Doctor Sued for Posting Pictures of Drunk Model on Facebook

A Chicago physician is being sued by former Northwestern University student and freelance model Elena Chernyakova after the physician allegedly posted pictures of her drunk on Instagram and Facebook. Ms. Chernyakova has filed suit for invasion of privacy and infliction of emotional distress, seeking more than $1.5 million in damages, and claims her career has been harmed.

The physician, Dr. Vinaya Puppala, allegedly knew Ms. Chernyakova through a mutual friend and took pictures of her "while she was on the hospital bed, crying and attached to an IV" in the emergency department at Northwestern Memorial Hospital, according to the complaint as reported by ABC News. He reportedly refused to take the pictures down when hospital security asked him to.

Although HIPAA has been in effect for well over a decade, it is amazing how many health care professionals still do not "get" HIPAA and patient privacy, or how many do and just don't care. Hospitals are increasingly adopting zero tolerance policies for nurses, physicians, students and employees who fail to follow hospital policy and act in utter disregard for patient privacy. Many have strict policies governing the use of social media while on hospital premises and explicitly prohibit posting any patient information on Facebook, Twitter and other social media platforms, even descriptions of patient encounters that would seem to be de-identified.

Does your organization have social media policies in place? Do your employees and other health care professionals understand the problems social media creates for patient privacy? Is it clearly communicated that posting impermissible pictures or information about patients on social media will result in disciplinary action? And finally, is your organization consistent in enforcing its social media policies?

Will HIPAA Conviction Appeal Loss Open the "Zhou" Gates?

This post was prepared by Christopher Dodson.

Readers of this blog are probably familiar with the case of Dr. Huping Zhou, who was successfully prosecuted for violating HIPAA's privacy protections. Zhou accessed the patient records of celebrities and coworkers more than three hundred (300) times over the course of several months, including four times after he was fired. The case is notable, in part, because Zhou's actions were not part of a broader criminal scheme. He was not defrauding the government or engaging in identity theft; he was merely reading patient records out of curiosity. When he appealed his conviction, the Ninth Circuit ruled that HIPAA's wrongful disclosure provision does not require that the defendant intended to break the law, only that he knowingly obtained the information.

One of the interesting details of the case was that while Zhou accessed several hundred records, he was only charged for the four records he accessed after he was fired. Why did the Department of Justice not charge him for accessing the other records while he was employed?

HIPAA's criminal provision, 42 U.S.C. § 1320d-6, prohibits anyone from knowingly obtaining individually identifiable health information maintained by a covered entity without authorization.

The answer to why Zhou was only charged with four counts may lie in the phrase "without authorization." It is possible that, since DOJ was already breaking new ground by prosecuting him for accessing records without criminal intent, it did not want to add a second novel issue, namely whether he had sufficient authorization while he was employed.

But now that the Ninth Circuit has held that criminal intent is not required to violate HIPAA's wrongful disclosure provision, could the next person in Zhou's position be charged for inappropriately accessing records while still employed?

There is an interesting parallel with the Computer Fraud and Abuse Act. As with HIPAA, the CFAA prohibits certain actions when they occur "without authorization," a phrase the statute does not define. There is ongoing debate over what qualifies as authorization for purposes of the CFAA, and a split has developed among the circuit courts over a theory concerning employees' authorization. The theory holds that when an employee violates her duty of loyalty to the employer, her authorization is canceled as a matter of law even while she is still employed. Under this theory, if an employee who has authorization to access a computer system violates the duty of loyalty and engages in conduct prohibited under the CFAA, a court may rule that her authorization to use the system was terminated as a matter of law at the moment of the offense. In other words, at the time, as far as the employee and her employer are concerned, she is an authorized user. But sometime later the legal system determines otherwise, leaving her liable under the CFAA.

Because there is a split among the circuit courts, many observers think the issue will wind up before the Supreme Court. If the Supreme Court endorses canceling authorization retroactively based on an employee's conduct, it is not a stretch to imagine DOJ arguing that the authorization of someone like Zhou was terminated as a matter of law before he was fired. That would let DOJ charge the defendant for every record view that occurred after the authorization-terminating event.

Christopher is a former software developer and current J.D. candidate at the Earle Mack School of Law of Drexel University. He is working with the attorneys at Oscislawski LLC as a summer intern.

State AG Brings First HIPAA Lawsuit Against Business Associate

Last month, I posted about how the treatment of business associates during HIPAA investigations, as well as the assignment of liability for breaches of PHI, remains unclear. A final "omnibus rule" is expected to clarify the HITECH business associate (and other) provisions this year, but in the meantime, much confusion remains.

Despite the lack of final business associate rules, confusion or not, Minnesota has dived head first into action against a business associate for HIPAA violations. In the first HIPAA enforcement action brought directly against a business associate, Minnesota Attorney General Lori Swanson has sued Accretive Health, Inc., pursuant to her authority under HITECH. In addition, multiple violations of Minnesota law are alleged, including violations of the Minnesota Health Records Act, debt collection statutes, and consumer protection laws.

Accretive functions in multiple capacities for covered entities in Minnesota, including as treatment coordinator, debt collector, and quality, cost control and management partner. A breach last summer of data compiled by Accretive, resulting from an unencrypted laptop stolen from a rental car where an employee had left it, affected at least 23,531 patients. The laptop held personal identifying information (name, address, phone number, Social Security Number), "medical scores" predicting a patient's frailty, complexity and likelihood of hospital admission, dollar amounts allocated to the patient's health care provider, and whether patients had certain conditions such as bipolar disorder, depression, high blood pressure, asthma and back pain.

The HIPAA violations are quite extensive, with the complaint alleging:

  • failure to implement policies and procedures to prevent, detect, contain and correct security violations;
  • failure to implement policies and procedures to ensure appropriate access to electronic PHI by members of its workforce and prevent those without authorized access from accessing such PHI in violation of HIPAA;
  • failure to effectively train all members of its workforce, agents and independent contractors, on the policies and procedures regarding PHI as necessary and appropriate to carry out their functions and maintain security of the PHI;
  • failure to identify and respond to suspected or known security incidents and mitigate, to the extent practicable, harmful effects known to them;
  • failure to implement policies and procedures to limit physical access;
  • failure to implement policies and procedures governing receipt and removal of hardware and electronic media containing electronic PHI into and out of the facility;
  • failure to implement technical policies and procedures for electronic information systems to allow access only to those granted access rights; and
  • failure to implement policies and procedures as otherwise required by HIPAA.

Almost more interesting than the alleged HIPAA violations (and potentially one of the driving forces behind the Attorney General taking action, rather than the HIPAA violations themselves), the complaint also alleges deceptive and fraudulent practices: Accretive failed to disclose how much health information it was collecting on patients and how involved it was in their health care. The complaint details at great length the importance of transparency for patients and for the doctor-patient relationship. In the press release, Attorney General Swanson stated,

“Accretive showcases its activities to Wall Street investors but hides them from Minnesota patients.  Hospital patients should have at least the same amount of information about Accretive’s extensive role in their health care that Wall Street investors do.”

This action has the potential to set precedent in Minnesota as to how much transparency and information should be viewed as "necessary" for patients to make informed choices regarding their health care and medical records, and the extent to which health care entities must take affirmative steps to notify patients of their role in that care.

Although the extensive HIPAA violations are merely one drop in the bucket of allegations against Accretive (e.g., fraud and deceptive practices, failure to disclose its status as a debt collector, release of health records in violation of the Minnesota Health Records Act), the enforcement action makes it quite clear that covered entities aren't the only ones who need to be scrambling to get their ducks in a row. Other state Attorneys General have previously brought actions against covered entities (e.g., Vermont, Indiana, Connecticut); now that a state has gone after a business associate directly, it would not be surprising to see other states follow, despite the lack of final business associate rules.

For more information regarding what covered entities and business associates can do to prepare for a HIPAA audit or ward off the potential for enforcement action against them, see our November 17 blog post with links to additional HIPAA resources.  A copy of the complaint against Accretive may also be found here.

Yet Another Class-Action Filed After Breaches of Patient Data

In what appears to be the trend in California for 2011, another class-action lawsuit has been filed, this time by patients of the University of California-Los Angeles (UCLA) Health System affected by a data breach in early September of this year. An external hard drive stolen from the home of a former UCLA physician contained the EHR data of over 16,000 patients from July 2007 to July 2011. No social security numbers, insurance information or credit/account information was included. Although the hard drive was encrypted, a piece of paper with the password was also missing. Encryption offers no protection when the key travels with the device, so the data has to be treated as exposed regardless of the encryption.

Filed in mid-December, the UCLA class-action seeks as much as $16 million, asking $1,000 for each member as well as attorneys' fees and other costs. The underlying data breach is hardly the first headache UCLA has had to deal with: this summer UCLA paid a handsome $865,500 to OCR and developed a corrective action plan to settle allegations that three UCLA hospitals improperly disclosed the medical records of celebrity patients as a result of employee snooping.

Several other health care entities in California have also recently had class-action lawsuits filed against them. Stanford Hospital and Clinics (SHC) experienced a data breach discovered in August of 2011, after patient information was mistakenly made available online by one of its third-party vendors and its subcontractor. Patient names, admission and discharge dates, and other information remained available on a commercial website for over a year, affecting approximately 20,000 patients. The class-action lawsuit was filed in October of 2011 and alleges negligence in safeguarding patient information and delays in notifying affected patients.

Sutter Health experienced a data breach in October of 2011 when a rock was thrown through a window of the Sutter Medical Foundation business office. An unencrypted computer was stolen containing names, addresses, birthdates, phone numbers, and medical diagnoses and procedures of over 4 million patients. The class-action lawsuit against Sutter Health was filed in late November on behalf of over 900,000 patients, according to KCRA, and seeks certification of class-action status for the 4+ million patients affected.

Notably, HIPAA does not authorize a private cause of action for violations of the HIPAA Privacy and Security Rules. The class-action lawsuits were brought under California's confidentiality laws, which, like HIPAA, set forth permissible and prohibited disclosures of patient medical information.

The California Confidentiality of Medical Information Act gives individuals the right to bring a cause of action for negligent release of their confidential information or records. It also provides compensatory and punitive damages, as well as certain attorneys' fees, to individuals who have suffered economic loss or personal injury from a violation of their confidentiality. In addition, persons and entities face stiff administrative penalties for violations of patient confidentiality: up to $2,500 per violation for negligent disclosures and $10,000-$25,000 for subsequent violations.

Supreme Court to Hear Arguments on Suit for Damages under the Privacy Act

The Supreme Court is scheduled to hear oral arguments tomorrow, November 30, in a suit for damages under the Privacy Act stemming from a wrongful disclosure of confidential information. Federal Aviation Administration v. Cooper involves a plaintiff whose HIV information was wrongfully disclosed by federal agencies. The suit seeks to establish that mental or emotional injuries qualify as "actual damages" for purposes of the civil remedies provision of the Privacy Act, 5 U.S.C. § 552a(g)(4)(A). The Privacy Act regulates the collection, maintenance, use and disclosure of individuals' information held by federal agencies.

A private aircraft pilot since 1964, the plaintiff, Stanmore Cooper, was diagnosed with HIV in 1985. Although required to disclose the illness and any medications he was taking on his "airman medical certificate," a recurring certification the FAA requires of any pilot to legally operate an aircraft, Cooper chose to let his certificate lapse because he would not be permitted to fly if he disclosed his illness. In 1994, he again submitted the application, choosing not to disclose his HIV status. For ten years, he continued to renew the application, intentionally omitting his HIV status.

However, Cooper's information was exchanged between the Social Security Administration (SSA) and the FAA as part of a collaboration between the agencies that sought to uncover illicit efforts by pilots to obtain FAA licenses while medically "unfit." This exchange occurred without his authorization. Cooper had provided information regarding his HIV status to the SSA in his application for long-term disability benefits. Cooper was eventually indicted on three counts of submitting false statements to the government and lost his pilot's license.

Cooper sued in 2007, alleging that the federal government had "willfully and intentionally" violated the Privacy Act and caused him "to suffer humiliation, embarrassment, mental anguish, fear of social ostracism, and other severe emotional distress." The Southern District of California, where the case was originally brought, found that the federal government had violated the Privacy Act, but held that Cooper nonetheless had not demonstrated the "actual damages" required by the Act. The Ninth Circuit reversed on appeal, finding that mental or emotional distress was sufficient, "given the nature of the injuries that most frequently flow from privacy violations...."

The Supreme Court granted the government's petition for certiorari in June of 2011. A key issue the Court is expected to tackle, according to the prestigious SCOTUSblog, is whether the Privacy Act was intended to broadly protect privacy rights, as against the government's more limited interpretation, an important step for understanding the nature of privacy injuries and privacy law generally.

If the Supreme Court sides with the government, this would not only limit damages to pecuniary ones but could also deter whistleblowers and have a negative impact on privacy law in general. A decision is not expected until spring of next year. For a more in-depth explanation of the issues involved and an overview of tomorrow's oral arguments, visit SCOTUSblog, or generally,

U.S. Supreme Court Strikes Down Vermont's Prescription Drug Data Mining Ban Law

Last Friday, the United States Supreme Court struck down Vermont's Prescription Confidentiality Law, clearing the way for prescriber-identifying information to be sold and disclosed by pharmacies and used by pharmaceutical manufacturers for marketing purposes. You can retrieve a copy of the U.S. Supreme Court's full opinion here. A fantastic history of the case, as well as the various amicus briefs filed for and against in Sorrell v. IMS Health, is posted on the Vermont Office of Attorney General's website. The case was argued on April 26, 2011, and you can listen to the oral arguments before the Justices here. Many have been anxiously awaiting the Court's decision, which promised to have a profound effect either way on how de-identified information is collected and used for various purposes, including health care research and quality improvement, as well as marketing.

Justice Kennedy, writing for the 6-3 majority, held that the Vermont law was an unconstitutional content-based restriction on expression protected by the First Amendment. The majority held that a speech restraint of this kind must be subject to heightened judicial scrutiny. Kennedy concluded that the Vermont law fails this test because, in seeking to advance its goals of lowering health care costs and promoting public health, it restricts "certain expression by certain speakers."

Justice Breyer, in his dissent, argued that the Vermont law only modestly affects expression, by depriving “pharmaceutical and data-mining companies of data… that could help pharmaceutical companies create better sales messages.”

The dissenting Justices contend that these messages are commercial speech, and that government regulation of commercial speech has not been subjected to the heightened judicial scrutiny employed by the majority. In this light, Justice Breyer concludes that the statute permissibly regulates commercial activity. The dissent also raised concerns over the long-term precedential trouble created by the majority's decision. Justice Breyer states that, "at best the court opens a Pandora's Box of First Amendment challenges to many ordinary regulatory practices that may only incidentally affect a commercial message... [and] at worst, it reawakens Lochner's pre-New Deal threat of substituting judicial for democratic decision-making where ordinary economic regulation is at issue."

For some, the Court's decision is a huge disappointment, but others will undoubtedly welcome it as the correct outcome. In my previous post about this case, I included the in-depth analysis of Sorrell v. IMS Health prepared by the Center for Democracy and Technology (CDT). There, CDT pointed out, among other things, that:

The first thing to recognize about the data at issue is that it contains doctors' names but it does not contain patient names. The data is "patient de-identified" pursuant to standards established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA already prohibits the use of patient-identified data for marketing to patients or to doctors. Vermont went one step further and said that even patient de-identified data cannot be used to market drugs to doctors.

CDT also pointed out in its analysis:

[i]f the Supreme Court were to accept some of the privacy claims, it could do damage to privacy by discouraging use of de-identified data. And claims that doctors have a privacy right in their drug prescribing practices could upset a host of policy goals associated with improving the efficiency and safety of the health care system.

Finally, the CDT memo points out:

The behavior of physicians and other health care professionals is routinely scrutinized by federal and state regulators, accrediting organizations, licensing boards, and health care plans, among others. A broadly recognized privacy interest in prescriber-identifiable data could have implications for multiple important issues, including quality measurement and public reporting, as well as comparative effectiveness research, which are critical to reform of our health care system. If the Court were to agree that prescriber records need to be protected like corporate "trade secrets" or that there is no role for outside review of physician decision making, important reform activities that depend on access to and use of prescriber identified data could be impaired or prohibited.

Clearly, the U.S. Supreme Court agreed.

Class Action Sought for Charleston Area Medical Center Breach

Patients affected by a West Virginia hospital breach that went undetected for several months are seeking certification as a class action, as reported by Health Data Management. Five of the approximately 3,655 affected patients have filed suit against the Charleston Area Medical Center in circuit court, seeking damages on four counts:

  • breach of confidentiality
  • negligence
  • invasion of privacy by intrusion on seclusion
  • invasion of privacy by unreasonable publicity of private life

The lawsuit, Tabata v. Charleston Area Medical Center, stems from a database containing patient names, social security numbers, medical information and demographic information having been reachable on the Internet. A family member of a patient found the information while searching the web.

Although the database was created in September of 2010 by a third party for patient case management in a research subsidiary of the hospital, the fact that it had inadvertently been made publicly available went unnoticed until February 2011. However, the hospital acted quickly once made aware of the breach and notified all potentially affected patients within 8 days.

The hospital had originally offered to pay for one year of credit monitoring as well as an immediate credit freeze at the three credit bureaus for all affected patients.  Free credit reports were also made available to affected patients through the West Virginia Attorney General's Office.  In addition, after discussion with the Attorney General's Office, the hospital hired a risk management group to conduct a security assessment and undertook a number of other measures to protect against further breaches.

As part of their damages, the patients seek to have the hospital extend additional credit and identity protection and monitoring services. They also ask the court to require the hospital to establish a specific security program, and to award monetary damages for annoyance, embarrassment and emotional distress, and for the lack of security and violation of their privacy.

Although it is not yet clear what repercussions the hospital may face from the Department of Health and Human Services for the breach, the breach and accompanying lawsuit highlight the importance of monitoring business associates who have access to PHI, and the work product they build from it. In addition, frequent and periodic security assessments are crucial to identifying issues before an incident or breach occurs. A robust and proactive security assessment coupled with a strong information security program will go a long way towards effectively safeguarding patients' electronic PHI, as well as cutting the costs associated with incident response.

CDT Analyzes Privacy Issues in Sorrell v. IMS Health, Inc.

In my previous post (Nov 2010) regarding the Sorrell case, I pointed out that the U.S. Supreme Court's decision (either way) will have a profound impact on data-mining and how certain patient information can be used. 

The Center for Democracy and Technology (CDT) has recently taken a closer look at the privacy issues presented in the Sorrell case, and has prepared an excellent memo that "unpacks" and carefully analyzes the legal issues and the potential impact the Court's decision could have on current health care policy, and on patient privacy in general. CDT has asked Legal HIE to help get the "word out" regarding the issues presented by Sorrell and covered in the CDT memo, and Legal HIE in turn asks our readers to visit CDT's website and review the critical points raised in CDT's Sorrell Memo.

CDT's blog post on the case and link to the legal memo are also reprinted below: 

A Nuanced Understanding of Privacy

by Brock N. Meeks

March 24, 2011

A case pending before the U.S. Supreme Court has serious implications for how privacy protections are interpreted. But understanding the various risks posed in this case requires some careful unpacking of the ways in which "privacy" is, and is not, at issue here. CDT's Health Privacy Project team has taken a look at those risks and published an in-depth memo about its findings.

In this memo CDT focuses on two aspects of the case: First, an explanation of why it is important to recognize the valid distinctions between personally identifiable data and "de-identified" data.  The paper explains that privacy could actually be harmed if the Court were to accept the claims, made in some briefs in the case, that there is no difference between identified and de-identified data.  

The second aspect of the case the paper examines is the claim that doctors have a "privacy" right in their drug prescribing practices.  CDT disagrees and explains here that, while the patient-doctor relationship is based on confidentiality and the trust it generates, it is not useful – and would undermine other health care goals – to speak of doctors as having a "privacy" right in their drug prescribing practices.

The paper concludes by saying:  

So in many ways, Sorrell v. IMS Health is not about privacy in the way that defenders of the Vermont law claim.  Yet a broad ruling by the court on de-identified data could have a negative impact on patient privacy.  And a broad statement by the Court on doctor 'privacy' could derail other very timely initiatives. This is not the case, nor is the Supreme Court the institution, to make policy on either set of issues; the parties have offered other viable rationale for the Court to use to decide this case. There needs to be a policy conversation about the viability of the current de-identification standard, but this case needs to preserve the concept that there is a meaningful distinction between identified and de-identified data. It is up to other processes to ensure a continually robust de-identification standard and strict accountability for re-identification.


The Antitrust Headache: What ACOs, AT&T and Blue Cross have in Common

So what exactly do a nationwide health insurer and the second (potentially soon first) largest U.S. wireless provider have in common? Upcoming battles over the antitrust implications of their actions and a not-so-beautiful friendship with the DOJ.

For AT&T, the headache began last weekend when it announced plans to buy T-Mobile for $39 billion, giving it roughly a 40% share of the current wireless market and raising questions ranging from network coverage to quality of service, pricing and competition. AT&T and T-Mobile predict that call quality would improve, coverage would expand, and more individuals would have access to faster wireless data connections as a result of the merger.

In a completely unrelated market and action, Blue Cross Blue Shield health insurance plans in the District of Columbia, Kansas, Missouri, North Carolina, Ohio, South Carolina and West Virginia recently found themselves on the receiving end of a U.S. Department of Justice (DOJ) subpoena.  The subpoenas come as part of a lawsuit filed last year by the DOJ against Blue Cross Blue Shield of Michigan alleging the insurer entered into agreements to raise hospital prices. 

Health care providers and other stakeholders looking to form and operate Accountable Care Organizations (ACOs) are far from immune, and the AT&T and Blue Cross cases serve as a reminder of the significant antitrust scrutiny such collaboratives can attract. The development of ACOs through hospital and physician joint ventures and similar relationships has the potential to create substantial market power and may encourage monopoly and price-fixing activity, bringing them under the watchful eye of the DOJ. The DOJ and FTC are expected to address this matter soon in conjunction with the forthcoming proposed ACO regulations from CMS (see Statement of Sharis A. Pozen, Chief of Staff, Antitrust Division, before the Subcommittee on the Courts and Competition Policy, Concerning Antitrust Enforcement in the Health Care Industry (December 1, 2010)).


CVS in the HIPAA Spotlight...Again.

On March 7, CVS Caremark (CVS) hit the HIPAA spotlight again, and not in a good way. Back in 2009, CVS was the target of a joint U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and Federal Trade Commission (FTC) investigation after media reports alleged that certain CVS locations were disposing of pill bottles bearing patient information in unsecured dumpsters. Although CVS denied the allegations, it paid a $2.25 million settlement and took corrective action to resolve both the potential HIPAA and FTC violations. As a result, CVS is being actively monitored by HHS until 2012 and by the FTC for the next 20 years. Then this past October, CVS was sued by six Texas pharmacies for trade secret misappropriation and Racketeer Influenced and Corrupt Organizations Act (RICO) violations arising from certain CVS data-mining practices. The plaintiffs, who are board members of American Pharmacies, alleged that CVS denied patients their choice of pharmacy and smothered business competition, as well as used patient PHI in violation of HIPAA.

Now, strike three. Bloomberg News reported recently that CVS has been sued by a Pennsylvania resident, Arthur Steinberg, and the Philadelphia Federation of Teachers Health and Welfare Fund, for selling patient prescription information to pharmaceutical manufacturers such as Merck & Co., AstraZeneca and Bayer. Allegedly, CVS was paid by pharmaceutical manufacturers to encourage physicians to prescribe their drugs to patients. "CVS encouraged physicians to do so through letters which included patient names, dates of birth and what medications patients were currently prescribed, allegedly obtained from CVS pharmacy services." The lawsuit accuses CVS of unfair trade practices, unjust enrichment and violating consumer protection laws.

As Cignet Health and Mass General know all too well from the combined $5.3 million in civil penalties OCR imposed recently, OCR is pursuing HIPAA violations with a vengeance as a result of HITECH's increased enforcement, and CVS could face a HIPAA investigation in addition to the pending lawsuits. HIPAA as amended by HITECH generally prohibits covered entities and their business associates from marketing with, or selling, PHI without first obtaining patient authorization; only under very limited circumstances may patient information be "sold" or released for such purposes without authorization. An OCR investigation is all the more likely given that CVS has been under OCR's watchful eye since 2009. In addition, CVS's actions could also violate its 2009 settlement agreement with OCR, placing it in even more hot water.

For Lack of a Proper "Print" Function - The Difficulties in Responding to Subpoenas to Produce the EHR

Prepared by Krystyna H. Nowik, Esq.

As the use of electronic health records (EHRs) and participation in health information exchanges (HIEs) expands, so does their appearance in court.  EHRs are more and more frequently relied upon to produce all or part of a patient’s medical record in response to a discovery request.  Not only do EHRs include files, test results and clinical notes, but they can also include images such as X-rays, charts, consent forms and other documentation, and handwritten notes.  One might be tempted to think that producing an EHR in response to a subpoena would be a fairly easy feat: the records are all available electronically, so simply search the EHR for those particular records and print or save them.  But as those well versed in EHR technology are quite aware, responding to discovery requests where an EHR is involved can be a Herculean task for hospitals with anything but the newest EHR technology. 

When paper was the norm, hospital administrators could sort through and pull out only the requested (and relevant) information from the patient’s paper medical record.  With the adoption of EHR technology, however, this became more problematic, because not only was there significantly more data available to sort through in a given EHR, but older EHR technology commonly lacked the capacity to efficiently track, filter and selectively “print” or save the required data.  In addition, many hospitals may still retain legacy systems alongside their current EHR system, so data must be pulled from multiple sources to create a complete record.  The result? Extremely time- and resource-consuming efforts to produce information, in addition to a multitude of discovery problems and reliability concerns.

For hospitals with EHR systems incapable of filtering or selectively printing data, each screen may have to be printed individually using the "print screen" function.  Once printed, there is also no guarantee that the record will look like it would when viewed live in the EHR.  For example, printing may have to be done by all treatment notes, then all progress notes, then medications, then audit trails (which may not even be printable at all).  This can result in boxes and boxes of disorganized information being produced, much of which may make virtually no sense at all.  And to top it off, not all of the information may even have been available to the physician at the point of care.  Because of these problems with "printing" out EHRs, plaintiffs are all too often requesting access to the live EHR itself, and courts may also order hospitals to figure out how to produce the data in a computer read-only format.  This could potentially require painstaking collaboration with the vendor itself and IT professionals.   

And then come the problems with interpreting the record in court.  When looking at the traditional paper medical chart versus an EHR, it is clear that the EHR is far more complex and generally tells a different and more clinical story than the one needed for litigation.  For example, it may be commonplace for a physician to turn “off” a flag, prompting the need for an explanation as to why the “flag” was turned off or overridden under the circumstances.  Additionally, certain definitions may mean one thing for purposes of one hospital's EHR but something else for another EHR.  For example, an order "accepted" into the EHR system could mean either that it was pending or that it was officially entered and signed off on by the physician.  This discrepancy would have to be explained in court by a knowledgeable member of the hospital's HIM or IT department.  Another problem is that, come a plaintiff's day in court, the EHR technology, functions and capabilities may look nothing like they did when the physician actually had access to the information, making it impossible to reproduce exactly what the physician saw that day (or days).  One can only imagine the number of people who would be required to testify as to the system’s capabilities, lags in time between when procedures were actually performed and when they were actually entered into the EHR, current and prior functionalities, and how audit trails did and currently function. 

In addition, hospitals and providers may also have trouble when patients request copies of their medical record in electronic format, as HITECH expanded patient access rights to include such copies where the information is maintained in an EHR.  HITECH requires copies to be produced in an electronic form and format if the individual so chooses.  Even if not readily producible, a hospital would still be required to produce the record in a readable electronic form agreed to by the individual and the hospital.  And if all these concerns aren’t enough to make one’s head spin, when HIEs are thrown into the blender, things get even more complicated.  Putting aside the issues surrounding whether and when an HIE may be properly served with a subpoena for medical records, where an HIE functions with a “centralized” or even a hybrid architecture (meaning it has some key components centralized and others federated), it could also be pulled into litigation along with the individual provider(s) to produce EHRs or related records that it may maintain and control.  With a centralized architecture, the HIE itself stores and controls the data or maintains registries, as opposed to the individual providers storing the data and merely pushing or pulling it into and through the HIE.  Even where an HIE functions primarily with a federated (de-centralized) architecture, it will have audit trails and other records which could be required during the course of litigation or even for investigation by the Office for Civil Rights (OCR).  

Even though EHR records in general are as accurate as the paper medical record would be, separating that information from its source and producing it in a readable and comprehensive format creates more challenges than many hospitals and providers are currently capable of dealing with.  Although EHR technology and HIE capabilities have certainly evolved and continue to evolve rapidly (Meaningful Use, anyone?) to respond to many of these challenges, hospitals and health care providers who have not yet updated their systems, or have only updated parts of their systems, still must deal with these concerns, particularly when involved in litigation.  Developing policies and procedures to deal with discovery requests concerning EHRs is an absolute necessity, as is ensuring that key management personnel, such as privacy, health information management (HIM) and information technology (IT) officers, understand exactly how the EHR functions (from audit trails to authentication of users) and what it is capable of producing for litigation and other non-clinical purposes. 

HITECH Takes a Political HIT

A Bill introduced in the House (H.R. 408), the Spending Reduction Act of 2011, aims to reduce spending by trillions of dollars, including by eliminating funding for Meaningful Use.  Although it is too early to tell if the Bill would get very far, it could make providers who are already tentative about adopting EMRs based on the possibility of receiving Meaningful Use incentives even more hesitant. 

Patient Protection and Affordable Care Act Declared Unconstitutional

In a brief 78-page Opinion, Federal District Court Judge Roger Vinson of the U.S. District Court for the Northern District of Florida struck down portions of the Patient Protection and Affordable Care Act on constitutional grounds.  The impact of that decision on PPACA initiatives in Florida, such as Accountable Care Organizations, remains to be seen, although the DOJ has expressed its intent to appeal the ruling. In addition, Deputy Senior Advisor Stephanie Cutter responded:

We don't believe this kind of judicial activism will be upheld and we are confident that the Affordable Care Act will ultimately be declared constitutional by the courts.

She characterized the ruling as "well out of the mainstream of judicial opinion," noting that 12 federal judges have dismissed challenges to the law's constitutionality and two--in Michigan and Virginia--have upheld the law.

Are Cloud-based HIEs Subject to Twitter-Google-Facebook-like Subpoenas?

In a recent New York Times article, Google, Twitter and other internet companies raise concerns regarding the wave of requests they receive for customer data from law enforcement agencies. Last year, Google counted more than 4,200 such requests in the first half of 2010.  Other internet and telecommunications companies, like Twitter and Facebook, are also feeling inundated with such requests for information. The NYT article reports that Verizon told Congress in 2007 that it received some 90,000 such requests each year, and Facebook told Newsweek in 2009 that subpoenas and other orders were arriving at the company at a rate of 10 to 20 a day. 

These companies and others are saying that the main law governing communication privacy -- the Electronic Communications Privacy Act of 1986 (ECPA) -- is outdated, and affords more protection to letters in a file cabinet than to personal information maintained on a server. The current ECPA does not explicitly afford protections for the vast majority of private content stored on the Internet, allowing law enforcement agencies to obtain a person’s online data with a simple subpoena from a prosecutor. This weak level of protection has created tension between privacy advocates and law enforcement agencies that consider internet data to be a valuable source of crucial information.  In fact, Google, along with other Internet companies such as Verizon, Facebook, and Twitter, has increasingly been targeted by law enforcement for personal data.

Unlike Twitter, whose policy is to notify users before releasing personal information, most Internet companies are not required to provide users with any notice, and law enforcement officials can even demand that requests be sealed from the targets of an investigation. Since there are no straightforward standards in the ECPA governing Internet information, courts in different jurisdictions have interpreted it differently and created a piecemeal collection of rules. Under the ECPA, emails can be accessed by the government without a warrant under certain storage conditions or after a certain amount of time has passed.

According to the Center for Democracy and Technology’s (CDT) Digital Due Process coalition, the current rules are inadequate and do not meet the Fourth Amendment’s due process clause. In December 2010, two federal appeals court decisions supported CDT’s stance, ruling that the ECPA standards for government surveillance have not kept up with technological progress and do not meet Constitutional standards. Over the past year, the CDT, along with privacy advocates, legal scholars, and major telecommunications service providers, have developed a set of standards under which they believe the ECPA should be updated. The ACLU has also created proposals designed to simplify, clarify, and strengthen the ECPA:

  1. Robustly Protect All Personal Electronic Information. Current loopholes in our privacy laws need to be closed to protect electronic information without regard to its age, whether it is "content" or "transactional" in nature, or whether an online service provider has access to it to deliver services.
  2. Safeguard Location Information. The law should require government officials to obtain a warrant based on probable cause before allowing access to location information transmitted through cell phones, which 82% of Americans own.
  3. Institute Appropriate Oversight and Reporting Requirements. To ensure adequate oversight by Congress and adequate transparency to the public, existing reporting requirements for wiretap orders must be extended to all types of law enforcement surveillance requests.
  4. Require a Suppression Remedy. If a law enforcement official obtains non-electronic information illegally, that information usually can’t be used in a court of law. The same rule, however, doesn’t apply to illegally-obtained electronic information. Such a rule only encourages government overreaching and must be changed to require a judge to bar the use of such unlawfully obtained information in court proceedings.
  5. Craft Reasonable Exceptions. Currently ECPA sometimes allows access to the content of communications without a true emergency, without informed consent and without prompt notice to the subject. ECPA must be amended on each of these fronts if electronic records are to receive the protections Americans need.

For now, it is up to Congress to decide whether or not to adopt these proposed updates and to negotiate the critical balance between the protection of personal expectations of privacy and the government’s need to protect the public.  However, for RHIOs, HIOs, and software vendors offering PHR and HIE solutions via the internet, the impact of the ECPA should be evaluated as well, particularly with respect to whether data maintained in internet-based HIE repositories may be subject to disclosure pursuant to this federal law.

Prepared with assistance from Melody Hsiou, MPH Columbia University, J.D. expected from Seton Hall University 2013.

Drug Database Firms Have Much to be Thankful for this Past Thanksgiving as Second Circuit says "Good-Bye" to Vermont's Drug Marketing Restrictions

On November 23, 2010, the Court of Appeals for the Second Circuit issued its ruling that Vermont’s drug-marketing restrictions were unconstitutional. The law banned the use, sale or transmission of prescriber-identifiable data for prescription drug marketing or promotional purposes without first obtaining the prescriber’s consent. Several data mining companies had brought the suit alleging that the statute impermissibly infringed upon their freedom of speech.  

As the Court of Appeals noted, data mining companies typically collect aggregate data to determine prescribing patterns and sell the information to pharmaceutical companies which, allegedly, without this information would be prevented from conducting more effective marketing efforts, directing important information to prescribers, tracking disease prevention, and conducting clinical trial programs and post-marketing surveillance programs.  Researchers and insurance companies also use the data generated by data-mining companies, as do state law enforcement and other state agencies, and federal agencies such as the FDA, CDC and DEA.

Noting that the First Amendment protects “even dry information, devoid of advocacy, political relevance, or artistic expression,” the Court of Appeals found the Vermont statute was clearly aimed towards influencing “the supply of information,” central to First Amendment concerns, and that it restricted the data mining companies’ commercial speech.  The Court held that the statute failed to satisfy the intermediate scrutiny test because it did not assert a substantial state interest that was “directly advanced” by the statute nor was it “narrowly tailored” to achieve that interest. 

In doing so, the Court of Appeals rejected the substantial state interests alleged by Vermont: that the restrictions protected the public health and the privacy of prescribers and prescribing information (medical privacy), and the state’s interest in containing health care costs in the private and public sectors.  The Court noted that data-mining and the use of the data generated from such activities was still permitted in other contexts, and found the state’s concerns for medical privacy too “speculative” under the circumstances to qualify as a substantial state interest.  Although the Court did agree that Vermont had a substantial interest in lowering health care costs and protecting public health, it found that the statute did not advance these interests in a “direct and material way.”  The Court also found that the statute was not narrowly tailored and that Vermont had more direct and less restrictive methods available, which it failed to utilize, that would better serve its asserted interests.

The Vermont decision could have paramount implications for HIEs.  Secondary uses of de-identified information are often touted as a potential solution to the elusive long-term financial sustainability issue faced by all HIEs. The fact that the Second Circuit struck down as "unconstitutional" a state law enacting restrictions on data mining will most certainly give database firms and HIE stakeholders confidence that similar uses of information in other contexts could be similarly protected under the First Amendment.

The text of the court’s full decision may be found at   

Just When You Think the Breach is Over, the Lawsuit Comes

On November 16th, a class of plaintiffs sued AvMed for a massive breach that resulted in their personal information being put at risk.  In December of 2009, unencrypted laptop computers were stolen from an AvMed facility in Gainesville, Fla.  AvMed initially believed information on about 208,000 members was at risk, but by June 2009 it became apparent that the information of over 1.22 million members was at risk.  Information contained on the laptops included a mixture of name, address, date of birth, Social Security number, phone number, and diagnosis, procedure and prescription information. The attorneys representing the class of plaintiffs maintain that had AvMed taken time to encrypt their laptops, this simple step would have obviated any harm done by the theft.  

Like other breaches under HITECH involving PHI of 500 or more individuals, the AvMed breach is posted on HHS's Web site. However, although the federal government has enforcement jurisdiction over HITECH, there is still no private right of action that would allow an individual to sue under HITECH for breaches (although in the future individuals may be eligible to collect a percentage of any Civil Monetary Penalties collected as a result of violations of HIPAA and/or HITECH that result in "harm" to such individuals). 

Attorneys attempting to sue for damages resulting from a breach are often hard-pressed to keep their complaint from being tossed unless they can demonstrate that the plaintiff suffered actual harm caused by the breach. However, the attorneys representing the class of plaintiffs in the AvMed case are commercial litigators, so it will be interesting to see if they come up with novel causes of action under consumer protection or other laws, and how these will be tested in court.  Stay tuned...

ACLU Lawsuit Continues . . . Want Detailed Regulations Surrounding HIE Privacy

The Rhode Island chapter of the American Civil Liberties Union (ACLU) suit against the Rhode Island Department of Health (RI-DOH) remains in litigation, awaiting completion of discovery. The ACLU alleges that the state’s proposed rules for implementing the state health information exchange (HIE) failed to address certain provisions of the Rhode Island Health Information Exchange Act of 2008 that require protections for patient confidentiality, security and informed consent processes. Instead of adopting formal rules, the RI-DOH adopted internal policies, which the ACLU claims was both an unlawful bypass of the Administrative Procedures Act and a violation of the RI-DOH’s obligations under the HIE statute. In addition, the ACLU claims that it was not provided with a written response detailing the reasons why the RI-DOH rejected the ACLU’s proffered recommendations.

The ACLU seeks to have the policies declared unenforceable and to have the court order the RI-DOH to adopt formal rules addressing the statutory provisions that the ACLU alleges the RI-DOH responded to inadequately. Although the ACLU and its attorney, Frederic Marzilli, recognize the importance of HIEs and why the state approached implementation of the HIE with written policies instead of regulations (such as to better deal with the development and operation of such a new and groundbreaking mechanism), the ACLU’s position remains that the regulatory process must be followed. It argues that the critical privacy issues raised by HIEs require detailed rules as to how the state HIE system will work and how it will protect patient confidentiality, security and informed consent. The State has continued to deny the allegations and is expected to file a motion to dismiss the case.  It remains uncertain whether the ACLU will remain in court to fight another day.


This post was prepared with assistance from Krystyna H. Nowik, Esq.


HIE Liability and Insurance

Liability continues to be a central concern for HIEs and their stakeholders. In general, liability may arise from the acts or omissions of a party that fails to meet a responsibility or legal duty.  Last year, I discovered an excellent resource that summarizes liability coverage issues for Regional Health Information Organizations (RHIOs) that I would like to pass along to readers. Specifically, the Agency for Healthcare Research and Quality (AHRQ) published a Report in June 2009 that looked at key liability issues identified by RHIOs, as well as insurance options.  

Here are some of the key points the Report makes regarding liability concerns, as well as a few thoughts of my own:

  • Liability for Data Storage and Management.  How data is stored and managed (e.g., by the RHIO versus by its participants) will affect the distribution of liability. In general, the more authority and responsibility that the RHIO possesses in connection with the data, the more liability coverage it will need to take on. I agree.
  • Liability for Accuracy and Completeness.  Both data suppliers and data users are concerned about their respective liability in relation to data being accurate and complete.  RHIOs often will contractually limit their liability for the accuracy of data supplied, or received and used.  However, if the RHIO manipulates the data in transit in any way, it could be held responsible for such intervening acts. I note that data senders and receivers are also typically required to carry insurance and assume contractual responsibility for supplying accurate and complete data to the RHIO.
  • Duty to Review.  In a previous blog post, I discussed providers’ concerns that joining a RHIO/HIE will create a duty to review all information about a patient contained in the RHIO/HIE, and this will potentially expose them to an increased risk of “missing” relevant information. In my post, I noted why I thought that the role of HIEs in connection with the "standard of care" is still evolving. The Report additionally notes that:

there are no widely recognized standards for reasonable physician behavior in seeking or reviewing electronically available data, or for the extent to which that data should inform his/her clinical decisions.

  • Liability for Audit Logs.  The Report points out that some RHIOs have recently been compelled via subpoena to provide audit information for malpractice lawsuits involving the RHIO's participants. Although a RHIO may be legally obligated to respond to a subpoena, I note that it is still important that HIPAA’s standards for releasing PHI in response to a subpoena are complied with. 
  • Extending Liability to IT Vendors.  If the IT vendor provides any software, integration services, or operational services for the RHIO, the vendor should assume responsibility for its actions.  The Report noted that one factor that strongly influenced the amount of liability assigned to IT vendors was the negotiating power of the RHIO. The type of coverage in their liability insurance that the IT vendors were asked to carry varied, but typically total liability coverage ranged between $1 million and $3 million.

With regard to insurance coverage, the Report made the following additional points: 

  • Researching, negotiating and obtaining liability coverage takes time. Get started early.
  • There remains a high degree of uncertainty with regard to what constitutes adequate coverage.
  • Insurance policy options for RHIOs are growing, but remain limited.
  • There is wide variability in liability insurance practices across RHIOs.
  • Sovereign immunity has its advantages and disadvantages. On this last point, the paper notes that while some are strong proponents of State immunity for RHIOs, citing such benefits as increased stakeholder participation, decreased start-up costs, and long-term sustainability, others are skeptical and note that if State immunity is available, RHIOs may not be as rigorous in establishing privacy and security controls, and that stakeholders may then be targeted for lawsuits instead.  

In sum, the Report illustrates some of the complex liability questions that are being addressed in the RHIO context, and this is without even getting into other areas such as directors' and officers' liability, as well as security breaches across RHIO participants. Navigating this complex and uncertain landscape continues to be challenging, but those getting started now have some benefit from lessons learned by others over the last year, as well as a slightly more mature insurance market primed for RHIO and HIE risks.

HIE Standard of Care -- What You Don't Join Can't Hurt You... or Could It?

It should come as no surprise that many providers are still leery about joining a HIE due to concerns over becoming potentially exposed to new liabilities. Questions such as “Who owns the data?”, “How can I be certain of data accuracy and completeness?” and “Is the HIE secure?” are very common to hear during discussions with providers who are evaluating joining a HIE. Providers are also concerned that participation in a HIE will create a new obligation to access and review seemingly endless electronic reams of information about a patient, and many want to know: in the event that they “miss something” buried deep in the electronic HIE abyss, can they be sued and held liable for malpractice?

Whether or not a provider will be held liable for “misses” will always depend on the facts and circumstances surrounding a particular case. However, the “standard of care” in medicine evolves over time, especially when dealing with new technologies. Therefore, what may not yet be the standard of care today, may very well be just that in the very near future. Sooner or later, this will likely hold true with use of electronic medical record (EMR) and HIE technology as well.

To get a different perspective on the question, I decided to ask an old law school friend who now happens to be a successful medical malpractice attorney (I try not to hold that against him!) what he thought about HIEs and malpractice.  Initially, we both agreed that if the relevant information is hidden deep inside the HIE and is not reasonably accessible to the busy practicing provider, is not presented in a way that is of value or conducive to making clinical judgments, or it is just plain too expensive to join the HIE, then it is unlikely that the physician's "failure" to “find” or “access” such information would be found by a jury to be negligent or to fall below the “standard of care.” However, my friend then did a 180° on me when he said the following…

But, if joining the HIE is not cost prohibitive, and the information was available to the physician in a meaningful, easily-accessible and useful way that, had it been accessed through the HIE, could have prevented harm to the patient, but the physician did not join the HIE simply because he/she did not want the new obligation and burden of having to review such information, then I would definitely sue the physician for not joining the HIE and not accessing the information because it could have prevented harm to my client…

Now, I have to admit I did not see that one coming, and I immediately thought to myself, "so, is this a case of 'damned if you do' and 'damned if you don’t'?"  I don’t think so. However, the reasons why providers decide not to join a HIE should be very carefully considered and weighed against the potential benefits joining a HIE may have for their patients, namely potentially improving safety and quality of care. That said, before HIE technology can become a standard of care, at a minimum it must be easy to use, offer useful information, be secure, and not be cost prohibitive to the busy practicing provider. Once that happens, however, what will happen if providers don’t join and patients suffer as a result? Well, I guess my old law school friend may be waiting!

HIE-ho, HIE-ho, it's off to Court ACLU Goes

The Director of the Rhode Island Department of Health (RI-DOH) was sued last week in connection with RI-DOH's proposed rules for implementing and enforcing the State's health information exchange (HIE) under the Rhode Island Health Information Exchange Act of 2008 (HIE Act).

The Rhode Island chapter of the American Civil Liberties Union (ACLU) filed the Complaint alleging that:

the proposed rules failed to comply with the HIE’s statutory mandates by not addressing provisions in the statute that require adoption of regulations on certain specific issues to further promote the confidentiality, security, due process and informed consent due the affected patients

The ACLU argues that the RI-DOH cannot supplement gaps in the proposed rules through the adoption of policies and that the RI-DOH must address these concerns through Rhode Island's public rulemaking process in order to fulfill its obligations under the HIE Act. However, the RI-DOH has countered that the policies provide sufficient safeguards to protect patients' information while offering more flexibility to make adjustments quickly as national standards for privacy and security in the HIE context continue to evolve rapidly.

The lawsuit serves as an example of how important these concerns are to the public, and it highlights the potential for challenges to others developing HIE regulations. This case is worth watching closely to see how it develops.

This post was prepared by Krystyna Nowik.  Krystyna is a graduate of Seton Hall Law School, with a concentration in Health Law.  She works with Oscislawski LLC on various Health Information Exchange matters and is a guest contributor to Legal HIE.