Welcome to this week's edition of the Health Law Update. Topics covered today include:
Radiology Associates filed suit against its insurers to compel the insurers to defend Radiology Associates against claims stemming from an employee's alleged sexual assault of a patient while performing an unauthorized examination at their facility. Radiology Associates' professional liability policy, however, contained exclusions for claims arising out of any (1) sexual act, (2) act in violation of the applicable penal code or criminal statutes, or (3) intentional tort.
The district court found coverage under the policy because the patient potentially stated a claim for negligence - e.g., that the employee may have negligently thought he could undertake a vaginal exam, or that, in the course of performing the authorized ultrasound, the patient had been negligently and inappropriately touched by the employee. Based upon this speculation, the district court concluded that it was unclear whether the facts alleged in the complaint met the exclusion's criteria and, therefore, that the insurers had a duty to defend the group.
The Fifth Circuit, however, held that the insurers were not required to defend the group when the plaintiff's complaint made no allegation that the employee may have negligently believed his actions were authorized. The Fifth Circuit would not permit the district court to "imagine factual scenarios" which might avoid the consequences of an insurance policy exclusion.
Radiology Associates next argued that the court must interpret the allegations in the complaint from the standpoint of the insured and, therefore, because the employee was not an insured, and the complaint did not allege that Radiology Associates committed sexual misconduct, an intentional tort or violated a criminal code, that the insurer must defend it. The Fifth Circuit held that, even though the complaint alleges Radiology Associates was only negligent, those claims all arose out of (e.g., had a causal connection or relation) its employee's excluded conduct and, thus, were outside of the entity's professional liability policy's coverage.
Providers should carefully review the terms of their professional and general liability insurance policies to be sure they are covered for potential improper acts of their employees.
For more information, please contact Robert M. Wolin, or 713.646.1327.
top of page
Yakima Valley Memorial Hospital (Memorial) sued the Washington State Department of Health (Department) after it promulgated certificate of need (CON) regulations, arguing that the CON requirement violated the U.S. Constitution's "dormant" Commerce Clause by unreasonably burdening interstate commerce, as the regulation prevented Memorial from performing elective percutaneous coronary interventions (PCI).
Memorial also claimed that the Department's methodology for defining "need" was anticompetitive and preempted by § 1 of the Sherman Act because it allowed incumbent CON holders to expand their capacity and preclude new providers' entry into the market. The Ninth Circuit dismissed the antitrust claims because there was no concerted action. The court held that the PCI regulations were a unilateral licensing requirement rather than an agreement in restraint of trade.
More interesting, however, the court held that Congress's 1986 repeal of the National Health Planning and Resources Development Act of 1974 (NHPRDA) removed the congressional imprimatur authorizing Washington state's CON program to engage in regulation that the Commerce Clause would otherwise forbid. The Ninth Circuit held that such congressional authorizations must be "unmistakably clear" and "unambiguous." Thus, the repeal of the NHPRDA, without a savings clause, eliminated the requisite clear statement of congressional authorization for Washington's CON regulations. Congressional silence was not sufficient to sustain a Commerce Clause imprimatur.
Where a law only incidentally burdens interstate commerce, it "will be upheld unless the burden imposed on interstate commerce is clearly excessive in relation to the putative local benefits." Because the PCI regulations burdened the free flow of commerce to Memorial's financial detriment, Memorial had standing to show that the PCI regulations' burden on interstate commerce was excessive in relation to the local benefit.
The U.S. Department of Health and Human Services (HHS) recently made its first annual report to Congress regarding the number and nature of breaches reported to the Office of Civil Rights (OCR) since the effective date of the Health Information Technology for Economic and Clinical Health Act (HITECH Act) and as required by the HITECH Act. HHS also submitted information as to the actions taken by the reporting entities in response to those breaches.
From September 23, 2009, to December 31, 2010, over 30,000 healthcare data breaches have been reported to the OCR, affecting more than 7.8 million individuals. The report separates breaches into each calendar year (CY) and numbers affected. For the reporting months of 2009, 45 healthcare data breaches affecting more than 500 people (large breaches) were reported, with covered entities notifying approximately 2.4 million individuals affected by these large breaches. For breaches involving fewer than 500 people, the OCR received 5,521 reports during the 2009 reporting months affecting approximately 12,000 people. For CY 2010, 207 large breaches affecting 5.4 million individuals were reported to the OCR, with over 25,000 reports of smaller breaches involving more than 50,000 people.
According to the report, theft was the most common cause of the large breaches in both years, with stolen paper records and electronic media affecting over 4.4 million people. Many of these incidents occurred on the premises of the covered entities and involved stolen desktop computers, laptops and portable electronic devices, smart phones and flash drives. In 2009, the next most common cause was intentional unauthorized access to, use or disclosure of protected health information (PHI), such as phishing, employee misuse of credit card information and network hacking. In 2010, intentional unauthorized access was the third most common cause but included hacking and employees accessing information for personal gain. Human error and loss of electronic media or paper records containing PHI rounded out the most common causes for each year. In 2010, the second most common cause was loss of electronic media or paper records containing PHI mostly through portable electronic devices, including back-up tapes, compact discs, memory cards, flash drives and smart phones. Several of these involved breaches on the part of a business associate.
HHS also describes the most commonly reported remedial action taken by the covered entities in response to the larger breaches:
To date, the OCR has closed approximately 76 of the 252 larger breaches reported after investigating and determining that the covered entity (1) properly complied with the breach notification requirements, and (2) appropriately took corrective action for addressing the underlying causes, mitigating the harm to the affected parties and avoiding future incidents. In the remaining 176 cases, the OCR continues to investigate and work with the covered entities to ensure appropriate remedial action is taken.
In review of this report, it is clear that the OCR will investigate, in detail, the large reported breaches. Since theft and loss of PHI continue to be the most common causes of healthcare data breaches, covered entities should assess their physical security around PHI and ensure that electronic devices, including computers, laptops, smart phones and flash drives, are encrypted. Finally, business associate agreements should be scrutinized to ensure that covered entities' business associates are compliant and accountable for security of PHI.
For further information or assistance with privacy protection and data breach issues, please contact Lynn Sessions at or 713.646.1352.
On September 21, 2011, several members of Baker Hostetler's Healthcare Industry, Privacy, Security and Social Media and Intellectual Property Teams hosted a webinar on "Cloud Computing in Healthcare: HIPAA, HITECH and Contracting Considerations."
This webinar focused on the main components of a cloud computing platform and its potential ramifications or threats to healthcare providers, health plans and business associates in accordance with HIPAA and the HITECH Act.
This program also discussed how cloud computing directly relates to a company's electronic health records' meaningful use policies and goals. Key discussions focused on the contracting, negotiation and liability aspects of a cloud computing platform.
Baker Hostetler attorneys Peter Brown, John Mulhollan and Lynn Sessions led the session.
View Recorded Webinar
This program was approved for 1 CLE Ethics Credit in California, New York, Texas and is pending in Florida.
If you have any substantive questions about the topics discussed in the program please contact Peter Brown, or 212.589.4660, John Mulhollan, or 216.861.7484 or Lynn Sessions, or 713.646.1352.
October 3-4
New York partner Ted Kobus will speak on "Damages and Other Litigation Issues After a Data Breach Event" at the NetDiligence® West Coast Cyber Risk & Privacy Liability Forum sponsored by NetDiligence® in Marina Del Rey, California.
October 10
Houston partner Susan Feigin Harris will speak on "ACOs: Fact or Fiction?" at the 2011 Health Law Conference sponsored by the Texas Hospital Association in Austin, Texas.
Houston partner Donna Clark will speak on "Stark/Anti-Kickback Update" at the 2011 Health Law Conference sponsored by the Texas Hospital Association in Austin, Texas.
October 13
Houston counsel Lynn Sessions will speak on "Landmines for Litigators: What You Need to Know About HIPAA and HITECH" at the section luncheon of the Houston Bar Association Litigation Section in Houston, Texas.
October 17
New York partner Ted Kobus will speak on "Responding to Data Breaches: From A to Z" at the 2011 ASHRM Annual Conference & Exhibition sponsored by the American Society for Healthcare Risk Management in Phoenix, Arizona.
November 4
Houston counsel Lynn Sessions will speak on "Healthcare Cyber Risks and Privacy Breaches - Emergent Problem or Chronic Condition?" at the Professional Liability Underwriters Society annual conference in San Diego, California.
Baker & Hostetler LLP publications are intended to inform our clients and other friends of the Firm about current legal developments of general interest. They should not be construed as legal advice, and readers should not act upon the information contained in these publications without professional counsel. The hiring of a lawyer is an important decision that should not be based solely upon advertisements. Before you decide, ask us to send you written information about our qualifications and experience. © 2011 Baker & Hostetler LLP
PRINT VERSION
Subscribe to Baker Hostetler’s Health Law Update EDITORPolicy AnalystKathleen P. Rubinstein, MPAkrubinstein@bakerlaw.com713.276.1650
EDITOR
NATIONAL CO-LEADERSThomas W. Kahletkahle@bakerlaw.com513.929.3414
NATIONAL CO-LEADERS
Christopher J. Swiftcswift@bakerlaw.com216.861.7461 CHICAGOTara Goff Kamradttkamradt@bakerlaw.com312.416.6222 CLEVELANDSteven A. Eisenbergseisenberg@bakerlaw.com216.861.7903
CHICAGO
CLEVELAND
John S. Mulhollanjmulhollan@bakerlaw.com216.861.7484
Thomas S. Campanellatcampanella@bakerlaw.com216.861.6551
Anne C. Fosterafoster@bakerlaw.com216.861.7258
Susan Whittaker Hughesshughes@bakerlaw.com216.861.7841 COLUMBUSRichard W. Siehlrsiehl@bakerlaw.com614.462.2639
COLUMBUS
M.J. Asensiomasensio@bakerlaw.com614.462.2622
Robert K. Rupprrupp@bakerlaw.com614.462.2688
Mark Hatchermhatcher@bakerlaw.com614.462.4765
Winnie Simwsim@bakerlaw.com614.462.4726 COSTA MESAGeorge T. Mooradiangmooradian@bakerlaw.com714.966.8800
COSTA MESA
DENVERDavid B. Wallerdwaller@bakerlaw.com303.764.4093 HOUSTONRobert M. Wolinrwolin@bakerlaw.com713.646.1327
HOUSTON
Susan Feigin Harrissharris@bakerlaw.com713.646.1307
Donna S. Clarkdclark@bakerlaw.com713.646.1302
B. Scott McBridesmcbride@bakerlaw.com713.646.1390
Lynn Sessionslsessions@bakerlaw.com713.646.1352
Sameer V. Mohansmohan@bakerlaw.com713.646.1309
Summer D. Swallowsswallow@bakerlaw.com713.646.1306
Ameena Ashfaqaashfaq@bakerlaw.com713.646.1329
Darby C. Allendallen@bakerlaw.com713.646.1311
Tiffany D. Reyestdreyes@bakerlaw.com713.646.1357 LOS ANGELESNeil Carreyncarrey@bakerlaw.com310.442.8835
LOS ANGELES
NEW YORKJohn J. Carneyjcarney@bakerlaw.com212.589.4255
George C. Dolatlygdolatly@bakerlaw.com212.589.4680
ORLANDOG. Thomas Balltball@bakerlaw.com407.649.4004
David L. Schickdschick@bakerlaw.com407.649.4084
Richard W. Siehlrsiehl@bakerlaw.com407.649.4076
Jessica L. Captainjcaptain@bakerlaw.com407.649.4025
WASHINGTON, DCJeffrey H. Paravanojparavano@bakerlaw.com202.861.1770 ABOUT BAKER HOSTETLER’S NATIONAL HEALTHCARE TEAMBaker Hostetler is at the forefront of national law firms providing clients involved in every facet of healthcare delivery across the country with comprehensive legal counsel of remarkable responsiveness, creativity, quality and value. We understand the unique needs of the industry, and are dedicated to helping clients achieve their strategic and operational goals and resolve day-to-day operating issues through our experience, knowledge and national perspective. Supported by more than 700 attorneys and professionals in 11 cities coast to coast, our multi-disciplinary Healthcare Team offers clients nationwide strength across a diverse array of practice areas including Medicare and Medicaid reimbursement, regulatory compliance, fraud and abuse counseling, government investigations, subpoenas and audits, FDA, pharmaceuticals and biotechnology, tax and exempt organization laws, export controls, ERISA, management labor and employment, finance and business transactions, antitrust, lobbying, commercial litigation, healthcare operations, HIPAA/HITECH and data breaches, among others.