An RSS Feed from melniklegal.com

Over-sharing on Facebook Costs $80,000

Tue, 04 Mar 2014 22:42:32 EST

In an opinion issued on February 26, 2014, a Florida Appeals Court ruled that a plaintiff was not entitled to retain an $80,000 settlement because he disclosed the settlement to his college-aged daughter, who then posted the news on her Facebook page. In effect, the over-sharing on Facebook cost $80,000.

The case arises out of a 2011 lawsuit filed by Patrick Snay against Gulliver Schools, Inc., alleging age discrimination and retaliation under the Florida Civil Rights Act after the school declined to renew Snay's contract to serve as the school's headmaster. As part of the November 2011 settlement, the parties executed a general release and settlement agreement, where the school agreed to pay:

Back pay: $10,000 - Check no. 1
Settlement funds to Mr. Snay: $80,000 - Check no. 2
Mr. Snay's attorneys: $60,000 - Check no. 3

The settlement agreement included the following confidentiality language:

13. Confidentiality. . . [T]he plaintiff shall not either directly or indirectly, disclose, discuss or communicate to any entity or person, except his attorneys or other professional advisors or spouse any information whatsoever regarding the existence or terms of this Agreement. . . A breach . . .will result in disgorgement of the Plaintiffs portion of the settlement Payments.

In effect, a breach of the confidentiality clause would lead to the disgorgement of the $80,000 paid to Mr. Snay.

As the Appeals court explained:

Only four days after the agreement was signed, on November 7, 2011, Gulliver notified Snay that he had breached the agreement based on the Facebook posting of Snay�s college-age daughter, wherein she stated:
Mama and Papa Snay won the case against Gulliver. Gulliver is now officially paying for my vacation to Europe this summer. SUCK IT.
This Facebook comment went out to approximately 1200 of the daughter�s Facebook friends, many of whom were either current or past Gulliver students.

. . .

On November 15, 2011, Gulliver sent a letter to Snay's counsel, stating that it was tendering the attorney's fees portion of the parties' agreement but was not going to tender Snay's portion because he had breached the confidentiality provision. That letter included a Joint Stipulation for Dismissal which reconfirmed in part that "the parties have settled this action," and Snay signed off on it and returned it to Gulliver. The action was dismissed with a reservation of jurisdiction for enforcement of the settlement agreement.

Then in June 2012, Snay filed a motion to enforce the settlement agreement, arguing that neither his statement to his daughter nor her post on Facebook constituted a breach of the confidentiality provision. The lower court agreed with Snay.

But, the Florida Third District Court of Appeal disagreed with the lower court and reversed, holding that, "the plain, unambiguous meaning of paragraph 13 of the agreement between Snay and the school is that neither Snay nor his wife would 'either directly or indirectly' disclose to anyone (other than their lawyers or other professionals) 'any information' regarding the existence or the terms of the parties� agreement."

Snay, despite signing the agreement, chose to disclose the information to his daughter. Snay explained in a deposition that he had good reason to tell his daughter because she was retaliated against by the school and that Snay and his wife "understood the confidentiality . . . [but] needed to tell [the daughter] something." However, the Appellate Court noted that Snay's deposition clearly established that he breached the confidentiality provision and the fact that "he knew he needed to tell his daughter something did not excuse this breach."

Take-a-Ways

This decision highlights the need for contracts to reflect the understanding and needs of the parties. The Appellate Court noted that, "There [was] no evidence that [Snay] made this need [to tell his daughter] known to the school or to his or its attorneys so that the parties might hammer out a mutually acceptable course of action in the agreement." Snay's deposition testimony showed that he and his wife were acutely aware that they would need to tell their daughter something about the settlement, yet their agreement failed to reflect this understanding.

Similarly, parties can also run into issues when they include provisions that are not immediately applicable to their transaction. In many 'form' business associate agreements for example, there are often provisions included that do not apply to a particular business associate given the context of the transaction and the HIPAA covered services being provided. Parties should consider removing such language to minimize risks of ambiguity or misapplication of particular language should the relationship fall apart.

Confidentiality provisions should be taken seriously and parties should take appropriate steps to protect information deemed confidential.

This case is yet another example of the troubles that can be caused by over-sharing information on social media. Once information is released online, there is no taking it back and such disclosures could lead to loss of settlement funds (as in this case), money damages, or termination of employment.

------------------

See Gulliver Schools, Inc. v. Patrick Snay, Case No. 3D13-1952 (Third Dist. App. Feb. 26, 2014). (PDF)
------------------

Posted on: March 4, 2014
By: Tatiana Melnik

According to HHS Attorney, HIPAA Enforcement to Increase

Fri, 13 Jun 2014 10:11:11 EST

Yesterday, Law360 reported on some interesting comments made by Jerome B. Meites, a chief regional civil rights counsel at HHS (speaking on his own behalf) at the American Bar Association conference in Chicago on Physician Legal Issues. [1] According to the report, Meites told "attendees that the past 12 months of enforcement will likely pale in comparison to the next 12 months." Meites further said that, "Knowing what�s in the pipeline, I suspect that that number will be low compared to what's coming up."

Meites also addressed the risk of portable media devices, stating that "Portable media is the bane of existence for covered entities. It causes an enormous number of the complaints that OCR deals with." These comments regarding portable media (e.g., phones, usb drives, laptops, etc.) are not surprising considering that of the 18 published actions, 7 involved the loss of unencrypted devices. Additionally, according to OCR's most recent report to Congress [2]:

The 222 reports submitted to OCR for breaches occurring in 2012 described the following locations of the PHI (in order of frequency):
(1) laptop computer (60 reports affecting 654,158 individuals);
(2) paper (50 reports affecting 386,065 individuals);
(3) network server (30 reports affecting 986,607 individuals);
(4) desktop computer (27 reports affecting 253,720 individuals);
(5) other (22 reports affecting 166,411 individuals);
(6) other portable electronic device (20 reports affecting 463,702 individuals);
(7) e-mail (8 reports affecting 241,108 individuals); and
(8) electronic medical record (5 reports affecting 121,964 individuals).

Similarly, many of the most notable class actions and other enforcement actions also involved the loss or theft of laptops. The action against Accretive Health by both the Minnesota Attorney General and the FTC stemmed from the theft of an unencrypted laptop and the class action settlement by AvMed Health Plans involved the theft of two unencrypted laptops from its corporate office (recall that in this case, several of the plaintiffs were victims of identity theft).

According to the report, Meites also "noted that failure to perform a comprehensive risk analysis, as required under HIPAA, has factored into most of the relatively few cases in which breaches actually resulted in financial settlements and not just corrective actions."

"You really have to think carefully about what a risk analysis involves, and it can�t just be the obvious," Meites said. "Everywhere in your system where [patient information] is used, you have to think about how to protect it."

Providers and business associates should remember that a Risk Analysis is not a check-the-box exercise. That is, completing the HIT Security Risk Assessment Tool provided by the National Learning Consortium is unlikely to be sufficient to meet the obligations of performing a thorough Risk Analysis. Similarly, as OCR has made clear in numerous settlements, the Risk Analysis process is an on-going effort and a Risk Analysis must be undertaken when there is a change in the environment:

move to a new office space -- settlement with Blue Cross and Blue Shield of Tennessee
update to website that handles PHI -- settlement with WellPoint
change in server configuration -- settlement with Skagit County, Washington and New York and Presbyterian Hospital

(Brief summary of the OCR settlements.)

For those providers that have attested to Meaningful Use, completing a proper Risk Analysis is that much more important because MU dollars could be clawed back based on fraud given the failure to comply with the requirements of the program.

---------------------------------------
[1] Jeff Overley, Big Year Ahead For HIPAA Fines, HHS Atty Says, Law360.com, June 12, 2014, https://www.law360.com/health/articles/547721?nl_pk=e15b4a14-9a51-44fe-8fba-30fc49555202&utm_source=newsletter&utm_medium=email&utm_campaign=health

[2] HHS, OCR, Report to Congress on Breach Notification Program: 2011 - 2012 Report to Congress on the Breach Notification Program, https://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachreptmain.html
---------------------------------------

Posted by Tatiana Melnik on June 13, 2014

Money doesn't stop technology crashes

Tue, 15 Oct 2013 18:22:27 EST

Skip to the Take-a-Ways

The U.S. government's insurance exchange program is not the only one to experience technological woes. Healthcare IT News and the California Nurses Association recently reported that Sutter Health, a health system in Northern California, experienced some technological woes as well, when its $1 billion dollar EPIC electronic health record (EHR) system crashed, causing patient records to be unavailable at several of its facilities.

The crash happened on August 26, 2013 at approximately 8 a.m. and lasted for a full day. During the crash, doctors and nurses could not access patient records, including medication lists and medical history. According to the California Nurses Association (CNA), the pharmacy backup system also failed.

Several of Sutter Health's facilities were impacted including Alta Bates Summit Medical Center facilities in Berkeley and Oakland, Eden Medical Center facilities in Castro Valley, Mills Peninsula in Burlingame, Sutter Delta in Antioch, and Sutter Tracy and Sutter Modesto, as well as Sutter affiliated doctors' offices and clinics.

According to the CNA, the EPIC system was down for about 8 hours on August 23 for planned maintenance, "during which nurses and other users could read medication orders and patient histories, but not enter new data." The new information "was kept on paper records then re-entered into the computers later."

In its press release, the CNA noted that "[r]eports from RNs throughout Sutter found little or no backup planning by hospital management, inadequate training, and little support during the emergency. . . . All that prevented greater chaos, said [Alta Bates Summit RN Mike] Hill, was the expertise of the RNs who 'knew what to do from experience, not from any direction from management as management was running around not knowing what to do according to the nurses. There was no training for this kind of downtime as it was unplanned. Nurses followed previous downtime training but this was different because there was no ability to see any info on the patient.'"

Sutter Health's spokesperson Bill Gleeson explained to Healthcare IT News that, the system "experienced an issue with the software that manages user access to the EHR . . . This caused intermittent access challenges in some locations. Our team applied a software patch Monday night to resolve the issue and restore access. We regret any inconvenience this may have caused patients[.]"

According to the CNA, the issues with Sutter's EPIC implementation are not new. In a press release issued July 2013, the CNA reported that, RN's at Alta Bates Summit Medical Center facilities in Berkeley and Oakland submitted over 100 reports, where "nurses cited a variety of serious problems with" the EPIC implementation efforts. These problems included:

A patient who had to be transferred to the intensive care unit due to delays in care caused by the computer.
A nurse who was not able to obtain needed blood for an emergent medical emergency.
Insulin orders set erroneously by the software.
Missed orders for lab tests for newborn babies and an inability for RNs to spend time teaching new mothers how to properly breast feed babies before patient discharge.
Lab tests not done in a timely manner.
Frequent short staffing caused by time RNs have to spend with the computers.
Orders incorrectly entered by physicians requiring the RNs to track down the physician before tests can be done or medication ordered.
Discrepancies between the Epic computers and the computers that dispense medications causing errors with medication labels and delays in administering medications.
Patient information, including vital signs, missing in the computer software.
An inability to accurately chart specific patient needs or conditions because of pre-determined responses by the computer software.
Multiple problems with RN fatigue because of time required by the computers and an inability to take rest breaks as a result.
Inadequate RN training and orientation.

Take-a-ways

Stakeholder buy-in - This dispute between Sutter and its nurses is a great reminder of the importance of getting user buy-in when implementing new technology. When users desires are not carefully considered and addressed, the on-boarding process becomes significantly more complicated and leads to animosity and hurt feelings on both sides.

Disaster Training - No technology is fool-proof. Technology is not perfect and crashes should be expected, whether they are due to a software error, natural disaster, or some other reason. Employees must be adequately trained and knowledgeable about the steps that need to be taken in the event of an EHR or other critical software system malfunction. Otherwise, hospital systems and doctors leave themselves open to greater liability in the event of an adverse patient outcome. A Disaster Recovery Plan is required under HIPAA and employee training should be considered in any Disaster Recovery and Business Continuity plan.

Adequate Backup - Critical systems must have adequate backup. Yes, this can be costly, but "critical" indicates that the information technology resources are essential to the function of the particular business. In the case of an EHR system, it is critical in the sense that lives are literally on the line. As such, backup services in these circumstances should be looked at as the cost of doing business and accounted for in annual cost allocations. A Data Backup Plan is a requirement element of HIPAA.

Resources and Supporting Documents

Erin McCann, Setback for Sutter after $1B EHR crashes, Healthcare IT News, Aug. 28, 2013
California Nurses Association, Press Release, Sutter�s $1 Billion Boondoggle-New Electronic Records System Goes Dark, Aug. 27, 2013
California Nurses Association, Press Release, Sutter�s New Electronic System Causes Serious Disruptions to Safe Patient Care at E. Bay Hospitals, July 11, 2013

Florida Boards Adopt Standards for Telemedicine Practice

Wed, 26 Feb 2014 04:57:27 EST

Florida's Board of Medicine and Board of Osteopathic Medicine each adopt a rule addressing Standards for Telemedicine Practice. (See 64B8-9.0141 for Board for Medicine and 64B15-14.0081 for Board of Osteopathic Medicine).

The Final Rule for each Board is effective on March 20, 2014.

For some background details, see our post from November 2013: Telemedicine is Coming to Florida (Slowly but Surely).

Board of Medicine - Rule 64B8-9.0141 (Florida Administrative Code)

64B8-9.0141 Standards for Telemedicine Practice.

(1) "Telemedicine" means the practice of medicine by a licensed Florida physician or physician assistant where patient care, treatment, or services are provided through the use of medical information exchanged from one site to another via electronic communications. Telemedicine shall not include the provision of health care services only through an audio only telephone, email messages, text messages, facsimile transmission, U.S. Mail or other parcel service, or any combination thereof.

(2) The standard of care, as defined in Section 456.50(1)(e), F.S., shall remain the same regardless of whether a Florida licensed physician or physician assistant provides health care services in person or by telemedicine.

(3) Florida licensed physicians and physician assistants providing health care services by telemedicine are responsible for the quality of the equipment and technology employed and are responsible for their safe use. Telemedicine equipment and technology must be able to provide, at a minimum, the same information to the physician and physician assistant which will enable them to meet or exceed the prevailing standard of care for the practice of medicine.

(4) Controlled substances shall not be prescribed through the use of telemedicine.

(5) The practice of medicine by telemedicine does not alter any obligation of the physician or the physician assistant regarding patient confidentiality or recordkeeping.

(6) A physician-patient relationship may be established through telemedicine.

(7)(a) Nothing contained in this rule shall prohibit consultations between physicians or the transmission and review of digital images, pathology specimens, test results, or other medical data by physicians or other qualified providers related to the care of Florida patients.

     (b) This rule does not apply to emergency medical services provided by emergency physicians, emergency medical technicians (EMTs), paramedics, and emergency dispatchers. Emergency medical services are those activities or services to prevent or treat a sudden critical illness or injury and to provide emergency medical care and prehospital emergency medical transportation to sick, injured, or otherwise incapacitated persons in this state.

   (c) The provisions of this rule shall not apply where a physician or physician assistant is treating a patient with an emergency medical condition that requires immediate medical care. An emergency medical condition is a medical condition manifesting itself by acute symptoms of sufficient severity that the absence of immediate medical attention will result in serious jeopardy to patient health, serious impairment to bodily functions, or serious dysfunction of a body organ or part.

Rulemaking Authority 458.331(1)(v) FS. Law Implemented 458.331(1)(v) FS. History?New 3-12-14.

Board of Osteopathic Medicine - Rule 64B15-14.0081 (Florida Administrative Code)

64B15-14.0081 Standards for Telemedicine Practice.

(1) "Telemedicine" means the practice of medicine by a licensed Florida physician or physician assistant where patient care, treatment, or services are provided through the use of medical information exchanged from one site to another via electronic communications. Telemedicine shall not include the provision of health care services only through an audio only telephone, email messages, text messages, facsimile transmission, U.S. Mail or other parcel service, or any combination thereof.

(2) The standard of care, as defined in Section 456.50(1)(e), F.S., shall remain the same regardless of whether a Florida licensed physician or physician assistant provides health care services in person or by telemedicine.

(3) Florida licensed physicians and physician assistants providing health care services by telemedicine are responsible for the quality of the equipment and technology employed and are responsible for their safe use. Telemedicine equipment and technology must be able to provide, at a minimum, the same information to the physician and physician assistant which will enable them to meet or exceed the prevailing standard of care for the practice of medicine.

(4) Controlled substances shall not be prescribed through the use of telemedicine.

(5) The practice of medicine by telemedicine does not alter any obligation of the physician or the physician assistant regarding patient confidentiality or recordkeeping.

(6) A physician-patient relationship may be established through telemedicine.

(7)(a) Nothing contained in this rule shall prohibit consultations between physicians or the transmission and review of digital images, pathology specimens, test results, or other medical data by physicians or other qualified providers related to the care of Florida patients.

(b) This rule does not apply to emergency medical services provided by emergency physicians, emergency medical technicians (EMTs), paramedics, and emergency dispatchers. Emergency medical services are those activities or services to prevent or treat a sudden critical illness or injury and to provide emergency medical care and prehospital emergency medical transportation to sick, injured, or otherwise incapacitated persons in this state.

(c) The provisions of this rule shall not apply where a physician or physician assistant is treating a patient with an emergency medical condition that requires immediate medical care. An emergency medical condition is a medical condition manifesting itself by acute symptoms of sufficient severity that the absence of immediate medical attention will result in serious jeopardy to patient health, serious impairment to bodily functions, or serious dysfunction of a body organ or part.

Rulemaking Authority 459.015(1)(z) FS. Law Implemented 459.015(1)(z) FS. History?New 3-12-14.

Is the HIPAA EMR/EHR Mandate Required by ALL Medical Providers?

Mon, 05 May 2014 13:37:44 EST

Is the HIPAA EMR/EHR Mandate Required by ALL Medical Providers?

Recently, an interesting question was posed to me by a colleague regarding a so-called 'HIPAA EMR/EHR mandate' and whether all medical providers are required to comply, or only those providers that accept Medicare and/or Medicaid.

To the best of my knowledge, there is no such thing as a "HIPAA EMR/EHR mandate." This question seems to be conflating the HIPAA privacy, security, and breach notification requirements with the EHR Incentive Program. Under the Medicare EHR Incentive Program, providers are required to initiate participation by 2014 to avoid Medicare payment adjustments that begin in 2015. See here for a timeline - https://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/downloads/EHRIncentProgtimeline508V1.pdf (excerpted below). Similarly, under the Medicaid Incentive Program, providers are required to initiate participation by 2016. There are no payment adjustments for providers who are only eligible for the Medicaid program.

Further, there is no mandate for medical providers to participate in the EHR Incentive Program. To the extent that a provider accepts Medicare, the provider can take the adjustment. A number of small medical providers have opted to take the adjustment because the EHR subsidy is not enough to cover the cost of EHR implementation. Alternatively, the provider can stop accepting Medicare and transition his or her practice to a cash-only, concierge style practice, or private insurance only practice.

How a provider is paid has no impact on whether a provider is subject to HIPAA compliance. All medical providers that transmit protected health information electronically are required to comply with HIPAA.

Posted by Tatiana Melnik May 5, 2014.