Sins of Others May be Visited on Employer

Healthcare organizations are learning tough lessons that the actions of employees can come back with serious consequences for the organization. When it comes to maintaining the privacy and security of patient data, no action comes without a consequence. While some actions are completely uncontrollable, that does not necessarily mean that liability cannot flow to the employer. Additionally, HIPAA may only tell part of the story, because state law will play a significant role in determining potential liability.

The impetus for the focus on potential employer liability is a recent decision from the Supreme Court of Virginia. The high-level summary is that the employer healthcare organization (Carilion) may be liable for the snooping of two employees into the record of a patient and the subsequent spreading around of information learned. The Virginia Supreme Court found that vicarious liability could exist based on the actions taken by the employees. Given the snooping premise, the ruling could realistically apply to any healthcare organization around the country. Snooping is a pervasive problem and one of the leading causes of data breaches, whether the so-called “small” breaches or in some instances the large, immediately reportable breaches as well. While any form of snooping should always be taken seriously, if more litigation results, then maybe it will garner more corrective action.

Diving into Carilion

Getting more into the details of Carilion, the factual background from the complaint is that a patient visited a Carilion clinic for a particular issue, then presented months later at a different clinic for an unrelated issue. While in the waiting room, the patient started chatting with another individual who was acquainted with an employee at that clinic. The employee decided to take a look at the patient’s record, then called another Carilion employee to discuss the conversation and what was found by looking at the patient’s record. The second employee also looked in the patient’s record to confirm what the first employee stated. As would be expected, the whole chain of circumstances made its way back to the patient. The patient complained and initiated the lawsuit against the two employees and Carilion. With respect to Carilion, the patient alleged vicarious liability for the actions of the employees and direct liability of negligence per se under Virginia law for a purported HIPAA violation. Upon Carilion’s motion, the trial court dismissed all of the claims.

The appellate decision from the Virginia Supreme Court, while premised upon Virginia law, offers organizations food for thought when it comes to potential liability based on employee actions. Taking the vicarious liability claim first, the analysis considered whether the doctrine of respondeat superior should hold Carilion liable for the actions of the two employees. For the doctrine to apply, the individuals would need to be employees and the harmful act would need to occur within the scope of employment. The first element is likely easy to determine in most circumstances and will not present a hurdle.

The second element, the act being within the scope of employment, raises more complicated questions. What constitutes being within the scope of employment, and when does activity edge outside of it to being animated by personal motives? As pointed out in the Carilion case, that is a factual decision that would need to be made by a judge or jury. The need to make it a factual determination underscores the risks to organizations that can arise from snooping. While any form of snooping is arguably motivated by personal desires, that is not always readily apparent and can take many years and lots of money to dispute. From the HIPAA perspective, it highlights the need to have strong policies in place setting forth what constitutes appropriate access and also pushing for access controls in terms of who can access what data.

The negligence per se claim asserted that Carilion should be liable under Virginia law as a result of the purported HIPAA violation. The patient tried to claim that HIPAA established a standard of conduct and that not meeting that standard should constitute negligence. The Virginia Supreme Court denied that claim in requiring that an underlying common law duty be violated, which duty could not be created solely by reference to another law. The determination that HIPAA did not automatically set a standard of conduct is very much specific to Virginia. Each state can and may take a different approach in defining its own law in reference to standards set by federal law. The nuances established in each state need to be considered for the potential to result in liability. It is not sufficient to just look to HIPAA on the federal level and believe that everything will be ok.

Liability for PHI Removal

In another example, the University of Rochester Medical Center (“URMC”) was fined $15,000 by the New York Attorney General after a nurse practitioner took patient data to a new employer. The URMC case does date back to 2015, but it demonstrates that the covered entity bears ultimate responsibility for complying with HIPAA. In assessing the facts in the URMC case, it seems that attention focused on the departing nurse practitioner asking for a patient list, which was provided in spreadsheet form. More often, when an employee leaves there is a clear acknowledgment that the employee is cut off from all of the employer’s patient information because HIPAA does not allow continued access. The seemingly voluntary transmission offers a plausible basis for fining an entity even when the ultimate bad act was on the part of the departed employee. As such, the takeaway from the URMC case is to not be overly generous with information, as its misuse can come back to haunt the organization.

Final Thoughts

Ensuring the privacy and security of patient information needs to be a paramount concern at all times. While it is impossible to control all the actions of employees, organizations can and must take reasonable and appropriate action to secure information as much as possible. That means understanding obligations imposed by HIPAA and likely considering additional reasonable protections beyond HIPAA. Implementing solid policies and procedures can help educate both the organization and the workforce on requirements while providing an argument that any inappropriate action by an individual was not condoned by the organization. Ultimately, being conscientious and attentive to compliance considerations is a preferable approach.

Posted in Business, Compliance, HIPAA, HITECH, Regulations

Healthcare Startups: Don’t Forget About Regulations

Healthcare has become a hotbed for startups of all kinds, from new provider models to insurance companies to health technology. No matter what area of healthcare is targeted by a startup, the desire is to proceed with innovation or disruption bolstered by a feeling that this idea will be the one to change healthcare. However, nothing in healthcare is easy, simple, or straightforward. For every potential issue that may be addressed, there are myriad other interconnected issues that will be impacted, most likely in unanticipated ways.

Leaving aside the business impacts of an idea, almost every startup trying to work in healthcare will run into issues with regulations. As has been well documented, the healthcare industry is subject to a tangled and complex web of regulations governing almost every aspect of, and organization in, the industry. However, in the excitement of pursuing a new idea or concept, some startups will not consider the regulatory environment.

Importance of Regulations

Proceeding in deliberate or unintentional ignorance of the regulations can have profound impacts on the viability of an idea. If regulations are not considered, a startup may not discover the deficiency until approaching potential customers and then not being able to adequately answer questions from a potential customer or, even worse, being informed by the potential customer of how a regulation is being violated or not followed. If a startup gets to that point, at best some aspect of the solution will need to be modified or at worst the entire idea could end up needing to be scrapped.

What can help the situation? Seeking advice and consultation earlier on in the development cycle. In most instances, the advice should be sought when there is sufficient detail around an idea or concept to begin work on it. Depending upon the area of healthcare involved, the regulations could play a fundamental role in how development proceeds. For example, if the idea is to enhance communications between physicians or other providers around patient care, HIPAA must be addressed right from the start. That may mean not trying to attract individual users who may not be able to bind their organization to an entity that will store protected health information. That nuanced aspect of regulatory impact may not be apparent to a startup founder not well versed in healthcare or entering healthcare for the first time, but unintentional lack of awareness will not remedy a regulatory violation.

The Top Regulations

If regulations are so vital to success in healthcare, which ones are the most important? That question is actually somewhat hard to answer since the specific area of healthcare addressed by the startup will drive what the most important regulation(s) may be. While there are a variety of regulations, discussion most often comes back to HIPAA, the Stark Law, and the Anti-Kickback Statute.

HIPAA covers the privacy and security of protected health information. If a startup will provide a service to or on behalf of a healthcare provider, health plan, or healthcare clearinghouse, then the startup will most likely be a business associate. As a business associate, the startup needs to comply with the HIPAA security rule and portions of the HIPAA privacy rule. Compliance is not just composed of building security measures into a tool or other solution. Compliance requires developing and implementing policies and procedures as well as regularly updating those policies and procedures. HIPAA compliance (and really all regulatory compliance) is an ongoing commitment, not a one and done proposition.

The other major regulatory area is fraud and abuse. That is covered from the civil side (the Stark Law) and the criminal side (Anti-Kickback Statute). In both instances, the regulations are wary of arrangements that encourage the referral of patients to enable the billing of services or procedures. Most arrangements can satisfy regulatory requirements by carefully structuring the terms. However, that requires understanding what elements need to be present for compliance. Further, potentially inappropriate relationships can arise in unexpected ways, particularly through arrangements that would be fine in any other industry.

Another less discussed area is civil monetary penalties, which tag along with the fraud and abuse laws and regulations. In particular, the beneficiary inducement provisions are gaining relevance with ideas that try to engage patients through some type of reward or other compensation. Just giving a patient a financial benefit could raise questions and undermine the potential idea.

While the discussion of the regulations was intentionally brief and high level, the discussion is sufficient to demonstrate that the regulations impact a wide range of ideas and potential activities.

What To Do

Given the complexity of regulations, what should startups do? As already suggested, seek help and do that as early as possible. While it is acknowledged that resources can be tight or non-existent for startups, failing to properly vet or tweak an idea early on can result in the waste of a lot more money later. Additionally, many areas have programs designed to aid startups, with many of those programs having a healthcare focus. Those resources should be taken advantage of to more quickly enable the team behind a startup to get on the right path.

It is a time of much potential innovation in healthcare. That should be a time of promise and hope. Do not let an idea be derailed by rushing headlong into it at the start without taking the proper time to fully assess it.

Posted in Anti-kickback Statute, Business, Compliance, Healthcare, HIPAA, HITECH, Regulations, Stark Law

Escaping Notice, by Laying Low

An interesting argument was posed in a recent post on databreaches[.]net about a lack of enforcement actions from the Office for Civil Rights against small or medium-sized healthcare entities that do not appropriately report breaches to OCR or to the individuals impacted. As outlined in the post, the apparent lack of follow-up from OCR is occurring even though outside parties are filing reports or complaints with OCR about the underlying conduct that resulted in the breach.

The post then went on to report about a seemingly rare instance when OCR did follow up on a report. In the example, it was discovered that a covered entity left patient information exposed on an FTP server that could be publicly accessed. A security researcher found that information, notified the covered entity, was accused by the covered entity of hacking the covered entity, and then the researcher filed its report with OCR. In response, OCR contacted the covered entity and over six months later a breach report was finally filed by the covered entity. Further, the covered entity implemented many changes to its HIPAA policies and procedures to better bring itself into alignment with expectations.

OCR outlined all of these developments in its follow up letter to the security researcher when the matter was deemed resolved by OCR. No penalties or fines were assessed. Instead, OCR used the matter as a means of educating the covered entity so it better understood the requirements of HIPAA.

The outcome is not surprising based on publicly reported actions and outcomes observed in practice. Comparing the number of reported issues to the number of penalties or fines imposed shows that a penalty or fine results in only a very small minority of instances. That disparity only seems to be growing, as the fines have fallen off dramatically from an already low number. Instead, OCR investigations more typically end with a determination of no issue or with behind-the-scenes corrective action.

In helping entities correct issues and improve compliance behind the scenes, the focus of such efforts seems to center upon education. In fact, OCR investigators will often push for more information and then provide resources to help entities update policies as opposed to going down a line of punitive action. The friendly approach very often helps to relieve the tremendous worry and burden that many entities encounter when having to report a breach or otherwise find OCR opening an investigation. The concern arises because more often than not the issue did not arise from intentional conduct, but a mistake or some other oversight even when the entity was trying to do the right thing.

While behind-the-scenes resolutions work very well for the entities involved, a different perspective should also be considered: that of the complainant if there is an alleged violation of a HIPAA requirement, or of the individuals whose protected health information is impacted in the event of a breach. In those instances, the aggrieved individuals may ask why more was not done to penalize the entity or impose some punishment, given harm to the individual that likely cannot be “remedied” in the individual’s eyes. While retribution will not necessarily result in satisfaction, a very real human desire can arise to see it imposed regardless.

Given what should be a real consideration of not discounting the harm to individuals, should OCR pursue more enforcement actions that result in penalties or another form of public reprimand? The answer is not clear and not one subject to easy advocacy. As noted, entities are for the most part trying to do the right thing and may be caught up in some extremely unfortunate circumstances. As such, the education and teaching offered by OCR is appropriate and likely should not be followed by any other action. It is acknowledged that these outcomes can feel less than satisfactory to impacted individuals, but the approach may be more beneficial in the long run to the involved entities. Pushing punitive action can result in a climate based upon fear and could further drive entities to brush incidents under the rug in the hopes that no one will ever find out about the issue.

While punitive measures may not be appropriate, could alternatives be found that result in some form of public notice and a financial consequence? In classic legal fashion, the answer likely depends. It is hard to argue against education as a good endpoint, but that alone is not always enough to drive compliance. If a fine or penalty needs to be issued, maybe it could be in the form of some public benefit fund that could result in any money paid to help further HIPAA education and compliance broadly. Trying to come up with a “public justice” style remedy could produce many ideas. Such remedies may be more appealing than just fining entities and not result in an atmosphere of fear.

There is a long-delayed rule that would let individuals share in any penalty assessed, much like the share a whistleblower can receive. However, it is not clear when, if ever, that rule will be proposed and then implemented. Moreover, this remedy could arguably result in a bit of a hunt for issues to enable recovery. The incentive should not be on finding and reporting issues, but on better encouraging prevention in the first place.

Ultimately, the issue also comes back to upfront compliance. If an entity is not willing to invest in those efforts or does not want to freely admit when an issue has occurred, getting to the favorable end place can be longer or more complex. As has been argued many times before, creating a collaborative environment where entities can work together to promote and implement compliance will help everyone in the long run.

Posted in Compliance, Healthcare, HIPAA, HITECH