Legal News

HealthAlliance Hospital and Ciox Health Facing Class Action Medical Records Lawsuit

A lawsuit has been filed against HealthAlliance Hospital and Ciox Health, its health record management vendor, for denying a widow from obtaining her deceased husband’s medical records.

Sherry Russell, 62, from Woodstock NY, lost her husband of 42 years to lung cancer in October 2020. Mr. Russell visited HealthAlliance Hospital: Broadway Campus for a chest x-ray in March 2017 but lung cancer was not diagnosed. The cancer diagnosis came two years later when the tumor was 2 inches in diameter and it was too late to provide treatment.

Mrs. Russell believes the radiologist failed to identify the tumor on the x-ray, resulting in a misdiagnosis. Had the tumor been found earlier, it is possible that treatment could have been provided in time to save her husband’s life.

Mrs. Russell requested a copy of her husband’s medical records from HealthAlliance Hospital in order to obtain a copy of the chest x-ray report to support her malpractice lawsuit against the hospital over the failure to diagnose lung cancer; however, she has been unable to obtain a copy of the report.

Under HIPAA, patients are allowed to obtain a copy of their medical records from their healthcare providers. The HITECH Act of 2009 amended 164.510(b) of HIPAA to “permit covered entities to disclose a decedent’s protected health information to family members and others who were involved in the care or payment for care of the decedent prior to death, unless doing so is inconsistent with prior expressed preference of the individual that is known to the covered entity.”

When a request is made to obtain a copy of a person’s medical records from a healthcare provider, copies of paper records and electronic records must be provided. The provider can charge a reasonable, cost-based fee for providing copies, which should be provided in the format of the patient’s choosing, if it is technically feasible for a provider to release records in that format. Hospitals can receive thousands of requests for copies of medical records, so many choose to use a health record management vendor to manage those requests, in this case, Ciox Health.

The medical records lawsuit claims that under the federal HITECH Act of 2009, Mrs. Russell is entitled to a copy of her husband’s medical records and that the hospital and Ciox are only permitted to charge $6.50 for providing those records. The lawsuit also alleges both parties have been unresponsive and have been difficult to deal with. When both parties did respond to requests, Mrs. Russell was informed that it was only possible to provide a copy of paper records, not any electronic health records, and Ciox said it charges 75 cents per page for providing those records.

“[Mrs.] Russell can’t even determine the name of the correct physician liable for wrongdoing, without the medical records,” said Sherry Russell’s lawyer, John Fisher. “HealthAlliance Hospital, the very entity that has wronged her, is continuing to wrong her by stonewalling her.” Due to the statute of limitations in New York, the malpractice lawsuit must be filed by Friday this week. Fisher said that the malpractice lawsuit would be filed, even if the medical records are not provided.

Fisher is also seeking class action status for the medical records lawsuit against HealthAlliance Hospital and Ciox Health and claims he has dozens of clients who have faced similar difficulties exercising their HIPAA right to obtain medical records from HealthAlliance Hospital and Ciox Health.

The issue of charging excessive amounts for copies of medical records was addressed by the HHS in guidance on fees issued in 2016. The HHS confirmed that a $6.50 flat fee can be charged for providing copies of medical records, although it is also possible to charge average labor costs or actual costs for providing a copy to a third party. The HHS also recently launched a HIPAA Right of Access Initiative to vigorously enforce compliance with this important right of HIPAA, and has already issued two financial penalties over the failure to honor this right.

Ciox Health is no stranger to legal action over medical record access. A federal lawsuit was filed against Ciox Health and 62 hospitals in Indiana over the falsification of records and for participating in a kickback scheme involving overbilling for releasing patient EHRs, although the case was dropped. In 2018, Milwaukee-based Aurora Health Care and Ciox Health settled a class-action lawsuit alleging overcharging for medical record requests. A predecessor company of Ciox Health had charged an average fee of $22.58 for providing copies of health records. A $35.4 million settlement was proposed and Alpharetta, Georgia-based Ciox Health agreed to make the funds available to cover claims submitted by patients.

In January 2018, Ciox Health filed a lawsuit against the HHS to stop HHS enforcement of the HIPAA Right of Access Rule based on the 2016 changes, claiming the HHS updates were “irrational, arbitrary, capricious and absurd.” Ciox argued that the guidance imposed “a $6.50 flat fee that was drawn from thin air and bears no rational relationship to the actual costs associated with processing such requests.”

In January 2020, a federal judge ruled against the HHS stating that the fee limitations only apply to an individual’s right of access, and not to requests for copies of medical records from third parties, such as attorneys.

The post HealthAlliance Hospital and Ciox Health Facing Class Action Medical Records Lawsuit appeared first on HIPAA Journal.

Privacy Lawsuit Against UChicago and Google Dismissed by Federal Judge

A potential class action lawsuit filed against the University of Chicago, UChicago Medicine, and Google over an alleged privacy and HIPAA breach has been dismissed by a Federal judge.

The lawsuit was filed in June 2019 in response to an alleged violation of HIPAA Rules related to a data sharing partnership between the University of Chicago Medicine and Google.

In 2017, the University of Chicago Medicine sent the de-identified data of patients to Google as part of an initiative to use medical records to improve predictive analysis of hospitalizations, and by doing so, improve the quality of patient care. The aim of the partnership was to use machine learning techniques to identify when a patient’s health is declining, to allow timely interventions to prevent hospitalization.

The University of Chicago Medicine sent hundreds of thousands of patient records dating from 2009 to 2016 to Google. The data shared with Google was deidentified but contained physicians’ notes and time stamps of dates of service.

The lawsuit was filed by Edelson PC on behalf of lead plaintiff, Matt Dinerstein, a patient of UC Medical Center who had hospital stays on two occasions in 2015.

The lawsuit alleged Mr. Dinerstein’s confidential protected health information was shared with Google without properly de-identifying the data, as free-text notes from doctors and nurses were included in the data along with associated time stamps. That information had come to light following a 2018 research study which confirmed notes and time stamps were included in the data.

The lawsuit alleged the inclusion of that information meant the data shared with Google was not sufficiently de-identified. Since Google already had a substantial store of information, it is possible that patients could be re-identified, which created a privacy risk for all patients whose information was shared with Google.

The lawsuit also alleged the medical records had value to Mr. Dinerstein and had been stolen, although no claim was made that Google had tried to re-identify patients. The lawsuit also claimed Mr. Dinerstein was owed a reasonable royalty for the use of his protected health information.

UC Medical Center and Google filed motions to dismiss the lawsuit on August 3, 2019 claiming all data sent to Google under the partnership had been transmitted via secure channels in a manner compliant with the HIPAA Rules. The motions also stated neither HIPAA nor the Illinois Medical Patient Rights Act include a private right of action.

On September 4, 2020, Federal Judge Rebecca Pallmeyer of the United States District Court Northern District of Illinois Eastern Division, rejected Mr. Dinerstein’s claims and dismissed the lawsuit.

“Even if Mr. Dinerstein has a property interest in medical information, his allegations do not support an inference that the value of that property has been diminished by the University’s or Google’s actions,” said Judge Pallmeyer, also saying royalties are only appropriate for interference with a property right, and the plaintiff had failed to establish he had such rights to his PHI. Judge Pallmeyer also said in the ruling that Mr. Dinerstein had failed to adequately demonstrate the alleged privacy breach had caused him economic damage. The plaintiff has the right to file an amended complaint before October 15, 2020.

The ruling will certainly be good news for Google, which is also facing scrutiny of its partnership with Ascension over potential HIPAA violations related to the millions of records Ascension provided to Google in 2019 under “Project Nightingale”.


Konica Minolta Settles EHR False Claims Case for $500,000

Konica Minolta Healthcare Americas Inc. has agreed to pay a $500,000 financial penalty to settle a case against its former subsidiary, Viztek LLC, to resolve False Claims Act violations related to its electronic health record (EHR) product.

The American Recovery and Reinvestment Act of 2009 established the Medicare & Medicaid EHR Incentive Programs to encourage healthcare providers to adopt a certified EHR. Healthcare providers that adopted a certified EHR were entitled to claim incentive payments to offset the cost of purchasing the solution, provided they were able to demonstrate meaningful use of the EHR technology.

Companies that developed and marketed EHR solutions were required to demonstrate that their products met the HHS-adopted criteria and obtain certification for their solutions. According to a Viztek whistleblower, a former product manager at the company, Viztek and Konica Minolta Healthcare had falsified testing results of the Viztek solution, EXA EHR, in 2015 and misrepresented the capabilities of the product. Konica Minolta acquired Viztek in October 2015 during the period when the EHR was being tested.

The whistleblower filed a lawsuit against Viztek and Konica Minolta in December 2017 under the whistleblower provisions of the False Claims Act, alleging that as a result of the falsified testing results, healthcare providers using the solution had submitted false claims to the HHS for EHR incentive payments in 2015 and 2016.

According to the lawsuit, the capabilities of EXA EHR that were necessary to obtain certification had not been built into the product at the time of testing. Viztek attested to EHR testing company Infogard that the product met the HHS-adopted criteria, and hard-coded the software to ensure it passed the certification tests, even though the solution could not support the applicable criteria for its customers.

Infogard was also named as a defendant in the lawsuit. The lawsuit alleged Infogard either knew that EXA EHR did not meet all applicable requirements for certification or recklessly disregarded the fact that it did not meet the required criteria.

Under the whistleblower provisions of the False Claims Act, a whistleblower who brings a civil action on behalf of the U.S. government is entitled to share in any settlement. The whistleblower is due to receive $100,000 of the settlement amount.


Federal Judge Dismisses Heritage Valley Health System NotPetya Lawsuit Against Nuance Communications

In 2019, Beaver, PA-based Heritage Valley Health System filed a lawsuit against its vendor Nuance Communications over the NotPetya malware attack Nuance suffered in 2017. The lawsuit was recently dismissed by a federal judge for the US District Court of the Western District of Pennsylvania.

The NotPetya attacks occurred a short time after the WannaCry ransomware attacks in 2017 and targeted the same vulnerability in Windows Server Message Block (SMB). NotPetya encrypted the master boot record of infected computers, rendering them unusable. The attacks occurred in July 2017, four months after Microsoft released a patch to fix the SMB vulnerability that was exploited in the attacks.

The cyberattack on Nuance Communications saw 14,800 servers and 26,000 workstations encrypted by NotPetya. The extent of the damage meant 7,600 servers and 9,000 workstations needed to be replaced. Heritage Valley Health System was also affected by the attack, with the investigation revealing the malware had spread to the health system’s computer network via a trusted virtual private network (VPN) connection with Nuance. Once NotPetya was transferred to Heritage Valley, its servers and workstations were also encrypted, preventing the devices from being booted and rendering data inaccessible.

Heritage Valley filed a lawsuit against Nuance alleging the NotPetya cyberattack was the result of negligence and poor security practices and governance oversight. The lawsuit also alleged breach of implied contract and unjust enrichment. The damage to its computer systems forced Heritage Valley to temporarily cancel many of its patient care services for almost a week. The loss of business and damage to computer hardware cost the health system millions.

The attack on Nuance was certainly preventable: had Nuance applied the patch during the four months before the attack, the exploit used for the infection would not have worked. The forensic investigation also confirmed that Heritage Valley was infected through Nuance. The lawsuit was dismissed because of the contract between Heritage Valley and its vendor. Heritage Valley had signed a contract with vendor Dictaphone Inc. in 2003, and Dictaphone was acquired by Nuance in 2006.

In the lawsuit, Heritage Valley argued “Nuance is liable for any contractual obligations and tort liability arising from the plaintiff’s use of the products acquired from Dictaphone, and Nuance should be held liable for poor security practices and governance oversight as it had a broader duty to prevent the cyberattack.”

Since the acquisition of Dictaphone in 2006, Nuance had acquired more than 50 other companies and had more than 150 subsidiaries. “The sheer number of Nuance’s corporate acquisitions and the reach and pace of its global expansion combined to make meaningful integration of acquired systems and meaningful segmentation of Nuance’s growing global network difficult,” argued Heritage Valley in the lawsuit. “With each acquisition and international expansion, Nuance exposed itself and its customers to increasing cybersecurity risk, all the while Nuance did not have the management or funding in place to sufficiently protect against these risks.”

In its motion to dismiss, Nuance argued that it could not be held liable for negligence because it was not party to the Master System Procurement Agreement between Dictaphone and Heritage Valley in 2003, through which Heritage Valley purchased hardware and software from Dictaphone. The hardware and software were then maintained through a private portal-to-portal network.

The judge accepted Heritage Valley’s arguments and did not dispute the facts of the claims, but ruled that Dictaphone and Nuance were both exempted from product liability claims as external sources were involved and that Nuance could not be liable as the 2003 contract was signed between Heritage Valley and Dictaphone.


Ransomware Data Breach Lawsuit Against Sarrell Regional Dental Center Tossed by Federal Judge

A lawsuit filed against Sarrell Regional Dental Center for Public Health Inc. over a July 2019 ransomware attack has been dismissed by a Federal judge due to a lack of standing.

Sarrell was able to recover from the attack and restore its computer systems and data without paying the ransom, although the dental center was forced to close for two weeks while its systems were restored. No evidence was found to indicate patient data was accessed or downloaded from its systems, although it was not possible to rule out a data breach with 100% certainty so notification letters were sent to the 391,000 patients whose personal and protected health information (PHI) was potentially compromised.

A lawsuit was filed against Sarrell in 2019 on behalf of patients affected by the attack. The lawsuit sought class action status and damages for patients whose PHI was potentially compromised in the attack. The lawsuit alleged patients faced a higher risk of identity theft as a result of the attack and had to cover the cost of credit monitoring services.

Judge R. Austin Huffaker Jr. stated in his ruling that while the extent and depth of the breach were “murky”, Sarrell had conducted an investigation into the attack and found no evidence that files containing protected health information had been accessed or exfiltrated by the attackers and there was no evidence patient information had been misused in any way.

The lawsuit alleged the ransomware attack was a direct result of the failure of Sarrell to implement reasonable cybersecurity procedures and protocols and patients’ personal and protected health information was now likely in the hands of identity thieves. Consequently, patients affected by the breach had to spend time and money protecting themselves against identity theft and fraud. However, Judge Austin Huffaker viewed the claims as speculative, since the plaintiffs failed to provide “at least some plausible specific allegation of actual or likely misuse of data.”

Since the plaintiffs and putative class members failed to allege they had suffered identity theft or fraud as a result of the ransomware attack, there were insufficient grounds to sue Sarrell for the security breach. “The fact that the breach occurred cannot, in and of itself, be enough, in the absence of any imminent or likely misuse of protected data, to provide plaintiffs with standing to sue,” wrote Judge Austin Huffaker. “The plaintiffs fail to allege that they or members of the putative class have suffered actual identity theft. Instead, their pleading speaks of ‘possibilities’ and traffics in ‘maybes’.”


Two Chinese Nationals Indicted for 10-Year Hacking Campaign on U.S. Organizations and Government Agencies

Two Chinese nationals have been indicted by the U.S. Department of Justice (DOJ) for targeting and hacking US companies, government agencies, and others to steal sensitive information, including COVID-19 research data. The hackers are alleged to have been working under the direction of the Chinese government and also hacking organizations for personal financial gain.

Li Xiaoyu, 34, and Dong Jiazhi, 33, were trained in computer application technologies and have been operating as state-backed hackers for more than 10 years. The DOJ said the hackers were operating on behalf of China’s Ministry of State Security, the Guangdong State Security Department (GSSD), and other government agencies, as well as conducting their own attacks. The hackers have been accused of stealing more than a terabyte of intellectual property estimated to be worth hundreds of millions of dollars.

The hackers were prolific and conducted sophisticated hacks on companies and organizations in the United States, Australia, Belgium, Germany, Japan, Lithuania, Spain, the Netherlands, South Korea, Sweden, and the United Kingdom. The attacks were conducted on companies in many industry sectors, including high-tech manufacturing, medical devices, pharmaceutical, energy, gaming software, and business. The hackers also targeted individual dissidents, clergy, and democratic and human rights activists in the U.S., China, and Hong Kong.

The hackers stole intellectual property and sensitive data and passed the information to the Chinese government. In at least one case, source code was stolen from a company and the hackers attempted to extort money from the company, threatening to release the source code on the internet if payment was not made. More recently, the hackers turned their attention to companies developing vaccines, technology and treatments for COVID-19. A cyberattack on the U.S. Department of Energy’s Hanford Site in Eastern Washington sparked the investigation that led to the indictment.

The hackers exploited unpatched vulnerabilities in popular web server software, software collaboration programs, and web application development suites and took advantage of insecure default configurations. In many cases, the vulnerabilities that were exploited were new, so patches were not yet available to address the flaws. After gaining access to systems, malicious web shells such as ‘China Chopper’ were deployed, which allowed the hackers to steal credentials, elevate privileges, and execute malicious code. Data exfiltration was hidden by placing data in RAR compressed files and changing the extensions of those files to the more innocuous .jpg. The hackers also changed system timestamps and concealed programs and documents in innocuous locations on victims’ networks, such as recycle bins. In many cases, the hackers left backdoors that allowed them to regain access to victims’ networks and steal further intellectual property and data, often several years after the initial attack.
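The extension-renaming and recycle-bin stashing described above can be caught by checking what a file contains rather than what it is called. The following is an added example, not from the indictment or from HIPAA Journal, written in Python: it walks a directory tree, reads the leading bytes of every image-named file, and reports those that carry an archive signature, noting when they sit in a recycle bin. The sample files it scans are constructed in a temporary directory so the script runs offline.

```python
import tempfile
from pathlib import Path
from typing import List, Optional

# File signatures (leading bytes) of archive formats that are commonly renamed
# to disguise staged exfiltration data.
ARCHIVE_MAGIC = {
    b"Rar!\x1a\x07\x01\x00": "RAR v5",
    b"Rar!\x1a\x07\x00": "RAR v4",
    b"PK\x03\x04": "ZIP",
    b"7z\xbc\xaf\x27\x1c": "7-Zip",
}
# Extensions an archive might be renamed to so it looks like an ordinary image.
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}
# Directory names used as hiding places (recycle bins); flagged separately.
SUSPECT_DIRS = ("$recycle.bin", "recycler", "recycled")


def identify_archive(header: bytes) -> Optional[str]:
    """Return the archive format name if the header starts with a known signature."""
    for magic, name in ARCHIVE_MAGIC.items():
        if header.startswith(magic):
            return name
    return None


def scan_tree(root: str) -> List[dict]:
    """Walk a directory tree and report image-named files whose content is an archive."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in IMAGE_EXTENSIONS:
            continue
        with open(path, "rb") as fh:
            header = fh.read(16)  # longest signature above is 8 bytes
        kind = identify_archive(header)
        if kind is None:
            continue  # content matches no archive signature; nothing to report
        in_recycle_bin = any(part.lower() in SUSPECT_DIRS for part in path.parts)
        findings.append({
            "path": str(path),
            "claimed": path.suffix.lower(),
            "actual": kind,
            "size_bytes": path.stat().st_size,
            "in_recycle_bin": in_recycle_bin,
        })
    return findings


def build_sample_tree(root: str) -> None:
    """Write constructed sample files: a genuine JPEG and a RAR renamed to .jpg in a recycle bin."""
    Path(root, "photos").mkdir(parents=True)
    Path(root, "$Recycle.Bin").mkdir()
    # Genuine JPEG: SOI marker followed by an APP0 marker, then filler bytes.
    Path(root, "photos", "holiday.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 64)
    # RAR5 signature followed by filler, renamed to look like a camera image (constructed sample).
    Path(root, "$Recycle.Bin", "IMG_0042.jpg").write_bytes(b"Rar!\x1a\x07\x01\x00" + b"\x00" * 64)


def run_demo() -> List[dict]:
    """Build the sample tree in a temporary directory, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for f in run_demo():
        where = " (in recycle bin)" if f["in_recycle_bin"] else ""
        print(f"{f['path']}: named {f['claimed']} but content is {f['actual']}, "
              f"{f['size_bytes']} bytes{where}")
```

On a real host, point `scan_tree` at user profile and temp directories; a hit is worth correlating with outbound transfer logs from the same time window.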

“China has now taken its place, alongside Russia, Iran and North Korea, in that shameful club of nations that provide a safe haven for cyber criminals in exchange for those criminals being ‘on call’ to work for the benefit of the state, here to feed the Chinese Communist party’s insatiable hunger for American and other non-Chinese companies’ hard-earned intellectual property, including COVID-19 research,” said Assistant Attorney General for National Security John C. Demers.

Charges were filed for conducting attacks on at least 8 companies and stealing trade secrets related to manufacturing processes, and technology designs, as well as chemical structures, source code, and test results. The information would allow competitors to gain a significant market edge and save millions on research and development costs, allowing them to create competing products.

The DOJ filed an 11-count indictment with a federal grand jury in Spokane, which includes one count of conspiracy to commit fraud, one count of conspiracy to commit theft of trade secrets, one count of conspiracy to commit wire fraud, one count of unauthorized access of a computer, and seven counts of aggravated identity theft. In total, the hackers face a maximum sentence of more than 40 years in jail; however, the hackers are unlikely to be brought to justice as there is no extradition agreement between the US and China.

“Today’s indictment demonstrates the serious consequences the Chinese MSS and its proxies will face if they continue to deploy malicious cyber tactics to either steal what they cannot create or silence what they do not want to hear,” said FBI Deputy Director David Bowdich. “Cybercrimes directed by the Chinese government’s intelligence services not only threaten the United States but also every other country that supports fair play, international norms, and the rule of law, and it also seriously undermines China’s desire to become a respected leader in world affairs. The FBI and our international partners will not stand idly by to this threat, and we are committed to holding the Chinese government accountable.”


Florida Orthopaedic Institute Facing Class Action Lawsuit Over Ransomware Attack

It is becoming increasingly common for healthcare organizations to face legal action after experiencing a ransomware attack in which patient data is stolen. The Florida Orthopedic Institute, one of the largest orthopedic providers in the state, is one of the latest healthcare providers to face a class action lawsuit over a ransomware attack.

The ransomware attack was detected on April 9, 2020 when staff were prevented from accessing computer systems and data due to the encryption of files. A third-party computer forensics firm was engaged to assist with the investigation and determined on May 6, 2020 that the attackers may have accessed and exfiltrated patient data. A range of sensitive data was potentially compromised including names, dates of birth, Social Security numbers, and health insurance information. Affected patients were notified about the breach on or around June 19, 2020 and were offered complimentary identity theft and credit monitoring services for 12 months. At the time of issuing notifications, no evidence had been found to suggest patient data had been misused.

Attorney John Yanchunis of the law firm Morgan & Morgan recently filed a lawsuit against Florida Orthopedic Institute in Hillsborough County, FL alleging the healthcare provider failed to implement appropriate safeguards to ensure the confidentiality of patient data. He claimed “Certainly, this information was in the hands of cybercriminals and was being used maliciously.”

The lawsuit alleges the healthcare provider was “lackadaisical, cavalier, reckless, or in the very least, negligent” with respect to maintaining the privacy of its patients and that basic cybersecurity best practices were not followed. In addition to negligence, the lawsuit alleges invasion of privacy, breach of fiduciary duty, breach of implied contract, unjust enrichment and violation of Florida’s Deceptive and Unfair Trade Practices Act.

While patients were offered complimentary identity theft protection services, Yanchunis claims that 12 months of coverage is not nearly enough to protect victims, since affected individuals now face an elevated risk of financial harm as a result of the breach for many years to come.

The lawsuit seeks extended credit monitoring for breach victims and at least $99 million in damages on behalf of the current and former patients.

The incident has yet to appear on the breach portal maintained by the HHS’ Office for Civil Rights so it is currently unclear how many patients have been affected by the attack. According to the lawsuit, at least 100,000 patients were affected and potentially more than 150,000.

Other recent ransomware attacks that have resulted in lawsuits include the attack on DCH Health System and BST & Co CPAs LLC. Grays Harbor Community Hospital recently proposed a $185,000 settlement to resolve a potential class action lawsuit filed on behalf of a victim of the breach.


The California Consumer Privacy Act is Now Being Enforced

On July 1, 2020, enforcement of the California Consumer Privacy Act (CCPA) of 2018 began. The CCPA took effect on January 1, 2020 and all companies covered by the Act were given a 6 month grace period before compliance with the CCPA would be enforced, although compliance with the provisions of the Act has been mandatory since January 1, 2020.

The grace period has now elapsed. California Attorney General Xavier Becerra confirmed there will be no delay to enforcement, even though dozens of requests were made by companies and trade associations asking for the grace period to be extended for a further 6 months due to the 2019 Novel Coronavirus pandemic. The requests were acknowledged but no extension was given.

“Right now, we’re committed to enforcing the law upon finalizing the rules or July 1, whichever comes first,” said Attorney General Becerra in a statement to Forbes. “We’re all mindful of the new reality created by COVID-19 and the heightened value of protecting consumers’ privacy online that comes with it. We encourage businesses to be particularly mindful of data security in this time of emergency.”

Now that the CCPA has teeth, any violation of the CCPA from July 1, 2020 can attract a financial penalty of up to $7,500 per violation. If a company is believed to be in violation of the CCPA, a warning will be issued, and the company will be given 30 days to correct the violation or financial penalties and lawsuits may follow.

The CCPA introduced a swathe of new privacy protections for California consumers and many individuals outside of California, mirroring several of the rights introduced by the EU’s General Data Protection Regulation (GDPR). The CCPA applies to all companies that have over $25 million in annual revenue, companies that collect the personal information of more than 50,000 consumers, households, or devices, and any business that derives more than 50% of its annual revenue from selling the personal information of consumers.

The CCPA gives consumers in the state of California the right to know what personal information companies are collecting and the purpose for which data is being collected. No other personal data can be collected other than the data types covered by the consent given by consumers.

Companies covered by the act must have a banner on their website informing consumers about their rights, which includes the right to opt out and not have their personal data collected. Consumers can request all personal information collected by a company be deleted and companies must have a process in place to delete personal information if such a request is received.

The CCPA prohibits the sale of the personal information of minors under the age of 16 without their permission, and the sale of the personal information of minors under the age of 13 is only permitted with parental consent. The CCPA also prohibits companies from discriminating against consumers who choose to exercise their rights under the CCPA.

There is also a private cause of action, so consumers can take legal action against companies over breaches of their unredacted, unencrypted personal information and can claim between $100 and $750.


$185,000 Settlement Proposed to Resolve Grays Harbor Community Hospital Ransomware Lawsuit

A proposed settlement has been agreed between Grays Harbor Community Hospital and Harbor Medical Group and the representative plaintiff in a proposed class action lawsuit over a June 2019 ransomware attack that resulted in the encryption of patient data.

The settlement was negotiated by the plaintiff and Grays Harbor to avoid the uncertainty of a trial and the costs of further litigation. The settlement was not decided in favor of either party by the Court.

The ransomware attack that prompted the lawsuit was detected in June 2019. The Washington healthcare provider powered down its systems to contain the virus that had prevented servers from being accessed, but not in time to prevent its computer systems from being encrypted. Grays Harbor had backed up its data for such an eventuality, but the backup files were also encrypted in the attack. The attack took its electronic health record system offline for around two months.

The attackers demanded a ransom of $1 million for the keys to decrypt the data. Grays Harbor had an insurance policy that provided cover of up to $1 million, although it is unclear whether that insurance policy paid out and if the ransom was paid. Regardless, it was not possible to recover all data encrypted in the attack and some patients’ protected health information was not recovered.

The lawsuit alleged violations of the Washington State Consumer Privacy Act, the Washington State Uniform Healthcare Information Act, and the state Constitution’s Right to Privacy; that Grays Harbor Community Hospital and Harbor Medical Group were negligent for failing to protect the privacy of patients; breach of express contract; breach of implied contract; and intrusion upon seclusion/invasion of privacy.

Grays Harbor Community Hospital and Harbor Medical Group agreed to the settlement with no admission of liability. All claims stated in the lawsuit have been denied.

Grays Harbor Community Hospital and Harbor Medical Group proposed a settlement of $185,000 to cover the claims of the 88,000 patients affected by the ransomware attack. Affected patients can submit claims up to a maximum of $210 per person to cover out-of-pocket monetary losses incurred as a result of the breach and up to three hours of documented lost time dealing with the fallout from the breach at a rate of $15 per hour.

Claims up to $2,500 will also be accepted to cover other provable losses that were more likely than not due to the ransomware attack. All available credit monitoring insurance and identity theft insurance must be exhausted before Grays Harbor is responsible for any larger payouts. If the claims exceed $185,000 they will be paid pro rata to reduce costs.

Class members have until July 27, 2020 to exclude themselves from the settlement or submit an objection. A fairness hearing has been scheduled for August 31, 2020. To receive a share of the settlement fund, a claim must be submitted by December 23, 2020.

Following the ransomware attack, steps were taken to improve security and more than $300,000 has been invested in information security. A further $60,000 will be spent on security improvements over the next three years.

This is the second data breach settlement to be announced this week. A settlement was also proposed by UnityPoint Health to resolve a lawsuit filed by victims of two 2018 phishing-related data breaches. That settlement will see UnityPoint Health make a minimum of $2.8 million available to cover claims and, very unusually, no cap has been placed on claims payments, so the final settlement amount could be substantial.
