Category Archives: Healthcare Regulatory Matters

THE REQUIREMENTS FOR A VALID SURROGACY PARENTAGE CONTRACT IN CALIFORNIA

This is a two-part series for physicians on some of the issues that arise with the medical treatment of surrogate mothers. This first article deals with the surrogacy contract.

California Family Code Section 7962 provides:

“The surrogate, her spouse, or partner is not a parent of, and has no parental rights or duties with respect to, the child or children.”

Adding an additional layer to the twenty-first century notion of the family, several children are born not from their mother, but from a third party surrogate. In California, couples seeking children with some genetic connection may use these contracts to pay a surrogate mother to carry the baby through pregnancy.

What is required for a legal contract? The California Supreme Court, in the 1993 decision of Johnson v. Calvert, held that such arrangements are permissible and that the intended mother — and not the surrogate — should be deemed a child’s mother. As of January 1, 2013, California law (AB1217) added to the Family Code the Uniform Parentage Act, cited as Family Code section 7962, which codified California’s acceptance of such contracts.

Physicians, particularly obstetricians, dealing with surrogacy pregnancies have unique legal and practical issues to face when dealing with the relationships between the intended parents and the gestational mother. These relationships are governed by a contract which is defined by the Uniform Parentage Act. Presenting a valid surrogacy agreement to the court rebuts any presumptions that the surrogate and her spouse are the legal parents of the child or children.

For a surrogacy contract to be valid under the statute, the contract must have the following information:

1. The date the contract was executed;

 
2. The names of the persons from which the gametes [ova and sperm] originated, unless anonymously donated;

3. The name(s) of the intended parent(s); and

4. A disclosure of how the medical expenses of the surrogate and the pregnancy will be handled, including a review of applicable health insurance coverage and what liabilities, if any, that may fall on the surrogate.

Additional requirements are that the agreement must be entered into before any embryo transfer begins; both the intended parent(s) and the surrogate must be represented by separate, independent counsel before executing the agreement; and the agreement must be signed and notarized.

The statute also establishes that, upon proof of a valid surrogacy agreement, the court will terminate the parental rights of the surrogate and her spouse “without further hearing or evidence, unless the court or a party to the assisted reproduction agreement for gestational carriers has a good faith, reasonable belief” that the agreement or accompanying attorney declarations were not executed in accordance with § 7962.  Surrogacy contracts will be deemed “presumptively valid” and cannot be rescinded or revoked without a court order.

The statute places no conditions on who can serve as a surrogate (beyond requiring that she not be genetically related to the fetuses) or who may solicit the services of a gestational carrier. No minimum levels of income, intelligence, age, or ability are required for either the surrogate or the intended parent(s). The statute does not require that the intended parents shoulder all costs associated with surrogacy, and only states that the financial accommodations necessary for the arrangement are to be detailed in the surrogacy contract.

Note that these principles do not apply to “traditional surrogacy.” In a traditional surrogacy, the woman carrying the child is also the genetic mother – as a general rule, she conceives through artificial insemination with the intended father’s sperm, but using her own egg.  The law on traditional surrogacy in California remains very unclear, and it is possible that the “traditional surrogate” will be the legal mother and that one or both of the intended parents will end up having to adopt the child.

This is demonstrated in the case of In re Marriage of Moschetta (1994) 25 Cal.App.4th 1218. In that case, Robert Moschetta and Cynthia Moschetta wanted to have a child. Cynthia was sterile. Elvira Jordan agreed to be inseminated with Robert’s sperm, and to carry the baby to term for them. Pursuant to the agreement, Elvira was to allow Robert sole custody, and was to consent to adoption of the child by Cynthia. However, when the Moschettas broke up during her pregnancy, Elvira decided to keep the baby, although when the couple reconciled she relented and allowed the baby to go home with them. Seven months later, the Moschettas broke up for good. Cynthia petitioned the court, arguing that Cynthia was the baby’s legal mother, not Elvira, based on the terms of the surrogacy contract and the fact that the baby had lived with Cynthia for most of its short life. In this case, the court held that Johnson v. Calvert did not apply, since Elvira was both the genetic and the gestational mother. Enforcing a prebirth contract to give up one’s baby would go against the public policies relating to parentage and adoption. Legally, Elvira was the mother and Robert was the father.

Finally, in addition to what is required, the agreement should deal with issues such as how the gestational mother will care for herself during the pregnancy, how a pregnancy with multiple embryos will be dealt with, genetic testing and how to deal with negative genetic tests, the sex of the child, and the surrogate mother’s conduct after birth.

By Matt Kinley, Esq., founder Kinley Law Practice.

 

FORMERLY ILLICIT BUSINESSES COME INTO MAINSTREAM

Law Firm publishes “The Week in Weed”

State ballot measures and state legislatures have slowly but steadily legalized the use of marijuana.   The specifics of the law have specific ramifications for people and businesses even if they never roll a joint.

As one example, Federal law still prohibits the use and sale and marketing of marijuana.  Professionals advising employers, banks, and health care providers have unique issues in determining reactions to events.  For example, should a bank do business with an organization marketing and selling marijuana?  Can an accountant provide an appropriate audit?  Can a lawyer help create a corporation for a weed based business?

Can a physician work for one?  Most medical marijuana clinics fail to utilize doctor ownership, thus potentially violating the corporate practice of medicine doctrine in California.

The Week in Weed provides an ongoing discussion of the ethical and legal issues of a weed business. A recent report notes that independent investment is slow to embrace the business, but:

“Overall funding to cannabis-centered startups has ballooned in the past two years, up over 90% since 2014 despite a slight decrease in 2016’s investment levels.

While private investment to the industry remains siloed among a select group of cannabis-focused investors, institutional investors such as Founders Fund, Y Combinator, and 500 Startups are slowly taking notice.”

Keeping up to date in marijuana laws will be a state by state job.   The rules will be complex because of the intersection of state and federal law.

By Matt Kinley, Esq.  See his profile at KinleyLawPractice.com

 

California Health Record Privacy

 

In California, the Confidentiality of Medical Information Act (“CMIA”) creates rights for patients in their own personal records. Most attention is given to federal law, especially HIPAA and HITECH, when trying to understand what to do with medical records.

California has created a strong statutory scheme to protect patients’ rights. Codified at Civil Code section 56.10, the Act provides that “No provider of health care, service plan or contractor shall disclose medical information regarding a patient of the provider of healthcare or an enrollee or subscriber of a health care service plan without first obtaining an authorization” from the patient. The statute then goes on to prescribe in detail the requirements for authorization.

Violation of the CMIA will result in fines and a civil cause of action against the party who provided the private healthcare information.

CMIA does have several exceptions. Some of the exceptions require the healthcare provider to disclose information, for example under court order or for police or coroner investigations. Other exceptions allow, but do not require, the physician to disclose medical records to other health care providers and healthcare insurance companies. Healthcare providers may also provide information that has been scrubbed of identifiable information to public health studies and other companies who will allow the medical profession to better understand healthcare service.

By Matt Kinley, Esq.

WHAT ABOUT A MANAGEMENT SERVICES ORGANIZATION?

AVOIDING THE PROHIBITION AGAINST NON-PHYSICIAN OWNERSHIP OF MEDICAL ORGANIZATIONS

A management services organization (“MSO”) is an entity which would contract with a physician or a medical corporation owned and operated by physicians. The MSO could be owned by non-physicians.  The physician or medical corporation can pay the MSO for everything. Employees would work for the MSO; the MSO would pay for the lease.  The MSO would pay for all significant expenses and receive a fee for its services.

The Corporate Practice of Medicine Doctrine (CPOM) is strong in California. Under this doctrine, physicians must control clinical decisions. The concern is that if business entities owned by non-physicians are permitted to control the rendering of care, they will subordinate clinical care to commercial considerations and profits. The objective, therefore, is to prevent non-physicians and non-physician-owned business entities from influencing treatment decisions.

This presents a significant constraint to physician business ventures. Specifically, if physicians or other clinical personnel work for entities other than professional medical corporations, they may be exposed to disciplinary risks, as well as to forfeiture of revenues. For non-physician business partners, violating the CPOM may also bring both civil and, in extreme cases, potential criminal liability for engaging in medical practice without a license.

MSO

In California, the solution for avoiding violations of the CPOM in business ventures in which physicians work with businesses owned by unlicensed persons is a contractual relationship between the physician entity and the unlicensed business entity, or a “management services organization (MSO).” This is a business vehicle that permits unlicensed persons to provide services to physicians and their professional medical corporations. In its simplest form, an MSO provides basic practice support services to physicians and professional medical corporations via a contractual relationship, commonly known as a management services agreement. These services frequently include activities such as billing and collection, administrative support in certain areas, and electronic data interchange (e.g. electronic billing). Some MSOs provide a broader set of services: the MSO may purchase many of the assets in a medical practice, such as office space or equipment. MSOs can employ office support staff, and assist with a wide range of non-clinical functions. MSOs can also assist in functions such as marketing. Often, MSOs can reduce costs by bringing economies of scale and professional management experience into physician practices, thereby improving operational efficiency and reducing overhead costs.

The MSO must be carefully considered and constructed. Review and application of relevant laws and regulations is a must.

By Matt Kinley, Esq. of the Kinley Law Practice

How to Utilize an Attorney for HIPAA Breach Analysis

Attorney’s Role in Breach Analysis

An attorney’s role in any potential breach is to lead an assessment of the breach and to help clients determine whether to disclose a breach by applying the law to the factual investigation. Such an assessment is required for covered entities when a breach is suspected under Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules, and under the HITECH Act and the Genetic Information Nondiscrimination Act (GINA) and the corresponding regulations. As the company and experts review the potential breaches, the attorney should apply the law implicated by the facts. The appropriate law may not only be the federal law, but state law, as well. For example, the very stringent California Privacy Law applies to breaches in California.

If it is determined that there is a reportable breach, the attorney assists with the proper methods to make notification.

Any attorney chosen for this task should have experience and education in healthcare law. Some examples include a healthcare LLM, such as the one offered by Loyola Chicago’s Beazley Institute for Health Law and Policy, and designations in compliance, such as being certified in Healthcare Compliance (CHC).

My background includes retention by several clients to help with such an assessment, a Masters of Law (LLM) in Healthcare Law from Chicago Loyola Law School and I am Certified in Healthcare Compliance (CHC). I help healthcare institutions comply with HIPAA and other federal and state regulations.

Definition of Breach

A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment.

The risk assessment requires the following investigation:

1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
2. The unauthorized person who used the protected health information or to whom the disclosure was made;
3. Whether the protected health information was actually acquired or viewed; and,
4. The extent to which the risk to the protected health information has been mitigated.

The team must also complete an analysis on three potential exceptions to the definition of “breach.” The first exception applies to the unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority. The second exception applies to the inadvertent disclosure of protected health information by a person authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the covered entity or business associate, or organized health care arrangement in which the covered entity participates. In both cases, the information cannot be further used or disclosed in a manner not permitted by the Privacy Rule. The final exception applies if the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made, would not have been able to retain the information.

Unsecured Protected Health Information and Guidance

Covered entities must only provide the required notifications if the breach involved unsecured protected health information. Unsecured protected health information is protected health information that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of specific technology or methodology.

By Matt Kinley, Esq., LLM, CHC

562.715.5557

 

IS YOUR HEALTHCARE COMPLIANCE PROGRAM COMPLIANT?

HEALTHCARE COMPLIANCE

10 RED FLAGS

Under current law, physicians are required to maintain an effective, comprehensive compliance program to detect, correct and prevent incidences of non-compliance with state and federal regulatory law. The goal of a comprehensive compliance program is to prevent the significant criminal and civil penalties that might come with a violation of the False Claims Act, Stark, the Anti-Kickback Statutes, HIPAA and state law equivalents. Failure to comply might lead to exclusion from health payments. Here is a summary of the core components of a complete compliance plan:

#1. MISSING OR INCOMPLETE WRITTEN POLICIES, PROCEDURES AND STANDARDS OF CONDUCT

#2. PEOPLE: NO COMPLIANCE OFFICER OR COMPLIANCE COMMITTEE

#3. TRAINING: THE FACILITY LACKS EFFECTIVE TRAINING AND EDUCATION

#4. COMMUNICATION: THE FACILITY LACKS

#5. PERSONNEL: FAILURE TO PUBLISH DISCIPLINARY STANDARDS & TO EFFECTIVELY DISCIPLINE VIOLATORS

#6. NO SYSTEM TO AUDIT AND MONITOR ORGANIZATION COMPLIANCE AND COMPLIANCE RISKS

#7. FAILURE TO CREATE PROCEDURES TO PROMPTLY RESPOND TO IDENTIFIED ISSUES AND SELF DISCLOSURE OBLIGATIONS

#8. LACK OF SUPPORT FROM PHYSICIANS AND LEADERSHIP OF THE ORGANIZATION

#9. FAILURE TO INSTITUTE PRIVATE HEALTH INFORMATION POLICIES

#10. FAILURE TO MONITOR NEW LAW AND UPDATE COMPLIANCE ACCORDINGLY

By Matt Kinley, Esq., LLM, CHC


Sterilize Your Potential Liability

Is your business compliant with OSHA’s Bloodborne Pathogens Standard?

If you operate a business with employees that are exposed to blood or other potentially infectious materials (OPIM), your business is subject to OSHA’s Bloodborne Pathogens Standard (BPS) under the Code of Federal Regulations. In spite of its attempt to simplify these requirements on its online fact sheet, OSHA imposes a minefield of regulations for small to midsize businesses to navigate. This post provides a brief overview of the Bloodborne Pathogens Standard and what it means to your business.

Have an Updated Plan

All good businesses have a plan, right? Well, OSHA adds to your plans by requiring an “exposure control plan.” 29 C.F.R. 1910.1030 (c)(1). Under this plan, employers must create a catalogue that classifies the employee positions in the company by the level of blood and OPIM exposure. 29 C.F.R. 1910.1030 (c)(2)(i)(A). Also, this plan must detail the tasks and procedures performed by each classification of employee that cause their exposure. 29 C.F.R. 1910.1030 (c)(2)(i)(C).

The Bloodborne Pathogens Standard not only requires the employer to have an exposure control plan but also requires that it be updated annually “to reflect changes in tasks, procedures, and positions that affect occupational exposure, and also technological changes that eliminate or reduce occupational exposure.” OSHA, OSHA’s Bloodborne Pathogens Standard, OSHA Fact Sheet.

In order to make these updates to the satisfaction of OSHA, the employer must also document in their plan that they have both considered and begun using safer medical devices to minimize occupational exposure and engaged with their employees “in identifying, evaluating, and selecting effective engineering and work practice controls.” OSHA, OSHA’s Bloodborne Pathogens Standard, OSHA Fact Sheet. And we’re just getting started.

Don’t Discriminate

It is imperative under the Bloodborne Pathogens Standard that the precautions used to prevent an exposure incident are universal. 29 C.F.R. 1910.1030 (b). As OSHA explains, this means “treating all human blood and OPIM as if known to be infectious for bloodborne pathogens.” OSHA, OSHA’s Bloodborne Pathogens Standard, OSHA Fact Sheet.

Be Well Stocked With the Right Equipment

The Bloodborne Pathogens Standard requires the examination, maintenance, and routine replacement of “engineering controls.” 29 C.F.R. 1910.1030 (d)(2)(ii). What are engineering controls, you ask? They are “controls . . . that isolate or remove the bloodborne pathogens hazard from the workplace” such as sharps disposal cleaners and self-sheathing needles among others. 29 C.F.R. 1910.1030 (b). In other words, take the garbage out on a regular basis. Employers must also provide appropriate personal protective equipment (PPEs) for employees with occupational exposure such as “gloves, gowns, laboratory coats, face shields or masks and eye protection, and mouthpieces, resuscitation bags, pocket masks, or other ventilation devices.” 29 C.F.R. 1910.1030 (d)(3)(i). These PPEs must be provided by the employer at no cost to its employees. Id.

Take Preventative and Remedial Measures

Hepatitis B vaccinations must be made available to all employees with occupational exposure after they have received training and within 10 working days of their initial assignment. 29 C.F.R. 1910.1030 (f)(2)(i). Should there be an exposure incident, you must “make available post-exposure evaluation and follow-up to any occupationally exposed worker who experiences an exposure incident.” OSHA, OSHA’s Bloodborne Pathogens Standard, OSHA Fact Sheet. The procedures the employer must follow after an exposure incident can become complicated with consent and health-related confidentiality issues regarding investigations of the source individual and the employee.

The requirements surrounding warning labels and signs communicating hazards are lengthy enough to warrant their own blog post. The main takeaway from the BPS requirements for labels and signs is this: Anything that comes into contact in any way with blood or OPIM must have a label or sign that warns against the dangers of exposure. As the Code of Federal Regulations states, warning labels must be affixed to “containers of regulated waste, refrigerators and freezers containing blood or other potentially infectious material; and other containers used to store, transport or ship blood or other potentially infectious materials.” 29 C.F.R. 1910.1030 (g)(1)(i). There are also specific regulations relating to warning signs for all entry ways in HIV and HBV research laboratories and production facilities. See 29 C.F.R. 1910.1030 (g)(1)(ii).

This post only scratches the surface of OSHA’s Bloodborne Pathogens Standard. If you run a business that exposes its employees to blood and other potentially infectious materials, you must comply with these regulations under federal law. Operating a healthcare facility is no simple task even before considering regulations such as the Bloodborne Pathogens Standard. Protect your business and ensure you are complying with these detailed requirements.

By Matt Kinley, Esq., LLM, CHC


California Physicians May Be Asked to Help with Assisted Suicide

PHYSICIANS CAN OPT OUT OF ASSISTED SUICIDE LAW

California was the most recent state to adopt the End of Life Option Act, codified at Health & Safety Code section 443. It basically allows a competent patient who has been diagnosed with a terminal illness to seek and obtain a prescription for the necessary drugs to be self-administered. The law is effective on June 9, 2016.

Aid-in-dying legislation has passed in Oregon, Washington, Vermont, and Montana.   Doctors in those states are permitted to prescribe drugs to terminal patients that they will use to end their lives.  The patients must meet certain requirements and undergo a set process to receive the medication.

California’s procedures, like the other states, seek to protect terminal patients from rash decisions or over-anxious relatives.  While patients may designate agents to make all sorts of health care decisions on the patient’s behalf, an agent is not able to request aid-in-dying drugs on behalf of a patient, and therefore these drugs cannot be requested through an advanced healthcare directive.

The Act allows doctors, medical groups and hospitals to opt out of the law. Most, if not all, religious hospitals are expected to reject the law. Physicians are not required to prescribe life-ending drugs to patients. The California Medical Association dropped its opposition to the bill. According to news reports, the state of California will pay for the costs of the drugs to be utilized.

According to the Act, the “aid-in-dying drug” means a “drug determined and prescribed by a physician for a qualified individual, which the qualified individual may choose to self-administer to bring about his or her death due to a terminal disease.”  The Act does not describe what the appropriate drug might be.

Health and Safety Code section 443.22 provides the physician with a checklist to be used if a patient seeks the end of life drug.  See, AttendingPhysicianChecklist

To summarize the requirements, in order for a person to seek aid-in-dying drugs, they must meet the following criteria:

  • The patient must be at least 18 years old
  • They must have capacity to make medical decisions
  • Diagnosed with a terminal illness by an attending AND consulting physician
  • The individual must voluntarily express the wish to receive the aid-in-dying drug
  • They must request the drug twice orally—such requests should be made 15 days apart
  • Must request by written request which is signed/dated and witnessed by two adults
  • Must be California resident (and provide proof of such residency)
  • Must have physical and mental ability to self-administer the drug
  • The decision must be confirmed that it is not due to coercion or undue influence
  • The attending physician must offer the qualified individual the opportunity to withdraw or rescind the request

Upon filling the aid-in-dying prescription, the patient must complete a “Final Attestation for an Aid-in-Dying drug to End My Life in a Humane and Dignified Manner” form 48 hours prior to self-administering the drug.

Developments in the law should be closely monitored, as it is likely that state regulators may develop more detailed and specific standards when facing a terminal patient seeking end of life drugs.

By Matt Kinley, Esq., LLM, CHC


INSURANCE COMPANIES SEEK TO DEFEAT THE SURGERY CENTERS

Various news organizations (for example, Law360) reported on Aetna’s jury verdict against Northern California surgery centers for over-billing the insurer for out-of-network procedures. The jury determined that the surgery center should pay $37.4 million in damages.  The complaint by Aetna included allegations that surgery centers waived patient co-pays and other fees, sales of shares to physicians (who received substantial ROI) in addition to the physician’s own fee for service and other “fraud.”

Other lawsuits with similar allegations are pending. United Healthcare Services has a complaint against several Bay Area ASCs claiming the ASCs’ bills are artificially inflated, that the providers utilize different charges for different patients (out-of-network charges being the highest), that the ASCs failed to disclose waiver of co-pays, and that they gave inappropriate incentives to physicians for referring patients to the ASC.

The insurers in these cases are attempting to utilize the courts to stop out-of-network billings, especially for ASCs.   The conduct they are complaining about is a common issue of our medical landscape.  Surgery centers are typically physician owned and tend not to have insurance with the typical plans that exist.  Physicians will often promote the ASC as providing superior service, especially compared with alternative medical centers and hospitals.  In order to encourage the patient to have procedures at a facility which does not accept their insurance, the physician and the ASCs will often assure the patient that they will seek reimbursement from the out-of-network insurance provider and that any service received will be at no cost to the patient.  Freed from in-network contracts, these facilities seek their “reasonable fees” from the insurer.

The current litigation will certainly lead to appeals and opinions by courts that will alter the legal landscape. The facts in the Aetna case appear to include evidence of communications between physicians encouraging referrals to the surgery centers, which would appear inflammatory to the jury.

 

However, existing law does not appear to support the insurers’ claims. For instance, the Accountable Care Act actually requires discounting co-payments for out-of-network emergencies. (“Any cost-sharing requirement expressed as a copayment or coinsurance rate imposed with respect to a participant, beneficiary, or enrollee for out-of-network emergency services cannot exceed the cost-sharing requirement imposed with respect to a patient, beneficiary or enrollee if the services were provided in network.” 45 C.F.R. 147.138.) The California Attorney General opined that waiver of copayments for out-of-network insurance companies was appropriate. (Dentists’ routine waiver of co-pay appropriate. 64 Ops. Cal. Atty. Gen. 782 (1981).) Discounts to encourage patient referrals are not impermissible. (People v. Duz-Mor Diagnostic Laboratory, Inc. (1998) 68 Cal. App. 4th 654.) Likewise, it is legal for physicians to refer to surgery centers where they have a financial interest. (California Business Code section 650(d).)

Providers who routinely bill to out-of-network providers should monitor these cases closely. The courts will be making groundbreaking decisions in this area in coming months.

By Matt Kinley, Esq, LL.M.  Mr. Kinley represents health care clients in Southern California.

Federal Court Rules CGL Policies Cover Data Breach

Insurance companies issuing commercial general liability (CGL) policies are undoubtedly taking note of a recent noteworthy, though unpublished, federal appeals court decision. In April 2016, a federal appeals court in Virginia upheld a lower court’s ruling that a CGL policy may cover a data breach. The decision centered on the interpretation of policy language that the court said should be construed broadly. The ruling will likely cause insurers to scrutinize coverage language more closely and revise future policy definitions. For insureds, the decision should prompt a second look at policy language to determine whether a data breach arguably falls within the scope of coverage. The case, Travelers Indemnity Company of America v. Portal Healthcare Solutions, L.L.C. (https://www.scribd.com/doc/308033367/Travelers-v-Portal-Healthcare-Fourth-Circuit-Court-of-Appeals) (hereinafter referred to as “Portal Healthcare”), is at odds with other recent state court decisions.

 

The factual prompt for the suit was a class-action lawsuit brought by patients of a hospital whose confidential medical records were publicly posted online by the hospital’s electronic record-keeping service, Portal Healthcare Solutions (“Portal”). Portal tendered the matter under the two separate but substantially identical CGL policies issued by Travelers. In a declaratory relief action, Travelers argued data breach was not covered under the policies, but the District Court for the Eastern District of Virginia in Alexandria ruled that Travelers had a defense obligation under the Personal and Advertising Injury coverage section of the policies. The policies’ language obligated coverage because of an advertising or website injury arising from the “electronic publication of material that…gives unreasonable publicity to a person’s private life” or “the electronic publication of material that discloses information about a person’s private life.”

 

Travelers argued that the action of posting the medical records online was not a “publication” within the meaning of the policy because it could not be proven that the records were actually viewed by a third party. The lower court and appellate court rejected this narrow and “pars[ing]” definition of publication. The appellate court also held that the class-action complaint by the patients “at least potentially or arguably alleges a publication of private medical information” and that the conduct, if proven, would have given unreasonable publicity to and disclosed information about the patients’ private lives. The court determined that any doubt in the meaning of the word “publication” should be interpreted in a manner that grants coverage rather than withholds it.

 

The lower court’s opinion distinguished a Connecticut case which ruled that a CGL policy did not cover the loss of computer tapes that contained personal information. See Recall Total Info. Mgmt. Inc. v. Fed. Ins. Co., 83 A.3d 664 (Ct. App. Conn. 2013).  In that case, computer tapes fell out of the back of a van, were taken by an unknown person, and never recovered. Id. at 667.  This fact pattern was distinguished because it involved a single thief and no allegation that the stolen information had been placed on the internet.  In the Portal Healthcare case, the court stressed that the facts alleged “potentially or arguably” constituted “publication.”

 

While insurers offer policies specifically addressing cyber liability and data breach, these policies can often be cost-prohibitive and/or scarce. Business owners should consult with their legal counsel to look closely at the terms of the business’ CGL policies to determine whether they may potentially or arguably cover data breaches. The exorbitant cost of defending a data breach lawsuit, especially a class-action suit, may justify a declaratory relief action against a CGL carrier to determine whether the claims trigger a defense obligation. All companies should evaluate their cyber risks and exposures to make an informed decision about whether cyber liability insurance coverage is worth it. Despite the holding in Portal Healthcare, securing coverage for data breach incidents under a CGL policy is still an uphill battle.

 

By Matt Kinley, Esq., LLM, CHC
