Federal Court Rules CGL Policies Cover Data Breach

Insurance companies issuing commercial general liability (CGL) policies are undoubtedly taking note of a recent noteworthy, though unpublished, federal appeals court decision. In April 2016, a federal appeals court in Virginia upheld a lower court’s ruling that a CGL policy may cover a data breach. The decision centered on the interpretation of policy language that the court said should be construed broadly. The ruling will likely cause insurers to scrutinize coverage language more closely and revise future policy definitions. For insureds, the decision should prompt a second look at policy language to determine whether a data breach arguably falls within the scope of coverage. The case, Travelers Indemnity Company of America v. Portal Healthcare Solutions, L.L.C. (https://www.scribd.com/doc/308033367/Travelers-v-Portal-Healthcare-Fourth-Circuit-Court-of-Appeals) (hereinafter referred to as “Portal Healthcare”), is at odds with other recent state court decisions.

 

The factual prompt for the suit was a class-action lawsuit brought by patients of a hospital whose confidential medical records were publicly posted online by the hospital’s electronic record-keeping service, Portal Healthcare Solutions (“Portal”). Portal tendered the matter under the two separate but substantially identical CGL policies issued by Travelers. In a declaratory relief action, Travelers argued data breach was not covered under the policies, but the District Court for the Eastern District of Virginia in Alexandria ruled that Travelers had a defense obligation under the Personal and Advertising Injury coverage section of the policies. The policies’ language obligated coverage because of an advertising or website injury arising from the “electronic publication of material that…gives unreasonable publicity to a person’s private life” or “the electronic publication of material that discloses information about a person’s private life.”

 

Travelers argued that the action of posting the medical records online was not a “publication” within the meaning of the policy because it could not be proven that the records were actually viewed by a third party. The lower court and appellate court rejected this narrow and “pars[ing]” definition of publication. The appellate court also held that the class-action complaint by the patients “at least potentially or arguably alleges a publication of private medical information” and that the conduct, if proven, would have given unreasonable publicity to and disclosed information about the patients’ private lives. The court determined that any doubt in the meaning of the word “publication” should be interpreted in a manner that grants coverage rather than withholds it.

 

The lower court’s opinion distinguished a Connecticut case which ruled that a CGL policy did not cover the loss of computer tapes that contained personal information. See Recall Total Info. Mgmt. Inc. v. Fed. Ins. Co., 83 A.3d 664 (Ct. App. Conn. 2013).  In that case, computer tapes fell out of the back of a van, were taken by an unknown person, and never recovered. Id. at 667.  This fact pattern was distinguished because it involved a single thief and no allegation that the stolen information had been placed on the internet.  In the Portal Healthcare case, the court stressed that the facts alleged “potentially or arguably” constituted “publication.”

 

While insurers offer policies specifically addressing cyber liability and data breach, these policies can often be cost-prohibitive and/or scarce. Business owners should consult with their legal counsel to look closely at the terms of the business’ CGL policies to determine whether they may potentially or arguably cover data breaches. The exorbitant cost of defending a data breach lawsuit, especially a class-action suit, may justify a declaratory relief action against a CGL carrier to determine whether the claims trigger a defense obligation. All companies should evaluate their cyber risks and exposures to make an informed decision about whether cyber liability insurance coverage is worth it. Despite the holding in Portal Healthcare, securing coverage for data breach incidents under a CGL policy is still an uphill battle.

 

Michael Hellbusch is a privacy and cyber liability attorney at TLDlaw. He is a member of the Sedona Conference’s Working Group 11 on Data Security and Privacy Liability and International Association of Privacy Professionals.

Los Angeles Medical Association: Navigating the Hornet’s Nest of Reimbursement

Matt Kinley Speaks to Los Angeles County Medical Association on March 23, 2016. Contact Mr. Kinley at mkinley@tldlaw.com if you’re interested in attending.


HHS TO CREATE NEW CYBERSECURITY REGULATIONS FOR HEALTH CARE

CONGRESS DIRECTS ACTION IN HEALTHCARE CYBERSECURITY

In December of 2015 Congress passed a 2000-page spending bill which was enacted into law. Included in the text was the Cybersecurity Information Sharing Act of 2015 (CISA). While that legislation received most of the headlines, the spending bill also implemented some major developments in the field of privacy for the healthcare industry. Section 405 of Title IV directs the Department of Health and Human Services (HHS) to develop best practices for organizations in the healthcare industry.

The legislation mandates HHS to report to Congress regarding the preparedness of the health care industry in responding to cybersecurity threats. This includes identifying the HHS official responsible for coordinating threat efforts and including plans on how HHS divisions communicate with one another regarding threats. Congress also mandated a one-year task force to plan a threat reporting system in real time, and to prepare cybersecurity preparedness information for dissemination in the healthcare industry. Most notably, HHS has been directed to collaborate with other governmental entities and experts to establish best practices standards specific to healthcare cybersecurity. The intent is to create an industry standard and cost-effective method to reduce cybersecurity risks for healthcare organizations.

Inclusion of Section 405 of the Cybersecurity Act of 2015 reinforces the federal government’s well-established priority of protecting personal health information. Protection is necessary because of the high value of personal health information on the black market. According to The Insurance Journal, a complete health record containing a patient’s entire health profile can fetch as much as $500. The value is based on the ability of lawbreakers to fraudulently bill insurers for medical services. Compared to industries like the credit card payment industry—which has implemented its own cybersecurity standards—the healthcare industry is woefully behind in its efforts to protect valuable private information.

Healthcare facilities, both public and private, should stay ahead of HHS and develop their own internal policies, security measures, and best practices to protect confidential information of their patients. While guidance from HHS in the future will help establish industry standard best practices, healthcare providers should evaluate their cybersecurity needs and work with experts—attorneys, technologists, and governmental agencies—to stay ahead of the curve. Undoubtedly the attention given to healthcare cybersecurity in the coming years will increase the scrutiny on healthcare providers who fail to meet industry standards.

TLD Law regularly advises healthcare industry clients in all aspects of their business practices. Questions regarding the healthcare industry and cybersecurity can be addressed to Matt Kinley and/or Michael Hellbusch.

PHYSICIAN ALIGNMENT WITH HEALTH CARE SYSTEMS

HEALTH CARE SYSTEMS SHOULD UTILIZE REAL ESTATE TO CAPITALIZE ON PHYSICIAN ALIGNMENT

Health care systems have recently increased acquisitions and joint ventures with physician groups in order to increase hospital exposure and revenue. While regulations that limit referrals should be carefully considered and followed, hospital systems can use some of the following real estate assets to attract new physicians.

Office Condo Projects:  Allows physicians to invest in projects on or near campus.

New Construction: Building new office buildings with an eye toward comprehensive care and alignment of patient experience.

Hosting New Clinics and facilities which promote the hospital community.

Key to complying with regulations is fair market value agreements and documentation. Both the hospital and physician should have appropriate legal representation to assure compliance.

By:  Matt Kinley, Esq.

 

 

OSHA GUNNING FOR MEDICAL PRACTICES

NEW GUIDELINES BRING NEW RESPONSIBILITIES

The Occupational Safety and Health Act of 1970 requires employers to provide their employees with working conditions that are free from known dangers.  There are thousands of pages interpreting the meaning of that simple statement, including primarily what is a “known danger.”

For medical facilities, OSHA has attempted to provide guidelines for protecting healthcare workers from violence in the workplace. In OSHA: Guidelines for Preventing Workplace Violence for Healthcare Workers (2015), OSHA explores its expectations for organizations in complying with the obligation to provide a safe workplace and to prevent violence. Many of the obligations are structural, that is, they provide for a system to protect against violence: policies, training, workplace evaluation, and documentation of an organization’s efforts to complete these tasks. Like HIPAA and Compliance, the solution to medical office problems is a new policy, a committee and training.

Along with this new resource comes a new obligation. In an OSHA Instruction, OSHA reviews the inherent dangers in the healthcare setting and the higher rates of violence and injury in the healthcare setting. It instructs its investigators to pay more attention to the healthcare setting utilizing its 2015 guidelines.

If you are a healthcare company, it makes sense to pay attention to these OSHA materials.  Even if you are not investigated by OSHA itself, it does set up a standard for behavior and a potential negligence suit should your facility suffer violence.

By Matt Kinley, Esq.

Fraud Alert Issued by OIG Puts Medical Directorships Under Suspicion

Make Sure Your Medical Directorship is Legal

HHS’s Office of Inspector General’s Fraud Alert issued in June of this year puts an often-used tool for compensating physicians in the regulatory crosshairs. “Medical directorships,” or the payment of a physician for overseeing clinics or other medical services, will violate the Federal and state Anti-Kickback statutes if “even one purpose of the arrangement is to compensate a physician for his or her past or future referrals.”

Compensation arrangements between hospitals, physician groups and other medical providers that contemplate management or directorships by a physician should be carefully evaluated by competent counsel. OIG has said that it will be reviewing such arrangements with particular interest. If a violation is found, the result could include criminal, civil and regulatory fines, and exclusion from federal health care payment systems.

Some of the elements of an appropriate directorship or management position for a physician might include a written contract for at least a year with a salary that constitutes a fair market value for services actually provided. Such an agreement should be backed up by salary surveys or other documentation that the compensation is based on similar positions within the community.

By Matt Kinley, Esq.

NY TIMES ARTICLE: MISUSE OF HIPAA PREVALENT

In this important article, the author addresses the misuse of HIPAA. Medical privacy is an important subject, but hospitals and doctors’ offices sometimes misunderstand and misapply the law.

http://www.nytimes.com/2015/07/21/health/hipaas-use-as-code-of-silence-often-misinterprets-the-law.html?_r=2

Matt Kinley, Esq.

 

PHYSICIAN COMPENSATION UNDER OIG REVIEW

Physician Compensation Arrangements Under Scrutiny

On June 9, 2015, the Office of Inspector General issued a special Fraud Alert warning physicians that compensation arrangements (such as medical directorships) must ensure that the arrangement reflects fair market value. Such arrangements “may violate the anti-kickback statute if even one purpose of the arrangement is to compensate a physician for his or her past or future referrals of Federal health care program business.”

California statutes and rules can be even stricter.

In this era of merger and consolidation, medical providers must be careful to create appropriate compensation arrangements. They must carefully document attempts at establishing fair market value, or be subject to regulatory prosecution.

This alert comes after the OIG recently reached settlements with 12 physicians who entered into medical directorships and other arrangements, which the OIG concluded violated the Federal Anti-Kickback Statute. In those cases, the arrangements appeared to be illegal for one or more of the following reasons:

• The payments to the physicians took into account the physicians’ volume or value of referrals.

• The payments did not reflect fair market value for the physicians’ services.

• The physicians did not actually provide the services required under the agreements.

• The entities contracting the physicians paid the salaries of the physicians’ front office staff.

Certain physician compensation arrangements – and particularly medical director arrangements – are perceived as risk areas for Anti-Kickback Statute violations. Facilities and physicians entering into such arrangements should review existing and new arrangements for compliance in light of this Fraud Alert and should seek the expertise of health care legal counsel.

By Matt Kinley, LL.M., Esq.

Home Care Stakeholder Workshop

The Home Care Services Bureau conducts Home Care Services Consumer Protection Act Stakeholder’s Meetings pursuant to California’s AB 1217, the Home Care Licensure Act. Those who are interested in the subject are encouraged to submit their questions to: HCSB@dss.ca.gov AND to our Policy Director, Braden Oparowski at boparowski@cahsah.org.

The Department has announced that they expect to release the licensing fees and aide registration fees sometime in July. Information was also presented on the following topics: fingerprint transfer process, home care aide training requirements, written directives versus regulations, licensing inspections, personnel and administrative file requirements, abuse reporting requirements, reporting organizational changes and TB clearance.

DSS’ Home Care Services Bureau will be posting the PowerPoint presentation from the webinar on the main page of their website. Additional questions about the Home Care Services Consumer Protection Act Stakeholder Meetings or AB 1217 may be directed to CAHSAH’s Legislative Specialist Mary Adorno at (916) 641-5795 extension: 124.

LAWS AND REGULATIONS SPECIFIC TO IN HOME CARE ORGANIZATIONS IN CALIFORNIA

New Emphasis on Patient Safety Will Cause Greater Scrutiny of Home Care Providers

While In Home Care Organizations (“HCOs”) have been relatively free of laws and regulation, such companies are coming under increasing scrutiny in California. There have been concerns about patient safety and security, which have caused the state to enact laws and regulations that impose safety checks and training. There are also concerns about abuse of HCO workers, leading to minimum standards for companies employing such workers. While many of these reforms appear to be appropriate, they also make the utilization of in-home services more expensive, which will make such services unaffordable for a large segment of the population.

HOME CARE SERVICES CONSUMER PROTECTION ACT

The most significant reform is the Home Care Services Consumer Protection Act of 2013 (AB 1217), signed into law on October 13, 2013. It covers “home care services,” which are formally defined as nonmedical services and assistance provided by a registered home care assistant (“HCA”) to a client who, because of advanced age or physical or mental disability, needs assistance in activities of daily living, allowing the client to stay in their residence. Such services include assistance in the following areas:
• dressing
• bathing
• exercising
• personal hygiene and grooming
• transferring
• ambulating
• positioning
• toileting and incontinence care
• housekeeping
• meal planning and preparation
• laundry
• transportation
• correspondence
• making telephone calls
• shopping for personal care items or groceries
• companionship

WHAT IS INCLUDED IN THE ACT?

This legislation requires agencies to: list aides in an online registry, conduct background checks on workers, obtain fingerprints of all aides, provide five hours of training for new hires, and obtain a license from the state certifying their compliance with basic standards.

The commencement date of the law was extended to January 1, 2016. It provides that the California Department of Social Services (CDSS) will regulate HCOs and provide background checks of affiliated Home Care Aides (HCAs) and independent HCAs who wish to be listed on the Home Care Services (HCS) Registry. Currently CDSS is implementing regulations, including the formation of the new Home Care Services Bureau (HCSB) in partnership with the Caregiver Background Check Bureau (CBCB). HCSB will oversee the licensing and oversight of the HCOs and CBCB will oversee the background checks for the HCAs and will maintain the HCS Registry.

Some of the penalties found in the Act include:
• $900 fine per day for each day if not licensed by Department of Social Services
• Potential cease and desist order, which shall remain in effect until the individual or entity has obtained a license pursuant to this chapter
• Potential imposition of a civil penalty; or
• Potential civil action against the individual or entity.

If CDSS finds that an individual has been convicted of a crime other than a minor traffic violation, the individual cannot work for or be present in any community care facility unless they receive a criminal record exemption from the Community Care Licensing Division, Caregiver Background Check Bureau.

CALIFORNIA’S IHSS PROGRAM

California has established the In Home Supportive Services (IHSS) program, which is a Medi-Cal program providing payment to providers who are serving aged and/or disabled patients who are without the means to pay for such services. Persons wanting to become an IHSS provider must provide a U.S. government issued picture identification and an original Social Security card, and the provider must complete the Provider Enrollment Form (SOC 426) and obtain fingerprints. The California Department of Justice (DOJ) will obtain a criminal background check on the individual.

DEPARTMENT OF LABOR WAGE AND HOUR RULES

On January 1, 2015, the Domestic Worker Bill of Rights (AB 241) took effect. It regulates the number of consecutive hours for home health care workers and requires overtime pay for long work shifts.

California now is one of 16 states with some type of overtime requirement for home health workers. Personal attendants covered by this law are now entitled to overtime pay at 1.5 times their regular rate of pay for any hours worked in excess of nine (9) hours in a day or in excess of 45 hours in a week.

The new law, due to sunset in 2017, calls for formation of an evaluation committee to review and analyze the effectiveness of the overtime provision over the next three years. The California Department of Industrial Relations is charged with reviewing the law.

One of the areas the committee will monitor is whether the law prompts more underground caregiving, as Janz said is happening.

MINIMUM WAGE

Domestic workers are entitled to the minimum wage, with the exception of babysitters under the age of 18 and the employer’s parent, spouse, or child. The Labor Commissioner enforces the California minimum wage. The Labor Commissioner may enforce local minimum wage laws if the work is performed in a city and/or county that has a higher minimum wage ordinance.

If your employer discriminates or retaliates against you in any manner whatsoever (for example by terminating you or giving you fewer hours), you can file a discrimination/retaliation complaint with the Labor Commissioner’s Office. Alternatively, you can file a lawsuit against your employer in court.

ACTION ITEMS

Institute a security check program with all home aides working for your organization, including background check and fingerprinting.

Obtain an exemption or terminate those home aides that fail the background check.

Institute a training program for all home aides working for your organization.

Review wage and hour policies and ensure that your organization has all employee manuals with the proper overtime and minimum wage rules.

By Matt Kinley, Esq.