Late last year, the South Dakota Supreme Court made a very significant decision relating to the medical peer review privilege in South Dakota. Boyce Law Attorney Matthew D. Murphy recently published an article on the topic in the Medlaw Update for the DRI. It can be found here.
Conflict can arise in almost every facet of health care. Issues may include employment and credentialing disputes, traditional malpractice claims, premises liability charges, family disputes in a hospital, denial of claims for reimbursement, disagreements related to the buying and selling of physician practices, and hospital mergers and acquisitions. While Alternative Dispute Resolution (ADR) is being more commonly used to efficiently resolve disputes, the American Bar Association (ABA) recently noted that “anecdotal evidence suggests that the health care industry and the legal profession with an interest in health care have lagged behind others in embracing the broad array of dispute resolution techniques to address conflicts and resolve disputes.” For this reason and others, the ABA adopted a resolution urging “lawyers and all interested parties to encourage the informed and voluntary use of alternative dispute resolution (ADR) processes as an effective, efficient and appropriate means to resolve health care disputes.”
The key to successful ADR is to address issues before relationships break down, individuals take sides, and costs begin to rise. ADR offers many benefits in comparison to traditional litigation, including:
- Cost efficiency
- Expertise of a neutral arbitrator
- Flexibility of the process and solutions
- Ability to maintain long-term relationships
- No or little discovery
- Confidentiality and privacy
- Enforceability of the resolution
Next time a conflict arises in your healthcare practice, ADR should be something considered at the outset.
Find the ABA’s resolution here:
Many data privacy and security conversations these days inevitably lead to discussions about cyberliability insurance policies. What kind? How much? Is what we have enough? Being relatively new, many cyberliability policies remain highly negotiable, although increased standardization of terms is occurring; however, coverage determinations by Courts are few, leaving clients in a somewhat precarious or uncertain position. Until Courts are presented with opportunities to provide additional coverage guidance, clients are left to their own devices to negotiate the terms and conditions of their cyberliability coverages. The prevalence of security incidents is bound to increase, so the necessity of insuring against data breach risk will remain an important risk management tool. Here are a few items to watch out for when procuring cyberliability coverage.
- Amount of Coverage
Quite literally, the million dollar threshold question needing answering is: how much coverage do I need? While there are many types of data breaches, breaches of protected health information are the most costly. According to a 2016, IBM-sponsored study conducted by the Ponemon Institute, the average cost of a data breach for health care organizations was $355 per record. This number can be used as a starting point in determining the amounts and types of coverage a company may need to protect themselves from a data breach.
- Inception Dates—Retroactivity
For first time purchasers of cyberliability coverage, retroactive dates are crucial. Oftentimes the retroactive date is set as the date the policy is procured, or the inception date. This could create a problem because any claims arising out of events that occurred prior to the inception date would not be covered under the policy. While this start-date dilemma will “right size” itself as the company continues to renew coverage, it remains a crucial issue when first procuring cyberliablity coverage.
On May 8, 2017, a federal jury awarded a $1,180,257 verdict to former Huron surgeon, Dr. Linda Miller. The jury found that Huron Regional Medical Center (HR) breached Dr. Miller’s services contract and its own bylaws in handling Dr. Miller’s privileges back in 2011.
Dr. Miller began working at HR in 2004 as a contract surgeon. In 2006, she joined the HR staff and later became an independent contractor for the clinic in 2009. In the summer of 2010, HR’s Board of Directors became concerned with some of Dr. Miller’s patients’ complications. The Board asked the MEC to investigate, which resulted in internal review of all of Dr. Miller’s cases. More patient complications arose in late 2010 and early 2011 and some additional external review was undertaken. By April of 2011, the Board and MEC felt something needed to be done, so the MEC decided to ask Dr. Miller to voluntarily reduce her surgical privileges. When confronted with this choice, Dr. Miller claimed she was given no other options. On April 26, 2011, Dr. Miller acquiesced. Even though an MEC member had apparently told her otherwise, HR concluded Dr. Miller’s decision created a reportable event and it reported Dr. Miller to the NPDB. In May of 2011, Dr. Miller requested reinstatement of some of her privileges, with additional conditions. Her request was approved and HR reported to the NPDB again, this time indicating that Dr. Miller had restrictions on her privileges. About four months later, in September of 2011, Dr. Miller resigned from HR.
A Section 1557 lawsuit is now pending in an Arizona federal court. Twelve (12) hearing-impaired individuals have brought suit alleging their health care provider discriminated against them by not providing sign language interpreters or electronic video interpretation. Instead of providing such accommodations, the lawsuit alleges, the health care staff relied on notes and lip reading in an attempt to communicate with the patients. The individuals assert that the provider should have trained the staff to recognize when interpretation is necessary, provided a functioning electronic video interpretation system, and instructed the staff on how to use electronic video interpretation.
The lawsuit underscores the requirements now imposed on health care providers under Section 1557 of the Affordable Care Act which became effective in July 2016. Section 1557 prohibits discrimination on the basis of race, color, national origin, sex, age, and disability in federal health care programs. When interacting with individuals with sensory, manual, or speaking disabilities, health care providers are required to provide communication that is as effective as the provider’s communication with non-impaired individuals. This requires that health care providers have access to sign language interpreters, Braille handouts, visual aids, auxiliary aids, or other communications formats when the need arises.
For many years, medical providers have been faced with the task of untangling the web of medical and ethical issues surrounding end of life decisions. More recently, the profession has successfully navigated the problem by pushing for patients and the general public to complete healthcare directives or other documentation clarifying their wishes. However, this most recent movement has created an interesting twist on the same old problem – what happens when a medical provider fails to actually follow a patient’s written directive?
Paula Span, a writer for the New York Times, recently published an article documenting the new trend of lawsuits brought against medical providers for ignoring a directive and actually saving a patient’s life. Among other specific accounts, her article documents a Maryland woman who had a Medical Order for Life-Sustaining Treatment stating that she did not want life saving care if her heart or lungs failed. When she was found blue in her bed at the hospital, staff revived her through CPR and defibrillation, saving her life but breaking her ribs, collapsing one of her lungs, and ignoring her wishes in the process. The patient and her family brought suit for a variety of damages, including for recovery of the cost of the hospital bills she would have never incurred. The case is set to go to trial in November of this year.
On December 21, 2016, the South Dakota Supreme Court in Wipf v. Alstiel required a defendant surgeon in a perforated bowel case to redact and provide the plaintiff with non-party patient medical records from his last five years of practice. The records became relevant to the case when the defendant’s expert testified that the plaintiff would “have to show an unacceptably high complication rate in similar procedures with different patients.”
In its 3-2 split decision, the South Dakota Supreme Court reviewed SDCL 19-19-503(b) (the physician-patient privilege). The Court took a narrow view of the privilege, finding that it only protects “confidential communications” contained in a medical record and concluding that medical records are not “confidential communications” per se. The Court did provide further guidance on the types of redactions a covered entity or provider must make before disclosing these types of records.
In an uncharacteristically scathing dissent, Chief Justice Gilbertson attacked the majority’s holding on numerous grounds, calling its analysis “result-oriented” and noting that the majority misinterpreted SDCL 19-19-503(b), undercut policy in South Dakota that encourages honest conversations between a physician and patient, and called into question the traditional scope of many other codified privileges in this state. Justice Severson penned his own dissent, joining Justice Gilbertson and further discussing the majority’s misinterpretation of SDCL 19-19-503(b).
On February 8, 2017, a Federal District Court in Texas provided a noteworthy ruling requiring a Texas hospital to void a NPDB report about a surgeon on its staff. The underlying facts are simple: The surgeon was peer reviewed as a result of two cases; The MEC recommended proctoring for five cases; The hospital’s Board followed the MEC’s recommendation, however, it did not specify a timetable for completion of the proctoring; After the five proctored cases were not completed within 30 days, the hospital reported the surgeon to the NPDB. The surgeon brought suit seeking various forms of relief, one being his request that the NPDB report be voided.
It seems we can’t have a conversation about data security these days without mentioning ransomware. Public and private companies are reporting increasing numbers of ransomware attacks, and health care providers and business associates are no exception to this trend.
Ransomware – What is it?
At its most fundamental, ransomware is a type of malicious software that infiltrates a person or company’s computer system and encrypts certain data that is stored electronically. Essentially, ransomware locks users out of accessing their data until a “ransom” is paid. Ransomware may also be used in conjunction with other malware to gain access to IT systems in an effort to steal data housed within the IT system.
Although not expressly mentioned in the Security Rule, a covered entity or business associate’s HIPAA compliance program necessarily must include analyses relating to the potential for, and responses to, ransomware attacks. Risk management plans, risk analyses, and other security assessments should identify threats and vulnerabilities to electronic protected health information (PHI) and a company needs to implement procedures to guard against and detect malicious software, including ransomware.
The Office of Civil Rights (OCR), a division of the Department of Health and Human Services, is the governmental agency responsible for investigating and providing technical assistance to covered entities and business associates on matters of HIPAA compliance. When a deficiency is found in a covered entity or business associate’s compliance with the Security Rule or the Privacy Rule, OCR takes necessary action to remedy the deficiency, including imposing penalties or requiring the covered entity or business associate to enter into corrective action plans.
As of the end of January, 2017, OCR reported that the most common HIPAA compliance issues that are investigated are as follows:
- Impermissible uses and disclosures of protected health information (PHI);
- Lack of safeguards of PHI;
- Lack of patient access to their own PHI;
- Use and disclosure of more than the minimum necessary PHI; and
- Lack of administrative safeguards of electronic PHI.
Additionally, the following covered entities are the most common with regards to taking corrective action in light of a compliance deficiency:
- Private practices;
- General hospitals;
- Outpatient facilities;
- Pharmacies; and
- Health plans.