 million individuals' personal data had been exposed. Britain's Information Consumers Office (ICO) found that Marriott had not only failed to take proper steps to avoid the breach but had also failed to properly report it. So far, ICO has charged Marriott a $24+ Million penalty.
What makes this data breach so interesting is not only its size but how long it went on without either detection or reaction by Marriott. Databreachtoday.com has more details, but what is dumbfounding about this is not only the number of people affected and the length of time it went on, but the lack of any significant punishment of Marriott by regulatory authorities either in the United States or in Europe.
My Records Not Your Records
HHS has published two Resolution Agreements regarding situations where patients requested medical records but New York Spine Medicine and St. Joseph’s Hospital and Medical Center refused or failed to provide the records.
In the case of New York Spine Medicine, it agreed to pay $100,000 for a failure to provide medical records to a single patient, and St. Joseph's Hospital and Medical Center paid $160,000 for a similar failure. Both descriptions in the Resolution Agreements indicate the person requesting the information made a proper written request, but in each case the covered entity simply failed in its obligation to make a prompt, timely, considered and complete disclosure to the requesting party. The result is that both of these covered entities have made themselves a special name at HHS, and one assumes the Corrective Action Plan that each of them signed will cost them at least as much as the penalty they have agreed to pay.
The lesson? Have a procedure in place to promptly and carefully fulfill requests for patient records. This information truly belongs to the patient; only your compilation of the information belongs to you. The law is clear: when a proper request for patient data is made by an authorized person, you must make a complete, timely and proper disclosure, and do so promptly. Failure can be expensive.
Dark Overlord Means $1.5 Million HIPAA Settlement
Athens Georgia Orthopedic Clinic learned the cost and became the poster child for long-term, system-wide noncompliance with HIPAA. Athens Orthopedic has approximately 400 employees. It apparently was attacked by a hacking group called Dark Overlord, which resulted in a 2016 breach. One of the members of Dark Overlord was located, charged and sentenced to five years in prison.
Athens Orthopedic agreed to pay a $1.5 Million settlement which is believed to be the largest HIPAA penalty OCR levied in 2020.
A review not only of the large settlement amount but also of the breadth and depth of the Corrective Action Plan reveals the basis for the OCR finding: a systemic failure to have any reasonable information security program, a lack of fundamental policies, procedures and safeguards, and a failure to perform information security risk assessments. This was almost a textbook failure.
Clients sometimes ask whether it is more expensive to comply, or less expensive to see if you get caught and, if you do, reach a settlement. The Athens Orthopedic situation indicates it may be cheaper to comply, particularly when one takes into account that the $1.5 Million reflects only a portion of the costs Athens Orthopedic will incur. The Corrective Action Plan indicates there will be substantial ongoing costs to Athens Orthopedic over the next several years, probably more than initial compliance would have cost.
This newsletter is edited by Paul Wallace of Jones • Wallace, LLC, a member of the American Health Lawyers Association who has been representing physicians and healthcare practices for over 25 years. Mr. Wallace assists physicians, practices and hospitals with contract matters, federal legal compliance, practice entity creation, estate and wealth planning and similar issues. Please feel free to call at (812) 402-1600 or write to firstname.lastname@example.org if you have any questions about this newsletter or other legal matters.