Rapid Fire

Rapid Fire: Affordable Care Act and HIPAA – Are You In Compliance? Erik P. Crep (Wicker, Smith, O’Hara, McCoy & Ford, P.A., Miami, Florida) and Stuart T. O’Neal (Burns White, Philadelphia, Pennsylvania)


Transcript of Rapid Fire

Page 1: Rapid Fire

Rapid Fire: Affordable Care Act and HIPAA – Are You In Compliance?

Erik P. Crep, Wicker, Smith, O’Hara, McCoy & Ford, P.A., Miami, Florida
Stuart T. O’Neal, Burns White, Philadelphia, Pennsylvania

Page 2: Rapid Fire

New Approaches to Attacking Damages: Affordable Care Act

Page 3: Rapid Fire

What is ACA?

• Adopted by Congress on March 23, 2010
• Held constitutional by U.S. Supreme Court in National Federations of Independent Business v. Sebelius, 132 S.Ct. 2566 (2012)
• Provides that all persons in the U.S. be afforded health insurance, regardless of their health or financial situation
• Act contains 5 essential components designed to improve access to health care and health care insurance benefits:

1. The individual mandate
2. Minimum essential benefits
3. Guaranteed issue requirement
4. The employer mandate
5. Tax credits and subsidies

Page 4: Rapid Fire

Individual Mandate

• Requires every applicable individual to obtain minimum coverage or pay a penalty. 26 USC § 500 A(a) – (e).
• Supreme Court upheld the law, calling it a tax (but the challenges continue)
• Therefore, argument is that it is not a collateral source because it is a tax
• Limitations on deductibles by federal law. In 2014 that maximum amount is $6,350.00 for individuals, $12,700 for families. 26 USC § 1302(b)
• Plaintiffs have a duty to mitigate their damages
• Duty to mitigate combined with the individual mandate means the Plaintiff by law must buy insurance and by case law has a duty to mitigate damages.
• Defense argument is that the Defendant can pay for the health insurance to allow the Plaintiff to:
  A. Comply with the law
  B. Get insurance
  C. Get insurance with a limitation per year of $6,350.00.
  D. Pre-existing conditions are covered – no policy exclusions
• Defense argument is to be liable for the out of pocket deductible, the annual premium and any increase in the premium and co-payments.

Page 5: Rapid Fire

Essential Health Coverage

All qualified plans are required to provide minimum essential coverage and must include (26 USC § 1302(b)):

• Ambulatory patient services
• Emergency Room
• Hospitalization
• Maternity and Newborn Care
• Mental Health and Substance Abuse
• Prescription Drugs
• Lab Services
• Preventable Wellness Care and Chronic Disease Management
• Pediatric Services

Page 6: Rapid Fire

Guaranteed Issue Requirement

• Under Act – no pre-existing exclusion
• No lifetime caps
• Can be limitations but depends on plan selected. In Florida we have:
  Catastrophic Florida Blue
  Platinum 90% of actuarial level
  Gold 80% of actuarial level
  Silver 70% of actuarial level
  Bronze 60% of actuarial level
• Each State offers a blend of services, goods and coverage depending on the premium cost.
• Physical therapy, occupational therapy and speech and rehab are examples of covered services.
• Must check each State’s exchange for delineated services covered.
• Cheaper to buy insurance, calculate the out of pocket maximum and increase in premium than to pay for life care plan.

Page 7: Rapid Fire

Collateral Source Rule

• Traditional application to prohibit reference to “collateral sources” such as Insurance, Medicare and Medicaid
• This Rule is the biggest obstacle to reducing damages for future medical costs for private health insurance
• Challenges to Collateral Source Rule Application under ACA:

1. Future payments have to be “reasonable and necessary.” Introduction goes to “reasonableness” and refutes life care plan/economic estimates.
2. Individual mandate premised on a tax via Supreme Court
3. ACA will apply to future payments – not past amounts.
4. Any award will enable Plaintiff to purchase health insurance which is “affordable”.

Page 8: Rapid Fire

Collateral Source Rule continued

General Justification for No Offset vs. ACA

• Enforced principle that tortfeasor pays for the consequences of their actions
• Tortfeasors should not receive windfall of less or no damages based on benefits paid by a 3rd party
• In the past, courts were reluctant to “reward” tortfeasors because of plaintiff’s foresight to purchase insurance – this foresight has been replaced with legal obligation to obtain insurance

Page 9: Rapid Fire

Mitigation of Damages

• Plaintiff not entitled to recover damages for harm that he/she could have avoided by use of reasonable effort or expense
• Precludes recovery of unreasonably excessive expenses incurred in response to a tort
• All plaintiffs must take reasonable measures/effort to minimize damages

Page 10: Rapid Fire

Expert Witnesses for the Defense

• Need experts on available plans and services implemented by each State and available to patient
• Need expert to opine on the annual increase of the premium and the set out of pocket maximum
• Attach plaintiff’s life care plan with this alternative and demonstrate many services are provided by insurance
• Experts to consider:
  Economist
  Insurance person
  Life expectancy expert
• Experts to explain the benefits of the ACA to the Plaintiff

Page 11: Rapid Fire

Billed vs. Negotiated Insurance Rate

Large difference between what is billed vs. what insurance carriers actually pay

As much as 8-10 x’s higher

Prior to ACA, less than 5% of patients paid a provider’s “billed” rates.

Page 12: Rapid Fire

“Attack” on Defense

• Define damages, assessment of future medical damages.
• Defendants must ensure Plaintiffs establish future damages (burden of proof)
• Future damages need be reasonably certain to be sustained or occur in the future
• Future medical costs are “medically reasonable and necessary”
• Damages to compensate the patient or “make them whole” – not to punish the defendant

Page 13: Rapid Fire

Cases: The Good, the Bad and the Ugly

Page 14: Rapid Fire

Good Cases

Page 15: Rapid Fire

Bad/Ugly Cases

Leung v. Verdugo Hills Hospital, 2013 WL 221654 (CA. Ct. App. 2013)

• Med. Mal case with future medical expenses
• Hospital argued on appeal that it should have been permitted to introduce evidence of Plaintiff health insurance to rebut plaintiff’s future medical expenses in part due to ACA, “the availability of such federally mandated available insurance options makes the prospect of future health insurance coverage for plaintiff anything but speculative”
• Court NOT persuaded, holding “such evidence, standing alone, is irrelevant to prove reasonably certain insurance coverage … because it has no tendency in reason to prove that specific items of future care and treatment will be covered, the amount that coverage, or the duration of that coverage.”

Page 16: Rapid Fire

Defense Counter to Leung v. Verdugo Hills Hospital, 2013 WL 221654 (CA. Ct. App. 2013)

• Leung court failed to take into account ACA’s minimum coverage requirements
• Under ACA, all plans will be required to meet certain minimum coverage standard
• While there will be future variations above the minimum, all plan policies will maintain a certain required baseline
• Jury should be able to consider an attack on life care plan that fails to take into account ACA’s minimum coverage

Page 17: Rapid Fire

Halsne v. Avera Health, 2014 WL 1153504 (D. Minn. 2014)

Issue: whether plaintiff’s future medical expense damage should be limited to projected payments of premiums and deductibles under ACA

Under Minn. collateral source doctrine, plaintiff can recover full damage regardless of whether plaintiff can recover some or all of his damages from a collateral source of payment, such as insurance

District Court held that any benefits received through the ACA do not provide a basis for reducing the potential award to plaintiff

Page 18: Rapid Fire

Issue: Each State’s Collateral Source Doctrine --- ex. FLORIDA

• No known case discussing ACA in Florida
• However, collateral source/Medicare cases shed light

State Farm v. Joerg, 2013 WL 3107207 (Fla. 2d DCA 2013)

• Earned (paid) vs. unearned (free) benefits
• While it is true that the introduction of potential future Medicare benefits may be speculative to an injured plaintiff, Florida Supreme Court rejected this point.

• Holding: admission of evidence of disabled person’s receipt of medical services under Medicare program in determining future damages would not violate common law collateral source rule

Page 19: Rapid Fire

State Farm v. Joerg, 2013 WL 3107207 (Fla. 2d DCA 2013) continued …

The availability of services under the [Medicare] program (including the risk of unavailability), as well as the costs and quality of such services, are relevant to the determination of the amount of future damages and relevant to assist jury in determining the reasonable cost of the plaintiff’s future care. The jury remains free to find that the publicly available services do not meet the plaintiff’s future needs.

Page 20: Rapid Fire

ACA Conclusion

• Argue Mitigation, collateral sources and discovery of cost of care
• Retain experts
• Need to do more than just point to ACA – this strategy has already been rejected
• Use ACA at mediation. Show which services/care are covered by ACA.
• Evidence should show that future insurance coverage is reasonably certain
• Link covered services with items/costs listed in plaintiff’s life care plan
• Present reasonable basis that plaintiff reasonably certain to have coverage
• Present grounds to establish with reasonable certainty the time period the ACA coverage will exist

Page 21: Rapid Fire

HIPAA – Are You in Compliance

Page 22: Rapid Fire

HIPAA – What is it?

• Sets standards for confidentiality and privacy of individually identifiable health information
• Applies to Covered Entities:
  Health plans
  Health care clearinghouses
  Health care providers that transmit health information electronically

Page 23: Rapid Fire

Protected Health Information “PHI” is health information from an individual that is created by:

• Health care providers and clearinghouses
• Health plans
• Public health authorities
• Employers
• Life insurers
• Schools or universities

Page 24: Rapid Fire

The Security Rule

• Applies only to PHI that is transmitted or maintained electronically
• Requires administrative, physical and technical safeguards to ensure confidentiality, integrity and security of PHI

The Privacy Rule

• Applies to PHI that is transmitted electronically, verbally or in written form
• Requires safeguards to protect the privacy of PHI and set limits and conditions on the use and disclosure made without patient authorization
• Can’t leave voicemail with patient’s family
• Can’t discuss patient condition in waiting room
• Computers of physician office visible to other patients in waiting room

Page 25: Rapid Fire

Allowed Disclosures

Covered entities are permitted to disclose PHI without authorizations for the purposes of:

• Treatment: management of healthcare
• Payment: reimbursement and benefits
• Healthcare Operations: medical reviews, contracts, compliance, business planning, financial, and legal activities

(45 CFR 164.501)

Page 26: Rapid Fire

States and HIPAA

• HIPAA is a federal floor for patient protections and industry standards; each individual state maintains the ability to enforce laws which exceed those federal boundaries.
• HIPAA requires the states to self-determine:
  Which agencies meet the federal definition of a covered entity
  Whether those entities are governed by state law, HIPAA, or other federal privacy laws.

Page 27: Rapid Fire

MYTH: HIPAA does NOT apply to attorneys and law firms

Page 28: Rapid Fire

FACT: All attorneys who work with PHI must comply with HIPAA and HITECH rules and must ensure that their subcontractors comply as well

(45 CFR 160.102)

Page 29: Rapid Fire

Attorneys Representing Covered Entities

• Attorneys are responsible for ensuring that others hired to assist in providing legal services to the covered entity will also safeguard the privacy of the PHI.
• Includes joint counsel, jury consultants, experts, investigators, litigation support, etc.
• ** Not responsible for opposing counsel even if PHI was disclosed to them because they are not assisting in representing the covered entity

(45 CFR 164.504(e))

Page 30: Rapid Fire

Attorneys Representing Covered Entities

Business Associate Agreements are signed to provide that the attorney will ensure the “minimum necessary” standard of disclosure of PHI are consistent with those of the covered entity’s

Law firms must now have all subcontractors (ex. Experts) sign Business Associate Agreements when representing Covered Entities.

Page 31: Rapid Fire

Health Information Technology for Economic and Clinical Health (HITECH) Affects Privacy:

• Covered entities and business associates will have to notify individuals of any security breach – sometimes the media will need to be notified as well.
• Vendors of personal health records and other non-HIPAA covered entities will have to report security breaches
• Determination of “unsecured” will be made by feds.
• Encryption of electronic information and destruction of PHI will render it “unusable, unreadable, or indecipherable to unauthorized individuals” and will relieve the covered entity of the need to notify individuals in case of a breach

Page 32: Rapid Fire

HIPAA & HITECH

Law firms representing covered entities must comply with the Administrative, Technical and Physical Safeguards required by the Security Rule.

Page 33: Rapid Fire

Safeguards

• Risk Analysis and Risk Management: assess potential risks to the confidentiality, integrity and availability of electronic PHI
• Sanction Policy: against workforce members who fail to comply with security procedures
• Security Awareness: training, incident responses & reporting
• Contingency Plans, Data Backup Plan, Disaster Recovery Plans and Emergency Mode Operation Plans are required to protect electronic PHI from vandalism, natural disasters and other security incidents

(45 CFR 164.308)

Page 34: Rapid Fire

Technical Safeguards

• Electronic Access Integrity and Control
• Unique user ID with time-outs and automatic log-off
• Person or entity authentication
• Emergency access procedure
• Monitor I.T. systems containing PHI
• Transmission security must include encryption and decryption

Page 35: Rapid Fire

Cloud Storage Compliant?

• Dropbox – not HIPAA compliant/secure
• iCloud – not HIPAA compliant/secure
• Amazon S3 – not HIPAA compliant/secure

• Google Drive – yes
• Egnyte – yes
• Symform – yes

Page 36: Rapid Fire

Enforcement

• The Department of Health and Human Services (HHS) established rules for investigating, prosecuting, and imposing penalties for HIPAA Privacy Rule violations.
• Tiered ranges of increasing minimum penalty amounts, with a maximum penalty of $1.5 million for all violations of an identical provision
• Criminal violations fined up to $250,000 and up to 10 years in prison (enforced by Dept. of Justice)
• HHS hired auditing firms to randomly audit covered entities and business associates for compliance

Page 37: Rapid Fire
Page 38: Rapid Fire

Examples of Violations

• Not verifying individuals by phone/person/writing
• Faxing information to wrong fax number in error
• Sending information to wrong email in error
• Leaving detailed PHI on answering machine
• Loss/theft of unencrypted drives/computers
• Careless handling of user name and password
• Sale of PHI to any source
• Failure to secure confidential information
• Allowing unauthorized person to enter area where PHI could have been viewed
• Stolen laptop/records from backseat of car

Page 39: Rapid Fire

Violations and Enforcement

HIPAA Violation, with Minimum Penalty and Maximum Penalty:

• Individual did not know (and by exercise of reasonable diligence would not have known) that he violated HIPAA
  Minimum penalty: $100/violation, annual maximum $25,000
  Maximum penalty: $50,000/violation, annual max of $1.5 million

• Violation due to reasonable cause and not due to willful neglect
  Minimum penalty: $1,000/violation, annual maximum $100,000 for repeat violation
  Maximum penalty: $50,000/violation, annual max of $1.5 million

• Violation due to willful neglect but violation corrected w/in required time
  Minimum penalty: $10,000/violation, annual maximum $250,000 for repeat violation
  Maximum penalty: $50,000/violation, annual max of $1.5 million

• Violation due to willful neglect and not corrected
  Minimum penalty: $50,000/violation, annual maximum of $1.5 million
  Maximum penalty: $50,000/violation, annual max of $1.5 million

Page 40: Rapid Fire

Examples

From 2009 – 2011, records breached for over 18 million patients

BCBS Fined $1.5 million for loss of 57 unencrypted drives containing data of 1 million patients

Mass. General Hospital fined $1 million for loss of portable data on subway

Page 41: Rapid Fire

Value on Black Market

• Credit Card #: $6
• I.D. (SS# and D.O.B.): $15
• Medical Chart/Records: $50

Page 42: Rapid Fire

Questions? Comments?

Erik P. Crep

Wicker, Smith, O’Hara, McCoy & Ford, P.A.

2800 Ponce de Leon Blvd, Suite 800

Coral Gables (Miami), FL 33134

(305) 448-3939


Stuart T. O’Neal, III Burns White

100 Four Falls, Suite 515

1001 Conshohocken State Road

West Conshohocken (Philadelphia), PA 19428

(484) 567-5700
