The Pennsylvania Commonwealth Court, on remand from the Pennsylvania Supreme Court, has again decided that the previously agreed termination date of the access provisions contained in the UPMC/Highmark Consent Decrees, i.e. June 30, 2019, is not a term subject to the modification provisions of those Consent Decrees, and is definite. The adjudication of the Commonwealth Court, attached hereto, discusses the history of the negotiation of the terms, especially the termination date, and confirms the Consent Decrees will expire on June 30, 2019.
Today the U.S. Department of Health and Human Services, Office for Civil Rights (“HHS”) announced a $3,000,000 settlement for a disclosure of patient protected health information (“PHI”) via an FTP server.
In 2014, HHS received an email tip that the social security numbers of Touchstone Medical Imaging (“Touchstone”) patients were accessible online via an insecure file transfer protocol (“FTP”) web server. HHS confirmed that this information was accessible via a simple Google search.
Both the FBI and HHS notified Touchstone of the breach, which included the name, date of birth, phone number, and address and, in some cases, social security number of over 300,000 individuals. Touchstone failed to investigate the issue until several months later.
HHS found that:
1) Touchstone impermissibly disclosed the PHI of over 300,000 individuals through its insecure FTP server.
2) Touchstone failed to have technical policies and procedures to restrict who could access the information through the server.
3) Touchstone failed to have a written business associate agreement with a business associate.
4) Touchstone continued to engage another business associate without having a business associate agreement in place.
5) Touchstone failed to thoroughly and accurately assess potential risks and vulnerabilities of electronic PHI that it held.
6) Touchstone waited well over four months to respond to the incident.
7) Touchstone failed to notify affected individuals of the breach until 147 days after it was notified of the breach.
8) Touchstone failed to notify media outlets of the breach until 147 days after it was notified of the breach.
To settle the matter, Touchstone has agreed to pay HHS $3,000,000 and enter into a Corrective Action Plan.
If your office would like guidance on how it can prevent HIPAA violations from occurring, please contact our firm.
Danielle Dietrich is a healthcare and litigation attorney in Tucker Arensberg’s Long Term Care Practice Group. She is licensed to practice law in Pennsylvania, Ohio and West Virginia. Danielle can be reached via email: firstname.lastname@example.org, telephone: 412-594-5605 or on Twitter at @DLDietrich.
Tucker Arensberg, P.C. is pleased to announce that Michael A. Cassidy has been honored as one of only seven healthcare lawyers in the nation to be selected in 2019 as a Fellow of the American Health Lawyers Association (“AHLA”). Only a fraction of 1% of AHLA’s nearly 14,000 members are selected for fellowship annually. This honor recognizes Fellows’ career-long achievements, their contributions and tenure with AHLA, and their continuing service and leadership in the legal profession. Fellows include past AHLA presidents, former members of the Board of Directors, former members of practice group and program planning committees, and others who have been very active within the association.
Mike is Chair of the Business and Finance Department and focuses his practice on compliance, credentialing and peer review, reimbursement, contracts, HIT, HIPAA and telehealth issues for physicians. Mike is also the publisher of the Med Law Blog https://www.medlawblog.com, the firm’s health law blog, and has been certified in Healthcare Compliance (CHC) by the Health Care Compliance Association (HCCA).
Mike received his Juris Doctor from the University of Pittsburgh School of Law and his undergraduate degree from Brown University.
On April 4, 2019, CMS issued the final Medicare Advantage Rule for calendar year 2020, announcing it will allow Medicare Advantage carriers to significantly increase the range of telehealth services beyond traditional Medicare Part B covered services, stipulating only that, if a service is to be covered as a telehealth service, it must also be covered as an in-person service.
The Patient Test Result Information Act was effective December 23, 2018.
The Act requires entities performing diagnostic imaging services, defined to include any medical imaging test intended to diagnose the presence or absence of a disease, to provide notice of the results to patients. The operative language states:
“When, in the judgment of the entity performing a diagnostic imaging service, a significant abnormality may exist, the entity performing the diagnostic imaging service shall directly notify the patient or the patient’s designee by providing notice that the entity has completed a review of the test performed on the patient and has sent results to the healthcare practitioner who ordered the diagnostic imaging service”.
The notice to the patient shall include:
· The name of the ordering healthcare practitioner
· The date the test was performed
· The date the results were sent to the ordering healthcare practitioner
The notice must also contain a statement to the patient that the patient is receiving the notice as a result of a determination by the diagnostic imaging services that further discussions of the test are warranted and would be beneficial. In other words, you must make sure the patient knows that the test is significant and that their doctor has it.
The Act exempts reports regarding routine obstetric ultrasounds used to monitor the development of a fetus and imaging services performed on a patient being treated as an inpatient or in an emergency room.
The Act also exempts diagnostic radiographs, which are defined as the digital images, so the notice need not include the actual image.
The Pennsylvania Department of Health has provided a one year grace period in order for diagnostic imaging entities to become accustomed to their obligations. Click the links to read that letter dated December 14, 2018 and the Act.
Although there have been a number of issues raised by the Pennsylvania Attorney General in the UPMC/Highmark situation, including UPMC’s status as a charitable institution, the primary issue in the Attorney General’s lawsuit was a request to extend the June 30, 2019 termination date for the UPMC-Highmark Consent Decrees. The Commonwealth Court declined to extend the term of the Consent Decree. Click here to read the opinion.
Below is a summary of the UPMC-Highmark dispute as of March 4, 2019. This information is limited to litigation proceedings with no discussion about prior contracts or negotiations.
1. March 2011 – UPMC announces it will not renew UPMC-Highmark contract due to expire December 31, 2012.
2. May 1, 2012 – Parties enter into mediated agreement which states that parties (UPMC and Highmark) will allow in-network access for all commercial, Medicare and Medicare Advantage members through December 31, 2014, and:
· Parties would negotiate rates for access beginning in 2015 for Western Psych, oncology, UPMC Bedford and UPMC Northwest.
· UPMC Children’s and Mercy agreements would remain in effect.
3. April 23, 2013 – Pennsylvania Insurance Department approves Highmark – West Penn Allegheny Health System affiliation.
4. June 12, 2013 – UPMC resolves to forego any extension of the existing commercial contracts, excluding Children’s, Mercy, Northwest and Western Psych as a result of the affiliation.
5. June 27, 2014 – Pennsylvania Departments of Health and Insurance intervene in the dispute and broker the Consent Decrees. EXHIBIT A
6. October 30, 2014 – Commonwealth Departments of Health and Insurance seek to hold Highmark in contempt of Consent Decrees for marketing a Community Blue program that excluded UPMC participation. Judge Pellegrini of Commonwealth Court denied the Commonwealth’s Petition. EXHIBIT B
7. November 30, 2015 – Pennsylvania Supreme Court rules that Highmark Medicare Advantage members should be treated by UPMC through June 30, 2019. EXHIBIT C
8. February 7, 2019 – Pennsylvania Attorney General Josh Shapiro petitions Commonwealth Court to modify the 2014 Consent Decree, alleging: EXHIBIT D
· The necessity to enforce compliance with charitable obligations
· Violation of the Solicitation of Funds for Charitable Purposes Act
· Breach of Fiduciary Duty
· Violation of Uniform Trade Practices and Consumer Protection Law
9. February 21, 2019 – UPMC files federal class action complaint in the United States District Court for the Middle District of Pennsylvania, alleging: EXHIBIT E
· Preemption by federal law
· Violation of Accountable Care Act (ACA)
· Violation of ERISA
· Antitrust violation of the Sherman Act
· Illegal takings in violation of the “Taking Clause of the Fifth Amendment” to the U.S. Constitution
· Violation of federal Equal Protection
· Violation of Due Process
10. February 21, 2019 – UPMC also filed a Motion for a Preliminary Injunction in the U.S. District Court for the Middle District of Pennsylvania, in conjunction with the above Complaint, against the Attorney General. EXHIBIT F
11. February 21, 2019 – UPMC has also filed a Motion to Dismiss the Attorney General’s Petition to Modify the Consent Decree. EXHIBIT G