AETNA decided it would require HIV patients to obtain their medications by mail. AETNA insureds objected for a number of reasons, including that the policy would compromise their privacy because HIV medications are delivered in special refrigerated packages. The insureds sued, and AETNA agreed to a settlement allowing them to continue obtaining their prescriptions at local pharmacies. In essence, AETNA rescinded its new policy.
AETNA hired Kurtzman Carson Consultants (“KCC”) to send out the settlement notifications.
At this point, it went from a silly policy proposed by AETNA to an out-and-out disaster. The notifications KCC sent out were in window envelopes which, at least in some cases, allowed anyone to read language indicating the recipient was on HIV medications. So the original suit, filed to stop AETNA from inadvertently disclosing HIV statuses by requiring mailed prescriptions that would alert many to the nature of the medications, resulted in approximately 12,000 AETNA insureds being sent envelopes that could disclose their HIV medication status.
AETNA paid over $18 million in settlements and fines to resolve the PHI disclosure matter.
AETNA then blamed KCC for the disclosing notifications and asked the Court to order KCC to pay the over $18 million in fines and other costs AETNA had incurred. KCC fired back, saying AETNA and its law firm, Gibson Dunn, saw the form of the notifications and knew that window envelopes would be used. KCC also accuses AETNA and Gibson Dunn of revealing PHI, oversharing PHI and other potential HIPAA violations. A classic example of "you just can't make this stuff up."
Fresenius Medical operates over 2,000 dialysis clinics, outpatient cardiac, vascular labs and urgent care centers. Fresenius has agreed to pay a $3.5 million settlement to OCR for a series of breaches in 2012. The interesting thing about this settlement is that the breaches, at 5 Fresenius locations, resulted in only 521 patients' data potentially being exposed. The exposure read almost like a comedy: desktop computers stolen, USB drives stolen, hard drives missing from desktops, theft of 3 other desktop computers and, my favorite, an apparent decision by a Fresenius employee to leave her unencrypted laptop in her car "where it was stored in a bag with a list of passwords." With one exception, all of the computers were unencrypted. The worst appears to be the determination by ONC that Fresenius never performed a proper risk analysis or implemented any policies for facility security, computer data security or encryption. The settlement requires Fresenius to actually start following the HIPAA and HITECH security and privacy rules and to do what it should have done years ago with regard to facility access, computer security and encryption. Fresenius gets to pay all the costs of demonstrating compliance, plus $3.5 million, and spend a number of years under special scrutiny by HHS. The settlement works out to approximately $6,700.00 per patient whose data was exposed.
This settlement, however, raises the age-old question: did Fresenius save money by not complying with HIPAA for years, avoiding the associated costs of compliance, in return for a $3.5 million payment in 2018? Unfortunately, the settlement agreement does not provide enough information to determine whether a company with 2,200 locations saved enough from years of noncompliance across those many locations to more than fund the settlement.
I Always Wondered
AETNA made it back in the news with the announcement of a deposition in which a former AETNA medical director admitted he never looked at patient records when deciding to approve or deny care for AETNA insureds. The deposition revealed that, apparently, nurses make the decisions to allow or deny care at AETNA. Curiously, the Medical Director apparently did not find one case during his years at AETNA where he believed he, as an MD, should review the medical records to determine whether the nurse's determination was correct.
It appears from news reports that even when an insured appealed an AETNA denial of care, still no physician reviewed the medical records in connection with the appeal.
Many physicians and their patients have often wondered at insurers' sometimes seemingly arbitrary denials of claims and treatment authorizations. The fact that AETNA's Medical Director, over several years, never looked at any patient records would seem to raise not only significant questions about AETNA and its policies, but also the need for an independent board or agency to review insurers' authorizations and denials.
This newsletter is edited by Paul Wallace of Jones • Wallace, LLC, a member of the American Bar Association Healthcare Law Section and the American Health Lawyers Association who has been representing physicians and healthcare practices for over 25 years. Mr. Wallace assists physicians, practices and hospitals in contract items, federal legal compliance, practice entity creation, estate and wealth planning and similar issues. Please feel free to call if you have any questions on this newsletter or legal matters at (812) 402-1600 or firstname.lastname@example.org.