
Healthcare Case on Cutting Corners

Healthcare providers, health plans, healthcare clearinghouses (covered entities) and business associates that provide services that deal with protected health information received another reminder to be prepared to prove they are properly handling and administering electronic and other protected health information. This came after the Department of Health & Human Services Office for Civil Rights (OCR) announced its latest in a growing series of high-dollar resolution agreements with a covered entity that was charged with violating the privacy and security standards of the Health Insurance Portability and Accountability Act (HIPAA).

Raleigh Orthopaedic Charges and Resolution Agreement

The Resolution Agreement and Corrective Action Plan announced by OCR on April 20 requires the Raleigh Orthopaedic Clinic, P.A. to pay $750,000 to settle charges that it violated the privacy rule. The clinic handed over the protected health information of approximately 17,300 patients to a potential business partner without first executing a business-associate agreement.

Raleigh Orthopaedic is a provider group practice that operates clinics and a surgery center in the Raleigh, NC, area. OCR’s investigation indicated that Raleigh Orthopaedic violated privacy rules by releasing X-ray films and related protected health information of patients to an entity that promised to transfer the images to electronic media in exchange for harvesting the silver from the X-ray films. Raleigh Orthopaedic failed to execute a business associate agreement with this entity before turning over the X-rays and protected health information (PHI).

Although the resolution only addresses charges OCR brought against the covered entity (Raleigh Orthopaedic), business associates need to keep in mind that both covered entities and business associates are now responsible for ensuring compliance with the business associate agreement requirements of the privacy rules — ever since the stimulus bill amended HIPAA to make most provisions of the privacy rule directly applicable to business associates, as well as covered entities.

Takeaways for Covered Entities and Their Business Associates

The resolution agreement includes a strong message for other covered entities and business associates: It’s important for an entity to take seriously its responsibility under the privacy rule to ensure the business associate agreement requirements of the privacy rule are met before business associates are allowed to receive, access or use protected health information. Jocelyn Samuels, the director of the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), said, “It is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected,” and “HIPAA’s obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise.”

In many cases, the process of evaluating the adequacy of current arrangements and of considering the advisability of changes to tighten existing practices will result in the discovery and discussion of potentially sensitive information. For example, it is possible that, in the course of review, parties may be unable to locate a signed business associate agreement that governs a relationship, or that information may indicate that breaches of protected health information or other privacy rule violations have occurred. For this reason, most covered entities and their business associates will want to consider arranging for this review and analysis to be conducted within the scope of attorney-client privilege or under the direction of qualified legal counsel with HIPAA experience who has entered into a business associate agreement.

Untimely Notice Sustains Denial of Claim

The U.S. District Court for the Eastern District of Kentucky recently held that an insurer properly denied coverage to a hospital because the hospital gave untimely notice of the claim. In Ashland Hospital Corporation v. RLI Insurance Company, Civil Action No. 13-143-DLB-EBA (E.D. Ky. Mar. 17, 2015), the insurer avoided exposure on a $10 million directors and officers (D&O) excess policy claim by successfully arguing that the insured, a hospital association, failed to give timely notice of the claim as required under the terms of the policy.

Background
The hospital purchased $15 million in primary D&O liability insurance for Oct. 1, 2010, through Oct. 1, 2011. The hospital also purchased a $10 million excess policy from another insurer covering the same one-year period. Both policies were written on a “claims-made” as opposed to an “occurrence” basis. In July 2011, the U.S. Department of Justice issued a subpoena to the hospital as part of a Health Insurance Portability and Accountability Act (HIPAA) investigation into allegations that the hospital billed federal healthcare programs for heart procedures that were not medically necessary. Ultimately, the hospital agreed to pay $40.9 million to resolve the allegations.

The hospital notified the primary carrier of the HIPAA investigation in December 2011, which was within the 90-day notice period required by the primary policy. In June 2012, after being informed that the primary carrier’s policy covered the investigation, the hospital notified the excess insurer of the HIPAA investigation. The insurer denied coverage because the hospital failed to provide timely notice during the policy period or within the applicable 90-day extended reporting period after the policy terminated in October 2011. The insurer claimed that the notice requirement was a condition precedent to establishing coverage and that it did not have to show prejudice to deny coverage. The hospital sued for breach of the insurance contract.

Decision
The insurer argued that it correctly denied coverage because the hospital failed to provide notice within the 90-day extended reporting period after the excess policy expired. The insurer argued the excess policy followed form to the primary policy, thereby incorporating the notice provisions of the primary policy that required notice within 90 days of the end of the policy. The hospital admitted the excess policy did follow form to the primary policy but claimed that the presence of notice provisions in both policies made the primary policy’s notice provisions ambiguous.

The Ashland court rejected the hospital’s argument, holding that the notice provisions in the primary and excess policies did not conflict; to the contrary, they coexisted. Therefore, the insurer’s denial of coverage was proper because the hospital failed to provide timely notice as required by the terms of the primary policy.

The court also held that the hospital violated the notice provisions of the insurer’s excess policy, which required the insured to provide notice when specified events occurred. The hospital claimed that the notice provisions were ambiguous and did not require it to provide the insurer with notice every time an event specified in the notice provisions took place, but rather only when the most recent event occurred. The insurer countered that the terms of the policy were clear and that the hospital was required to provide notice when any event specified in the policy took place. The insurer contended that, because the hospital provided notice only when the most recent event occurred and not when previous events occurred, the hospital was not entitled to coverage. The Ashland court held that the provisions were not ambiguous and that adopting the hospital’s interpretation would effectively render the terms meaningless. The court agreed with the insurer that for coverage to exist, the hospital had to provide timely notice to the insurer when all of the events specified by the provision took place, not merely when the most recent event occurred. Because the hospital failed to do so, it forfeited its right to coverage under the terms of the excess policy.

The Ashland court also considered and rejected the hospital’s alternative argument that the insurer had to show substantial prejudice to deny coverage. In so arguing, the hospital relied on Jones v. Bituminous Casualty Corporation, 821 S.W.2d 798 (Ky. 1991), which held that absent a showing of substantial prejudice a workers’ compensation insurer could not deny coverage because of an insured’s untimely compliance with a notice provision. The Ashland court noted that Kentucky courts have not addressed whether Jones applied to claims-made insurance policies but predicted that the Kentucky Supreme Court would not extend Jones to a claims-made policy because to do so would effectively rewrite the policy without justification.

Takeaways
There are two principal takeaways from the Ashland decision:

  • First, in Kentucky, excess insurers desiring to “follow” a primary policy would be well-advised to use language that ensures neither policy conflicts. While not mentioned by the Ashland court, a simple way to accomplish this result would be for the excess policy to include language in the “following form” clause confirming that, in the event of any conflict between the primary and excess wording, the primary language should control. Failure to take these steps could render some terms of the policies ambiguous and unenforceable.
  • The second takeaway concerns the Ashland court’s sustaining the enforceability of the claims-made and reporting provisions of the policy. Earlier this year, the state supreme courts in Colorado and Wisconsin reaffirmed that the claims-made and reporting requirements in D&O and professional liability policies are conditions precedent to coverage that cannot be trumped by the notice prejudice rule applicable to occurrence-based policies. (See Craft v. Philadelphia Ins. Co., 2015 CO 11 (Colo. Feb. 17, 2015); Anderson, et al. v. Aul, et al., 2015 WI 19 (Feb. 25, 2015).) Thus, Ashland is illustrative of a continuing trend of recent decisions that have reached this same conclusion.

Wilson Elser will continue to monitor this and other cases involving primary and excess policy coverage disputes.

NOTE: Patrick C. Walsh (Law Clerk-Louisville) assisted in researching and drafting this Alert.

Biometrics and Fraud Prevention: Seeing Eye to Eye

As more consumers opt for the flexibility of serving themselves, it has become essential for businesses to deploy strong systems to authenticate identity. The challenge is how to reduce fraud without frustrating consumers or compromising the customer experience.

Biometric technology has been seen increasingly as a solution in industries such as financial services, but is there a useful place in insurance? As technology becomes more convenient, and more secure, many are saying yes.

What’s What in Biometrics

By identifying individuals through their unique physiological or behavioral patterns, biometrics offers a higher level of security, ensuring that only authorized persons have access to sensitive data. Physiological biometrics include fingerprint, face, iris and hand geometry recognition. Behavioral biometrics include signature and voice verification, as well as keystroke kinetics that identify a person’s typing habits.

As consumer-centric channels such as mobile and online applications continue to expand, so will the risk of fraud. And while many industries, including insurance, continue to deploy new technologies to stave off attacks, the reality is that the tools and methods by which professional fraudsters operate are becoming increasingly sophisticated.

“While insurers have applied some preventive measures against fraud, the industry as a whole needs to catch up,” says Steve Cook, director of business development, Facebanx. “They must be forward-thinking and recognize the benefits of biometric technology and how it can help in preventing fraudulent activities.”

Reducing Claim Fraud and Protecting Data

One area where biometrics has begun to take hold is healthcare insurance. A study by the Ponemon Institute found nearly 1.5 million Americans to be victims of medical identity theft. Healthcare fraud is estimated to cost between $70 billion and $255 billion a year, accounting for as much as 10% of total U.S. healthcare costs.

Many insurers are using biometrics to help reduce billing fraud by eliminating the sharing of medical insurance cards between patients, or by making it more difficult for a person to assume another’s identity. For example, as an alternative to paper insurance cards, a biometric iris scan can immediately provide proof of a patient’s physical presence at a healthcare facility.

Biometric technology is also assisting healthcare insurers with compliance and data integrity standards — in particular with those set by the Health Insurance Portability and Accountability Act (HIPAA). For example, in addition to adhering to requirements for automatic logoff and user identification, insurers must implement additional safeguards that include PINs, passwords and some method of biometrics.

Fraud Capabilities in Property and Casualty

According to a report by Aite Group, the war against fraud in property and casualty insurance is also escalating. The group estimates that claim fraud in the U.S. P&C industry alone cost carriers $64 billion in 2012 and will reach $80 billion by 2015. Customer contact centers have been hit particularly hard. While the focus on protecting consumer data has primarily centered on online channels, fraudsters are now targeting the phone channel, as well. Leveraging information obtained through social media networks, thieves are manipulating call center representatives and gathering customer information. 

For this reason, biometrics are being deployed. Representatives can cross-reference incoming calls against a watch list of known fraudsters, identifying unique voice prints. Advanced biometric techniques can also identify fraud patterns based on speech analytics, talk patterns and various “red flag” interactions.

Summary

The insurance industry is just beginning to scratch the surface when it comes to identifying areas of fraud management to which biometric science can be applied. 

“Insurance companies [that] are first to adopt this kind of technology will push the fraudsters over to the competition, because fraudsters don’t want their face or voice on a database that they can’t control,” Cook says.

Making the switch to biometric security measures can mean a substantial investment if done on a large scale. Even so, with the proliferation of online channels, consumer conveniences and ever-shifting tactics of fraudsters, deploying some degree of biometric technology will become a competitive necessity. And, as long as the insurance industry continues to expand consumer services because of e-commerce and m-commerce, no doubt new applications of biometrics will come about.

Medical Identity Theft And Fraud

Medical identity theft (MIDT) is a crime that has profound consequences for patients, insurance providers, and health care providers. The definition of medical identity theft is the fraudulent use of an individual’s personally identifiable information (PII), such as name, Social Security number, and/or medical insurance identity number to obtain medical goods or services, or to fraudulently bill for medical goods or services using an unlawfully obtained medical identity. Unfortunately, the definition of medical identity theft and the consequences that are associated with the crime are not common knowledge to the general public.

A recent study conducted by Harris Interactive on behalf of Nationwide Insurance found that only one in six (~15%) insured adults say they are familiar or very familiar with the term “medical identity theft.” Of the 15% who professed familiarity with the term, only 38% could correctly define what a medical identity was (Medical ID Theft Study 4). Unfortunately, this lack of widespread understanding of medical identity theft by consumers is part of the problem, and it is costing consumers, insurers, and healthcare providers alike.

According to the most recent Ponemon Institute Research Report, 1.85 million Americans were affected by medical identity theft in 2012. This is a dramatic increase from the 1.49 million affected by medical identity theft in 2011, amounting to an almost 25% increase in just one year (Third Annual Survey 1). This rate of growth has the potential to explode for several reasons. First, the Affordable Care Act is estimated to reduce the number of uninsured by approximately 30 million (Insurance Coverage Provisions 13), drastically increasing the number of insurers and insured patients that are targets for medical identity theft. Second, HIPAA policies and new rules under HITECH are increasing the use of electronic health records (EHRs), which can be vulnerable to data hackers. And lastly, the data hackers themselves are more sophisticated and cognizant of ways to profit off of personal data than ever before. All these factors combined pose a very serious dilemma in controlling the rate of growth for medical identity theft. Ponemon estimates that the cost of medical identity theft to consumers in 2012 was approximately $41 billion (Third Annual Survey 1). This does not include the untold cost borne by healthcare and insurance providers. We cannot afford the cost of letting this crime grow.

In order to minimize the effects of medical identity theft, we must better understand its nature. The Identity Theft Resource Center (ITRC) knows it is important to assess how consumers’ identities are stolen, how they find out they have fallen victim to this crime, and how difficult it is to resolve once discovered. The Identity Theft Resource Center believes this information can be used to educate the general public about what medical identity theft is and how they can minimize their risk or mitigate the cost once they become a victim.

Looking at how medical identity theft victims discover they have fallen victim to this crime is crucial in determining what can be done to discover medical identity theft sooner to avoid increased expenses and instances of fraud. The 2012 Ponemon report found that the most common way (39%) people discover they have become victims of identity theft is by receiving collection letters for delinquent bills. This is bad news as this means the costs for the fraudulent services worked their way through the providers’ billing systems and languished there until they were forwarded to collection departments or agencies. In the time it took for the bill to make it to the collection department or agency, the imposter could have committed many more instances of fraud in different locations. The second most common method of discovery (32%) was by noticing mistakes in their health records, tipping them off to the medical identity theft. This is also bad news as mistakes in health records can have catastrophic consequences which can be fatal.

Fortunately, the third most common method (26%) of discovering identity theft was by victims noticing suspicious postings to a statement or invoice, such as an Explanation of Benefits statement. This is very good news as this usually means the victim is discovering their medical identity theft as early as possible. The earlier the victim notices the crime, the more likely they may avoid damage to their credit score, stop future abuse of their medical identity, and reduce the amount of time and money spent to rectify the issue. This statistic is even more interesting when compared to the previous two years of the Ponemon study, where only 9% of participants indicated that they discovered their medical identity theft via suspicious statements or invoices. This is a promising example of how educating and making consumers aware of medical identity theft can make a big difference in helping reduce the incidence of medical identity theft and its costs as a whole.

Looking into the mitigation process victims are confronted with after they discover their medical identity theft reveals the costs and trouble they have to go through to clear their names. There are two distinct objectives when mitigating medical identity theft. First, the victim must deal with an individual incident such as a thief receiving medical care under the victim’s name and the associated fiscal impact the crime imposes. Second, the victim must now deal with the task of “curing” themselves of medical identity theft, ensuring that their medical identity is not abused again in the future. This second objective is extremely difficult and contributes to the devastating nature of medical identity theft.

Regarding the first objective, the process for rectifying an individual incident of medical identity theft is complicated and drawn out. The victim must immediately contact the medical records and billing departments of the healthcare provider that provided the services to the imposter, request their medical records, and inform the provider that they are not responsible for the fraudulent bills. Upon learning that there may be fraudulent information in the victim’s medical record, the healthcare provider may deny the victim access to their medical record for fear of violating the Health Insurance Portability and Accountability Act (HIPAA). HIPAA protects the privacy of patients’ medical records making healthcare providers worry that they may be violating the imposter’s privacy rights by releasing the medical record to the victim. Oftentimes, the healthcare provider does not know for a fact that the fraudulent information in the medical record was a result of medical identity theft and cannot rule out that it may simply have been an accidental mixing of two patients’ records. Regardless of the situation, the healthcare provider is afraid of incurring liability under HIPAA for releasing confidential medical information even if it is under the victim’s name. The victim may have to appeal the decision in order to be able to view their records.

In one case, a medical identity theft victim was charged for bills related to the alleged amputation of one of her feet. Luckily, this was easily refutable as she could simply show the hospital billing department that she still has her two feet. Unfortunately, the imposter also had diabetes, which prompted a physician, during a subsequent hospitalization, to ask the victim what medications she was taking to treat her diabetes. The victim has never had the disease (Menn). This case demonstrates how frustrating correcting medical records can be and reminds us how dangerous medical identity theft is to the victim.

It is also recommended that victims file a police report and submit a copy of the report to healthcare providers as it will usually help streamline the process. It is important for victims to note that medical identity theft, like any other form of identity theft, is a crime for which police in most states are required to provide a police report. Once the incorrect information is identified, the victim must request that the healthcare provider either remove the information or at least flag it should the provider be reluctant to permanently remove it. After correcting the records at the location where the imposter received medical services, the victim will then have to request an accounting of disclosures listing all the entities to which the healthcare provider sent the victim’s fraudulent records. The victim must repeat this procedure at each location that has their fraudulent medical record. All of this creates mountains of work for healthcare providers, insurers, and the victims themselves, which increases costs in the medical industry for everyone involved.

The second and more difficult objective, “curing” oneself of medical identity theft, does not have a set solution. The problem stems from the decentralized structure of the medical data system. Every healthcare provider, pharmacy, and insurer has its own records and records system. In contrast, the financial industry has three major credit reporting agencies through which almost all financial credit information is processed. Therefore, when you have suffered financial identity theft, a great way to mitigate future instances of fraud is to place a credit freeze with all three credit reporting agencies so that identity thieves cannot abuse your credit again. There is no such central medical record agency for medical records. Thus, it is possible for a medical identity thief to commit fraud with the same medical identity over and over again in multiple locations around the country. The victim will have to go through the individual incident mitigation process every time and just hope that the identity thief will stop using their medical identity.

Since there is no way to get ahead of the thief and prevent the medical fraud from occurring, the best way to mitigate the costs and effects of medical identity theft is for the victim to be vigilant and confront each instance of fraud as soon as possible in order to reduce the amount of wasted time and costs. This repetitive cycle is exhausting and costly for the victim as well as healthcare providers and insurers. In all three years Ponemon has conducted this survey, the number of victims who said they had completely resolved their medical identity theft never exceeded 11% (Third Annual Survey 11). This is an ongoing problem that does not yet have a solution, but it is imperative for all stakeholders to be involved.

All of this information points us to the realization that medical identity theft is a costly and potentially dangerous crime that is incredibly difficult to resolve. To make matters worse, medical identity theft often goes undiscovered for long periods of time and only becomes more detrimental and difficult to resolve the longer it goes undetected.

The Identity Theft Resource Center proposes that one of the best methods of reducing medical identity theft and the costs associated with it is an educated and aware consumer population. To make this point, it is useful to separate out the causes of identity theft listed in the Ponemon report into two groups. The first group includes causes of identity theft that victims have no control over: healthcare provider used identification to conduct fraudulent billing (22%), malicious employee in the health provider’s office stole health information (7%), and the healthcare provider, insurer or other related organization had a data breach (6%). In total, 35% of the causes of identity theft cannot be affected by actions of the consumer. The second group consists of causes of identity theft that a consumer does have a degree of control over: family member took personal identification credentials without my knowledge (35%), mailed statement or invoice was intercepted by the criminal (6%), lost a wallet containing personal identification credentials (5%), and a phishing attack by criminal who obtained personal identification credentials (4%). Thus, the total of causes of medical identity theft that can be affected by actions of the consumer is 50%. It should be noted that 15% of the participants still did not know how they had their medical identity stolen.

Looking at the numbers above, it is clear that the consumers themselves can have the largest impact in reducing the number of medical identity theft cases and the severity of the cases that still occur. Not only do the consumers themselves have the best ability to reduce the risk of medical identity theft happening to them, they are the only people that can reduce the severity of the crime when it does happen. The Identity Theft Resource Center has long understood the ramifications of medical identity theft on the consumer population as well as the medical industry itself. We know that educating the consumer population can be cost-effective and powerful.

The Identity Theft Resource Center is a founding organization of the Medical Identity Fraud Alliance, the first public/private sector-coordinated effort with a focused agenda that unites all the stakeholders to jointly develop solutions and best practices for medical identity fraud. We encourage all industry stakeholders to join so that we can work together in galvanizing the consumer population into becoming the most effective weapon yet against medical identity theft.

How Consumers Can Minimize Their Risk Of Medical Identity Theft

  • Review Explanation of Benefit statements as soon as you receive them as they may detail medical services that you never received.
  • Review your credit reports multiple times a year to see if any fraudulent accounts have been opened in your name, or if any medical bills have been reported as unpaid.
  • Be aware of phishing emails. These emails are designed to look like they are official communications from either a healthcare provider or insurer and ask for personal information such as a Social Security number, insurance policy number, or other information used to commit medical fraud in your name.
  • Do not open attachments in emails from people you are not familiar with as it may have a virus or program to steal information from your computer.
  • Use a Virtual Private Network when using the Internet outside of your home as this will encrypt your signal from your mobile device or laptop.
  • Do not carry your Medicare card, Social Security card, or certain military identification as these have your Social Security number on them. Should you lose your wallet or purse or have it stolen, this information would be extremely valuable to a medical identity thief.
  • Shred or safeguard any documents with personally identifiable information by either locking them in a safe hidden in the home or by storing them on an encrypted thumb drive and deleting them off your computer. Sensitive documents with PII include:
    • Tax preparation papers
    • Explanation of Benefits statements
    • Medical Bills or Records
    • Bank Statements
    • Passport
    • Medicare, Social Security, or military identification card

References
Nationwide Mutual Insurance Company. “Medical ID Theft Study Results.” March 2012. Print.

Ponemon Institute. “Third Annual Survey on Medical Identity Theft.” June 2012. Print.

Congressional Budget Office. Estimates for the Insurance Coverage Provisions of the Affordable Care Act Updated for the Recent Supreme Court Decision. U.S. Government Printing Office. July 2012. 13 December 2012. http://www.cbo.gov/sites/default/files/cbofiles/attachments/43472-07-24-2012-CoverageEstimates.pdf

Menn, Joseph. “ID Theft Infects Medical Records.” Los Angeles Times. 25 Sept. 2006. N.pag. Web. 20 Dec. 2012.