Archive for the ‘Risk Management’ Category

There’s an App for That: Benefits and Risks of Using Mobile Apps for Healthcare | The Doctors Company

February 2, 2016

[The Doctors Company is a physician-owned professional liability insurer that, in my experience with my clients, does a very good job.]


With over 100,000 mobile health apps now available, physicians now have to handle an increasing amount of constant data and patient information that they did not have in the past. Mobile apps offer many benefits, but the use of these apps does not come without liability risks for doctors.

Source: There’s an App for That: Benefits and Risks of Using Mobile Apps for Healthcare | The Doctors Company

Dos and Don’ts of Deal Making in Healthcare

March 9, 2014

Last week, I presented at a webinar sponsored by the American Association of Orthopaedic Executives. The topic was “2014 Healthcare Compliance.” You can access the entire PowerPoint presentation at SlideShare.

I spoke about the dos and don’ts of healthcare deal making. The focus was on deals with physicians, but the concepts are applicable to deals involving all types of healthcare providers.  Below I summarize my Rules of Thumb for healthcare deals:

Rules of Thumb for Healthcare Deals

  • RULE #1:  Just because a proposed deal makes sense and would be appropriate in a business other than healthcare, doesn’t mean it’s legal. (Corollary —  Just because everyone is doing it, doesn’t mean it’s legal.)
  • RULE #2:  Determining the legality of a healthcare deal can be complicated, time consuming, expensive, and inconclusive.
  • RULE #3:  The risks of doing an illegal healthcare deal far outweigh the benefits.
  • RULE #4:  Get professional help early in the deal.

In subsequent posts, I will discuss steps in the deal and ways to screw up the deal.

USDOJ – NJ: Former director of diagnostic testing center admits bribing doctors in cash-for-patients scheme

October 20, 2012

In the following post, note that the dollars involved are relatively modest:

The former executive director of Orange Community MRI LLC, today admitted paying bribes to doctors since April 2008 and agreed to forfeit $89,000 in proceeds from the crime, U.S. Attorney Paul J. Fishman announced. Chirag Patel, 37, of Warren, N.J., pleaded guilty to an Information charging him with one count of soliciting and receiving illegal cash kickbacks for patient referrals in violation of the federal health care anti-kickback statute.

According to documents filed in this case and statements made in court:

On Dec. 8, 2011, Patel was arrested and charged with offering and paying cash kickbacks to a New Jersey health care practitioner in exchange for referrals to Orange Community MRI. On Dec. 13, 2011, 13 New Jersey doctors and one nurse practitioner were arrested and charged in separate Complaints with accepting similar cash kickback payments from Orange MRI. Each of the defendants was recorded taking envelopes of cash in exchange for patient referrals.

Patel is the ninth person charged in the December 2011 takedown to plead guilty. Patel is the second member of Orange Community MRI to plead guilty; Ashokkumar Babaria, the former owner and medical director of Orange Community MRI, pleaded guilty on Sept. 27, 2012.

As part of his plea agreement, Patel agreed to forfeit $89,180 that constitutes criminal proceeds of the crime. As part of his guilty plea, Ashokkumar Babaria agreed to forfeit his revenues traceable to corrupt referrals, which the government has estimated could reach as much as $2 million. The seven health care providers that referred patients to Orange MRI who have pleaded guilty thus far have collectively agreed to forfeit over $150,000 in illegal kickbacks from Orange MRI.

For an aggregation of other articles on Hot Topics in Healthcare Law, go to my magazine on – Hot Topics in Healthcare Law and Regulation and my newspaper on – Hot Topics in Healthcare Law.

For an aggregation of other articles on improving healthcare, go to my internet magazine! Changing Health for the Better.

USDOJ: Clinic Owners Plead Guilty in Detroit-Area Infusion Therapy Scheme

October 20, 2012

Two owners and operators of clinics that claimed to specialize in treating HIV and other conditions pleaded guilty today for their roles in an infusion therapy scheme carried out at two Detroit-area clinics that submitted millions of dollars in fraudulent claims to Medicare.

The guilty pleas were announced by Assistant Attorney General Lanny A. Breuer of the Department of Justice’s Criminal Division; U.S. Attorney Barbara L. McQuade of the Eastern District of Michigan; Special Agent in Charge Robert Foley III of the FBI’s Detroit Field Office; and Special Agent in Charge Lamont Pugh III of the HHS Office of Inspector General’s (HHS-OIG) Chicago Regional Office.

Raymond Arias, 40, and his wife, Emelitza Arias, 25, of Troy, Mich., each pleaded guilty, before U.S. District Judge Paul D. Borman of the Eastern District of Michigan, to one count of conspiracy to commit health care fraud. At sentencing, the defendants each face a maximum potential penalty of 10 years in prison and a $250,000 fine. Sentencing is currently scheduled for Feb. 12, 2013.

According to plea documents, Raymond Arias conceived of and oversaw fraud schemes at two clinics for which he was a beneficial owner: Elite Wellness LLC, and Carefirst Occupational & Rehabilitation Center Inc. He admitted to paying physicians to refer Medicare beneficiaries to Elite Wellness, and to purchasing Medicare beneficiary identifications for the purpose of submitting fraudulent claims to Medicare for expensive infusion therapy services that were not rendered as claimed by Carefirst.

According to court documents, Raymond Arias attempted to hide the Elite Wellness scheme from law enforcement by directing a nominee owner to assume control of the claims submitted and the bank account into which Medicare payments were deposited. After the nominee owner became involved, Raymond Arias and his alleged co-conspirators submitted approximately $10 million in claims over a 3-month period beginning in August 2010.

USDOJ: Owner and Operator of Florida Halfway House Company Sentenced to 51 Months in Prison for Role in Medicare Fraud Scheme

October 20, 2012

The owner and operator of New Way Recovery Inc., a Florida corporation that operated several halfway houses, was sentenced today to serve 51 months in prison for his role in a $205 million Medicare fraud scheme involving fraudulent claims for purported partial hospitalization program (PHP) services, announced Assistant Attorney General Lanny A. Breuer of the Justice Department’s Criminal Division; U.S. Attorney Wifredo A. Ferrer of the Southern District of Florida; Michael B. Steinbach, Acting Special Agent-in-Charge of the FBI’s Miami Field Office; and Special Agent-in-Charge Christopher B. Dennis of the HHS Office of Inspector General (HHS-OIG), Office of Investigations Miami Office.

Hassan Collins, 41, was sentenced by U.S. District Judge Kevin Michael Moore in the Southern District of Florida. In addition to his prison term, Collins was sentenced to serve three years of supervised release and ordered to pay $2,413,675 in restitution, jointly and severally with co-conspirators.

On June 14, 2012, Collins pleaded guilty to one count of conspiracy to receive and pay health care fraud kickbacks.

According to court documents, from approximately April 2004 through approximately September 2010, Collins, along with co-conspirators, received kickback payments in exchange for referring Medicare beneficiaries, who did not qualify for PHP treatment, for purported PHP services to American Therapeutic Corporation (ATC), a Florida corporation that operated several purported PHPs throughout Florida. Collins and his co-conspirators caused false and fraudulent claims to be submitted to Medicare for PHP services purportedly provided to Medicare beneficiaries at ATC’s locations, when, in fact, the services were never provided.

HHS: Hospitals ignoring requirements to report errors

July 20, 2012

Hospitals are ignoring state regulations that require them to report cases in which medical care harmed a patient, making it almost impossible for health care providers to identify and fix preventable problems, a report to be released today by the Department of Health and Human Services inspector general shows.

Researchers say the hospitals’ failure to report problems isn’t a sign of a coverup but rather the staffs’ ignorance of the regulations and what they need to report.

Hope for the future lies in electronic health records, Adler says, because “we may be able to prevent events, we may be able to ameliorate events, and (electronic records) may become your surveillance system.”

Incentives included in the 2010 federal health care law to encourage more hospitals to use electronic records may change how errors are tracked and addressed, say researchers of the inspector general’s study.

The health care system is “right on the cusp” of identifying “safety issues just as they happen,” said David Classen, a University of Utah associate professor of medicine and infectious disease.

Hot Topics in Health Care Law — Saturday July 7, 2012

July 7, 2012

Today’s edition of Hot Topics in Health Care Law is available.  This topic aggregator/newspaper contains articles that I think are on the cutting edge of health law.


Physician’s Own Use of Hydrocodone Warrants Medicare Exclusion

June 22, 2012

Health care fraud is not limited to financial misconduct.  Improper drug use can lead to exclusion from Medicare. 

In the unpublished opinion from last week reproduced below, the U.S. Court of Appeals (4th Cir.) affirmed a district court’s decision that barred a West Virginia doctor from practicing in Medicare programs for five years after the doctor diverted hydrocodone samples for his personal use. This case has limited precedential value, but physicians and other healthcare providers should be aware of how their personal conduct can have serious repercussions.

(By the way, if this were a Florida physician, he would not be allowed to renew his license in Florida by virtue of being on the excluded entities list. New thing as of 7/1/12.   The conviction, as well, could knock him out.)


Morgan v. Sebelius

       U.S. Court of Appeals, Fourth Circuit


       June 14, 2012


       May 17, 2012

BRETON LEE MORGAN, M.D., Plaintiff-Appellant, v. KATHLEEN SEBELIUS, Secretary of Department of Health and Human Services, Defendant-Appellee.

Case History and Disposition 
Appeal from the United States District Court for the Southern District of West Virginia, at Huntington, Robert C. Chambers, District Judge.        

Affirmed by unpublished per curiam opinion.

Opinion Text


Breton Lee Morgan appeals a district court order dismissing his action challenging the decision of the Secretary of the United States Department of Health and Human Services (“the Secretary”) to exclude him for five years from participating in Medicare, Medicaid, and all other federally sponsored health care programs pursuant to the applicable terms of 42 U.S.C.A. §  1320a-7(a)(3) (West 2011). Finding no error, we affirm.


Morgan is a physician licensed to practice medicine in West Virginia. In March 2007, he pled guilty to one count of violating 21 U.S.C. §  843(a)(3), which proscribes “knowingly or intentionally … acquir[ing] or obtain[ing] possession of a controlled substance by misrepresentation, fraud, forgery, deception, or subterfuge.” 21 U.S.C.A. §  843(a)(3) (West 1999). His plea was based upon several occasions in which Morgan obtained free hydrocodone samples from pharmaceutical representatives for his personal use by leading the representatives to believe that he would be giving the samples to his patients for medical purposes. As a result of the plea, Morgan was sentenced to 30 days’ imprisonment and three months of supervised release.

On May 30, 2008, the Inspector General (“I.G.”) of the Department of Health and Human Services (“HHS”) wrote Morgan, notifying him that he would be excluded for five years from participating in Medicare, Medicaid, and all other federal health-care programs pursuant to the applicable terms of 42 U.S.C.A. §  1320a-7(a)(3). This statute requires the Secretary to impose such an exclusion on “[a]ny individual or entity that has been convicted for an offense which occurred after August 21, 1996, under Federal or State law, in connection with the delivery of a health care item or service” if that offense consists of a “felony relating to fraud, theft, embezzlement, breach of fiduciary responsibility, or other financial misconduct.” 42 U.S.C.A. §  1320-7(a)(3).

Morgan appealed the I.G.’s decision in a proceeding before an Administrative Law Judge (“ALJ”) in HHS’s Departmental Appeals Board (“DAB”) Civil Remedies Division. The ALJ found that the I.G. had a sufficient basis to exclude Morgan and that the five-year term of the exclusion was not unreasonable in light of applicable law.

Morgan then appealed the ALJ’s decision to the DAB Appellate Division on April 3, 2009. In his proceeding before the Appeals Board (the “Board”), Morgan argued, as is relevant here, that to warrant an exclusion under 42 U.S.C.A. §  1320a-7(a)(3), a conviction must be for an offense that relates to financial misconduct. Morgan maintained that his fraud conviction was not related to “financial misconduct” since he neither had a corrupt motive nor received any substantial pecuniary benefit in committing the crime to which he pled guilty. The Board rejected Morgan’s argument, finding that Morgan was excludable under §  1320a-7(a)(3) because his conviction constituted “fraud” within the plain meaning of the statute regardless of whether it was related to financial misconduct. The Board additionally concluded, in any event, that his crime was related to financial misconduct insofar as he “derived some unquantifiable measure of pecuniary value by illegally diverting the controlled substances.” 

Morgan subsequently brought an action in federal district court, asserting that the Board erred in failing to recognize that §  1320a-7(a)(3) applies only to offenses relating to financial misconduct. Concluding that the statute unambiguously is not limited to offenses relating to financial misconduct, the district court dismissed Morgan’s action.


Reiterating his argument that §  1320a-7(a)(3) is limited to offenses relating to financial misconduct, Morgan argues that the district court erred in dismissing his suit. We disagree.

“We review questions of statutory construction de novo.” Orquera v. Ashcroft, 357 F.3d 413, 418 (4th Cir. 2003). Because the Secretary is charged with administering § 1320a-7(a)(3), the established rules of deference in Chevron U.S.A. Inc. v. Natural Resources Defense Council, Inc., 467 U.S. 837 (1984), guide our analysis. Under Chevron, if a statute is unambiguous regarding the question presented, the statute’s plain meaning controls. See Saintha v. Mukasey, 516 F.3d 243, 251 (4th Cir. 2008). However, “[i]f … the statute is silent or ambiguous with respect to the specific issue before us, the question for this court becomes whether the [Secretary’s] interpretation ‘is based on a permissible construction of the statute.’” Id. (quoting Chevron, 467 U.S. at 843).

Under Chevron’s first step, we “employ[] traditional tools of statutory construction” in considering whether Congress addressed “the precise question at issue.” Chevron, 467 U.S. at 842, 843 n.9. In doing so, “we begin with the text and structure of the statute.” National Elec. Mfrs. Ass’n v. United States Dep’t of Energy, 654 F.3d 496, 504 (4th Cir. 2011).

Congress required the Secretary to exclude from participation in federal health-care programs any person who has been convicted of an offense “in connection with the delivery of a health care item or service” if that “offense consist[s] of a felony relating to fraud, theft, embezzlement, breach of fiduciary responsibility, or other financial misconduct.” 42 U.S.C.A. §  1320-7(a)(3). It is undisputed that Morgan was convicted of a felony relating to fraud and connected to the delivery of health care. He nevertheless maintains that his conviction was not for “a felony relating to fraud, theft, embezzlement, breach of fiduciary responsibility, or other financial misconduct” since his offense did not relate to financial misconduct. That is incorrect.

The applicable language makes clear that to warrant mandatory exclusion, an offense need only relate to at least one of five categories: (1) fraud, (2) theft, (3) embezzlement, (4) breach of fiduciary responsibility, or (5) other financial misconduct. The argument that the presence of the fifth category, “other financial misconduct,” somehow narrows the meaning of “fraud” from its ordinary usage is unpersuasive. See Carbon Fuel Co. v. USX Corp., 100 F.3d 1124, 1133 (4th Cir. 1996) (explaining that unless there is “explicit legislative intent to the contrary,” we must give words in a statute their “plain and ordinary meaning”). Morgan maintains that if the presence of the word “other” did not have this narrowing effect, “there would be no reason to have the word ‘other’ in the statute.” Appellant’s brief at 11. But that is simply not correct. That the fifth category is “other financial misconduct” reflects the fact that the other four categories can, themselves, relate to financial misconduct. In this way, the presence of “other” eliminates the possible confusion that could have resulted from a statute that applied to “embezzlement… or financial misconduct.”

In fact, it is Morgan’s interpretation that would render much of the language surplusage. See Gustafson v. Alloyd Co., 513 U.S. 561, 574 (1995) (explaining that a court should “avoid a reading which renders some words altogether redundant”). Had Congress intended that an offense must relate to financial misconduct for the mandatory exclusion to apply, then it could have omitted the terms “fraud,” “theft,” “embezzlement,” and “breach of fiduciary responsibility” and simply required the exclusion for offenses “relating to financial misconduct.”

Furthermore, Morgan’s interpretation would not serve the statute’s purposes. See, e.g., United States Nat’l Bank of Oregon v. Independent Ins. Agents of Am., Inc., 508 U.S. 439, 455 (1993) (explaining that “[i]n expounding a statute, we must not be guided by a single sentence or member of a sentence, but look to the provisions of the whole law, and to its object and policy” (internal quotation marks omitted)). Congress enacted the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), of which 42 U.S.C. §  1320-7(a)(3) is a part, “to combat waste, fraud, and abuse in health insurance and health care delivery.” Pub. L. No. 104-191, 110 Stat. 1936, 1936 (1996). In fact, the legislative history to §  1320-7(a)(3) as it was originally enacted indicates that it was specifically intended to protect federal programs from untrustworthy individuals and to “provide a clear and strong deterrent against the commission of criminal acts.” * S. Rep. 100-109, at 5 (1987), reprinted in 1987 U.S.C.C.A.N. 682, 686. These purposes indicate that Congress was targeting fraud generally, not simply fraud relating to financial misconduct, and none of the purposes would be served by narrowing the scope of the statute as Morgan urges.



* As originally enacted, the statute made exclusion from the federal programs only optional as opposed to mandatory.



Finally, it is worth noting that the Senate Report that accompanied the statute as originally enacted described the provision as applying to “a criminal offense relating to fraud, theft, embezzlement, breach of fiduciary responsibility or financial abuse.” S. Rep. No. 100-109, at 6 (1987), reprinted in 1987 U.S.C.C.A.N. 682, 687; see National Elec. Mfrs. Ass’n, 654 F.3d at 504-05 (“[W]e have described legislative history as one of the traditional tools of interpretation to be consulted at Chevron’s step one.”). Considering that the word “other” did not even appear in the description, there was no suggestion that Congress intended that “fraud” would have anything other than its ordinary meaning.

For all of these reasons, we hold that regardless of whether the district court correctly concluded that the statute unambiguously does not require that any fraud relate to financial misconduct in order to warrant the mandatory five-year exclusion, the Secretary’s construction was, at the very least, a permissible one to which we must defer.


Finding no error, we affirm the district court’s dismissal of Morgan’s case.


Organization or Development of RHIO or HIN for Risk Managers

October 18, 2011

My colleagues, Steve Prom (Jacksonville) and Betsy Hodge (Tampa), healthcare attorneys at Akerman, have recently written an article for FHA on the “Organization or Development of RHIO or HIN for Risk Managers.”   Their bios are at the end of this post.   They have graciously allowed me to use their article here.   The subject matter is very timely.


So, you’re a Risk Manager and your organization is getting involved in the organization or development of a Regional Health Information Organization (“RHIO”) or a Health Information Network (“HIN”). Many hospitals, health agencies, physicians and other health care providers are scurrying about in efforts to cobble together functioning, sustainable electronic health information networks that will permit health care providers and planners to use patient health information in a meaningful way. This article is not intended to be a primer on how to accomplish that. In fact, the authors are not aware of any groups that have claimed to have been wholly successful in their efforts. This article is an effort to inform the reader, in a meaningful way, regarding some risks that will be associated with organizing a RHIO or HIN and how to deal with them.  For simplicity, the authors elected to use the term “HIN” to refer to either a RHIO, HIN, or both.

Step 1: Identify the Risks

Other than possible inaccuracies contained in an electronic medical record that is accessible in a HIN, the biggest risk that HIN participants will face is that of unauthorized disclosure.  Unauthorized disclosures can be accidental, intentional or the result of “fishing” by nosey “journalists,” fans, paparazzi or, even more likely, inquisitive persons who have access to the records and may be seeking to share or leak information for pleasure or bounty, but are not authorized by the patient to do so.  “Fishing” can also be the result of well-meaning administrators associated with a participant or host entity who accesses patient information without the patient’s authorization or consent, and is not using the information for purposes of diagnosis, treatment, health planning, or billing/collection.

Step 2: Identify the Participants

Participants in a HIN may include all or a subset of a universe of interested health care providers, including hospitals, physicians, local health agencies, not for profit health clinics, behavioral health providers, and homeless shelters. From a practical standpoint, the initial participants will likely either be necessary or helpful. For example, they offer expertise in HIT experience, funding, leadership, community profile, legal, HIPAA, etc. The authors’ experience reflects that hospitals, a local health department and one or more clinics that would benefit from HIN use and data analysis will likely be initial organizers/participants, although larger physician groups, networks and hospital-based or affiliated groups are natural fits, as well. Since most HINs are developed in stages, good planning will probably identify not only the prospective participants, but also their strengths, readiness and at what stage they are likely to join the HIN.

Step 3: Identify the Laws/Sanctions

A Florida patient’s rights to privacy and confidentiality with respect to his or her medical records are protected under both Florida and Federal laws. Under Florida law, a patient has a right to privacy that is protected by the Florida constitution, as well as Florida statutes. Patient medical records are to be kept confidential absent patient consent.  Additionally, patient medical records relating to substance abuse, mental health and certain diseases, such as HIV/AIDS, are afforded “super confidentiality,” which means that specific consent to disclosure must be in writing and can be withdrawn at any time, subject to limited exceptions.  Florida also has a breach notification law which requires persons who cause or learn of an unauthorized disclosure of unencrypted confidential patient records to notify the patient, take steps to lessen the damage, etc.  This can be very expensive when, for example, the “breach” is the loss or theft of a computer server that may have tens, or hundreds of thousands, or millions of patients’ records. 

In addition to Florida law protections, patient health information in both paper and electronic format is protected under the federal HIPAA and HITECH laws. Also, Florida and federal laws prohibit the unauthorized disclosure of “super confidential” patient information related to substance abuse, mental health and certain diseases, such as HIV/AIDS. Of course, the key to risk management is to document and preserve patient authorization and consent to the disclosure or redisclosure of PHI and super confidential PHI.

Step 4: Identify Prevention Mechanisms

A HIN is only as good as its weakest link.  It is critical that the HIN carefully select who will participate in the network and that all participants understand from the beginning what is expected of them.

Establish credentialing criteria for participants focused on their adherence to “best practices” with respect to maintaining the privacy and security of patient information. All participants should sign an agreement that, among other things, obligates participants to adhere to privacy and security “best practices.” Interim Final Rule on Breach Notification for Unsecured Protected Health Information published August 24, 2009 at 74 Federal Register 42740, references many of the NIST guides related to protected health information. The “meaningful use” requirements also mandate certain IT capabilities to protect patient information. Best practices that HIN participants should agree to adhere to include individual user IDs and passwords, sufficiently strong passwords (use of upper and lower case, numbers and symbols), work stations timing out after a specified period, and use of security audits to detect unauthorized access to patient information. The participant agreement should also address what steps will be taken and by whom if a HIN participant or one of its employees is found to have engaged in unauthorized access or disclosure of patient information.

Additionally, HIN participants should carefully select the vendor(s) who will be providing the infrastructure.  Asking for references and actually following up with those references can provide a wealth of information about the capabilities of prospective vendors, both from a technological and a customer service perspective.  Also, it is important to have any contract with IT vendors reviewed by lawyers knowledgeable in that area especially since vendors will try to provide as few warranties and as many disclaimers as possible concerning their IT systems.

There must be a HIPAA and HITECH compliant Business Associate Agreement (BAA) with all covered entities participating in the HIN.

The HIN should have legal counsel involved in creating these “prevention mechanisms.”  At the same time, each participant should have its own counsel review documents the HIN is requiring participants to sign.  Participants need to identify in the beginning if they will be able to comply with their obligations to the HIN and identify any gaps and determine how to correct them.

Step 5: Identify Post Event Mop Up

Regardless of efforts to prevent risk occurrence, there will be adverse “events.”  The time to plan your response to those events is before they occur. 

The HIN should develop policies and procedures (“P & Ps”) that describe what should happen when an “adverse event” occurs.  These policies and procedures should include encouraging participants to timely report to the HIN if they discover an adverse event.   As with your facilities’ internal policies and P & Ps, the HIN procedures should specify who will be the central contact person when an adverse event is discovered.  There may be more than one such person depending on the type of adverse event.  The P & Ps should also specify how the event and the response to event will be documented.

The HIN should review with legal counsel the various federal and state laws governing data breaches in developing P & Ps for responding to an event.  For example, both the federal HITECH Act and Florida’s data breach law specify steps to take in the event of a data breach.

Identify the “team” that will help respond to data breach before one occurs.  Prepare a short list of, or better yet, retain, computer forensic firms, public relation firms, outside legal counsel, and firms that provide credit monitoring in advance of an event so there can be a prompt response.

Of course, all HIN participants must be educated on these policies and procedures.

Step 6: Identify Potential Damage Claims/Fines

It is important for the HIN and the participants to identify the cost of the worst-case scenario and the most-likely scenario.  Both HIPAA and HITECH  provide for fines for improper use and disclosure of protected health information.  If there is a data breach, as defined under the HITECH Act, the entity that suffered the breach must provide notice to all who are potentially affected.  HIPAA requires that the covered entity mitigate harm to those affected by a breach.  Mitigation can include offering credit monitoring and setting up call centers to address questions, which can be expensive.  The Florida data breach law requires that an entity that conducts business in Florida notify all of those who are affected by data breach.

In addition to fines that may be imposed by Florida and the federal government, there is the cost of responding to the breach.  This may take a lot of staff time and may also require the use of outside vendors such as computer forensic specialists and outside legal counsel.  If the breach is of sufficient size, the entity may need to disclose through a media outlet and disclose to HHS (which will then publish the breach on its website.)  The cost of hiring a public relations firm to deal with the bad publicity should be considered.  As mentioned above, it may be prudent to set up a call center and provide credit monitoring to those affected by the breach.

Also, consider the potential cost of having the federal government impose a Corrective Action Plan under HIPAA.  Often, the fine is dwarfed by the costs of complying with the plan, including hiring an outside monitor, cost of updating policies and procedures regarding privacy of protected health information, training employees on the policies, and preparing various reports required under the plan.

Step 7:  Identify How to Defend/Pay Damages

Both the HIN and its participants must decide how to insure against potential claims or losses related to participation in the HIN.  One option is to obtain commercial insurance, if it is available.  Another option is to self-insure.  The HIN may also want to consider contracting responsibility for loss to its vendor.  HIN participants should check with their current liability carrier to see whether the policy will cover losses related to participation in a HIN.

The HIN needs to review what damages or costs insurance will pay.  Often insurance will not cover fines.  Insurance will not cover punitive damages.  The HIN and participants need to determine how each will pay any amounts not covered by insurance.  Another issue to consider is whether there will be any indemnification between the HIN and participants, depending on who caused the adverse event.  This should be addressed in the participation agreement.


The organization and operation of HINs presents both opportunities and challenges to the organizers and subsequent participants.  Success and sustainability will in large part depend on organizers and participant HIT and legal counsel to understand, appreciate and address the legal risks and to set up appropriate mechanisms to prevent or minimize the adverse consequences to the patients, providers and participating organizations’ future ability to achieve their missions.


About the Authors

Stephen G. Prom, Esq.
Stephen Prom  has over 30 years of multidisciplinary legal experience in the areas of corporate, business and tax, with a high concentration in the healthcare industry. His experience includes the representation of institutional, group and individual providers in connection with electronic medical records and networks. He is a shareholder in Akerman’s Jacksonville, Florida office.

Elizabeth F. Hodge, Esq.
Elizabeth Hodge has more than ten years of experience representing hospitals, physicians, and other healthcare providers in contract matters, medical record issues and general healthcare litigation, principally civil and administrative trial matters. She is Of Counsel in Akerman’s Tampa, Florida office.
