Putative Class Action Underscores Need for HIPAA Covered Entities to Diligence Business Associates

Seth Goldberg

Last week, in a putative class action, the Eastern District of Wisconsin in Dusterhoft v. OneTouchPoint Corp., 2024 U.S. Dist. LEXIS 170993 (ED WI 2024), issued a decision denying a motion to dismiss, in part, that underscores the importance for healthcare entities of strong privacy compliance, including due diligence and auditing with respect to HIPAA-protected information provided to “business associates.”

OneTouchPoint provides brand management, marketing, printing, and supply chain logistics to healthcare providers. In connection with those services, “OneTouchPoint collects and maintains names, addresses, Social Security numbers (SSNs), member IDs, dates of birth, health insurance information, and other medical information provided during health assessments.” OneTouchPoint discovered that its servers had been improperly accessed, causing a breach of 2.6 million individuals’ data, including patients of nearly 40 health insurers and healthcare service providers.

After receiving letters from OneTouchPoint advising them of the breach, nine named plaintiffs from Arizona, Georgia, Maine, Minnesota, South Carolina, and Wisconsin claimed that they provided information to OneTouchPoint clients, who in turn provided to OneTouchPoint their HIPAA-protected information that was disseminated in the breach. Pertinent to this article, the only injuries alleged by five of the named plaintiffs are spending time and money combatting the effects of the breach, such as calling banks, credit card companies, etc., and diminution in the value of their information.

The Court held the diminution in value claim was insufficient to establish standing, but the time the named plaintiffs spent mitigating the effects of the breach was an injury sufficient to establish standing. The Court further held that the complaint sufficiently alleged a claim for negligence because, as alleged damages, the mitigation efforts were not too speculative, and could be shown to be causally related to the breach.

Importantly, the Court rejected OneTouchPoint’s assertion that HIPAA and Section 5 of the FTC Act do not create a private right of action to assert a claim for negligence per se, i.e., a violation of those Acts’ requirements with respect to protected information, explaining that statutory intent should dictate whether a claim for negligence per se can be asserted, and the parties did not brief that issue sufficiently. This argument, held the Court, could be raised again on summary judgment.

That the named plaintiffs will be able to proceed on their negligence and negligence per se claims, at least until a dispositive motion is filed, highlights the importance of a “Covered Entity,” like a hospital or medical practice, sufficiently understanding how a Business Associate will secure protected information. OneTouchPoint may now have to incur the significant expense of class discovery, which could lead to a settlement-leveraging class certification motion. Given that a HIPAA “Covered Entity” can be liable under HIPAA for failing to properly diligence a Business Associate, one can envision negligence and negligence per se claims being brought against a Covered Entity for a Business Associate’s data breach. Consequently, a Covered Entity should be vigilant when it diligences a Business Associate, and insist on indemnification for any claims that result from the Business Associate’s data breach.

Duane Morris attorneys are experienced in advising clients with respect to HIPAA’s privacy and security requirements.

Don’t Leave CARES Act Dollars on the Table (or in the Wrong Pocket)

As part of a suite of COVID-19 relief programs, the CARES Act appropriated $100 billion into a Provider Relief Fund meant for “hospitals and other healthcare providers on the front lines of the coronavirus response.” Medicare providers and facilities should have seen funds appear in their accounts between April 10 and April 17 when the first $30 billion of the $50 billion general allocation was distributed. Further, eligible recipients should begin to see funds from the remaining $20 billion of the general allocation as well as additional targeted allocations for hospitals in hot zones or rural areas.

The initial distribution was based on providers’ proportional share of Medicare Fee-For-Service reimbursements in 2019. For the sake of efficiency, these distributions were made based on the Tax Identification Numbers used when submitting bills. This approach, while expeditious, has also resulted in several potentially undesirable consequences. For example, practices or facilities that experienced a change of ownership during 2019 may notice that their distribution excluded the proportional share of reimbursement for the period prior to the change of ownership when the prior owner’s TIN was still in place. In fact, the prior owner may have received those funds attributable to that time period. Additionally, the interests of facilities and group practices may not align with the providers for whom they bill as they face the dilemma of how to appropriately allocate relief funds and whether credit should be given for compensation based on collections. The resolution of these issues will likely hinge on the terms of the contracts that govern these employment relationships.

Hospitals, facilities, providers, and all other affected parties are advised to consult with legal counsel when faced with the nuances of CARES Act funding. Further, as Congress debates additional funding packages, stakeholders should have a plan in place that suits their particular and unique needs. The Health Law Practice Group at Duane Morris is prepared to guide clients through the intricacies of these programs and advise on the most advantageous approach for future relief fund packages. Facilities and providers should contact Neville Bilimoria, Erin Duffy, Kirk Domescik, Ryan Wesley Brown, or your usual contact within the Health Law Practice Group with any questions regarding CARES Act funding.

Illinois Posts Medicaid Managed Care Performance Report

In January 2018, The Office of the Auditor General for the State of Illinois published its Performance Audit (“Audit Report”) of Medicaid Managed Care Organizations (“Medicaid MCOs”) for Fiscal Year 2016. What was unleashed was a startling review of the Medicaid MCOs’ performance over FY 2016 in administering the Medicaid Program for what was then called the Integrated Care Program (“ICP”) or Medicare/Medicaid Alignment Initiative (“MMAI”) Programs. You may recall these ICP and MMAI Medicaid MCO programs in Illinois involved almost a dozen Medicaid MCOs that covered about 70% of the State of Illinois Medicaid recipients.

The Audit Report played into health care providers’ deepest fears in Illinois: showing that Medicaid Managed Care may not be working as it was intended; namely, to reduce costs and improve quality of care in the Medicaid Program in Illinois. For example, long term care providers in Illinois had to fight tooth and nail with Medicaid MCOs under the ICP and MMAI programs, experiencing cumbersome Medicaid contracts, denied claims, delayed claims, and worse yet, a prior authorization administration problem (administrative MCO delay) which in some instances prevented residents from receiving care timely. Most, but not all, of those issues are still being resolved, but providers had hoped that there was a good reason for this madness involving Medicaid MCOs: better and lower cost care for Medicaid beneficiaries.

Specific Facts Suggest Hospitals and Insurers Agreed to Group Boycott

A per se violation of Section 1 of the Sherman Act, 15 U.S.C. § 1, generally requires an agreement among horizontal competitors that unreasonably restrains trade. To withstand a motion to dismiss, a Section 1 plaintiff must allege facts that suggest direct evidence of an agreement among the defendants, as opposed to alleging facts that merely are consistent with parallel conduct. These principles have been referred to by some courts as creating a heightened pleading standard for Section 1 claims.

In Arapahoe Surgery Center, LLC, et al. v. Cigna Healthcare, Inc., et al., 2015 U.S. Dist. Lexis 28375 (D. CO.), the Colorado District Court determined that the plaintiffs’ allegations of a group boycott were sufficient to meet the pleading requirements under Section 1, and therefore denied a motion to dismiss filed by three insurance carrier defendants. The specificity of the factual allegations concerning the agreement among the defendants, and the acts in furtherance thereof, underscore the importance of antitrust compliance in the healthcare and health insurance industries.

Don’t Just Pay the RAC

Medicare Recovery Audit Contractors (RACs) mine data using automated systems to detect and recover improper Medicare payments. RAC audits pick up billing and coding errors and deny claims based on those errors. In many instances, the service was provided and was billable. In some cases, the coding error makes no difference in reimbursement; in others, reimbursement should be higher or lower, but the service is still reimbursable under some code. In some cases, the RAC’s automated systems deny claims that were properly billed, because of software coding flaws. RAC auditors don’t correct billing errors; they just take the money back.

© 2009- Duane Morris LLP. Duane Morris is a registered service mark of Duane Morris LLP.

The opinions expressed on this blog are those of the author and are not to be construed as legal advice.