WHISTLEBLOWER SUITS – FIGHTING BACK
Qui tam plaintiffs under the False Claims Act (FCA) and qui tam litigation continue to increase, and some analyses indicate that some qui tam plaintiffs appear to be less than honorable or stellar in their claims. FCA defendants have been looking for ways to identify these less than honorable qui tam plaintiffs, and to assert claims in the form of counterclaims. There are recent successes including a Pennsylvania federal court which allowed counterclaims against the whistleblower to be maintained in the face of a motion to dismiss filed by the whistleblower.
While other decisions remain which have refused to allow counterclaims in qui tam/whistleblower litigation, the Pennsylvania case and a Ninth Circuit case indicate that this issue is far from decided. Those who are accused in these qui tam actions are frustrated that they have been unable to assert and seek relief for claims that the whistleblowers have stolen documents, have violated confidentiality agreements and claims of breach of fiduciary and good faith duties or misappropriation of trade secrets.
Additional good news is that a New York federal court recently required a repeat whistleblower to pay nearly $170,000 in attorneys’ fees and costs after finding the relater’s claims frivolous. The qui tam plaintiff/relater was as sponsor of prescription drug plans under Medicare Part D and then filed False Claims Act against pharmacy defendants. After finding that the plaintiff was responsible for many of the “false” claims, as plan sponsor, the court awarded significant attorneys’ fee to one defendant.
Any company that is subject to a whistleblower lawsuit should have a careful review by counsel of potential counterclaims or independent third-party claims, including claims for indemnity.
On the other hand, the attempts by certain parts of the healthcare industry to contractually avoid qui tam actions by overstating trade secrets, by requiring release and indemnity language in employment or routine business contracts is not likely to be successful in the long run, and may cause a backlash against those attempting to use these methods. Properly written business contracts with other healthcare providers should follow the statute, and only prohibit, release or seek indemnity and not seek relief from the qui tam plaintiffs’ alleged participation and the submission of false claims under FCA.
HIPAA AND MEDICAL RECORD SUBPOENAS
HIPAA, indirectly or directly, requires the following in order to produce medical records under a civil subpoena.
- A HIPAA “qualified protective order” executed as a result of a lawsuit;
- A court order requiring production; or
- A proper HIPAA authorization from the patient that authorizes the disclosure required under the subpoena.
Civil litigation subpoenas are often signed by attorneys under appropriate trial rules. However, the language of HIPAA seems to require that the court order the production. It is unclear if attorney signed subpoenas, even if compliant under Indiana Rules of Trial Procedure, comply with the “court order” requirement under HIPAA.
You should review your procedures before producing any further documents under any civil subpoena.
A bipartisan bill, supported by the American Hospital Association, has been introduced in Congress. This bill would deal with some of the more problematical RAC structures including their contingency payments, by changing this to a flat fee. The key to reform RACs is to eliminate RAC incentives for false, sloppy or incorrect audit items, thereby drastically reducing the need for appeals. We previously reported that the United States and RAC contractors are routinely violating U.S. law relating to these appeals.
Other provisions of the bill would allow limited rebill options for medical providers.
SECURITY MANAGEMENT PROCESSES
The Office of National Coordinator for Health Information Technology for the Department of Health and Human Services has released information on how it believes a security management process should be implemented. This process is outlined in pages 35-55 of a recent post by ONC.
The fact that a seven step “sample” approach takes 20 written pages to outline indicates one of the fundamental problems of our rule based society. Nevertheless, this is a useful guideline for CEOs, COOs, CFOs and CIOs along with smaller practice managers to begin discussing, reviewing and improving security management processes at the hospital and practice level. Please remember the mere fact that you have a “security management system or process” will not impress HHS in a breach matter if you have not done proper implementation, review and change to the process over time.
Even worse, if you do not have such a security management process and review, then you can expect, in addition to patient/consumer issues, a much more strict and rigid response from HHS in the event of a breach. Attached are the first two pages of the recent ONC bulletin. We would be happy to email you, upon request, the entire 20 page article for your use. As ever, if you have any questions regarding HIPAA or HITECH or, in particular, this portion of those security management processes, we will be glad to assist you with any questions or issues.
This newsletter is edited by Paul Wallace of Jones ∙ Wallace, LLC, a member of the American Bar Association Healthcare Law Section and the American Health Lawyers Association who has been representing physicians and healthcare practices for over 25 years. Mr. Wallace assists physicians in health practices in contract items, federal legal compliance, creation of practice entities, estate and wealth planning and similar issues. Please feel free to call if you have any questions on this newsletter or legal matters at (812) 402-1600 or email@example.com.