Dr. Richard Paulus was charged by the United States under the Federal Claims Act (FCA) for a pattern of fraudulent conduct involving inserting stents in patients’ arteries. The basic claim of the US was that Dr. Paulus falsely recorded stenosis as at least 70% for certain patients in order to justify the insertion of stents. The US claimed that these entries of the percent level of stenosis were fictitious statements.
A jury then found Dr. Paulus guilty of 10 of the original 16 criminal counts including healthcare fraud and making false statements. In an unusual move, the Court threw out the jury verdict and acquitted Dr. Paulus on the 10 counts. There were a number of interesting legal scuffles between the US and the defense attorneys that will prove very interesting to counsel for cardiologists.
The takeaways are:
- As the opinion in this case notes, the healthcare fraud statute was not intended to penalize a person who exercises a healthcare treatment choice or makes a medical or healthcare judgment in good faith simply because there was a difference of opinion regarding the form of diagnosis or treatment. In English, these statutes should not criminalize subjective medical opinions where there is room for disagreement between doctors.
- The deciding points in these cases, and you can expect more such cases to be brought, are often in the “extremes.” In this case there were disagreements even among the government experts with regard to the percentage of stenosis in the patients cited as examples by the government and one government expert testified that estimating the percentage of stenosis was an imprecise exercise. If, on the other hand, Dr. Paulus had found 90% stenosis in every patient, that pattern may have been extreme enough to justify the prosecution.
- In other cases, such as Patel and McClain, the circumstantial evidence was far more compelling and there seemed to be demonstrably false statements. Here there were no “lies” that could be pointed to as there were in other prosecutions.
- The diagnosis and the placing of stents turned out not to be the major income source for Dr. Paulus. The Court noted this as an indication of why Dr. Paulus may not have had a great imperative to overstate the stenosis. In the Patel, McClain and other cases, it appeared the diagnoses and invasive procedures were the major income item for those doctors.
- Notwithstanding the loss in Paulus, it appears the US is intent on seeking to punish cardiologists where the US believes they are overperforming invasive cardiac procedures. It is likely that cardiologists are being identified by data mining to seek out billing patterns that stand out in applications for payment to Medicaid and Medicare. You may wish to review your diagnostic data with your peers to determine whether or not your diagnostic and treatment patterns are so outside the norm that they will invite scrutiny.
Section 1557 is the non-discrimination provision of the ACA. This Section prohibits discrimination on the basis of race, color, national origin, sex, age or disability in health programs or activities that receive federal funds. Currently, an injunction is pending prohibiting enforcement with regard to gender identity and termination of pregnancy.
OCR enforces this rule and all covered entities are required to post a notice of consumer civil rights telling consumers about their rights and also advising those with disabilities or limited English proficiency about the right to receive communication assistance. This notice must include tag lines in the top 15 languages spoken by individuals with limited English proficiency in the states in which the covered entity operates. We have attached a copy of the sample notice proposed by HHS. Note the sample notice does not include the 15 tag lines in other languages.
Peachtree Neurological Clinic was struck by ransomware. Its EHR system was encrypted by a virus but PNC was able to restore its files from backup records and avoided paying the ransom.
The interesting part is that in the process of fighting the ransomware attack, PNC discovered a 15-month-old breach. A hacker had acquired access to PNC’s systems from February 2016 through May 2017. The possible data accessed by the hackers could include names, SSNs, driver’s licenses, addresses, phone numbers, medical data, prescriptions and health insurance data.
HIPAA security rules require periodic audits and reviews of your system. Obviously, PNC had not done so and could face substantial penalties for failing to periodically scan and check its systems. This case should be a call to you to set up a process for periodic review of the security of your EHR and medical data records.
Vanderbilt University Medical Center (VUMC) has agreed to pay $6.5 million to settle a 2011 case on Medicare fraud allegations. Three physicians who had been employed at VUMC claimed that the hospital’s surgery scheduling practices violated Medicare billing regulations. As is typical in these cases, VUMC did not admit that it violated any laws but agreed to pay $6.5 million (VUMC’s annual operating revenue is reported as $3.8 billion).
Oops I Did It Again
Anthem again is involved with a breach involving Anthem customer data. Apparently, its business associate Launch Point had an employee who emailed a file with information about Anthem employees to his home email address in July 2016.
Wordsmithing, Anthem claimed that Launch Point does not have any information that suggests the data on the file was misused. Of course, Anthem has no information to suggest the data was not misused either.
Data from Anthem Medicaid members in 21 states were affected. Anthem has not announced how it will stop its repeated disclosure of PHI.
Suing for Damages After PHI Breach
As I reported earlier, Plaintiffs continue to file suit against providers and insurers who allow PHI information to be accessed by hackers.
In most of the early attempts to sue the insurer or provider, the hospital or insurance company sought to dismiss such complaints on the basis that even though the PHI had been accessed, stolen or lost, the people whose PHI had been leaked could not prove any immediate concrete damage. The breachers claimed that whether one or many, the individual victims often were alleging merely that sometime in the future they might be harmed by the breach.
In many of the initial cases brought, this defense was found adequate and the Courts dismissed the cases. Increasingly though, Courts are beginning to find that the increased worry and increased vigilance required of victims of such breaches make arguments for damages. In a recent case against Care First, the Appellate Court found that such injuries by the class of nearly one million customers of Care First subject to a breach could be the basis for the award of damages. In this case, Care First computers were attacked by an intruder in 2014 who reached a database containing customers’ personal information, including PHI. Care First did not discover the breach until April 2015 and didn’t notify its customers until May 2015. Obviously, much damage could have occurred between June 2014 and May 2015. Without going into the many details leading to the Court’s decision, what stands out is the Court’s careful consideration and method of analyzing the increased risk of harm claim that is at the core of these suits. The Court found the complaint plausibly alleged the victims of the Care First breach face a substantial risk of identity theft. The Court found the fact that there had already been a breach satisfied much of the burden. Care First, like other providers and insurers, has claimed that there is no reason to believe, or that it has not yet found any evidence, that the breached personal information has been used. In other words, the insurers are arguing that anybody could have breached the information for any number of reasons and it isn’t necessarily for wrongful purposes. Here the Circuit Court in DC quoted the 7th Circuit from another data breach case: “Why else would hackers break into a ….database and steal consumers’ private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent changes or assume those customers’ identities.”
The Court here dismissed the past provider/insurer claim that the road from the breach to future harm of the customers and victims was so long and so tenuous that no damage claim should be allowed. The Court found that there is no long sequence of uncertain contingencies, the risks accrued immediately upon the breach and that experience from past computer breaches and hacks indicates the intention of the hackers to do harm to the consumers/victims.
Providers and insurers should take note of this development. The 7th Circuit and now the DC Circuit are moving to make hospitals, providers and insurers fully liable for allowing their patients’ information and PHI to be breached. It appears only a matter of time before there will be an extremely large dollar judgment imposed upon a hospital, provider or insurer.
This newsletter is edited by Paul Wallace of Jones • Wallace, LLC, a member of the American Bar Association Healthcare Law Section and the American Health Lawyers Association who has been representing physicians and healthcare practices for over 25 years. Mr. Wallace assists physicians, practices and hospitals in contract items, federal legal compliance, practice entity creation, estate and wealth planning and similar issues. Please feel free to call if you have any questions on this newsletter or legal matters at (812) 402-1600 or email@example.com.