Healthcare Law News - Volume 128
Destroyed
A recent CNN long form article called “Destroyed” investigates and describes the trashing of rape kits, many before the statute of limitations for rape has expired and in other cases in states that have no statute of limitations.
This article is a must read for those concerned with women’s healthcare.
More the Merrier
We reported last issue about Indiana being part of a multi-state federal law suit filed against an Indiana medical company, Medical Informatics Engineering, Inc. with regard to its Web Chart product. In 2015, apparently 3.9 million individuals were affected by a breach. The lawsuit claims hackers stole PHI, Social Security Numbers, lab results, health insurance policy information, diagnoses, disability codes, doctor names, medical conditions and children’s names and birth statistics. The other states involved in this litigation are Arizona, Arkansas, Florida, Iowa, Kansas, Kentucky, Minnesota, Nebraska, North Carolina and Wisconsin.
The depth and breadth of information on individuals in this breach is particularly troubling. The theft of information about children and their birth information is particularly terrifying. Oddly, Web Chart apparently continues in business and apparently some providers are still using Web Chart.
The continued use of vendors who have suffered significant breaches may be a decision that providers will want to carefully consider unless they have been convinced by the vendor that significant and meaningful changes have been made that will prevent a recurrence of such a breach.
Caught!
Advance Care Hospitals PL (ACH) began operation in 2005. Like some other provider groups it did not follow basic HIPAA and privacy requirements. ACH never required business associate agreements from its vendors. ACH did not conduct a risk analysis. ACH did not implement security measures. ACH did not have written HIPAA policies or procedures.
In late 2011, ACH apparently began using the Florida based company Doctors’ First Choice Billings (Billings). There is some dispute whether the individual who claimed to be representing Billings was or was not an authorized representative, but in 2014, a local hospital notified ACH that its patient information was viewable on the Billings’ website. The information available included patient names, dates of birth and Social Security Numbers. It appears over 9,000 patients may have been affected.
As is common, ACH after being caught ignoring HIPAA requirements has pledged undying love for them going forward and entered into a Resolution and Compliance Agreement with CMS. The upfront penalty is $500,000.00 and the Resolution Agreement and Corrected Action Plan costs are not specifically identified but can be estimated at several hundred thousand dollars more. The relatively modest penalty amount which HHS settled for with this group again raises the question for compliance-is it better to pay money upfront to comply with HIPAA requirements or is it cheaper, over the long term, to pay only when caught? Note this group was able to avoid the costs of HIPAA compliance for 9 years (2005-2014).
Also, not reported yet, is whether any of ACH’s patients who had their information disclosed or at least made possible to disclose have filed suit and will seek damages against ACH or its individual providers.
Come and See
For years hospitals have had a charge master list or a master list of prices that generally represented the maximum price they would charge for any services or goods provided to patients. These prices were claimed by hospitals to be secret so that when you agreed to pay charges to the hospital you could not know the amount you agreed to pay the hospital and could only find those out later when you were billed and when your insurance company paid the amount they had “negotiated” for with the hospital. This often left a substantial extra balance to be paid by the patient.
In past Indiana litigation, regarding master lists of prices, hospitals have continued to argue these are trade secret information and should not be subject to discovery in court cases and should not be known to the public.
Now a new federal rule will require all hospitals to post their master list of prices. This posting will generally be online and requires detailing the services so that we are at the beginning of the long road to hospital price transparency. The new rule, effective January 1, 2019, requires the information be posted in a format which will allow consumers to download it into a spreadsheet. Hospitals are required to update the price list annually.
Please note this rule does not limit the hospitals from providing more information, such as information on prices they have negotiated with major insurance companies and employers.
Hopefully this new rule, over time (the next several years), will allow the data to be aggregated and placed in a format so that consumers of healthcare services whether from pharmacies, medical practices or hospitals, can determine their financial obligations prior to treatment.
Stupid Money
Insurers reportedly spend over $2 Billion in annual administrative costs to maintain provider directories for use in Medicare Advantage Plans. Despite spending that amount of money to provide a relatively simple list of providers, addresses, phone numbers and specialties, the MA directories are incorrect nearly half the time according to CMS. Obviously spending $2 Billion to be wrong half the time is money not well spent. This problem is particularly intense where MA providers use narrow networks which materially limit patient choices for providers. If a narrow network directory which only has a few providers for each location or specialty is 50% inaccurate, that means, Medicare Advantage enrollees may find themselves enrolled in a plan in which it is extremely difficult to receive the care paid for.
This newsletter is edited by Paul Wallace of Jones • Wallace, LLC, a member of the American Bar Association Healthcare Law Section and the American Health Lawyers Association who has been representing physicians and healthcare practices for over 25 years. Mr. Wallace assists physicians, practices and hospitals in contract items, federal legal compliance, practice entity creation, estate and wealth planning and similar issues. Please feel free to call if you have any questions on this newsletter or legal matters at (812) 402-1600 or pwallace@joneswallace.com.