Special E-Mail Bulletin
February 2003
Conflicts with Your Business Associates under HIPAA

Special E-Mail Bulletin

Hello, everyone.

As you prepare for "HIPAA Day" in April more and more issues get raised that should cause everyone to re-examine the adequacy of their preparations. Here's a very interesting story that discusses possible conflicts that can come up between covered entities and their business associates in the event there's a significant HIPAA breach involving protected health information.

You'll want to have a more solid position that simply proclaiming "they're responsible, not us." You'll need to have a damage control plan that addresses the most appopriate and "quiet" means to resolve HIPAA problems.

This article discusses some of them. It's from the current issue of HealthLeaders.

Gil Weber

---

HIPAA 2003

HIPAA: The Business Case for Conflict Management Systems, Part 1 of 2

By George Karahalis, FACHE, for HealthLeaders News, Feb. 19, 2003

---

HIPAA, Title II, the Privacy Provisions, brought with it a number of new considerations for health systems. Certainly the challenges of information systems and operational security are important. Code sets require attention because of the changing rules for submitting claims - and getting paid. Indeed, many managed care organizations are requiring compliance with HIPAA as a condition of continued participation in their plan.

But there is an additional, more subtle, but more invasive long-term consideration. HIPAA creates new opportunities for disputes among Business Associates and Covered Entities. Part One of this series presents this problem, pointing out that it has always existed, but was and is rarely managed. HIPAA pressures will surface and magnify these issues. Part Two will offer solutions.

In our litigious society, HIPAA creates new avenues potentially leading to legal entanglements and public embarrassment. Consider these ideas:

1. Given the frequency and volume of disclosures of Protected Healthcare Information required for operations purposes (among other reasons), inevitably, an inadvertent disclosure of PHI will occur to the wrong person or organization. Most likely, the number of such releases will be few and limited to one patient. In fact, we know that these kinds of "losses of control" over information have occurred in the past.
2. However, despite reasonable efforts to assure information security and patient privacy when transmitting PHI, the likelihood of a catastrophic large release is still very possible, at least until we get a handle on this stuff. Even if the disclosure is not because of your action, it may be as a result of actions of your Business Associates or even other Covered Entities (such as other providers and MCOs).
   
   If the Covered Entities and Business Associates are bickering among themselves, you can imagine the ideas that might occur to a patient (and plaintiff attorney) who is suspicious that their PHI was wrongfully released.
3. Pre-HIPAA-implementation patient-privacy disputes in the courts suggest that judges are using HIPAA rules as the basis for judging inappropriate release of PHI, even though the formal implementation date is still several months away. This fact also suggests the courts see HIPAA as very important and the source of comprehensive and coordinated guidance in an area poorly regulated by local jurisdictions - an area poorly managed by providers and payers in the past - and the reason that the law was created.
4. Plaintiff's attorneys see HIPAA as a gold mine of potential class action suits. Health Lawyers Association meetings, Plaintiff's Attorney section, have had very high attendance for topics dealing with HIPAA and class actions.

How Real is This?

During Thanksgiving week 2002, Channel 2 News in Atlanta reported that their investigative reporter had been digging in dumpsters behind a physician office building connected to a chain hospital on the northeast side. While looking for financial and charge records that might lead to sources of information for "identify theft," the reporter found hundreds of partial medical records with multiple kinds of PHI that were not shredded, not "de-identified," and not otherwise protected. This fact received only a brief mention on TV during the initial report.

• The reporter observed that, under Georgia law, which is pretty strict, this event is already a violation calling for criminal penalties.
• The reporter came back two days later and found the dumpsters full of PHI ... again. The second TV discourse was less sympathetic.
• You can imagine that there might have been a disagreement between the physicians and the hospital as to who was responsible for improper disposal of medical information. If there had been an ADR agreement in the lease between the physicians and hospital, it might not have opened the door to a highly visible, image-damaging public situation, because of requirements for remediation, but also for use of confidential problem solving. This pressure will only increase.

A spectacular mass release of PHI related to one of the pharmaceutical companies in Florida in late 2001, has been certified for class action by a Miami court. In other, similar situations in the public's eye, the involved lawyers (and media) are speculating that HIPAA rules will be applied in this situation and that a large settlement will occur.

In a Midwest city, in spring 2002, an HMO was in the process of moving offices. They were fully HIPAA-compliant and were prepared to handle whatever came to them. While going through closets they discovered one was loaded with copies of thousands of medical records retained for quality review during the period 1985 to 2002.

• They called their Business Associate, a HIPAA qualified shredding company, to come dispose of the records.
• A day later, the COO, General Counsel and Privacy Officer were seen diving into dumpsters next to the loading dock of the HMO's offices because one of their employees had found that the medical records had not been shredded.
• If the quick work of the HMO's executives had not been successful and someone had found all those records, there would have been a sufficient case to certify a class action against the HMO and the executives, as well as the Business Associate.
• And, if the Business Associate contract included not only the HIPAA certification, but an ADR requirement, the whole matter could have been handled behind closed doors and, perhaps, avoided a mass disclosure situation or public embarrassment.

Meanwhile, a Federal Agency, TriCare, provides health insurance products for military dependents and military retired persons. The TriWest main office in Arizona was broken into on Dec. 14, 2002 and a large number of computers and storage devices were stolen. An estimated 500,000 health insurance records were contained in the stolen equipment. Some observations:

• If this had been after April 2003, they would have been negotiating with the Office of Civil Rights on the nature of the fines they would be paying for inadequate security leading to the PHI disclosure, because TriWest is a Business Associate of TriCare. [TriCare, the government agency, is unlikely to be charged by OCR in such situations].
• If security was provided to TriWest by an outside firm, another Business Associate, there would certainly be a need for quiet, confidential discussion of culpability and assignment of financial responsibility to remediate the losses, and to pay for tens of thousands of man-hours to answer TriCare beneficiary questions and handle loss-of-identity issues for those whose Social Security Numbers might be used for illegal purposes. A Mediation agreement, one of the steps in an Alternative Dispute Resolution process, in the Business Associate contract would permit a confidential discussion rather than public finger-pointing.
• Additionally, if an unsuspecting TriWest/TriCare patient were to subsequently come to a physician office or hospital to inquire about why their medical information was in the hands of a "bad person," what procedures are in place between and among the Covered Entities to manage the disclosure, and pay for the research to determine that it was TriWest's loss that caused the problem? It would be preferable to be able to quietly complete the investigation and design a plan of action on behalf of all service-area, TriCare patients and Covered Entities before the disclosure became grossly public. It would be nice to be able to mimic the quality of the Crisis Communication approaches used by TriWest (go to to see their approach).

5. Even if you can demonstrate reasonable steps for privacy and security, and appropriate quick action to mitigate problems, with no criminal intent, you are very likely to be exposed to civil penalties of say $500 to $1000 per occurrence. Not enough to raise the interest of a Plaintiff's Attorney, But, if you had an inadvertent release of 100 or 1000 patients' medical information for, say, the electronic transfer of multiple claims files to your MCO or "Clearinghouse," that could be a sizeable chunk of your bottom line in civil penalties and raise the interest of Plaintiff's Attorneys for class action suits.

In other words, despite the strength of your legal or regulatory situation, you might have to defend yourself in the public's eye, or in court, or both. As outlined above, it is possible, by thoughtful preparation, to limit this exposure and to moderate the effects after a disclosure becomes public. Consider these additional preparations in your HIPAA implementation:

1. Install a Conflict Management System that provides training and procedures for all employees, so that conflicts, disputes and errors are handled promptly and discretely at the lowest possible level within an organization.
2. Insist that Covered Entities and Business Associates add ADR provisions in their contracts. Be sure that they understand the importance of discretion, not just for your mutual needs, but also for the very real threat to your patients' information and your relationships with them. After all, return customers are our best customers.

In other words, make problem resolution, generally, a comfortable and routine procedure for all staff, avoid a culture of blame and, specifically, for HIPAA, be sure to address the PHI issue. In Part 2 of this series, we will further describe the value-contribution of a CMS and its components and we will provide further detail on ADR, its HIPAA benefits and some model language to assist with this process.

Return to top