HIPAA — Are Healthcare Providers doing their own Version of Captain America’s 70 year “Sleep?”

 


     One of my favorites of the recent spate of Marvel superhero movies is “Captain America: The First Avenger”.  In that movie, Captain America fights Red Skull to protect Earth from utter destruction.  One scene near the end of the movie actually makes me think of HIPAA.  Captain America awakens in a 1940s-style hospital room. Deducing from an outdated radio broadcast that something is wrong, he flees outside and finds himself in present-day Times Square, where S.H.I.E.L.D. Director Nick Fury informs him that he has been “asleep” for nearly 70 years.
     When we discuss HIPAA with healthcare providers, we find that many simply do not take it very seriously.  The “teeth” of HIPAA regulations seem not to have been vigorously enforced in the past, leading many providers to believe there is little reason to worry about the details, thinking it was all bark, but no bite. As time has gone by, while some physicians and groups have tried to stay updated and compliant, many have taken no steps whatsoever, actually creating more chaos.  For example, when we first moved back to Missouri a few years ago, my wife took our kids to the doctor for the first time, and she was asked to fill out one form and put all the kids’ names on it, so that the practice could request their records from Michigan.  When the Michigan office got the form, they then informed my wife that she had to fill out a form for each child to request records.  However, our new Missouri doctor said that the Michigan office was just being “overly cautious,” and that the one form should have been all that they needed.  We finally got the kids’ records, but it was rather difficult when one practice took HIPAA seriously and the next office did not.
     Within the last few years or so, the Department of Health and Human Services seems to be putting much more emphasis on the “bite” of HIPAA, and essentially trying to wake up those ignoring the HIPAA legislation from their Captain America “sleep”.  In 2014, HHS started conducting audits to find out whether covered entities were complying with the law.  The audits found that only 2-5% of those audited were actually in full compliance with HIPAA.  After this report, the Office of Inspector General (OIG) recommended that HHS begin implementing a permanent audit program to ensure compliance with HIPAA.  The enforcement efforts of these two agencies are effectively waking up many who are covered by HIPAA from their Captain America “sleep”, but just like in the movie, that awakening is not a relaxed easing out of bed, but a cold slap-in-the-face type of awakening.
     As the enforcement efforts expand, HHS began another round of audits this year, and will actually be increasing the number of audits that will be conducted. Several covered entities have received notification that they are among the first round to be audited.  As random audits take place, every doctor, group, hospital, clinic, and other covered entity required to comply with HIPAA must awaken from their Captain America “sleep” as well, or they could face massive fines being imposed upon them for non-compliance.
     When we speak with doctors about HIPAA, most tell us that the law is simply an annoyance with which they would prefer not to hassle.  When we explain our detailed system for providing complete HIPAA compliance protection, many simply rely upon the fact that they “have never been audited before”, so they assume that they’re safe and won’t ever be audited. We point out that, just as it is too late to buy malpractice insurance after one has been sued, it likewise makes no sense to take chances on HIPAA compliance by waiting to see what happens.  The “sleep” from which they may awaken the day an auditor shows up in their office will be harsh and sudden, and far too late to prepare for what might come from the audit being conducted. Likewise, many also seem to believe that if they are audited, they are either already compliant enough, or that any fine assessed against them will not be significant. That belief tends to ignore the very statistics (noted above) regarding how few providers have actually been found to be in compliance through the audits already conducted.
     While the details of HIPAA law are rather complex, it is pretty straightforward about some of the basics — what it is you need to have and need to do — to comply with HIPAA.  You must have a HIPAA policy and procedure manual specific to your practice (so those who buy generic “manuals” on the internet are still asleep, as those simply do not constitute full compliance).  You must fully train every person on your staff on those policies and procedures at least twice a year (and you can’t “sleep” through this process with a short pamphlet for the staff to read). Likewise, you must conduct a thorough risk analysis at least twice a year to look for vulnerabilities and make sure you’re staying in compliance. Given that this is the hardest part of HIPAA compliance generally, one can see why physicians haven’t “awakened” to this part of the process.
     Those who are subject to HIPAA laws need to continually monitor the ever-changing regulations to stay aware of any updates or revisions that need to be made to their manual, training materials, and the type of risk analysis to be conducted.  There is a lot to do to stay in full compliance and it is clearly time for physicians and healthcare entities to wake from their sleep in order to be ready. Otherwise, that awakening will seem much like it did for Captain America, with a shock-to-the-system type of reaction the day the auditors appear.

 

Nothing posted on Evidentiary Matters is to be considered legal advice or advertising.
The choice of a lawyer is an important decision and should not be based solely upon advertisements.


Hospital Tort Liability to Third Parties for Failure to Diagnose Ebola?


If the revelation this week that a patient in the United States has been diagnosed with Ebola virus is not scary enough, the news that the hospital at which the diagnosis was made actually sent him home days earlier without considering that diagnosis may be scarier still. Apparently, a patient landed in Dallas on a flight from Liberia (Africa) on September 20. After a few days visiting family, the patient started to feel ill, and finally went to the emergency room of Texas Health Presbyterian Hospital on September 26 with symptoms that were consistent with, among numerous other things, Ebola. However, the hospital discharged him that same day. Two days later, on September 28, he was taken by ambulance back to the same hospital, where he was admitted and diagnosed presumptively with Ebola virus.

What is currently cause for general public concern about whether his disease may spread may also ultimately be a tort lawyer “think tank’s” dream discussion topic. Does a hospital have a duty to protect the public – not just its patients – from contracting a contagious and potentially fatal disease? The Ebola virus purportedly does not spread through the air, but only by physical contact with the infected person’s bodily fluids. Moreover, an infected person is apparently not actually contagious until he/she becomes symptomatic, which may take up to 21 days from his/her own initial infection. In this case, the patient in question arrived in the United States symptom-free, but then developed symptoms within days of his arrival, and by the time he first presented to the hospital, was likely capable of passing the virus to others. From news accounts to date, it appears that during his initial ER visit, however, either he was not asked if he had recently traveled abroad, or that information was not fully appreciated or communicated, and as a result, an opportunity was missed to at least consider the possibility of an Ebola infection in their differential diagnosis. From the standpoint of medical malpractice law, such a failure to diagnose might expose the hospital to liability to the patient. But what about to third persons?

If during his two days between hospital visits this patient somehow infected others (sneezing or coughing in a movie theater, vomiting on a bus, passing sweat or blood to the skin of a passerby in a grocery store), do those individuals have a cause of action against the hospital? They were not the hospital’s patients – in fact, it is conceivable that some person who becomes infected lives many states away — so what is the hospital’s duty to them? No doubt it is cause for some alarm that the CDC is now aggressively trying to locate anyone who had contact with this patient before his second hospital admission. While the country holds its collective breath that this incident will be as isolated as this patient now is himself in the hospital, we all know how devastating a disease this can be. Those who contract it may suffer horrific symptoms and the death rate is substantial. Does an individual who suffers severe Ebola virus symptoms through contact with the Dallas patient have a claim for damages? Does a family that potentially loses a loved one to this horrible disease have any recourse? And if the disease has been passed broadly and injuries are widespread, what are the limits of the hospital’s potential liability?

In most states, “foreseeability” of potential harm is a key factor in tort liability. Several years ago, however, in the context of dangerous psychiatric patients (via a case from California called Tarasoff), healthcare providers were handed the responsibility of protecting third persons from foreseeable harms that might be caused by a psychiatric patient when the clinician had knowledge that the patient had the potential to injure or kill specific individuals. Over the years, that obligation has been eroded, revised, updated and manipulated from state to state, and probably does not serve as a relevant comparison to the Ebola issue here. However, given the potential for extreme and widespread injury, will healthcare providers once again be held accountable for any injury they might have prevented, even beyond the walls of the hospital? For the population that lives in fear of what Ebola may bring, do viable claims for “negligent infliction of emotional distress” have merit?

We can only hope that Ebola is contained, not only in the United States, but in Africa, where it devastates large areas. From the tort law perspective, we doubt that anyone wants to see a case develop in which the “zone of danger”, for all intents and purposes, is the entire country.