Category Archives: HIPAA


How should physicians deal with contractually arranged pregnancies?
Physicians, particularly obstetricians, who care for surrogate pregnancies face unique legal and practical issues arising from the contractual obligations of the surrogate mother.

Physicians are not lawyers and shouldn’t pretend to help the parties with the surrogate contract issues. However, they can help the parties understand the medical issues such contracts create.

Treat Surrogate Mother and the Fetus

According to the recommendations of a 2008 American Congress of Obstetricians and Gynecologists (ACOG) committee opinion, a medical professional’s obligation is to care for the pregnant woman and the fetus.

“While caring for a surrogate mother it is the professional obligation of the obstetrician to support the well-being of the pregnant woman and her fetus, to support the pregnant woman’s goal for the pregnancy, and to provide appropriate care regardless of the patient’s plan to keep or relinquish the child. The obstetrician must make recommendations that are in the best interests of the pregnant woman and her fetus, regardless of prior agreements between her and the intended parents.”

This contrasts sharply with California law since 1993, when the California Supreme Court approved surrogacy agreements for gestational surrogacy (Johnson v. Calvert). The court ruled that, as between the genetic relationship of the woman who donated the egg and the relationship of the surrogate, “she who intended to procreate the child - that is, she who intended to bring about the birth of a child that she intended to raise as her own - is the natural mother under California law.”

The parties who hired the surrogate should be the parents. By making this ruling, the Court signaled its intent to look at the intent of the parties to determine who is the parent.

How does the healthcare system respond to conflicts between the birth mother and the contracting parents? The ACOG Opinion requires the physician to support the birth mother’s goals for the pregnancy. The California Supreme Court’s ruling (later codified) gives the mantle of parenthood to the parties who hired the surrogate. How does the doctor decide when the parties disagree?

California Case Demonstrates the Issues.

One California case demonstrates some of the issues (CM v. MC). In the case, a 50-year-old male postal worker who lived with his mother wanted a male child. Through a surrogacy agency, he contracted with a 47-year-old woman to carry his surrogate baby. The intended father and the surrogate mother never met. Through the broker, a 75-page agreement was signed. The agreement provided that the mother would receive $27,000, with a $6,000 bonus in the case of multiple pregnancies, that the woman would become impregnated by implantation of donor eggs fertilized by the postal worker’s sperm, and that the intended father would pay medical bills and insurance for the surrogate during the pregnancy. The agreement further provided that the intended father wanted a male child and that, in the event of a multiple pregnancy, the intended father had the right to require “selective reduction” of the pregnancy.

The surrogate mother became pregnant by implantation, resulting in a pregnancy of three males. The surrogate mother either did not read or did not understand the agreement she signed. The agreement allowed the intended father to make a decision about selective reduction if there was a multiple pregnancy. The surrogate mother, however, did not believe in abortion. When the father instructed her to reduce the pregnancy, because he was running out of money and could not handle triplets, the surrogate mother refused. Litigation resulted. The end result was that the triplets were born and the intended father got custody.

Guidelines for Treating Surrogate Mothers

The following is a list of guidelines for caring for surrogate mothers.

First a warning: there is little legal guidance for many of these guidelines, and there has been too little discussion about the legal obligations of the physician in these situations.

Get a copy of the Surrogacy Contract.

The purpose of obtaining this agreement is not to give legal advice or to make decisions based upon the agreement. Rather, knowledge of the agreement can give the obstetrician important information about the medical choices made by the parties. Some of them include:

a. HIPAA Waiver. Surrogate contracts usually give the intended parents the right to information about the pregnancy. This provision should be reviewed by compliance professionals. If it is not sufficient, the practice’s own HIPAA waiver should be offered to the surrogate so that the intended parents can receive information and possibly attend in-office appointments.

b. Surrogate Mother’s Behavior During the Pregnancy. Standard contracts provide for the behavior of the surrogate mother during the pregnancy, including diet, abstention from tobacco, alcohol, drugs, etc., the use of vitamins, exercise, and frequency of visits to the physician. Agreements may even require treatment of the child before birth, such as reading or playing music to the child, or may specify birth methods.

c. Decision Points During the Pregnancy. The physician can take note of the obligations of the surrogate to make certain decisions, such as DNA testing, or selective reduction as described in the case above.

Note that there is some risk in obtaining the Surrogacy Contract: by having knowledge of the terms of the agreement, a slighted party may try to sue the physician for a tort called “interference with contract.” This would be an allegation that the physician intentionally attempted to get the surrogate to breach the contract. There is no known case in the country for this cause of action at this time.

Follow The Instructions of the Surrogate Mother.

As the pregnancy unfolds, the ideal situation is one in which the surrogate mother and the intended parents visit the physician’s office together and make joint decisions as the pregnancy proceeds. However, if there is conflict, or if the physician is faced with a situation where the surrogate mother is not following the surrogacy contract, the physician should follow the instructions of the surrogate mother unless and until the intended parents obtain a court order. The physician should stay out of any legal dispute.

Inform Intended Parents.

As long as the surrogate mother has allowed the intended parents access to medical information, and as long as such waiver of privacy is not terminated by the surrogate mother, the physician should share information about the pregnancy with the intended parents. If such privacy waiver is revoked, the physician should inform the intended parents of such revocation, and stop sharing information without a court order.

Absentee Intended Parents.

Often, the intended parents are absent until the birth. In such cases, the physician should follow only the surrogate’s instructions during the pregnancy.

After Birth Issues.

Generally, surrogate contracts allow intended parents to go into court and get an order of custody at the time of birth. If such an order exists, the intended parents would usually have the right to make all decisions regarding children born to the surrogate mother. Without such an order, the surrogate mother’s instructions should be followed.

This article is meant as a set of guidelines in an area of law that has no real guidelines. Suggestions or different experiences are welcome.

By Matt Kinley, Esq., Founder of Kinley Law Practice.

California Health Record Privacy


In California, the Confidentiality of Medical Information Act (“CMIA”) creates rights for patients in their own personal records. While most attention is given to federal law, especially HIPAA and HITECH, when trying to understand what to do with medical records, California has created a strong statutory scheme of its own to protect patients’ rights.

Codified at Civil Code section 56.10, the Act provides that “No provider of health care, health care service plan, or contractor shall disclose medical information regarding a patient of the provider of health care or an enrollee or subscriber of a health care service plan without first obtaining an authorization” from the patient. The statute then goes on to prescribe in detail the requirements for a valid authorization.

A violation of the CMIA will result in fines and a civil cause of action against the party who disclosed the private healthcare information.

The CMIA does have several exceptions. Some of the exceptions require the healthcare provider to disclose information, for example under court order or for police or coroner investigations. Other exceptions allow, but do not require, the physician to disclose medical records to other health care providers and health insurance companies. Healthcare providers may also provide information that has been scrubbed of identifying information to public health studies and to other organizations whose work helps the medical profession better understand healthcare services.

By Matt Kinley, Esq.



University of California, Riverside. HIPAA and the HITECH regulations impose burdens on healthcare providers on how private health information can be utilized. Given the potential penalties for missteps, this is an important topic for the healthcare industry to grasp. Tickets are still available!

As a recent Office for Civil Rights report pointed out, 2016 was a record year for enforcement: “OCR has been on a tear, settling 11 cases in 2016 with resolution agreements and corrective action plans. The agency also won a decision by an administrative law judge in an enforcement action contested by a home healthcare and medical equipment supplier (see OCR Slaps Home Health Provider with Penalty).”

Private Health Information must be maintained and utilized in ways that protect the information from exposure.

Matt Kinley is a health care attorney and founder of Kinley Law Practice in California. You can contact him at


How to Utilize an Attorney for HIPAA Breach Analysis

Attorney’s Role in Breach Analysis

An attorney’s role in any potential breach is to lead an assessment of the breach and to help clients determine whether to disclose it by applying the law to the factual investigation. Such an assessment is required of covered entities when a breach is suspected under the Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules, the HITECH Act, the Genetic Information Nondiscrimination Act (GINA) and the corresponding regulations. As the company and its experts review the potential breach, the attorney should apply the law implicated by the facts. The appropriate law may be not only federal law but state law as well, for example the very stringent California privacy law that applies to breaches in California.

If it is determined that there is a reportable breach, the attorney assists with the proper methods of making notification.

Any attorney chosen for this task should have experience and education in healthcare law. Some examples include a healthcare LLM, such as the one offered by Loyola Chicago’s Beazley Institute for Health Law and Policy, and designations in compliance, such as Certified in Healthcare Compliance (CHC).

My background includes retention by several clients to help with such assessments and a Master of Laws (LLM) in Healthcare Law from Chicago Loyola Law School, and I am Certified in Healthcare Compliance (CHC). I help healthcare institutions comply with HIPAA and other federal and state regulations.

Definition of Breach

A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment.

The risk assessment requires the following investigation:

1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
2. The unauthorized person who used the protected health information or to whom the disclosure was made;
3. Whether the protected health information was actually acquired or viewed; and,
4. The extent to which the risk to the protected health information has been mitigated.

The team must also complete an analysis on three potential exceptions to the definition of “breach.” The first exception applies to the unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority. The second exception applies to the inadvertent disclosure of protected health information by a person authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the covered entity or business associate, or organized health care arrangement in which the covered entity participates. In both cases, the information cannot be further used or disclosed in a manner not permitted by the Privacy Rule. The final exception applies if the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made, would not have been able to retain the information.

Unsecured Protected Health Information and Guidance

Covered entities need only provide the required notifications if the breach involved unsecured protected health information. Unsecured protected health information is protected health information that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a specific technology or methodology.

By Matt Kinley, Esq., LLM, CHC






Under current law, physicians are required to maintain an effective, comprehensive compliance program to detect, correct and prevent incidences of non-compliance with state and federal regulatory law. The goal of a comprehensive compliance program is to prevent the significant criminal and civil penalties that might come with a violation of the False Claims Act, the Stark Law, the Anti-Kickback Statute, HIPAA and their state law equivalents. Failure to comply might lead to exclusion from health program payments. Here is a summary of the core components of a complete compliance plan:











By Matt Kinley, Esq., LLM, CHC








Federal Court Rules CGL Policies Cover Data Breach

Insurance companies issuing commercial general liability (CGL) policies are undoubtedly taking note of a recent noteworthy, though unpublished, federal appeals court decision. In April 2016, a federal appeals court in Virginia upheld a lower court’s ruling that a CGL policy may cover a data breach. The decision centered on the interpretation of policy language that the court said should be construed broadly. The ruling will likely cause insurers to scrutinize coverage language more closely and revise future policy definitions. For insureds, the decision should prompt a second look at policy language to determine whether a data breach arguably falls within the scope of coverage. The case, Travelers Indemnity Company of America v. Portal Healthcare Solutions, L.L.C. (hereinafter referred to as “Portal Healthcare”), is at odds with other recent state court decisions.


The factual prompt for the suit was a class-action lawsuit brought by patients of a hospital whose confidential medical records were publicly posted online by the hospital’s electronic record-keeping service, Portal Healthcare Solutions (“Portal”). Portal tendered the matter under two separate but substantially identical CGL policies issued by Travelers. In a declaratory relief action, Travelers argued that the data breach was not covered under the policies, but the District Court for the Eastern District of Virginia in Alexandria ruled that Travelers had a defense obligation under the Personal and Advertising Injury coverage section of the policies. The policies’ language obligated coverage because of an advertising or website injury arising from the “electronic publication of material that…gives unreasonable publicity to a person’s private life” or “the electronic publication of material that discloses information about a person’s private life.”


Travelers argued that the action of posting the medical records online was not a “publication” within the meaning of the policy because it could not be proven that the records were actually viewed by a third party. The lower court and the appellate court rejected this narrow, “pars[ing]” definition of publication. The appellate court also held that the class-action complaint by the patients “at least potentially or arguably alleges a publication of private medical information” and that the conduct, if proven, would have given unreasonable publicity to and disclosed information about the patients’ private lives. The court determined that any doubt in the meaning of the word “publication” should be interpreted in a manner that grants coverage rather than withholds it.


The lower court’s opinion distinguished a Connecticut case which ruled that a CGL policy did not cover the loss of computer tapes that contained personal information. See Recall Total Info. Mgmt. Inc. v. Fed. Ins. Co., 83 A.3d 664 (Ct. App. Conn. 2013). In that case, computer tapes fell out of the back of a van, were taken by an unknown person, and were never recovered. Id. at 667. This fact pattern was distinguished because it involved a single thief and no allegation that the stolen information had been placed on the internet. In the Portal Healthcare case, the court stressed that the facts alleged “potentially or arguably” constituted “publication.”


While insurers offer policies specifically addressing cyber liability and data breach, these policies can often be cost-prohibitive and/or scarce. Business owners should consult with their legal counsel to look closely at the terms of the business’ CGL policies to determine whether they may potentially or arguably cover data breaches. The exorbitant cost of defending a data breach lawsuit, especially a class-action suit, may justify a declaratory relief action against a CGL carrier to determine whether the claims trigger a defense obligation. All companies should evaluate their cyber risks and exposures to make an informed decision about whether cyber liability insurance coverage is worth it. Despite the holding in Portal Healthcare, securing coverage for data breach incidents under a CGL policy is still an uphill battle.


By Matt Kinley, Esq., LLM, CHC




In December of 2015 Congress passed a 2000-page spending bill which was enacted into law. Included in the text was the Cybersecurity Information Sharing Act of 2015 (CISA). While that legislation received most of the headlines, the spending bill also implemented some major developments in the field of privacy for the healthcare industry. Section 405 of Title IV directs the Department of Health and Human Services (HHS) to develop best practices for organizations in the healthcare industry.

The legislation mandates that HHS report to Congress regarding the preparedness of the health care industry in responding to cybersecurity threats. This includes identifying the HHS official responsible for coordinating threat efforts and including plans for how HHS divisions communicate with one another regarding threats. Congress also mandated a one-year task force to plan a real-time threat reporting system and to prepare cybersecurity preparedness information for dissemination in the healthcare industry. Most notably, HHS has been directed to collaborate with other governmental entities and experts to establish best practice standards specific to healthcare cybersecurity. The intent is to create an industry-standard and cost-effective method to reduce cybersecurity risks for healthcare organizations.

Inclusion of Section 405 of the Cybersecurity Act of 2015 reinforces the federal government’s well-established priority of protecting personal health information. Protection is necessary because of the high value of personal health information on the black market. According to The Insurance Journal, a complete health record containing a patient’s entire health profile can fetch as much as $500. The value is based on the ability of lawbreakers to fraudulently bill insurers for medical services. Compared to industries like the credit card payment industry—which has implemented its own cybersecurity standards—the healthcare industry is woefully behind in its efforts to protect valuable private information.

Healthcare facilities, both public and private, should stay ahead of HHS and develop their own internal policies, security measures, and best practices to protect the confidential information of their patients. While future guidance from HHS will help establish industry-standard best practices, healthcare providers should evaluate their cybersecurity needs now and work with experts—attorneys, technologists, and governmental agencies—to stay ahead of the curve. Undoubtedly the attention given to healthcare cybersecurity in the coming years will increase the scrutiny on healthcare providers who fail to meet industry standards.

By Matt Kinley, Esq., LLM, CHC




The Occupational Safety and Health Act of 1970 requires employers to provide their employees with working conditions that are free from known dangers. There are thousands of pages interpreting the meaning of that simple statement, including primarily what is a “known danger.”

For medical facilities, OSHA has attempted to provide guidelines for protecting healthcare workers from violence in the workplace. In OSHA: Guidelines for Preventing Workplace Violence for Healthcare Workers (2015), OSHA explains its expectations for organizations in complying with the obligation to provide a safe workplace and to prevent violence. Many of the obligations are structural, that is, they provide for a system to protect against violence: policies, training, workplace evaluation, and documentation of an organization’s efforts to complete these tasks. As with HIPAA and compliance, the solution to medical office problems is a new policy, a committee and training.

Along with this new resource comes a new obligation. In an OSHA Instruction, OSHA reviews the inherent dangers in the healthcare setting and the higher rates of violence and injury found there. It instructs its investigators to pay more attention to the healthcare setting, using its 2015 guidelines.

If you are a healthcare company, it makes sense to pay attention to these OSHA materials. Even if you are not investigated by OSHA itself, the guidance sets up a standard of behavior and a basis for a potential negligence suit should your facility suffer violence.

By Matt Kinley, Esq., LLM, CHC



When is an “electronic signature” legally appropriate in the medical context?

More than one would think. Electronic signatures are appropriate under HIPAA and other federal and state laws, and they are enforceable under California’s Uniform Electronic Transactions Act (Civil Code section 1633.1 et seq., “UETA”). There are some cautions, though. Digital signatures on custodian affidavit/declaration forms, consents to treatment, and generally all documents where a patient must sign are permissible and legally enforceable.

Electronic & Digital Signatures.

There is a distinction between an “electronic” and a “digital” signature. Federal law and many state laws allow electronic signatures on some documents. Electronic signatures can be a picture of a signature, an agreed-upon string of characters, a symbol, a signature typed into a signature block in an electronic form, and other personal non-encrypted, agreed-upon identifiers. A digital signature is an encrypted “hash” or tag that is registered to an individual and accompanies transmission of electronic data or forms signed via computer. Digital signatures are much more reliable than electronic signatures because they allow recipients to validate senders and prevent repudiation at a later date.
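The following Go program is an added illustration of that distinction and is not part of the original post: a typed name that anyone can reproduce, versus an Ed25519 signature over a hash of a consent form that the recipient checks against the signer's registered public key, which fails if the form is altered after signing or if a different person's key is used. The consent form, patient identifier and key pairs are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// ConsentForm is a constructed stand-in for a medical document a patient signs.
type ConsentForm struct {
	PatientID string
	Text      string
}

// bytesToSign canonicalises the form so that signer and verifier hash
// exactly the same bytes; any change to either field changes the hash.
func (f ConsentForm) bytesToSign() []byte {
	return []byte(f.PatientID + "\n" + f.Text)
}

// ElectronicSignature models a typed name: anyone can produce the same
// string, and nothing ties it to the signer or to the document content.
func ElectronicSignature(typedName string) string {
	return typedName
}

// DigitalSignature hashes the form and signs the hash with the signer's
// private key (Ed25519). The hash commits to the document content; the
// private key binds the signature to the individual it is registered to.
func DigitalSignature(priv ed25519.PrivateKey, f ConsentForm) []byte {
	digest := sha256.Sum256(f.bytesToSign())
	return ed25519.Sign(priv, digest[:])
}

// VerifyDigitalSignature is what the recipient runs: recompute the hash and
// check it against the signature with the signer's public key. It fails if
// the form was altered or if the signature was made with a different key.
func VerifyDigitalSignature(pub ed25519.PublicKey, f ConsentForm, sig []byte) bool {
	digest := sha256.Sum256(f.bytesToSign())
	return ed25519.Verify(pub, digest[:], sig)
}

// Demo signs a constructed consent form and reports whether the signature
// verifies on the original, on a tampered copy, and under another person's key.
func Demo() (validOriginal, validTampered, validWrongKey bool, err error) {
	// Key pair registered to the patient; the practice keeps the public key
	// on file to validate the sender.
	patientPub, patientPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	// An unrelated key pair, to show another person's key does not validate.
	otherPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}

	form := ConsentForm{
		PatientID: "PT-0001", // constructed sample identifier
		Text:      "I consent to the procedure described in this form.",
	}
	sig := DigitalSignature(patientPriv, form)

	// A tampered copy: one sentence appended after the form was signed.
	tampered := form
	tampered.Text += " I also consent to any additional procedures."

	return VerifyDigitalSignature(patientPub, form, sig),
		VerifyDigitalSignature(patientPub, tampered, sig),
		VerifyDigitalSignature(otherPub, form, sig),
		nil
}

func main() {
	orig, tampered, wrongKey, err := Demo()
	if err != nil {
		panic(err)
	}
	// A typed name is reproducible by anyone, so on its own it proves nothing.
	fmt.Printf("typed-name signature reproducible by anyone: %v\n",
		ElectronicSignature("Jane Doe") == ElectronicSignature("Jane Doe")) // true
	fmt.Printf("original form verifies: %v\n", orig)          // true
	fmt.Printf("tampered form verifies: %v\n", tampered)      // false
	fmt.Printf("other person's key verifies: %v\n", wrongKey) // false
}
```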

California Law: the UETA

California law provides in the UETA: “(a) A record or signature may not be denied legal effect or enforceability solely because it is in electronic form. (b) A contract may not be denied legal effect or enforceability solely because an electronic record was used in its formation. (c) If a law requires a record to be in writing, an electronic record satisfies the law. (d) If a law requires a signature, an electronic signature satisfies the law.”

What is an electronic signature? The language of the statute is simple: an electronic signature satisfies the law. Typically, if the person “signing” types his name on an email, formatted screen or word processing document, that will suffice as a signature. The document with the signature should be reliable: sent from the signer’s email, or delivered by him or her in some other way.


As in all contracts, the surrounding circumstances are important. In a recent California Court of Appeal case (JBB Investment Partners v. B. Thomas Fair), the court looked at the actions surrounding a party’s alleged electronic signature to a contract. The Court determined that while the party had printed his name in an electronic communication, other communications showed that there had not been “a meeting of the minds,” or a final agreement as to terms.

Even with this cautionary case, most of the time electronic signatures will be acceptable for medical records. If the party signing gives indications of some doubt about what is being signed, you might want to have the document signed in your facility.

By Matt Kinley, Esq.




Compliance in Physician Offices

Compliance guidance for physician practices was issued by the Office of Inspector General in 2000. Since that time, many physician practices, especially more complex specialty practices, have developed some sort of compliance plan. Compliance covers many areas of a healthcare practice.

Although compliance plans have not previously been mandatory, they have become “industry standard” as a way to minimize risks associated with health care regulations such as the Health Insurance Portability and Accountability Act of 1996, the Medicare and Medicaid Fraud and Abuse Laws, the Anti-Kickback Statute, the Civil Monetary Penalties Law, the False Claims Act, the Clinical Laboratory Improvement Act and all other state and federal statutes, regulations and directives that apply to the operation of a complex physician’s practice.

The Patient Protection and Affordable Care Act of 2010, in section 6401, requires Health and Human Services and the Office of Inspector General to promulgate regulations that require most healthcare providers and suppliers to establish compliance programs. The compliance programs are intended to be “effective in preventing and detecting criminal, civil, and administrative violations” under the Medicare and Medicaid laws and other laws that govern operations.

Under the Affordable Care Act, physicians and group practices will be required to establish compliance programs as a condition of enrollment in the Medicare program. HHS is required to issue regulations creating a timetable and basic core compliance program requirements.

Physician groups should begin the process of establishing compliance programs as soon as possible and not wait for final regulations. Compliance programs are a good way for physician practices to reduce risk associated with fraud and abuse and other legal matters that present risk to their operations. It makes sense for physicians to begin development now to provide ample time for creation of appropriately scaled policies and input from various personnel in the group.

It will not be sufficient to adopt pre-written compliance policies. Rather, physician offices must establish a continuing system of review for their office. Practices may need to modify the program based upon their specialization. The seven core elements of effective compliance programs have been released by the Office of Inspector General, including in the Physician Practice Guidelines.

A compliance program requires the physician to perform a risk assessment of their organization and document the outcomes of that assessment. The risk assessment could take many forms. Compliance professionals talk about a “gap analysis,” which is an approach to help determine the vulnerabilities of your organization. The areas of risk identified through your risk assessment then determine where the program places its emphasis.

The seven areas of emphasis include:
1. Adoption of written guidelines and policies to promote the organization’s commitment to compliance;
2. Identification and appointment of a high ranking individual within the organization to serve as compliance officer;
3. Establishment of anonymous reporting systems, preferably through multiple pathways, to encourage individuals to make complaints regarding compliance items without fear of retaliation;
4. Effective education and training programs for all levels of employees and others with close relationships to the organization;
5. Ongoing auditing systems to assess the effectiveness of the compliance program and to provide input into areas that require additional emphasis;
6. Mechanisms to enforce the requirements of the compliance program and to discipline employees for violations of the organization’s commitment to compliance; and
7. An ongoing system of program modification based upon audit, feedback and experience that can further adapt the compliance policies to the specific issues faced by the organization.

By Matt Kinley, Esq.