ITS NEVER OUR FAULT
Anthem/WellPoint/Anthem reported that it allowed hackers to gain access to ten years of records and data for millions of its customers. Anthem reported its 2014 net income was $2.6 Billion. Its 2014 operating revenue exceeded $73 Billion. It is rumored that it spent over $100 Million on changing the company’s name from Anthem to WellPoint and then back to Anthem.
Yet Anthem did not spend relatively small sums to protect your financial and medical data by encrypting it. While encryption cannot prevent, itself, access by criminal hackers, it is intended to make the content accessed unreadable. If hackers know that your data is encrypted, hackers generally will not even bother to try to access and steal the data. In other words, if there is no payoff, hackers won’t bother.
Nevertheless, Anthem, and other much smaller companies, fail to take advantage of encryption’s opportunities to protect customers. Each year there are, literally, dozens of HIPAA violations because of lost computers, access hacks like Anthem and other causes where data has been kept in a readable (unencrypted) format. The latest report in Indiana before Anthem was Aspire Indiana’s breach on November 7, 2014. Apparently, a laptop with mental health data of 45,000 people was stolen. The question is why not encrypt sensitive data? Anthem surely cannot claim that costs are an issue given its billions of dollars in profit. Encrypting its data would likely cost less than changing Anthem’s name to WellPoint and back to Anthem.
Should Indiana’s insurance commissioner, attorney general and other states’ commissioners and attorney generals look into punishing Anthem and similar providers by withdrawing their ability to offer insurance or do business for these fundamental failures? What should the penalties be? One year’s profit?
For planning purposes, you should assume that within 12-18 months lawmakers will pass laws requiring encryption of sensitive consumer data, including PHI. Hopefully they will go beyond that, including financial data so that the massive breaches by Target, Home Depot and others will stop being a daily factor in our lives.
HOSPITALS BECOMING INSURERS
Last year I predicted that hospitals and hospital systems would begin entry into the health insurance business because of the greatly higher margins available to health insurers compared to most healthcare providers. Recent reports indicate that it is beginning to happen. Hospitals in the North Carolina triangle region, New York’s North Shore and others are beginning to construct health plans to offer insurance to individuals and employer based plans. This is a trend that is likely to continue throughout the United States.
Concierge medicine has been a fast growing phenomenon. Many of these provide for monthly or annual membership fees which give their concierge members benefits such as same day appointments. While there are still some locally driven concierge medical practices, many of them are organized and operated by chains such as MDVIP. These chains are operated on a model that provides that the chain organizes and provides the platform including all non-medical service, such as billing and hiring, etc. while the doctors involved provide the medical services. This model is also often used by emergency rooms at hospitals. All of these companies have sought to avoid liability for medical negligence on the basis that they don’t provide medical care, that only the doctors provide this care.
Recently, a Florida jury returned an $8.5 Million malpractice verdict against MDVIP. If this ruling is the beginning of a change in how liability is assessed, it will have an important impact, not only on concierge medicine companies like MDVIP, but also for emergency rooms and other hospital contracted practices that have attempted to shun liability by employing “independent” physicians.
MEANINGFUL USE PENALTIES OVER $200 MILLION
CMS estimates that meaningful use penalties may exceed $200 Million in 2015. This $200 Million in penalties should be compared to the $20 Billion in incentive payments paid to date. CMS estimates that about 1/3 of the penalties will see Medicare payment adjustments from $1 to $250, another 1/3 or so will see adjustments of $2,000 or more. Much smaller groups will see adjustments between $250 and $2,000.
While it is clear that the meaningful use standards are still largely unworkable, and while it is ironic that CMS failed to impose interoperability standards initially, and then fines providers for not making meaningful use of EHR, the factor means that these penalties are the providers need to plan for responding to such penalties.
WHAT IS THE TAB?
The trial and sentencing portions of Medicare fraud cases often spend significant time in determining just how big a particular fraud or fraud scheme was. The government usually claims that the loss should be based upon the amount billed while the defendant(s) claim that the sentencing and fines should be based upon the net actual reimbursement. Unfortunately, courts have been inconsistent in determining which number to use. The Fifth Circuit Court of Appeals recently upheld a trial court’s determination that the amount billed to Medicare could be used in determining appropriate sentencing.
This newsletter is edited by Paul Wallace of Jones ∙ Wallace, LLC, a member of the American Bar Association Healthcare Law Section and the American Health Lawyers Association who has been representing physicians and healthcare practices for over 25 years. Mr. Wallace assists physicians in health practices in contract items, federal legal compliance, creation of practice entities, estate and wealth planning and similar issues. Please feel free to call if you have any questions on this newsletter or legal matters at (812) 402-1600 or firstname.lastname@example.org.