$3,000,000 Settlement for HIPAA Breach by Diagnostic Medical Imaging Company

By Danielle Dietrich on Posted in HIPAA, HIT and EHR

Today the U.S. Department of Health and Human Services, Office for Civil Rights (“HHS”) announced a $3,000,000 settlement for a disclosure of patient protected health information (“PHI”) via its FTP server.

In 2014, HHS received an email tip that the social security numbers of Touchstone Medical Imaging (“Touchstone”) patients were accessible online via an insecure file transfer protocol (“FTP”) web server.  HHS confirmed that this information was accessible via a simple Google search.

Both the FBI and HHS notified Touchstone of the breach, which included the name, date of birth, phone number, and address and in some cases social security number of over 300,000 individuals.  Touchstone failed to investigate the issue until several months later.

HHS found that:

1) Touchstone impermissibly disclosed the PHI of over 300,000 individuals through its insecure FTP server.

2) Touchstone failed to have technical policies and procedures to restrict who could access the information through the server.

3) Touchstone failed to have a written business associate agreement with a business associate.

4) Touchstone continue to engage another business associate without having a business associate agreement in place.

5) Touchstone failed to thoroughly and accurate assess potential risks and vulnerabilities of electronic PHI that it held.

6) Touchstone waited well over four months to respond to the incident.

7) Touchstone failed to notify affected individuals of the breach until 147 days after it was notified of the breach.

8) Touchstone failed to notify media outlets of the breach until 147 days after it was notified of the breach.

To settle the matter, Touchstone has agreed to pay HHS $3,000,000 and enter into a Corrective Action Plan.

You can read the HHS Press Release and the Resolution Agreement here: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/tmi/index.html

If your office would like guidance on how it can prevent HIPAA violations from occurring, please contact our firm.

Danielle Dietrich is a healthcare and litigation attorney in Tucker Arensberg’s Long Term Care Practice Group. She is licensed to practice law in Pennsylvania, Ohio and West Virginia.  Danielle can be reached via email: ddietrich@tuckerlaw.com, telephone: 412-594-5605 or on Twitter at @DLDietrich.

Mike Cassidy Named a Fellow of the American Health Lawyers Association

By ahurley on Posted in Uncategorized

Tucker Arensberg, P.C. is pleased to announce that Michael A. Cassidy has been honored as one of only seven healthcare lawyers in the nation to be selected in 2019 as a Fellow of the American Health Lawyers Association (“AHLA”). Only a fraction of 1% of AHLA’s nearly 14,000 members are selected for fellowship annually. This honor recognizes the career long achievements, the contributions and tenure with AHLA, and their continuing service and leadership in the legal profession. Fellows include past AHLA presidents, former members of the Board of Directors, former members of practice group and program planning committees, and others who have been very active within the association.

Mike is Chair of the Business and Finance Department and focuses his practice on compliance, credentialing and peer review, reimbursement, contracts, HIT, HIPAA and telehealth issues for physicians. Mike is also the publisher of the Med Law Blog https://www.medlawblog.com, the firm’s health law blog, and has been certified in Healthcare Compliance (CHC) by the Health Care Compliance Association (HCCA).

Mike received his Juris Doctor from the University of Pittsburgh School of law and his undergraduate degree from Brown University.

CMS Expands Medicare Advantage Telehealth Coverage

By Michael Cassidy on Posted in Medicare & Reimbursement

On April 4, 2019, CMS issued the final Medicare Advantage Rule for calendar year 2020, announcing it will allow Medicare Advantage carriers to significantly increase the range of telehealth services beyond traditional Medicare Part B covered services, stipulating only that, if a service is to be covered as a telehealth service, it must also be covered as an in-person service.

Attached are:

Pennsylvania Patient Test Result Information Act Update: Act 112

By Michael Cassidy on Posted in Legal News

The Patient Test Result Information Act was effective December 23, 2018.

The Act requires entities performing diagnostic imaging services, defined to include any medical imaging test intended to diagnose the presence or absence of a disease, to provide notice of the results to patients.  The operative language states:

“When, in the judgment of the entity performing a diagnostic imaging service, a significant abnormality may exist, the entity performing the diagnostic imaging service shall directly notify the patient or the patient’s designee by providing notice that the entity has completed a review of the test performed on the patient and has sent results to the healthcare practitioner who ordered the diagnostic imaging service”.

The notice to the patient shall include:

·         The name of the ordering healthcare practitioner

·         The date the test was performed

·         The date the results were sent to the ordering healthcare practitioner

The notice must also contain a statement to the patient that the patient is receiving the notice as a result of a determination by the diagnostic imaging services that further discussions of the test are warranted and would be beneficial.  In other words, you must make sure the patient knows that the test is significant and that their doctor has it.

The Act exempts reports regarding routine obstetric ultrasounds used to monitor the development of a fetus and imaging services performed on a patient being treated as an inpatient or in an emergency room.

The Act also exempts diagnostic radiographs, which are defined as the digital images, so the notice need not include the actual image.

The Pennsylvania Department of Health has provided a one year grace period in order for diagnostic imaging entities to become accustomed to their obligations.  Click the links to read that letter dated December 14, 2018 and the Act.

Commonwealth Court Declines to Extend Consent Decree

By Michael Cassidy on Posted in Legal News

Although there have been a number of issues raised by the Pennsylvania Attorney General in the UPMC/Highmark situation, including UPMC’s status as a charitable institution, the primary issue in the Attorney General’s lawsuit was a request to extend the June 30, 2019 termination date for the UPMC-Highmark Consent Decrees. The Commonwealth Court declined to extend the term of the Consent Decree. Click here to read the opinion.

Updated Procedural History of UPMC – Highmark Litigation

By Michael Cassidy on Posted in Articles, Legal News

Below is a summary of UPMC-Highmark dispute as of March 4, 2019. This information is limited to litigation proceedings with no discussion about prior contracts or negotiations.

  1. March 2011 – UPMC announces it will not renew UPMC-Highmark contract due to expire December 31, 2012.
  2. May 1, 2012 – Parties enter into mediated agreement which states that parties (UPMC and Highmark) will allow in-network access for all commercial, Medicare and Medicare Advantage members through December 31, 2014, and:
  • Parties would negotiate rates for access beginning in 2015 for Western Psych, oncology, UPMC Bedford and UPMC Northwest.
  • UPMC Children’s and Mercy agreements would remain in effect.
  1. April 23, 2013 – Pennsylvania Insurance Department approves Highmark – West Penn Allegheny Health System affiliation.
  2. June 12, 2013 – UPMC resolves to forego any extension of the existing commercial contracts, excluding Children’s, Mercy, Northwest and Western Psych as a result of the affiliation.
  3. June 27, 2014 – Pennsylvania Department of Health and Insurance intervene in the dispute and broker the Consent Decrees. EXHIBIT A
  4. October 30, 2014 – Commonwealth Departments of Health and Insurance seeks to hold Highmark in contempt of Consent Decrees for marketing a Community Blue program that excluded UPMC participation. Judge Pellegrini of Commonwealth Court denied the Commonwealth’s Petition.  EXHIBIT B
  5. November 30, 2015 – Pennsylvania Supreme Court rules that Highmark Medicare Advantage members should be treated by UPMC through June 30, 2019. EXHIBIT C
  6. February 7, 2019 – Pennsylvania Attorney General Josh Shapiro petitions Commonwealth Court to modify the 2014 Consent Decree, alleging: EXHIBIT D
  • The necessity to enforce compliance with charitable obligations
  • Violation of the Solicitation of Funds for Charitable Purposes Act
  • Breach of Fiduciary Duty
  • Violation of Uniform Trade Practices and Consumer Protection Law
  1. February 21, 2019 – UPMC files federal class action complaint in the United States District Court for the Middle District of Pennsylvania, alleging: EXHIBIT E
  • Preemption by federal law
  • Violation of Accountable Care Act (ACA)
  • Violation of ERISA
  • Antitrust violation of the Sherman Act
  • Illegal takings in violation of the “Taking Clause of the Fifth Amendment” to the U.S. Constitution
  • Violation of federal Equal Protection
  • Violation of Due Process

10. February 21, 2019 – UPMC also filed a Motion for a Preliminary Injunction in the U.S. District Court for the Middle District of Pennsylvania, in conjunction with the above Complaint, against the Attorney General. Exhibit F

11. February 21, 2019 – UPMC has also filed a Motion to Dismiss the Attorney General’s Petition to Modify the Consent Decree. Exhibit G

For additional information contact Mike Cassidy or Mark Hamilton.

Procedural History of UPMC – Highmark Litigation

By Michael Cassidy on Posted in Articles, Legal News

Below is a summary of UPMC-Highmark dispute as of February 22, 2019. This information is limited to litigation proceedings with no discussion about prior contracts or negotiations.

  1. March 2011 – UPMC announces it will not renew UPMC-Highmark contract due to expire December 31, 2012.
  2. May 1, 2012 – Parties enter into mediated agreement which states that parties (UPMC and Highmark) will allow in-network access for all commercial, Medicare and Medicare Advantage members through December 31, 2014, and:
  • Parties would negotiate rates for access beginning in 2015 for Western Psych, oncology, UPMC Bedford and UPMC Northwest.
  • UPMC Children’s and Mercy agreements would remain in effect.
  1. April 23, 2013 – Pennsylvania Insurance Department approves Highmark – West Penn Allegheny Health System affiliation.
  2. June 12, 2013 – UPMC resolves to forego any extension of the existing commercial contracts, excluding Children’s, Mercy, Northwest and Western Psych as a result of the affiliation.
  3. June 27, 2014 – Pennsylvania Department of Health and Insurance intervene in the dispute and broker the Consent Decrees. EXHIBIT A
  4. October 30, 2014 – Commonwealth Departments of Health and Insurance seeks to hold Highmark in contempt of Consent Decrees for marketing a Community Blue program that excluded UPMC participation. Judge Pellegrini of Commonwealth Court denied the Commonwealth’s Petition.  EXHIBIT B
  5. November 30, 2015 – Pennsylvania Supreme Court rules that Highmark Medicare Advantage members should be treated by UPMC through June 30, 2019. EXHIBIT C
  6. February 7, 2019 – Pennsylvania Attorney General Josh Shapiro petitions Commonwealth Court to modify the 2014 Consent Decree, alleging: EXHIBIT D
  • The necessity to enforce compliance with charitable obligations
  • Violation of the Solicitation of Funds for Charitable Purposes Act
  • Breach of Fiduciary Duty
  • Violation of Uniform Trade Practices and Consumer Protection Law
  1. February 21, 2019 – UPMC files federal class action complaint in the United States District Court for the Middle District of Pennsylvania, alleging: EXHIBIT E
  • Preemption by federal law
  • Violation of Accountable Care Act (ACA)
  • Violation of ERISA
  • Antitrust violation of the Sherman Act
  • Illegal takings in violation of the “Taking Clause of the Fifth Amendment” to the U.S. Constitution
  • Violation of federal Equal Protection
  • Violation of Due Process

10. February 21, 2019 – UPMC also filed a Motion for a Preliminary Injunction in the U.S. District Court for the Middle District of Pennsylvania, in conjunction with the above Complaint, against the Attorney General. Exhibit F

11. February 21, 2019 – UPMC has also filed a Motion to Dismiss the Attorney General’s Petition to Modify the Consent Decree. Exhibit G

For additional information contact Mike Cassidy or Mark Hamilton.

CMS Issues Hospital Price Transparency Rules

By Michael Cassidy on Posted in Medicare & Reimbursement

As part of the 2019 Medicare annual inpatient prospective payment system (PPS) fee schedule update, CMS has added a “rule” requiring hospitals to publish a list of standard charges beginning January 2019.

CMS explained this initiative under the “Transparency” and “Request for Information” topics in the following link:  https://www.cms.gov/newsroom/fact-sheets/fiscal-year-fy-2019-medicare-hospital-inpatient-prospective-payment-system-ipps-and-long-term-acute-0

CMS subsequently issued two sets of Frequently Asked Questions (FAQs) regarding this rule.

Essentially, the guidance states as follows:

  • Hospitals are free to choose whatever format they prefer as long as the information represents the hospitals’ current standard charges as reflected in their charge masters in a machine readable format.
  • The transparency requirements apply to all items and services provided by the hospitals, including medical services, drugs, biologicals, etc.
  • The transparency requirements do not transplant, replace or restrict hospitals from posting any other quality information or additional price transparency information on their websites.
  • Although CMS is fully supportive of all state online price transparency initiatives, those initiatives do not satisfy the federal requirement and do not exempt hospitals from the CMS requirements.

It is not difficult to envision why just a list of the charges might not be all that helpful.  The “charge master” is just a collection of the hospital’s list prices or fee schedule, which is what is charged for any service or product and has little relation to what the hospital actually collects from insured individuals.  Any person who has received an explanation of benefits (EOB) from a health insurance carrier indicating that the hospital or physician charges were some astronomical amount but the payment was just a fraction thereof, knows the difference between the list prices and the actual prices.  This has traditionally been a significant problem for self-pay or uninsured individuals, since the hospitals’ standard position has been that the charges, or the list price, is the appropriate fee.

One step that will make this more meaningful is disclosure of the typical Medicare payments for those services.  CMS has released an online tool called “Procedure Price Lookup” which may provide some useful price comparisons.  https://www.cms.gov/newsroom/press-releases/new-online-tool-displays-cost-differences-certain-surgical-procedures

LexBlog