Fifth National HIPAA Summit
November 1, 2002

High-Stakes Medical Privacy Litigation: The Top HIPAA Threats and How to Avoid Them

Leigh-Ann M. Patterson, Esq., Nixon Peabody LLP, Partner, Litigator on the HIPAA Task Force
Raymond Gustini, Esq., Nixon Peabody LLP, Partner, HIPAA Task Force
Salvatore Colletti, Esq., Pfizer Inc., Assistant General Counsel

Introduction

This session is about high-stakes medical privacy litigation in the context of what is called “preventive law,” which is analogous to preventive medicine. To explain:

“Using the analogy with preventive medicine, preventive law is the legal specialty of preventing the disease of litigation. Litigation is a serious disease that leaves its victims financially and emotionally weakened and, in some cases, may lead to their economic demise. It is a contagious disease characterized by a latent state with intermittent crises (individual suits). Symptomatic treatment of the crisis phase may lead to a remission, but the disease usually recurs in a more serious form. ... The disease cannot be cured, but it can be controlled by carefully monitored therapy and regular checkups.”
~ National Center for Biotechnology Law

To this end, our session will cover the following:

I. “Litigation 101”
• What is high-stakes litigation?
• Why should you be concerned about it?
• How HIPAA and medical privacy issues lend themselves to high-stakes litigation

II. The Top HIPAA Threats
• HIPAA 101 – brief overview of provisions discussed in session
• Low-stakes medical privacy exposure
• High-stakes medical privacy exposure:
  (1) Inadvertent mass disclosure due to poor security
  (2) Failure to follow one’s own privacy policies and procedures
  (3) Medical data abuses or breaches by business associates

III. How To Minimize the Risk of Future HIPAA Litigation (a.k.a. How to Reduce Your Chances Of Becoming The First HIPAA Litigation Posterchild)
• Think differently about HIPAA and Medical Privacy Issues
• Building a Strong Privacy Foundation
• Training, Awareness, and Self-Audits

I. “Litigation 101”

A. What is High-Stakes Litigation?

As an overview, the legal system in the U.S. has three general categories of personal injury lawsuits.

The first, and largest, category is known as “low-stakes” litigation. This type of litigation involves a single plaintiff who has been injured in a common type of accident, such as a car accident or a slip-and-fall. The injured plaintiff seeks restitution and compensation for her injury. Her injuries are usually not severe and, as a result, her recovery is usually a low-dollar amount.

The second category is known as “high-stakes” litigation. This type of litigation involves many plaintiffs who have been injured in a common way by one or more defendants, such as in the products liability context or the medical marketing context. The distinguishing characteristic of this type of litigation is that the group of plaintiffs seeks not only compensation, but also deterrence of the defendants’ allegedly harmful conduct, which gives rise to the possibility of a large damage award.

The third category is known as “mass torts” litigation, and it is the smallest category of cases. These cases involve a large number of plaintiffs who have been harmed by a single defendant or product, such as the asbestos and Dalkon Shield cases.

B. Why Be Concerned About High-Stakes Litigation?

Companies need to be concerned about high-stakes litigation because it is the fastest growing type of lawsuit in almost every one of the 50 state court systems. Over the past 10 years, not only has the sheer number of suits grown, but so have the average jury awards and the plaintiffs’ chances of winning.
The stakes in these cases are higher -- for both plaintiffs and defendants -- than in the other two types of personal injury cases because of the “deterrence factor.” The plaintiffs’ interest in deterring a defendant from future harmful conduct is realized by securing a large punitive damages award. Plaintiffs’ attorneys often invest more resources in high-stakes cases because of the potential for a high-dollar pay-off.

The defendants’ interest in deterring future high-stakes litigation from being brought against them is realized by going to trial, winning the case, and setting precedent. In some cases, the entire future of the company may rest on the outcome of a particular piece of high-stakes litigation, making the company more willing to invest big dollars in defending against the case, rather than settling. Many defendants fear that settling such a suit will not be an effective deterrent. Indeed, many fear that settling will serve as an invitation for others with similar complaints to file similar lawsuits. In short, the “deterrence factor” gives both sides in high-stakes litigation big incentives to try the case rather than settle out of court.

Serious risks exist in taking a case to trial, especially for defendants. First, the case could be lost and a huge punitive damage award entered, which would set a dangerous precedent and perhaps jeopardize the future financial viability of the defendant-company. Second, negative publicity will be generated by a trial, especially if the press takes an interest in the case. Such publicity could tarnish a company’s reputation and image, as well as damage existing customer relationships. This is especially so because high-stakes cases tend to be highly emotional cases on the part of the plaintiffs, which lend themselves to dramatization. Publicity may also encourage the filing of “copy cat” lawsuits against the defendant.

C. How Do HIPAA and Medical Privacy Issues Lend Themselves to High-Stakes Litigation?
HIPAA and medical privacy issues lend themselves to high-stakes litigation in two fundamental ways: the ease of disclosure and the sensitivity of the information.

First, gone are the days of medicine in a manila folder. Historically, medical record keeping consisted of a physician keeping notes on a sheet of paper placed in a manila folder kept in the physician’s office. The modern-day medical information system is marked by medicine on electronic and magnetic media. While technological advances arguably improve health care delivery, the ease of collection, storage, and transmission of data over electronic networks poses a threat to patient confidentiality and privacy.

Second, health care information is perhaps the most intimate, private, and sensitive type of information maintained about a person. Used properly, medical records can be used to save one’s life. Used improperly, disclosure can damage one’s reputation or be used for discriminatory purposes in the employment context. The sensitivity of this type of information makes medical privacy an emotionally-charged topic, which naturally lends itself to the high-stakes deterrence game. Indeed, the plaintiffs’ bar is keenly anticipating the opportunities that HIPAA presents, calling HIPAA litigation the next “tobacco litigation,” “breast implant litigation,” etc.

II. The Top HIPAA Threats

A. HIPAA 101 – Brief Overview

As a brief overview, the general rule is that HIPAA prohibits “covered entities” from using or disclosing protected health information (“PHI”), except as allowed by HIPAA. HIPAA applies to certain health care entities – called “covered entities” – which include health care providers, insurers (including corporate employers’ self-insured plans), and health care clearinghouses (such as third-party administrators of self-insured plans). HIPAA also restricts the use of health information by business associates of covered entities.
For purposes of the rule, a business associate is any entity or individual with whom the covered entity does business, and includes accountants and lawyers. Business associates who receive PHI are required to safeguard the information and restrict their use of it to the same extent as the covered entity, and HIPAA requires that covered entities receive satisfactory assurances that business associates will safeguard health information.

B. Low-Stakes Medical Privacy Cases

Even though HIPAA’s privacy rule does not go into effect until April 2003, low-stakes medical privacy cases based on state-law claims already abound. In general, these cases involve an individual plaintiff claiming that medical information has been wrongfully disclosed to a third party. For example:

• A patient sued the Washington Hospital Center in Washington, DC, when a hospital employee revealed to the patient’s co-workers his HIV-positive status. The patient was awarded $25,000 in damages for invasion of privacy.
• A patient who had overdosed and was treated by an emergency medical technician in Waukesha, Wisconsin, sued the EMT for disclosing the overdose to the patient’s co-workers. The patient was awarded $3,000 in damages for invasion of privacy.
• A nurse sued the Emory School of Medicine when her supervisor posed as her treating physician and wrongfully accessed her medical records without permission. This suit is still pending.
• An employee sued a San Francisco law firm that represented her employer, claiming that the law firm wrongfully shared information, including a psychiatric evaluation, about her workers’ compensation claim with one of the plaintiff’s coworkers. This suit is still pending.
• A former patient of Johns Hopkins Hospital sued Johns Hopkins for $12 million, alleging that the hospital wrongfully released his medical records to a former friend and business partner. The court held that Johns Hopkins was not liable because it did not knowingly release the information to the former friend. An appeal is presently pending.

Some of these low-stakes cases are beginning to incorporate HIPAA into their state-law claims and theories of liability for invasion of privacy, notwithstanding the fact that HIPAA does not create a private right of action. One court has already recognized that HIPAA sets a national standard of care.

C. High-Stakes Medical Privacy Cases

According to our research, the first high-stakes HIPAA medical privacy case has not yet been filed, but by looking at trends in other areas of high-stakes litigation, such as products liability, we surmise that high-stakes HIPAA litigation is likely to fit the following profile.

1. Inadvertent Mass Disclosure Due To Poor Security

Security is the framework within which all of HIPAA’s privacy and transaction requirements are implemented. If a covered entity cannot “ensure” security, then privacy measures are an empty gesture and HIPAA transactions may be jeopardized.

a. The Existing Security Requirement

Even though a final security rule has not yet been published, a security standard is in existence right now in the underlying HIPAA statute. HIPAA’s standard for security is found at 42 U.S.C. §1320d-2(d)(2):

Safeguards
“Each [covered entity] who maintains or transmits health information shall maintain reasonable and appropriate administrative, technical, and physical safeguards –
  (A) to ensure the integrity and confidentiality of the information;
  (B) to protect against any reasonably anticipated –
    (i) threats or hazards to the security or integrity of the information; and
    (ii) unauthorized uses or disclosures of the information; and
  (C) otherwise to ensure compliance with this part by the officers and employees of such person.”

What does this mean? It means that a strict security requirement is already in force!
And it applies to all covered entities that use or transmit “individually identifiable health information” (not just PHI). Furthermore, by virtue of §1320d, all covered entities have been on notice since 1996 that a high level of security is required by the federal statute.

The Final Privacy Rule contains parallel “safeguard” requirements. These are found in Subsection 164.530(c). This section creates what has been called a “mini” security rule within the Privacy Rule. Once the final security rule is published, it will essentially be incorporated wholesale into the privacy rule by virtue of subsection 164.530(c).

b. How Plaintiffs’ Lawyers Might Use The Security Rule As A Basis For A Lawsuit

Some have feared that the plaintiffs’ bar would come up with creative theories under which plaintiffs might assert that they have a private right of action under HIPAA. Having a private right of action under a federal statute means that a plaintiff can file a lawsuit against an entity alleging a breach of the federal statute. Although commentators have opined that HIPAA does not provide a private cause of action, we now have a solid body of federal court cases which expressly states this. See:

• Means v. Independent Life and Acc. Ins. Co., 963 F. Supp. 1131 (M.D. Ala. 1997)
• Wright v. Combined Insurance Co. of America, 959 F. Supp. 356 (N.D. Miss. 1997)
• Brock v. Provident America Ins. Co., 144 F. Supp. 2d 652 (N.D. Tex. 2001)
• Dixie O’Donnell v. Blue Cross Blue Shield of Wyoming, 173 F. Supp. 2d 1176 (Dst.Wy., 2001)

In the latest of these cases, a plaintiff in Wyoming filed suit against her health insurer, claiming breach of contract and violation of HIPAA, based on its denial of a certain medical claim. Dixie O’Donnell v. Blue Cross Blue Shield of Wyoming, 173 F. Supp. 2d 1176 (Dst.Wy., 2001). Specifically, the plaintiff claimed that the insurer’s denial of her medical claim violated HIPAA’s requirements involving pre-existing conditions.
The federal court for the District of Wyoming dismissed the case, holding that: (1) there is no specific right of enforcement for a violation under HIPAA, (2) no implied private cause of action existed, and (3) the only entity with enforcement authority for a HIPAA violation is Health and Human Services (“HHS”).

With no private right of action, how then might plaintiffs’ lawyers use HIPAA’s security rule in a lawsuit? They might use it in connection with a state law negligence claim by patients for disclosure of PHI due to a security breach. The theory of liability would likely be along these lines. The covered entity owed a duty of care to its patients to maintain reasonable and appropriate technical and physical safeguards. Does this language sound familiar? It should, because it is lifted from the “safeguard requirement” of 42 USC §1320d to ensure the privacy and security of confidential medical information. Plaintiff-patients can be expected to point to the security obligation in §1320d to establish the existence of that duty of care. Their experts can be expected to testify that this statutory standard requires covered entities to exercise a high level of care where the security of PHI is at stake. To avoid being negligent, covered entities must keep up with technological advances and innovations which set the standard of care in the industry for covered entities.

Some additional causes of action which might be expected to surface are:
• Negligent disclosure of PHI
• Any state statute giving rise to a right of action for breach of confidentiality
• Intentional revelation of PHI by employee
• Inadequate policies and procedures
• Negligent supervision and training
• Negligent/intentional infliction of emotional distress

These causes of action and theories of liability appear in the complaint in the case of Jane Doe v. Community Health Plan-Kaiser Corp., No. 8529 (N.Y. App. Div. 05/11/2000) (medical record clerk improperly released records).

c. How and Where A Security Breach Might Occur

How and where might a breach of security occur? This depends on who you are and what you do. Some common ways in which security breaches might occur:
• Computer security – workstations, laptops and mobile medical devices
• Communications security
• Physical security: access to premises, equipment, people, data
• Personnel security
• Procedural (business process) security

d. Some Pre-HIPAA Examples of Litigation Based On Security Breaches

Several pre-HIPAA examples of litigation involving breaches due to poor security:
• University of Montana: Hundreds of pages of detailed psychological records concerning visits and diagnoses of at least 62 children and teenagers were accidentally posted on the University of Montana web site for 8 days. Results of psychological tests, names, birthdays, and home addresses were disclosed.
• Eli Lilly and Co.: Lilly inadvertently revealed over 600 patient e-mail addresses when it sent a collective message to every individual registered to receive reminders about taking Prozac. Although in the past emails had been addressed to individuals, the email announcing the end of the reminder service was inadvertently addressed to all of the participants. The incident prompted the FTC to file a complaint against Lilly alleging that the disclosure constituted an unfair or deceptive act under federal law. As part of its settlement with the FTC and attorneys general from 8 states, Lilly agreed to increase existing security and create an internal program to prevent future privacy violations.
• University of Michigan Medical Center: Several thousand patient records at the University of Michigan Medical Center inadvertently lingered on public Internet sites for two months. The situation was discovered when a student searching for information about a doctor was linked to files containing private patient records with numbers, job status, treatment for medical conditions, and other data.
• Medlantic Healthcare Group Inc.: Plaintiff sued hospital for lack of adequate security measures in protecting patient medical records when a part-time, unauthorized employee accessed and discussed with plaintiff’s co-workers the plaintiff’s HIV status. The hospital was held liable for $250,000, due in large part to lax security, including the inability of the medical records software used by the hospital to trace and identify who had accessed the records. Doe v. Medlantic Healthcare Group Inc., No. 97-CA3889 (D.C. Super. Ct. 11/30/99).
• Easton Hospital: Medical records with lab reports, drug reports, and doctor’s examination notes were found on the streets of Allentown, PA. All of the records had patient names and many included addresses and phone numbers. Officials at Easton Hospital determined the disclosure was due to poor security at the hospital (The Morning Call, August 8, 2002).

2. Failure to Follow One’s Own Privacy Policies and Procedures

a. The Existing Requirement

HIPAA requires covered entities to adopt policies and procedures governing the protection of patient privacy. HIPAA also requires that notice be given to patients informing them of the covered entity’s privacy policies and the patient’s right to request restrictions as to use and disclosure of their PHI.

b. How Plaintiffs’ Lawyers Might Use Non-Compliance Or Breach Of One’s Own Privacy Policy As A Basis For A Lawsuit

Much like the breach of security scenario, plaintiffs’ lawyers may be expected to connect a covered entity’s violation of its own policy with state law claims for negligence, breach of contract, and misrepresentation. A negligence allegation could be framed in terms of a covered entity assuming a duty of a certain level of care by virtue of its privacy policy, in other words, assuming a duty greater than the covered entity would otherwise have by law.
Further, breach of one’s own privacy policy might be used as evidence of negligence in connection with a negligence claim based on other underlying conduct. An argument might be made under certain state law that a privacy policy creates a type of contractual undertaking or that it is incorporated into the contractual relationship between the covered entity and the patient, similar to the argument that an employee handbook becomes part of the employment contract. A misrepresentation claim could potentially be made out by arguing that the covered entity represented to the patient that it would adhere to certain policies and procedures in handling the patient’s PHI and that the covered entity either intentionally or negligently misrepresented how it actually handles PHI. In addition, violation of one’s own privacy policy could potentially give rise to an unfair or deceptive practice claim or a qui tam violation.

c. How And Where This Type Of Violation Might Occur

(See powerpoint chart)

d. Some Pre-HIPAA Examples of Investigations and Litigation Based On Failure To Follow One’s Own Privacy Policies and Procedures

Several pre-HIPAA examples of investigations and litigation involving failing to follow one’s own policies and procedures:
• Arkansas Dept. of Human Services: Confidential Medicaid records were disclosed during the sale of surplus equipment by the Arkansas Dept. of Human Services twice in 6 months. In October 2001, the state stopped the sale of the department’s surplus computer storage drives when it was discovered that Medicaid records that were supposed to be erased pursuant to Department policy were found on the computers. In April 2002, a man who bought a file cabinet from the department found the files of Medicaid clients still in one of the cabinet’s drawers, in violation of the Department’s document destruction policy (Associated Press, April 3, 2002).
• Aetna: Health insurance claim forms from Aetna, the nation’s largest health insurer, blew out of a truck on the way to a recycling center and scattered on I-84 in East Hartford during the evening rush hour. The forms contained names and personal health information of patients. Aetna quickly dispatched employees to gather up all the forms. The forms should have been shredded under company policy, but weren’t (The Hartford Courant, May 14, 1999).
• Health Central.com and iVillage.com: FTC launched an investigation of health care websites’ privacy practices to determine whether personal information had been improperly shared. FTC action followed the California Healthcare Foundation’s allegations that medical websites had shared personal data with third parties and failed to follow privacy policies. Websites contacted by FTC include: Health Central.com and iVillage.com (Wall Street Journal, Feb. 18, 2000).

3. Medical Data Abuses Or Breaches By Business Associates

The third type of HIPAA litigation threat is likely to come from actions and conduct of one’s business associates.

a. The HIPAA Framework Governing Business Associates

What is a business associate?
HIPAA defines this as:

A “business associate means, with respect to a covered entity, a person who:
  (i) On behalf of such covered entity or of an organized health care arrangement (as defined in § 164.501 of this subchapter) in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, performs, or assists in the performance of:
    (A) A function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing; or
    (B) Any other function or activity regulated by this subchapter; or
  (ii) Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation (as defined in § 164.501 of this subchapter), management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of individually identifiable health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.”

Also, a covered entity may be a business associate of another covered entity.

b. Legal Liability For The Activities Of One’s Business Associates

Business associates are not directly regulated by HIPAA. Covered entities are. Thus, covered entities are “their brother’s keeper,” to an extent. Before a covered entity may use or disclose PHI to a business associate, the covered entity must obtain in writing satisfactory assurances that the business associate will properly safeguard the PHI.

“Standard: disclosures to business associates.
(i) A covered entity may disclose protected health information to a business associate and may allow a business associate to create or receive protected health information on its behalf, if the covered entity obtains satisfactory assurance that the business associate will appropriately safeguard the information.”

The mandatory “satisfactory assurance” requirement does not mean that a covered entity is automatically liable for wrongdoing of business associates. Section 164.504(e) of the Privacy Rule states that: “We have eliminated the requirement that a covered entity actively monitor and ensure protection by its business associates.” 65 Fed. Reg. 82641. However, “covered entities cannot avoid responsibility by intentionally ignoring problems with their contractors.”

c. How Plaintiffs’ Lawyers Might Use The Satisfactory Assurance Requirement As A Basis For A Lawsuit

How might plaintiffs’ lawyers use HIPAA’s satisfactory assurance requirement to hold a covered entity liable for medical data abuses or breaches by business associates? Much like the theory with HIPAA’s security rule, the plaintiffs’ bar might use the satisfactory assurance requirement in connection with a state law negligence claim by patients for wrongful disclosure of PHI. The theory of liability would likely be along these lines: The covered entity owed a duty of care to the patient to ensure that the patient’s PHI was not negligently entrusted with a third party who failed to take appropriate steps to safeguard it. The applicable standard of care would likely be the prudent behavior standard, which plaintiffs’ lawyers could be expected to argue is enhanced by the HIPAA statutory standard of “satisfactory assurance.” Plaintiffs’ lawyers might also be expected to argue that HIPAA requires covered entities to exercise a certain amount of due diligence in scrutinizing its business associates’ security practices.
Here are some likely issues which could be explored in deposition in this type of litigation:
• how much the covered entity knew, or should have known, about the security systems of its business associates
• what conversations the covered entity had with the business associate about security issues
• whether the covered entity deliberately did not ask its business associate for all the details
• whether this was the first violation by the business associate of which the covered entity was aware
• if not, when was the first violation and what, if anything, did the covered entity do in response; is this the second breach in two weeks or is the second breach in two years -- big difference between the two

A covered entity could be in violation of HIPAA, as well as state statutory and common law, if the covered entity knew of an uncured “pattern of activity or practice” by the business associate in breach of the business associate’s contract and failed to either terminate the contract “if feasible” or, “if not feasible,” then report the problem to the Secretary of HHS.

d. How and Where A Wrongful Disclosure By A Business Associate Might Occur

How and where might a business associate wrongfully disclose PHI? This depends on who the business associate is and what it does. Refer to the chart which shows the possible disclosures by a business associate.

e. Some Pre-HIPAA Examples of Litigation Based On Activities of Business Associate Type Entities/Persons

Several pre-HIPAA examples of litigation involving wrongful disclosure of PHI by business associate type entities/persons:
• Unauthorized, unprivileged disclosure of PHI obtained by counsel for a hospital, despite the fact that disclosure was made to counsel who represented the hospital in a proceeding that required knowledge. Biddle v. Warren Gen. Hospital, 715 N.E.2d 518 (OH. 1999).
• A medical student in Colorado sold the medical records of patients to malpractice lawyers (1997).
• Alleged wrongful disclosure of medical information by drugstore chain CVS to direct marketing company in connection with patient compliance program. CVS and Elensys Care Services Inc. agreed to send refill reminders and drug advertisements to CVS pharmacy customers. The mailings were sent on CVS letterhead but were paid for by the drug manufacturers whose drugs were advertised. This litigation is still pending. Weld v. CVS Pharmacy, Inc., C.A. No. 98-0897 (Mass. Super. Ct., Suffolk Co. 1998) http://www.masslaw.com/masup/1007501.htm.
• Class certified of accused criminals whose psychiatric and medical records were made accessible to the public as part of the state’s determination of who was fit to stand trial. Plaintiff prisoners claimed violations of their privacy rights under New York and federal law. Hirschfeld v. Stone, 193 F.R.D. 175 (S.D.N.Y. 2000).

Some examples from outside the medical context:
• (financial context) NationsBank was forced to pay more than $6.5 million to settle allegations that it provided its subsidiary NationsSecurities with customer names, financial statements, and account balances in order to help the company sell closed-end bond funds to bank customers as their certificates of deposit matured.
• (financial context) Bank of America was sued in a class action for selling unauthorized consumer credit reports to entities that were unaffiliated with the company in alleged violation of the Fair Credit Reporting Act. 32 Plaintiffs v. Bank of America, (D.Md. 2001).

III. How To Minimize Your Risk Of Future HIPAA Litigation (Or How To Reduce Your Chances Of Becoming The First HIPAA Litigation Posterchild)

A. Think Differently About HIPAA And The Medical Privacy Function

No one wants to be the first HIPAA litigation posterchild. Despite the very real threat of high-stakes medical privacy litigation, a covered entity can take preventative and precautionary measures to minimize its risk of future HIPAA litigation.
It’s important for us to recognize the significant challenges this environment creates for covered entities whose various operations rely so heavily on the personal medical information of individuals. HIPAA’s numerous requirements do create many impediments to our access to and transfer of important medical information, and they create real legal exposure to fines and lawsuits. Our challenge to you today is to look beyond the obstacles that this business environment creates. We believe that, with the right approach, covered entities can not only successfully navigate this difficult terrain of HIPAA’s privacy and security requirements, but can also help to create an improved landscape for the future. We’ll show you just such an approach for successful navigation and landscape improvement and hope you can adapt it for your organization.

B. Two General Points Form The Foundation For Our Approach

Two general points form the foundation of this approach.

First, the approach is based on attacking HIPAA and medical privacy in a positive, pro-active way, as opposed to acting in a defensive and reactive way. This means, for example, not merely recording the company’s policies in its legal documents, but figuring out how to enable our colleagues to best implement the key principles of those policies. That’s what we mean by active, not reactive or passive – anticipating change, not merely responding to it. On this point, we recently found a quote from an authority on data protection that drew an interesting analogy. Deidre Mulligan said, “Privacy is to the information age what environment is to the industrial age: something that needs to be attended to on the front end.” This means that we can’t afford to sit back and assess the damages of poorly guided privacy practices, just like we can’t afford to sit back and assess the damage of poorly guided environmental policies. They both need to be attacked pro-actively.
The second general point forming the foundation for our approach is simply to always keep the patient or data subject in mind. There’s a motto we have at Pfizer that we inherited from the Warner-Lambert Company: “the patient is waiting.” With all that we do as a pharmaceutical company, from laboratory discovery to clinical development to consumer advertising, from safety monitoring to manufacturing and everything in between, we must never lose sight of the ultimate users of our products, the patients who rely so heavily on the health care treatment we make possible. The same applies in the area of HIPAA and medical privacy protection. It is ultimately the interests of patients, consumers, and employees that should guide our efforts. These interests are, after all, the very basis for all the various rules and regulations. We should, therefore, adopt approaches that always ask questions like, “If I were a clinical trial participant or a patient being admitted to a hospital, what would I want to know about how my personal medical information would be used?” and “If I were sending information to a covered entity over the internet, how would I expect them to treat it?” This may seem obvious or simplistic, but I am convinced that if we adopt this perspective and urge our colleagues to do the same, we will go a long way toward meeting our legal obligations as well as fostering well-earned trust among patients and the public.

C. Building A Strong Privacy Structure In Your Organization

With these two primary points as a foundation, being proactive and emphasizing the patient’s perspective, we’ll now turn to some of the specific considerations and strategies of our approach. Two fundamental problems that every covered entity faces are, first, the wide-ranging activities within the entity’s medical operations that handle protected health information, and, second, the myriad regulatory and legal requirements in the U.S.
at the federal and state level addressing medical privacy issues and, therefore, affecting these activities of the entity. The first I’ll call “medical function diversity” and the second “regulatory diversity.” The right strategic approach, therefore, has to take these two factors into account.

1. Medical Function Diversity

To address the medical function diversity factor, we need to: (1) take a good inventory to identify potential “hot spots” and (2) build bridges in our organizations. Let’s start with the threshold matter of an inventory. This enables us to define the problem and identify the hot spots. To do this, we should carefully take an inventory of the many parts of our organizations to determine where we handle personally identifiable data of individuals and where those areas intersect with HIPAA’s privacy and security requirements. In addition to the more obvious areas, like patient intake and clinical trials, we also need to look at emerging areas like disease management programs and interactive internet sites.

For example, in the pharmaceutical industry, there were the widely publicized problems Eli Lilly encountered with a disease management program database for Prozac patients and the disclosure of the email addresses of the participants in that program to all of the other 600+ participants. We could easily see how this type of privacy nightmare could happen. It was a direct-to-consumer initiative, involving a sensitive medical condition, utilizing advanced communication technology. In a situation with those three elements at play, it is critical to pay careful attention to concerns about medical privacy protection, in this case the risk of an inappropriate disclosure of the email addresses. Remember what we said earlier about proactively addressing privacy on the front end. Lilly was easily able to develop a technical fix to this particular situation, but only after it came to light and the damage was done.
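The Lilly incident described above is a mass disclosure through the delivery mechanism itself rather than through the database behind it. The presentation does not say how the addresses leaked, so what follows is an added example, not code from the presentation or from Lilly, and it assumes the usual mechanism for this class of incident: one bulk message whose visible recipient header lists every participant. It shows that failure mode beside the per-recipient alternative, together with a pre-send check that rejects any message exposing more than one participant address. The participant addresses are constructed sample data.

```python
"""Added example (not from the original presentation): per-recipient mailing
with a pre-send check that no visible header exposes other participants.

Assumption (not stated on the page): the disclosure being guarded against is a
bulk message that lists every participant in a visible To: or Cc: header.
"""
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample data; these are not real program participants.
PARTICIPANTS = ["alice@example.org", "bob@example.net", "carol@example.com"]


def build_bulk_message(recipients, sender, subject, body):
    """The failure mode: a single message whose To: header names every participant.
    Every recipient can read the full list from the header."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_individual_messages(recipients, sender, subject, body):
    """The fix: one message per participant, addressed only to that participant,
    so no message carries any other participant's address."""
    out = []
    for rcpt in recipients:
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = rcpt
        msg["Subject"] = subject
        msg.set_content(body)
        out.append(msg)
    return out


def visible_recipients(msg):
    """Addresses a recipient can read from the message itself (To and Cc).
    Bcc is deliberately excluded: a correct submission path strips it before
    delivery, and the per-recipient approach makes it unnecessary anyway."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(headers) if addr]


def check_no_cross_disclosure(msgs, max_visible=1):
    """Pre-send gate for a program mailer: refuse any message that exposes more
    than `max_visible` addresses. Returns (index, visible_addresses) for each
    offending message; an empty list means the batch is safe to hand to the MTA."""
    violations = []
    for i, msg in enumerate(msgs):
        vis = visible_recipients(msg)
        if len(vis) > max_visible:
            violations.append((i, vis))
    return violations


if __name__ == "__main__":
    sender = "program@example.com"  # constructed sender address
    bad = [build_bulk_message(PARTICIPANTS, sender, "Reminder", "Time for your refill.")]
    good = build_individual_messages(PARTICIPANTS, sender, "Reminder", "Time for your refill.")
    print("bulk message violations:", check_no_cross_disclosure(bad))
    print("per-recipient violations:", check_no_cross_disclosure(good))
```

The gate is cheap and sits at the one choke point every outbound program message passes through, which is the place an inventory of “direct-to-consumer, sensitive condition, new channel” activities should flag for a control. It will not catch addresses pasted into the body text, so it complements rather than replaces review of the template itself.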
Our inventory is a tool that could help you screen for and identify these types of situations in advance. So, our organizational inventory of personal data protection areas must include all areas where private medical information is handled. As examples again from the pharmaceutical industry, in addition to research, safety monitoring and disease management programs, some other areas to look at include human resources databases, employee benefit plans, customer service phone lines, indigent patient programs, and genetic research. You will have to look at your organization to determine the particular areas relevant for you.

The key question as we look at any specific operation to determine if it is an area for our HIPAA medical privacy protection scrutiny is “Do we handle PHI as part of this business function?” If the answer is “yes,” we know that we will have to proceed by applying our company’s core information handling principles, which most of your organizations have already clearly articulated in written policy documents, in light of the various laws and regulations. In some cases, this will be very straightforward. In other cases it will be more involved. In either case, the inventory provides a good starting point by generating a comprehensive list, a checklist, of the areas we need to address.

2. Regulatory Diversity

The inventory helps with what we referred to as the medical function diversity problem. As for regulatory diversity, we remind you that HIPAA establishes a federal floor for privacy standards. It does not preempt more stringent state law, so you may have to comply with both. And state law in this area abounds. It will be necessary for organizations to make a case-by-case assessment of the law applicable to a given business activity based on the jurisdiction in which that activity is carried out. The first step in such an assessment is finding any relevant state law. This in itself could be a vexing task.
There could be dozens of different types of diverse statutes and case law in any one state that regulate different aspects of privacy: e.g., professional licensing (medical, pharmacy practice, etc.) laws, insurance laws, consumer protection statutes, laws regulating particularly sensitive areas like mental health, AIDS or sexually transmitted diseases, laws governing online content, state medical privilege laws, informed consent laws, or general laws that try to regulate medical privacy in a comprehensive way. And then, once you’ve identified the applicable state law, a comparison to HIPAA must be made to determine whether it conflicts with, and is “less stringent” than, the HIPAA regulations, in which case it is preempted, or whether it is more stringent, in which case it is not preempted. This determination promises to be more of an art than a science, but it is something that will have to be undertaken to address the regulatory diversity we face.

D. Consciousness Raising

Once we have inventoried our organization to identify the hot spots, determined the applicability of the various regulations and their impact on our organization’s operations, and developed well-conceived privacy policies to address this landscape, we are only part of the way there. We still need to effectively sensitize our work force to recognize the need to apply our policies and give them the tools to do so. The first step in this regard is to raise consciousness in the organization. Because we’ll find the issues affecting wide-ranging parts of our company, it will not be a simple task. My suggestion is to team up with the communications professionals in your company to develop a strategy to get the message out and to highlight the importance of the issue to the company. They could suggest the tools typically used by your company to communicate programs of importance.
For instance, how would the organization announce something like a universal change to an employee benefits program or an institutional position on a major policy issue? You will most likely want to utilize more than one means of communication to maximize your “share of voice” and chances of connecting with your target audience. At Pfizer, we developed and circulated broadly throughout the company a glossy, informational brochure explaining Pfizer’s commitment to personal data protection and the substance of our policies.

One of the key success factors, we are told, in developing these messages is to be able to articulate how an individual employee is affected: why should the reader care about the issue in their day-to-day life? This day-to-day relevance can be demonstrated in at least two ways. On one level, we all have concerns about compromises of our own personal information. Reminding people of their own concerns might get their attention and suggest that they give thought to how they approach their handling of others’ information. Remember my earlier suggestion of always taking into account the concerns of customers. I believe that applies at the broad level in developing policy, but also on the individual level in how individuals can best relate to those policies. On a second level, the day-to-day relevance of privacy issues can be demonstrated by evidence of the relationship of building patient trust to the bottom line. The growing field of consumer relationship marketing is providing evidence that it is simply good business to treat people’s information with the right degree of confidentiality when we are trying to establish a long-term relationship with them. Building trust with consumers is critical, and respect for their privacy is a big part of it.

Another of the key factors in the success of a communications effort will be the support that the messages have from senior management.
It has been demonstrated that people tend to respond to messages from their leadership, so we are well-advised to seek out senior management endorsement for our program if that is possible. As we discussed earlier, we should look at issues from the perspective of the individuals and explain to them why it is in their interest to support our proposals for reasonable privacy protection policies. And we need to engage the policy types in our companies to understand this and to help us achieve it.

E. Training And On-Going Compliance Support

An important part of operational change and compliance involves training personnel about HIPAA-compliant policies and procedures. No matter how good an organization’s policies and procedures are, if employees do not follow them, the corporation and its executives are vulnerable to civil and criminal penalties under HIPAA. No matter how much effort is spent on prevention, no corporation is immune from employee misconduct. A well-known corporate compliance survey, conducted by Corporate Legal Times and PricewaterhouseCoopers, found that despite having written policies and procedures on various compliance matters, 60% of the corporations interviewed had been faced with litigation, claims, and government investigations on the very same policies and procedures covered by their written compliance programs. This suggests that employee training and periodic assessments to identify risks and vulnerabilities should be key components of any HIPAA compliance program. To minimize the risk of HIPAA-based claims, disputes and litigation, organizations should:

• Conduct various training sessions to educate employees about their HIPAA-compliance obligations, making sure that everyone from receptionists to computer technicians to senior executives is informed.

• Provide on-going compliance support for employees, such as periodic HIPAA-awareness initiatives, which provide additional tools for effective implementation of the compliance program and remind employees of the serious civil and criminal consequences the corporation faces for noncompliance.

• Periodically measure and monitor actual practices to determine if compliance policies are being followed and to identify compliance risks, vulnerabilities, and potential exposure.

F. Periodic Self-Audits/Internal Investigations

Covered entities can minimize their exposure to civil liability by conducting internal investigations. Here are some tips on how to maximize the benefits and minimize the risks.

1. Inside v. Outside Counsel

Counsel should have the primary role in overseeing the investigation. This will maximize confidentiality through the availability of the attorney-client privilege and the work product privilege. Where the misconduct involved is relatively minor, the investigation may be conducted by in-house counsel. Where the misconduct is significant, however, it is best for outside counsel to conduct or oversee the investigation, particularly where inside counsel may be a witness or where senior management may be implicated. Outside counsel usually brings a greater degree of objectivity and credibility because of their lack of self-interest in validating the conduct. In addition, use of outside counsel increases the ability to achieve confidentiality because there is a reduced risk that a plaintiff’s lawyer could argue that communications involve business advice as opposed to legal advice.

2. Maintaining the Attorney-Client Privilege

Cloak the investigation with the attorney-client privilege. The investigation should be initiated under circumstances that make it clear that it is for the purpose of providing legal advice rather than just investigation of facts or business advice. As few non-attorneys as possible should be involved.
If non-legal personnel are involved, they should be directly supervised by attorneys. Any non-legal outside experts should be hired by counsel rather than the corporation. All privileged communications should be clearly marked with the words “privileged attorney-client communication.”

3. Document Preservation Order

Document retention policies should be reviewed immediately and a document preservation directive issued by inside counsel or senior management. It is critical to preserve all relevant documents and prevent the destruction of documents. As evidenced by the Enron case, the destruction of documents will be interpreted by the Government, plaintiffs’ counsel, and the public at large as an admission of guilt.

4. Interview Employees

All interviews should be conducted by counsel in order to preserve confidentiality. Refusal of an employee to cooperate in an internal investigation is generally appropriate grounds for discharge.

5. Preparation of the Investigative Report

At the conclusion of the investigation, a written report is normally prepared, addressed to the individual or committee which ordered the internal investigation. The report generally will summarize the circumstances which led to the investigation; detail the investigative steps which were taken; summarize the facts revealed by the investigation; analyze the applicable law; develop the arguments for and against liability, prosecution, or sanctions; identify internal policies, procedures, or practices which led to the events or which could be improved to prevent future violations; and recommend any appropriate remedial actions. The report should also describe facts and circumstances that reflect well on the corporation. Eventual disclosure of the report will then include positive evidence that may influence the Government or a Court. For example, the report may show how the corporation’s compliance program was effective in discovering and addressing the violation.

IV. Conclusion

In conclusion, HIPAA and medical privacy issues naturally lend themselves to high-stakes litigation. By thinking differently about these issues, building a strong privacy structure in your organization, and incorporating training and periodic self-assessments into your business, you can minimize your exposure to this type of potentially devastating litigation.

How to Reach Us

Leigh-Ann M. Patterson, Esq.
Nixon Peabody LLP, Partner, Litigator on HIPAA Task Force
[email protected]
Boston: 101 Federal Street, Boston, MA 02110, 617.345.1258
New York: 437 Madison Avenue, New York, NY 10022, 212.940.3000

Raymond Gustini, Esq.
Nixon Peabody LLP, Partner, HIPAA Task Force
Washington D.C., 202.585.8725
[email protected]

Salvatore Colletti, Esq.
Pfizer Inc., Assistant General Counsel
New York, NY, 212.573.7596
[email protected]

Leigh-Ann M. Patterson, Esq.

LEIGH-ANN M. PATTERSON
Partner, Nixon Peabody LLP
Boston: 101 Federal Street, Boston, Massachusetts 02110, 617.345.1258
New York: 437 Madison Avenue, New York, NY 10022, 212.940.3000
www.nixonpeabody.com
[email protected]
Practice Areas: False Claims; Medical Privacy Litigation; HIPAA and Privacy Compliance; Complex Commercial Litigation
Education: Suffolk University, J.D., cum laude; Miami University of Ohio, B.A.
Bar and Court Admissions: Massachusetts; Rhode Island; the United States Supreme Court; U.S. District Court, Districts of Massachusetts and Rhode Island; First Circuit Court of Appeals

Experience

A partner in the Litigation Department, Leigh-Ann M. Patterson, Esq., is an experienced trial lawyer who focuses her practice on healthcare litigation, HIPAA compliance, and medical privacy issues. Ms. Patterson founded Nixon Peabody’s HIPAA Task Force in 2001. Working closely with the firm’s health care attorneys, she advises health care organizations and major pharmaceutical companies on HIPAA compliance, as well as litigation risk management and litigation avoidance practices. Ms.
Patterson has successfully defended major business and corporate clients against claims for privacy violations, securities and financial fraud, False Claims Act (qui tam) violations, and complex contract disputes. Ms. Patterson is presently defending a major pharmaceutical company against alleged privacy violations in a class action lawsuit filed in Massachusetts.

Affiliations

Ms. Patterson is the immediate past President of the Women’s Bar Association of Massachusetts. She is a member of the Health Law Section of the Boston Bar Association and serves on the Association’s HIPAA Task Force; is a member of the International Association of Privacy Officers; serves on the Board of Editors of Nixon Peabody’s “Privacy Alert” newsletter; and served on the organizing committee for the Harvard Law School Berkman Center for Internet & Society’s online course and conference on the evolving role of the Chief Privacy Officer. In 2000, Ms. Patterson was named as one of Boston Business Journal’s “40 Under 40” awardees, recognizing young business and professional leaders in the greater Boston area. Ms. Patterson has published numerous legal and non-legal articles on HIPAA issues, high-stakes medical privacy litigation, financial privacy, contract issues, and business torts. She has presented at various local, regional and national conferences on HIPAA and medical privacy issues. She may be reached via e-mail at [email protected].

Salvatore Colletti, Esq.
Assistant General Counsel
235 East 42nd Street, Legal Division, 24th Floor, New York, NY 10017-5755
212.573.7596
[email protected]

Sal Colletti is an Assistant General Counsel in the Legal Division of Pfizer Inc. His responsibilities include providing legal support for a broad range of Pfizer’s pharmaceutical and other business activities.
These include leading the team of attorneys that support the Pfizer Global Manufacturing business unit, participating on the Pharmaceutical Legal Leadership Group and serving as the primary legal advisor to the company on personal data protection and medical privacy matters. He is currently a member of the Board of Directors of the International Pharmaceutical Privacy Consortium. He has also represented Pfizer in the negotiation and closing of numerous major business transactions. In his career at Pfizer, Mr. Colletti has also held legal positions supporting the company’s international operations and its consumer/OTC business unit, and was a member of the Corporate Governance group, where he handled corporate and SEC matters. He earned his B.A. in Economics magna cum laude and his J.D. degree from Fordham University and his M.B.A. in Finance (with a concentration in International Business) from New York University’s Stern School of Business.