Healthcare Law News - Volume 127
Over the last decades the Indiana Attorney General’s Office has had, at best, a spotty record in actually making recoveries for Indiana consumers and residents.
Earlier this month, the Indiana Attorney General participated in securing a $5+ Million settlement from two dental firms accused of improperly billing Indiana Medicaid for underperformed or unnecessary dental services. The claims were against ImmediaDent of Indiana, LLC and Samson Dental Partners, LLC, a company related to ImmediaDent.
The settlement resulted from a 2013 Qui Tam complaint and represents at least one small step for the Attorney General’s Office in protecting Indiana residents from corporate level fraud.
Even more surprising than the recovery discussed above, Indiana through its Attorney General has now sued Purdue Pharma for damages alleged to have arisen from Purdue Pharma policies and law violations related to Oxycontin. Indiana alleges that more than $200 Million has been spent on opiod prescriptions and for significant costs incurred by the State of Indiana.
We have not seen a copy of the suit itself but Indiana follows other states who have sued Purdue Pharma for its vigorous marketing of opiods and its sales of opiods at levels that clearly were not justifiable by the defined opiod treatment market.
It will be interesting to watch Purdue Pharma’s response and its choice whether to go to trial in this matter or try to settle the allegations.
Previously Purdue Pharma had floated the concept of a global settlement to try to avoid further state investigations and further state lawsuits. Certainly Indiana’s Attorney General did not appear to be convinced that Purdue Pharma was likely to settle in a manner advantageous to the Indiana Attorney General or the citizens of Indiana.
$4.3 Million HIPAA Penalty
Earlier this year, HHS by an Administrative Law Judge imposed over $4.3 Million in civil monetary penalties against the University of Texas MD Anderson Cancer Center. This substantial penalty stems from three separate HIPAA incidents including the theft of an unencrypted laptop computer from an MD Anderson employee resident, a loss the same year of an unencrypted thumb drive on an MD Anderson shuttle bus and the 2013 loss of an unencrypted thumb drive by a visiting researcher. These three incidents created a potential breach relating to approximately 30,000 patients.
How does a reasonably respected institution’s HIPAA breaches which affect a relatively small group (compared to Anthem and similar breaches) result in such a large penalty?
The most technically interesting part of the ALJ’s decision in this matter and the history of the case is that in 2006, MD Anderson conducted a risk assessment and itself determined that encryption of electronic devices that store EPHI was reasonable, appropriate and necessary throughout the enterprise. The fact that MD Anderson failed to implement its policy until as late as 2013, may have helped justify the relatively large penalty. While encryption itself may not always be necessary, this decision and penalty seem to indicate that once an enterprise determines that encryption is needed, it needs to make a rapid progression towards encryption.
Note also in this case, the devices that were involved in the three incidents were all portable devices, a laptop and two thumb drives. This would also imply there is a greater obligation to encrypt data on mobile or portable devices.
Combined with the basic safe harbor under HIPAA regulations for encrypted data, it is hard to understand how any medical provider that places patient information on any portable or transportable device can do so without encryption of that data.
In Oklahoma, a jury awarded over $25 Million to the family of a cancer patient who was denied treatment by Aetna. The case arose from a 2014 denial of coverage for a patient who had stage 4 nasopharyngeal cancer near her brain stem. Her doctors proposed proton beam therapy which they believe would have the maximum effectiveness with minimum side effects. Aetna denied the coverage request and called the therapy proposed by her doctors “investigational and experimental.” The patient died in 2015 and the lawsuit was a result of the patient and her husband filing suit for a bad faith denial of the claim and therapy. Apparently the jury was not impressed by the way Aetna defended the case and its three medical directors who denied coverage. In testimony in the case, it was determined the three medical directors spent more time preparing for the lawsuit than they did investigating or reviewing the patient’s request for the proton beam therapy. The jury indicated they believe Aetna acted recklessly and intended to send a message to Aetna to change the way it reviews such claims and requests for treatment.
CMS had recently pulled back on some mandatory cardiac bundling payment models. However, CMS recently has floated the idea of mandatory episode-based payment models including some in cardiac care and radiation oncology. It appears cancer care will be CMS’s first mandatory bundle. CMS Secretary Azar believes that bundle payments allow providers to receive financial rewards from patient health as opposed to being financially rewarded for patient illness.
This newsletter is edited by Paul Wallace of Jones ∙ Wallace, LLC, a member of the American Bar Association Healthcare Law Section and the American Health Lawyers Association who has been representing physicians and healthcare practices for over 25 years. Mr. Wallace assists physicians in health practices in contract items, federal legal compliance, creation of practice entities, estate and wealth planning and similar issues. Please feel free to call if you have any questions on this newsletter or legal matters at (812) 402-1600 or firstname.lastname@example.org.