Pennsylvania Commonwealth Court Again Declines to Extend Consent Decree

The Pennsylvania Commonwealth Court, on remand from the Pennsylvania Supreme Court, has again decided that the previously agreed termination date of the access provisions contained in the UPMC/Highmark Consent Decrees, i.e. June 30, 2019, is not a term subject to the modification provisions of those Consent Decrees, and is definite.  The adjudication of the Commonwealth Court, attached hereto, discusses the history of the negotiation of the terms, especially the termination date, and confirms the Consent Decrees will expire on June 30, 2019.

For additional information contact Mike Cassidy.

$3,000,000 Settlement for HIPAA Breach by Diagnostic Medical Imaging Company

Today the U.S. Department of Health and Human Services, Office for Civil Rights (“HHS”) announced a $3,000,000 settlement for a disclosure of patient protected health information (“PHI”) via its FTP server.

In 2014, HHS received an email tip that the social security numbers of Touchstone Medical Imaging (“Touchstone”) patients were accessible online via an insecure file transfer protocol (“FTP”) web server.  HHS confirmed that this information was accessible via a simple Google search.

Both the FBI and HHS notified Touchstone of the breach, which included the name, date of birth, phone number, and address and in some cases social security number of over 300,000 individuals.  Touchstone failed to investigate the issue until several months later.

HHS found that:

1) Touchstone impermissibly disclosed the PHI of over 300,000 individuals through its insecure FTP server.

2) Touchstone failed to have technical policies and procedures to restrict who could access the information through the server.

3) Touchstone failed to have a written business associate agreement with a business associate.

4) Touchstone continue to engage another business associate without having a business associate agreement in place.

5) Touchstone failed to thoroughly and accurate assess potential risks and vulnerabilities of electronic PHI that it held.

6) Touchstone waited well over four months to respond to the incident.

7) Touchstone failed to notify affected individuals of the breach until 147 days after it was notified of the breach.

8) Touchstone failed to notify media outlets of the breach until 147 days after it was notified of the breach.

To settle the matter, Touchstone has agreed to pay HHS $3,000,000 and enter into a Corrective Action Plan.

You can read the HHS Press Release and the Resolution Agreement here:

If your office would like guidance on how it can prevent HIPAA violations from occurring, please contact our firm.

Danielle Dietrich is a healthcare and litigation attorney in Tucker Arensberg’s Long Term Care Practice Group. She is licensed to practice law in Pennsylvania, Ohio and West Virginia.  Danielle can be reached via email:, telephone: 412-594-5605 or on Twitter at @DLDietrich.

Mike Cassidy Named a Fellow of the American Health Lawyers Association

Tucker Arensberg, P.C. is pleased to announce that Michael A. Cassidy has been honored as one of only seven healthcare lawyers in the nation to be selected in 2019 as a Fellow of the American Health Lawyers Association (“AHLA”). Only a fraction of 1% of AHLA’s nearly 14,000 members are selected for fellowship annually. This honor recognizes the career long achievements, the contributions and tenure with AHLA, and their continuing service and leadership in the legal profession. Fellows include past AHLA presidents, former members of the Board of Directors, former members of practice group and program planning committees, and others who have been very active within the association.

Mike is Chair of the Business and Finance Department and focuses his practice on compliance, credentialing and peer review, reimbursement, contracts, HIT, HIPAA and telehealth issues for physicians. Mike is also the publisher of the Med Law Blog, the firm’s health law blog, and has been certified in Healthcare Compliance (CHC) by the Health Care Compliance Association (HCCA).

Mike received his Juris Doctor from the University of Pittsburgh School of law and his undergraduate degree from Brown University.

CMS Expands Medicare Advantage Telehealth Coverage

On April 4, 2019, CMS issued the final Medicare Advantage Rule for calendar year 2020, announcing it will allow Medicare Advantage carriers to significantly increase the range of telehealth services beyond traditional Medicare Part B covered services, stipulating only that, if a service is to be covered as a telehealth service, it must also be covered as an in-person service.

Attached are:

Pennsylvania Patient Test Result Information Act Update: Act 112

The Patient Test Result Information Act was effective December 23, 2018.

The Act requires entities performing diagnostic imaging services, defined to include any medical imaging test intended to diagnose the presence or absence of a disease, to provide notice of the results to patients.  The operative language states:

“When, in the judgment of the entity performing a diagnostic imaging service, a significant abnormality may exist, the entity performing the diagnostic imaging service shall directly notify the patient or the patient’s designee by providing notice that the entity has completed a review of the test performed on the patient and has sent results to the healthcare practitioner who ordered the diagnostic imaging service”.

The notice to the patient shall include:

·         The name of the ordering healthcare practitioner

·         The date the test was performed

·         The date the results were sent to the ordering healthcare practitioner

The notice must also contain a statement to the patient that the patient is receiving the notice as a result of a determination by the diagnostic imaging services that further discussions of the test are warranted and would be beneficial.  In other words, you must make sure the patient knows that the test is significant and that their doctor has it.

The Act exempts reports regarding routine obstetric ultrasounds used to monitor the development of a fetus and imaging services performed on a patient being treated as an inpatient or in an emergency room.

The Act also exempts diagnostic radiographs, which are defined as the digital images, so the notice need not include the actual image.

The Pennsylvania Department of Health has provided a one year grace period in order for diagnostic imaging entities to become accustomed to their obligations.  Click the links to read that letter dated December 14, 2018 and the Act.

Commonwealth Court Declines to Extend Consent Decree

Although there have been a number of issues raised by the Pennsylvania Attorney General in the UPMC/Highmark situation, including UPMC’s status as a charitable institution, the primary issue in the Attorney General’s lawsuit was a request to extend the June 30, 2019 termination date for the UPMC-Highmark Consent Decrees. The Commonwealth Court declined to extend the term of the Consent Decree. Click here to read the opinion.