
Rapid Fire Affordable Care Act and HIPAA – Are You In Compliance? Erik P. Crep Stuart T. O’Neal Wicker, Smith, O’Hara, McCoy & Ford, P.A. Burns White Miami, Florida Philadelphia, Pennsylvania

New Approaches to Attacking Damages Affordable Care Act

What is ACA? Adopted by Congress on March 23, 2010 Held constitutional by U.S. Supreme Court in National Federation of Independent Business v. Sebelius, 132 S.Ct (2012) Provides that all persons in the U.S. be afforded health insurance, regardless of their health or financial situation Act contains 5 essential components designed to improve access to health care and health care insurance benefits: 1. The individual mandate 2. Minimum essential benefits 3. Guaranteed issue requirement 4. The employer mandate 5. Tax credits and subsidies

Individual Mandate Requires every applicable individual to obtain minimum coverage or pay a penalty. 26 USC § 500 A(a) – (e). Supreme Court upheld the law, calling it a tax (but the challenges continue) Therefore, argument is that it is not a collateral source because it is a tax Limitations on deductibles by federal law. In 2014 that maximum amount is $6, for individuals, $12,700 for families. 26 USC § 1302(b) Plaintiffs have a duty to mitigate their damages Duty to mitigate combined with the individual mandate means the Plaintiff by law must buy insurance and by case law has a duty to mitigate damages. Defense argument is that the Defendant can pay for the health insurance to allow the Plaintiff to A. Comply with the law B. Get insurance C. Get insurance with a limitation per year of $6, D. Pre-existing conditions are covered – no policy exclusions Defense argument is to be liable for the out of pocket deductible, the annual premium and any increase in the premium and co-payments.

Essential Health Coverage All qualified plans are required to provide minimum essential coverage and must include: 26 USC § 1302(b) Ambulatory patient services Emergency Room Hospitalization Maternity and Newborn Care Mental Health and Substance Abuse Prescription Drugs Lab Services Preventable Wellness Care and Chronic Disease Management Pediatric Services

Guaranteed Issue Requirement Under Act – no pre-existing exclusion No lifetime caps Can be limitations but depends on plan selected. In Florida we have Catastrophic Florida Blue Platinum 90% of actuarial level Gold 80% of actuarial level Silver 70% of actuarial level Bronze 60% of actuarial level Each State offers a blend of services, goods and coverage depending on the premium cost. Physical therapy, occupational therapy and speech and rehab are examples of covered services. Must check each State’s exchange for delineated services covered. Cheaper to buy insurance, calculate the out of pocket maximum and increase in premium than to pay for life care plan.

Collateral Source Rule Traditional application to prohibit reference to “collateral sources” such as Insurance, Medicare and Medicaid This Rule is the biggest obstacle to reducing damages for future medical costs for private health insurance Challenges to Collateral Source Rule Application under ACA  Future payments have to be “reasonable and necessary.” Introduction goes to “reasonableness” and refutes life care plan/economic estimates.  Individual mandate premised on a tax via Supreme Court  ACA will apply to future payments – not past amounts.  Any award will enable Plaintiff to purchase health insurance which is “affordable”.

Collateral Source Rule continued General Justification for No Offset vs. ACA Enforced principle that tortfeasor pays for the consequences of their actions Tortfeasors should not receive windfall of less or no damages based on benefits paid by a 3rd party In the past, courts were reluctant to “reward” tortfeasors because of plaintiff’s foresight to purchase insurance – this foresight has been replaced with legal obligation to obtain insurance

Mitigation of Damages Plaintiff not entitled to recover damages for harm that he/she could have avoided by use of reasonable effort or expense Precludes recovery of unreasonably excessive expenses incurred in response to a tort All plaintiffs must take reasonable measures/effort to minimize damages

Expert Witnesses for the Defense Need experts on available plans and services implemented by each State and available to patient Need expert to opine on the annual increase of the premium and the set out of pocket maximum Attach plaintiff’s life care plan with this alternative and demonstrate many services are provided by insurance Experts to consider: Economist Insurance person Life expectancy expert Experts to explain the benefits of the ACA to the Plaintiff

Billed vs. Negotiated Insurance Rate Large difference between what is billed vs. what insurance carriers actually pay As much as 8-10 x’s higher Prior to ACA, less than 5% of patients paid a provider’s “billed” rates.

“Attack” on Defense Define damages, assessment of future medical damages. Defendants must ensure Plaintiffs establish future damages (burden of proof) Future damages need be reasonably certain to be sustained or occur in the future Future medical costs are “medically reasonable and necessary” Damages to compensate the patient or “make them whole” – not to punish the defendant

Cases: The Good, the Bad and the Ugly

Good Cases

Bad/Ugly Cases Leung v. Verdugo Hills Hospital, 2013 WL (CA. Ct. App. 2013) Med. Mal case with future medical expenses Hospital argued on appeal that it should have been permitted to introduce evidence of Plaintiff health insurance to rebut plaintiff’s future medical expenses in part due to ACA, “the availability of such federally mandated available insurance options makes the prospect of future health insurance coverage for plaintiff anything but speculative” Court NOT persuaded, holding “such evidence, standing alone, is irrelevant to prove reasonably certain insurance coverage … because it has no tendency in reason to prove that specific items of future care and treatment will be covered, the amount that coverage, or the duration of that coverage.”

Defense Counter to Leung v. Verdugo Hills Hospital, 2013 WL (CA. Ct. App. 2013) Leung court failed to take into account ACA’s minimum coverage requirements Under ACA, all plans will be required to meet certain minimum coverage standard While there will be future variations above the minimum, all plan policies will maintain a certain required baseline Jury should be able to consider an attack on life care plan that fails to take into account ACA’s minimum coverage

Halsne v. Avera Health, 2014 WL (D. Minn. 2014) Issue: whether plaintiff’s future medical expense damage should be limited to projected payments of premiums and deductibles under ACA Under Minn. collateral source doctrine, plaintiff can recover full damage regardless of whether plaintiff can recover some or all of his damages from a collateral source of payment, such as insurance District Court held that any benefits received through the ACA do not provide a basis for reducing the potential award to plaintiff

Issue: Each State’s Collateral Source Doctrine --- ex. FLORIDA No known case discussing ACA in Florida However, collateral source/Medicare cases shed light State Farm v. Joerg, 2013 WL (Fla. 2d DCA 2013) Earned (paid) vs. unearned (free) benefits While it is true that the introduction of potential future Medicare benefits may be speculative to an injured plaintiff, Florida Supreme Court rejected this point. Holding: admission of evidence of disabled person’s receipt of medical services under Medicare program in determining future damages would not violate common law collateral source rule

State Farm v. Joerg, 2013 WL (Fla. 2d DCA 2013) continued … The availability of services under the [Medicare] program (including the risk of unavailability), as well as the costs and quality of such services, are relevant to the determination of the amount of future damages and relevant to assist jury in determining the reasonable cost of the plaintiff’s future care. The jury remains free to find that the publicly available services do not meet the plaintiff’s future needs.

ACA Conclusion Argue Mitigation, collateral sources and discovery of cost of care Retain experts Need to do more than just point to ACA – this strategy has already been rejected Use ACA at mediation. Show which services/care are covered by ACA. Evidence should show that future insurance coverage is reasonably certain Link covered services with items/costs listed in plaintiff’s life care plan Present reasonable basis that plaintiff reasonably certain to have coverage Present grounds to establish with reasonable certainty the time period the ACA coverage will exist

HIPAA – Are You in Compliance

HIPAA – What is it? Sets standards for confidentiality and privacy of individually identifiable health information Applies to Covered Entities Health plans Health care clearinghouses Health care providers that transmit health information electronically

Protected Health Information “PHI” is health information from an individual that is created by: Health care providers and clearinghouses Health plans Public health authorities Employers Life insurers Schools or universities

The Security Rule applies only to PHI that is transmitted or maintained electronically Requires administrative, physical and technical safeguards to ensure confidentiality, integrity and security of PHI The Privacy Rule applies to PHI that is transmitted electronically, verbally or in written form Requires safeguards to protect the privacy of PHI and set limits and conditions on the use and disclosure made without patient authorization Can’t leave voicemail with patient’s family Can’t discuss patient condition in waiting room Computers of physician office visible to other patients in waiting room

Allowed Disclosures Covered entities are permitted to disclose PHI without authorizations for the purposes of: Treatment: management of healthcare Payment: reimbursement and benefits Healthcare Operations: medical reviews, contracts, compliance, business planning, financial, and legal activities (45 CFR )

States and HIPAA HIPAA is a federal floor for patient protections and industry standards; each individual state maintains the ability to enforce laws which exceed those federal boundaries. HIPAA requires the states to self-determine: Which agencies meet the federal definition of a covered entity Whether those entities are governed by state law, HIPAA, or other federal privacy laws.

MYTH HIPAA does NOT apply to attorneys and law firms

FACT All attorneys who work with PHI must comply with HIPAA and HITECH rules and must ensure that their subcontractors comply as well (45 CFR )

Attorneys Representing Covered Entities Attorneys are responsible for ensuring that others hired to assist in providing legal services to the covered entity will also safeguard the privacy of the PHI. Includes joint counsel, jury consultants, experts, investigators, litigation support, etc. ** Not responsible for opposing counsel even if PHI was disclosed to them because they are not assisting in representing the covered entity (45 CFR (e))

Attorneys Representing Covered Entities Business Associate Agreements are signed to provide that the attorney will ensure the “minimum necessary” standard of disclosure of PHI is consistent with that of the covered entity Law firms must now have all subcontractors (ex. Experts) sign Business Associate Agreements when representing Covered Entities.

Health Information Technology for Economic and Clinical Health (HITECH) Affects Privacy: Covered entities and business associates will have to notify individuals of any security breach – sometimes the media will need to be notified as well. Vendors of personal health records and other non-HIPAA covered entities will have to report security breaches Determination of “unsecured” will be made by feds. Encryption of electronic information and destruction of PHI will render it “unusable, unreadable, or indecipherable to unauthorized individuals” and will relieve the covered entity of the need to notify individuals in case of a breach

HIPAA & HITECH Law firms representing covered entities must comply with the Administrative, Technical and Physical Safeguards required by the Security Rule.

Safeguards Risk Analysis and Risk Management: assess potential risks to the confidentiality, integrity and availability of electronic PHI Sanction Policy: against workforce members who fail to comply with security procedures Security Awareness: training, incident responses & reporting Contingency Plans, Data Backup Plan, Disaster Recovery Plans and Emergency Mode Operation Plans are required to protect electronic PHI from vandalism, natural disasters and other security incidents (45 CFR )

Technical Safeguards Electronic Access Integrity and Control Unique user ID with time-outs and automatic log-off Person or entity authentication Emergency access procedure Monitor I.T. systems containing PHI Transmission security must include encryption and decryption

Cloud Storage Compliant? Dropbox – not HIPAA compliant/secure iCloud – not HIPAA compliant/secure Amazon S3 – not HIPAA compliant/secure Google Drive – yes Egnyte – yes Symform - yes

Enforcement The Department of Health and Human Services (HHS) established rules for investigating, prosecuting, and imposing penalties for HIPAA Privacy Rule violations. Tiered ranges of increasing minimum penalty amounts, with a maximum penalty of $1.5 million for all violations of an identical provision Criminal violations fined up to $250,000 and up to 10 years in prison (enforced by Dept. of Justice) HHS hired auditing firms to randomly audit covered entities and business associates for compliance

Examples of Violations Not verifying individuals by phone/person/writing Faxing information to wrong fax number in error Sending information to wrong in error Leaving detailed PHI on answering machine Loss/theft of unencrypted drives/computers Careless handling of user name and password Sale of PHI to any source Failure to secure confidential information Allowing unauthorized person to enter area where PHI could have been viewed Stolen laptop/records from backseat of car

Violations and Enforcement
HIPAA Violation | Minimum Penalty | Maximum Penalty
Individual did not know (and by exercise of reasonable diligence would not have known) that he violated HIPAA | $100/violation, annual maximum $25,000 | $50,000/violation, annual max of $1.5 million
Violation due to reasonable cause and not due to willful neglect | $1,000/violation, annual maximum $100,000 for repeat violation | $50,000/violation, annual max of $1.5 million
Violation due to willful neglect but violation corrected w/in required time | $10,000/violation, annual maximum $250,000 for repeat violation | $50,000/violation, annual max of $1.5 million
Violation due to willful neglect and not corrected | $50,000/violation, annual maximum of $1.5 million | $50,000/violation, annual max of $1.5 million

Examples From 2009 – 2011, records breached for over 18 million patients BCBS Fined $1.5 million for loss of 57 unencrypted drives containing data of 1 million patients Mass. General Hospital fined $1 million for loss of portable data on subway

Value on Black Market Credit Card #: $6 I.D. (SS# and D.O.B.): $15 Medical Chart/Records: $50

Questions? Comments? Erik P. Crep Wicker, Smith, O’Hara, McCoy & Ford, P.A Ponce de Leon Blvd, Suite 800 Coral Gables (Miami), FL (305) Stuart T. O’Neal, III Burns White 100 Four Falls, Suite Conshohocken State Road West Conshohocken (Philadelphia), PA (484)