A Section 1557 lawsuit is now pending in an Arizona federal court. Twelve (12) hearing-impaired individuals have brought suit alleging their health care provider discriminated against them by not providing sign language interpreters or electronic video interpretation. Instead of providing such accommodations, the lawsuit alleges, the health care staff relied on notes and lip reading in an attempt to communicate with the patients. The individuals assert that the provider should have trained the staff to recognize when interpretation is necessary, provided a functioning electronic video interpretation system, and instructed the staff on how to use electronic video interpretation.

The lawsuit underscores the requirements now imposed on health care providers under Section 1557 of the Affordable Care Act, which became effective in July 2016. Section 1557 prohibits discrimination on the basis of race, color, national origin, sex, age, and disability in federal health care programs. When interacting with individuals with sensory, manual, or speaking disabilities, health care providers are required to provide communication that is as effective as the provider’s communication with non-impaired individuals. This requires that health care providers have access to sign language interpreters, Braille handouts, visual aids, auxiliary aids, or other communications formats when the need arises.


For many years, medical providers have been faced with the task of untangling the web of medical and ethical issues surrounding end of life decisions.  More recently, the profession has successfully navigated the problem by pushing for patients and the general public to complete healthcare directives or other documentation clarifying their wishes.  However, this most recent movement has created an interesting twist on the same old problem – what happens when a medical provider fails to actually follow a patient’s written directive?

Paula Span, a writer for the New York Times, recently published an article documenting the new trend of lawsuits brought against medical providers for ignoring a directive and actually saving a patient’s life. Among other specific accounts, her article documents a Maryland woman who had a Medical Order for Life-Sustaining Treatment stating that she did not want life-saving care if her heart or lungs failed. When she was found blue in her bed at the hospital, staff revived her through CPR and defibrillation, saving her life but breaking her ribs, collapsing one of her lungs, and ignoring her wishes in the process. The patient and her family brought suit for a variety of damages, including for recovery of the cost of the hospital bills she would have never incurred. The case is set to go to trial in November of this year.


On December 21, 2016, the South Dakota Supreme Court in Wipf v. Alstiel required a defendant surgeon in a perforated bowel case to redact and provide the plaintiff with non-party patient medical records from his last five years of practice.  The records became relevant to the case when the defendant’s expert testified that the plaintiff would “have to show an unacceptably high complication rate in similar procedures with different patients.”

In its 3-2 split decision, the South Dakota Supreme Court reviewed SDCL 19-19-503(b) (the physician-patient privilege).  The Court took a narrow view of the privilege, finding that it only protects “confidential communications” contained in a medical record and concluding that medical records are not “confidential communications” per se.  The Court did provide further guidance on the types of redactions a covered entity or provider must make before disclosing these types of records.

In an uncharacteristically scathing dissent, Chief Justice Gilbertson attacked the majority’s holding on numerous grounds, calling its analysis “result-oriented” and noting that the majority misinterpreted SDCL 19-19-503(b), undercut policy in South Dakota that encourages honest conversations between a physician and patient, and called into question the traditional scope of many other codified privileges in this state.  Justice Severson penned his own dissent, joining Justice Gilbertson and further discussing the majority’s misinterpretation of SDCL 19-19-503(b).


On February 8, 2017, a Federal District Court in Texas provided a noteworthy ruling requiring a Texas hospital to void an NPDB report about a surgeon on its staff. The underlying facts are simple: the surgeon was peer reviewed as a result of two cases; the MEC recommended proctoring for five cases; the hospital’s Board followed the MEC’s recommendation but did not specify a timetable for completion of the proctoring; and, after the five proctored cases were not completed within 30 days, the hospital reported the surgeon to the NPDB. The surgeon brought suit seeking various forms of relief, one being his request that the NPDB report be voided.


It seems we can’t have a conversation about data security these days without mentioning ransomware.  Public and private companies are reporting increasing numbers of ransomware attacks, and health care providers and business associates are no exception to this trend.

Ransomware – What is it?

At its most fundamental, ransomware is a type of malicious software that infiltrates a person or company’s computer system and encrypts certain data that is stored electronically.  Essentially, ransomware locks users out of accessing their data until a “ransom” is paid.  Ransomware may also be used in conjunction with other malware to gain access to IT systems in an effort to steal data housed within the IT system.

Although not expressly mentioned in the Security Rule, a covered entity or business associate’s HIPAA compliance program necessarily must include analyses relating to the potential for, and responses to, ransomware attacks. Risk management plans, risk analyses, and other security assessments should identify threats and vulnerabilities to electronic protected health information (PHI) and a company needs to implement procedures to guard against and detect malicious software, including ransomware.


The Office of Civil Rights (OCR), a division of the Department of Health and Human Services, is the governmental agency responsible for investigating and providing technical assistance to covered entities and business associates on matters of HIPAA compliance.  When a deficiency is found in a covered entity or business associate’s compliance with the Security Rule or the Privacy Rule, OCR takes necessary action to remedy the deficiency, including imposing penalties or requiring the covered entity or business associate to enter into corrective action plans.

As of the end of January 2017, OCR reported that the most common HIPAA compliance issues that are investigated are as follows:

  • Impermissible uses and disclosures of protected health information (PHI);
  • Lack of safeguards of PHI;
  • Lack of patient access to their own PHI;
  • Use and disclosure of more than the minimum necessary PHI; and
  • Lack of administrative safeguards of electronic PHI.

Additionally, the following types of covered entities are the most common with regard to taking corrective action in light of a compliance deficiency:

  • Private practices;
  • General hospitals;
  • Outpatient facilities;
  • Pharmacies; and
  • Health plans.

Complete Wellness, a Baltimore treatment center for patients with behavioral health and substance use disorders, was recently forced to post a Warning of Potential Privacy Violation relating to the loss of an unencrypted flash drive containing information of over 600 patients.  The employee who lost the flash drive had downloaded, without authorization, certain patient information including patient name, address, phone numbers, email address, birthdate, age, social security number, languages spoken, emergency contact, level of education, employer information, primary care physician, list of medications at admission, list of allergies, ethnicity, race, marital status, hurricane victim status, living situation, military service, arrest history, and hearing or vision difficulties.  Complete Wellness’ post fails to delineate a reason why the employee believed there was a need to put this extremely broad and detailed level of information for over 600 patients on a flash drive.

This incident is a good reminder for providers and other entities handling protected health information (PHI).  Strong policies and procedures, including disciplinary procedures, must be implemented to deter employees from making these types of mistakes.  IT systems, if possible and if reasonable, should not allow the downloading of PHI onto portable media without a certain level of authorization.  And, if it becomes necessary to place PHI on portable media, that portable media must be encrypted, logged/tracked, and it should only contain the absolute minimum amount of PHI necessary for the intended purpose.

Below is a link to the Complete Wellness notification:



Health care facilities, health plans, and business associates are increasingly turning to cloud service providers to store, maintain, and, at times, wholly manage, the covered entity or business associate’s electronic protected health information (ePHI).  As covered entities and business associates migrate their data to the cloud, these entities need to take a closer look at their obligations under the Privacy Rule and the Security Rule.

When a covered entity or business associate contracts with a cloud service provider, the cloud service provider is a business associate of the hiring party.  As a threshold matter, the covered entity or business associate needs to enter into a HIPAA-compliant business associate agreement with the cloud service provider.  This agreement, often used alongside or as an attachment to a larger, service-level agreement, establishes the permitted and required uses and disclosures of ePHI by the cloud service provider.


House Bill 1040 is now headed to the South Dakota Governor’s desk. The Bill, which passed the SD Senate on February 7, adds “community living home” to the definition of a regulated health care facility, bringing such facilities within the scope of South Dakota’s laws and regulations governing health care institutions under Title 34 of the South Dakota Code.

The Bill defines a “community living home” as any family-style residence whose owner or operator is engaged in the business of providing individualized and independent residential community living supports for compensation to at least one unrelated adult, but no more than four, and provides one or more regularly scheduled health related services, either administered directly or in collaboration with an outside health care provider.

If signed, the Bill will require operators of community living homes to apply for and receive a license prior to commencing operation.

On April 13, 2016, the South Dakota Supreme Court issued an important opinion in Berry Thomas Pitt-Hart, MD v. Sanford USD Medical Center. The Pitt-Hart case involved a patient who had knee surgery at Sanford USD Medical Center (“Sanford”) on November 10, 2009. The day after surgery, he alleged he was dropped and injured due to the negligence of a patient-care tech. He commenced suit against Sanford on September 14, 2012. Sanford argued that the claim was barred by SDCL 15-2-14.1’s two-year limitations period.

The patient tried to circumvent the reach of SDCL 15-2-14.1 in three ways. First, he argued that, since his claim was based upon the simple negligence of a tech, not the negligence of a health care practitioner like a surgeon negligently completing a procedure or a physician making the wrong diagnosis, the traditional, longer, three-year negligence statute of limitations should apply. The Court rejected this argument, reasoning that when a defendant like a hospital is named, SDCL 15-2-14.1 applies to all the alleged “errors” and “mistakes” committed in the healthcare setting.

Next, the patient argued that SDCL 15-2-14.1 should have been tolled based upon Sanford’s fraud and estoppel.  In prior case law, the South Dakota Supreme Court had gone back and forth in referring to SDCL 15-2-14.1 as a period of limitations on some occasions, and of repose on others.  Here, the Court took the opportunity to clarify and confirm that SDCL 15-2-14.1 is a statute of repose that cannot be delayed by estoppel, tolling, or fraudulent concealment.  Per SDCL 15-2-14.1, two years after a medical error or mistake occurs, liability “no longer exist[s].”

Lastly, the patient argued that SDCL 15-2-14.1 should be tolled based upon the continuing treatment doctrine.  The South Dakota Supreme Court also rejected this argument, clarifying that South Dakota does not recognize a continuing treatment doctrine, but only a continuing tort theory that could delay the start of the statute of repose “(1) [when] there was a continuous and unbroken course of negligent treatment; and, (2) [when] the treatment was so related as to constitute one continuing wrong.”

The full version of the Pitt-Hart opinion can be found here:


SDCL 15-2-14.1 can be found here: