Hacked Hospital Network Includes Outstate Missouri Hospitals

By Laura Gerdes Long



4.5M Records Stolen, HIPAA violation

In June 2014, hackers in China used high-end, sophisticated malware to launch criminal cyber-attacks to access patient information from a national hospital system. Community Health Systems, Inc. (“CHS”) operates 206 hospitals across the U.S. in 29 states, including four located in Missouri (Kennett, Kirksville, Moberly, and Poplar Bluff). The breached data is considered protected health information under the Health Insurance Portability and Accountability Act (“HIPAA”).

In a filing with the U.S. Securities and Exchange Commission, CHS said the attacker was an “Advanced Persistent Threat” group which bypassed CHS’ security measures, successfully copying and transferring certain data outside CHS. Although CHS has confirmed that this data did not include patient credit card, medical, or clinical information, the breach does include patient names, addresses, birth dates, telephone numbers and Social Security numbers. CHS has been working closely with federal law enforcement authorities in connection with their investigation and potential prosecution of those determined to be responsible for this attack.

Under various state and federal laws, CHS is obligated to notify affected patients. The Department of Health and Human Services provides a web page describing the breach notification requirements of covered entities to affected individuals, the Secretary of Health and Human Services, and, in certain circumstances, to the media.

Mizzou Story Highlights Tension Between Doctor-Patient Privilege and Protecting the Patient

By Laura Gerdes Long



A story concerning the death of a female athlete by suicide, her alleged rape, and the role played by the university she attended in the tragic facts has placed the issue of patient confidentiality squarely in the headlines.  The story highlights the care that must be taken to protect a patient’s ability to speak candidly and honestly to his or her medical provider without fear that such information will be divulged to anyone else without the patient’s permission.

The female student athlete had committed suicide in 2011, approximately 16 months after her alleged rape in 2010 by another student athlete at the school. According to an email posted to Mizzou’s website on January 24, 2014, an ESPN producer of “Outside the Lines” wanted to know if University of Missouri officials planned to investigate or notify law enforcement about the alleged rape. Just hours before publishing the story, the ESPN producer asked university officials:

HIPAA vs. Florida and HIPAA Wins!

By Laura Gerdes Long



In a battle between a state statute and the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) (42 U.S.C. § 1320d to d-9), the Eleventh Circuit Court of Appeals has held that a Florida statute is preempted by HIPAA because it is an obstacle to the “accomplishment and execution of the full purposes and objectives of HIPAA in keeping an individual’s protected health information strictly confidential.” OPIS Management Resources, LLC, et al. v. Secretary Florida Agency for Health Care Administration, No. 12-12593 (11th Cir. April 9, 2013).

OPIS, and the other plaintiff parties, are operators and managers of skilled nursing facilities in Florida. In the course of their operations, the nursing facilities received requests from spouses and attorneys-in-fact for the medical records of deceased nursing home residents. Because the parties requesting the records were not “personal representatives” pursuant to HIPAA and its implementing regulations, the facilities refused to disclose the records.  As a result, the requesting parties filed complaints with the U.S. Department of Health and Human Services Offices for Civil Rights, which concluded that the nursing facilities acted properly.

The Florida Agency for Health Care Administration, however, issued citations against the nursing facilities for violating Florida law by refusing to release the records because the state statute requires licensed nursing homes to release a former resident’s medical records to the spouse, guardian, surrogate, or attorney-in-fact of any such resident. Fla. Stat. § 400.145(1). Because of the conflicting interpretations of the relevant laws, the nursing facilities filed a complaint for declaratory judgment. The district court granted the nursing facilities’ motion for summary judgment, explaining that the Florida statute affords nursing home residents less protection than is required by the federal law; therefore, the state law is preempted by HIPAA.

Stricter Federal HIPAA Law Trumps State Law

At the heart of the issue is whether the state statute, in which the “unadorned text…. authorizes sweeping disclosures, making a deceased resident’s protected health information available to a spouse or other enumerated party upon request, without any need for authorization, for any conceivable reason and without regard to the authority of the individual making the request to act in a deceased resident’s stead,” conflicts with federal law, according to Judge Susan H. Black. Finding that it does conflict, the jurist wrote, the state law “frustrates the federal objective of limiting disclosures of protected health information” and is therefore “preempted by the more stringent privacy protections” imposed by federal law.

New Family and Medical Leave Act Guidance for Families of Adult Children with Disabilities

By Estate Planning Practice Group



Families now have clarification on when parents may use leave to care for an adult child with a mental or physical disability.

On January 14, 2013, the Wage and Hour Division of the Department of Labor issued additional guidance to help employers determine eligibility of employees to take leave under the Family and Medical Leave Act (FMLA) when the employee has an adult child with a mental or physical disability incapable of self-care due to a serious health condition.

Generally, entitlement to FMLA leave ends when a child is 18 years old. “Incapable of self-care” means that the individual requires active assistance or supervision to provide daily self-care in three or more of the “activities of daily living” or “instrumental activities of daily living.”

Employers and the Health Reform Law

By Laura Gerdes Long



On June 28, 2012, the Supreme Court, in a 5-4 decision, upheld the Patient Protection and Affordable Care Act (the “Act”), more commonly known as the health reform law, including the highly controversial individual mandate. While the Court limited the Act’s planned expansion of Medicaid, the decision was overwhelmingly a “win” for President Obama.

Now that President Obama has been elected to a second term, those who resisted implementing the first set of provisions (waiting for the Court to rule) will have to begin earnestly working to comply with both provisions already in effect and forthcoming provisions, including key provisions which require compliance in 2014: the individual mandate and the employer mandate.

Provisions currently in effect include:

  • No lifetime limits on coverage.
  • Restrictions on annual limits.
  • No “rescissions,” meaning health plans cannot cancel coverage once you are sick unless you committed fraud when you applied for coverage.
  • Dependent care coverage is provided up to age 26 for adult children without employer-sponsored coverage.
  • Federal small business tax credits have also been available for employers who provide coverage, with credits differing depending on the size of the company and increasing to 50 percent in 2014.
  • Many consumer employees have already experienced not having to pay out-of-pocket costs for certain preventative services, such as breast cancer screenings and cholesterol tests, and the disqualification of over-the-counter drugs as medical expenses for Flexible Spending Accounts (FSAs) and Health Savings Accounts (HSAs).
  • Insurers will have to provide rebates to consumers if they spend less than 80 to 85 percent of premium dollars on medical care.

The impact of both the individual mandate and the employer mandate will not be fully known until closer to 2014; however, there has been great speculation about who will be most impacted.

The Impact of Electronic Storage on Mental Health Care Records

By Laura Gerdes Long



The looming clash over the privacy of mental health care records as they are increasingly being stored electronically was revealed in “As Records Go Online, Clash over Mental Care Privacy,” an article in the June 21, 2012 issue of the Boston Globe.

The Globe article highlighted the case of a patient who attended weekly therapy sessions and, as is typical, revealed her most private secrets, including depression and childhood sexual abuse.  Her psychiatrist at Massachusetts General Hospital would then type a summary into her computerized medical record.  With that, more than 200 pages of sensitive notes became available to any doctor who cared for her within the sprawling Partners HealthCare system.  She discovered this only when a doctor later referenced the notes.

On one hand, Partners (the hospital system) argues that doctors must have a complete picture to make accurate diagnoses and having different rules for psychiatric records contributes to the stigma of mental illness.

On the other hand, this article highlights the delicate privacy issues that are surfacing as electronic medical records become widespread.  Providers in separate networks are preparing to share patients’ records more widely online — to better coordinate care and cut wasteful spending.  This will probably intensify the debate about what should and should not be shared, as well as fears about the unauthorized release of patient information.

As Dr. David Blumenthal, Partners’ chief health information and innovation officer and former national coordinator for health information technology for the Obama administration, said:

Breastfeeding in Public: Mother Sues Sheriff’s Deputy

By Laura Gerdes Long



Co-authored by Laura Gerdes Long and Adrienne R. Lauf

A mother is suing a sheriff’s deputy in Cook County, Illinois for violation of the state’s Right to Breastfeed Act. The mother, who was at the courthouse to apply for food-assistance benefits, was breastfeeding her seven-week-old daughter in the lobby of the courthouse. The mother and her daughter were covered by a blanket at the time of the feeding. The deputy demanded that the mother move from the courthouse lobby to a public bathroom to breastfeed the baby. Because the mother feared she would disrupt the application process for her benefits if she were kicked out of the courthouse, she quit feeding her daughter instead of moving.

Right to Breastfeed in Illinois

In 2004, the General Assembly of Illinois passed the Right to Breastfeed Act, with the following stated purpose:

“The General Assembly finds that breast milk offers better nutrition, immunity, and digestion, and may raise a baby’s IQ, and that breastfeeding offers other benefits such as improved mother-baby bonding, and its encouragement has been established as a major goal of this decade by the World Health Organization and the United Nations Children’s Fund. The General Assembly finds and declares that the Surgeon General of the United States recommends that babies be fed breast milk, unless medically contraindicated, in order to attain an optimal healthy start.”

Is This by Consent? Changes to Missouri Supreme Court Rule Affect Use of Non-party Subpoenas

By David R. Bohm



Part of a series on issues related to Manufacturers, Distributors and International Trade

Co-authored by David R. Bohm and David A. Zobel

A major change involving subpoenas to non-parties has hit the business world in the state of Missouri.

A new amendment to the Missouri Supreme Court Rules now requires non-party record custodians to physically appear at deposition to produce subpoenaed items, unless all parties to the litigation have agreed that the subpoenaed party may produce the items without appearing.

The amendment changes the prevailing practice where parties send out subpoenas to third parties with a letter explaining that they will be excused from appearing at deposition if they produce the requested items along with what is known as a business records affidavit.

Rule 57.09, as amended, now requires parties to first obtain consent from all other parties to the litigation before a subpoenaed witness may produce documents without attending the deposition. This agreement must be communicated to the witness in writing. Absent this agreement, a witness must appear to produce subpoenaed items at deposition.

What does this mean to you? If you receive a subpoena, you may only produce the documents to the party serving the subpoena without appearing at deposition if that party represents to you in writing (e.g., in a letter) that all other parties have consented to production of the documents without need for you to appear at the deposition. Such a letter should protect you from allegations that you improperly produced records by mail, instead of bringing the documents to the deposition. You do not need to see the actual agreement. If you have any questions as to whether you can simply mail the documents, instead of appearing at deposition, you should either call your attorney for advice or simply wait and bring the documents at the time and place designated in the subpoena.

Supreme Court: Will Five and a Half Hours Be Enough?

By Laura Gerdes Long



Fate of the Patient Protection and Affordable Care Act Lies in Hands of Supreme Court

According to the National Law Journal, the Supreme Court justices granted review in three of the five petitions that they had before them regarding the Patient Protection and Affordable Care Act, all from the 11th Circuit Court of Appeals. That court had struck down the mandate that individuals who can afford health insurance must purchase coverage or pay a penalty.

The Journal article lists the issues on which the Court would hear arguments and the amount of time allotted to each issue, for a total of five and one-half hours.

Oral arguments will be made by the United States Solicitor General, 26 state attorneys general (handled by a single lawyer from a Washington firm), and the National Federation of Independent Business (NFIB).

Typically, Supreme Court oral arguments are scheduled for two hours of argument. Arguments are likely to be held in March.

Undoubtedly, with all of the questions raised by the health care act, five hours will not be sufficient time to answer all of them.

Posted by Attorney Laura Gerdes Long. Long practices in tort, insurance defense, legal malpractice, health care, and employment law. Well-versed in employment law policies and processes related to HIPAA, she serves as a trainer and advisor to health care providers, insurers, self-insured employers, and municipalities.

Electronic Health Records: Could Your Practice Be at Risk?

By Laura Gerdes Long



The federal government’s efforts at incentivizing medical providers to use electronic health records (EHRs) may be putting some practices at risk.

In “Electronic Records May Increase Malpractice Lawsuit Risk,” Neil Versel with Information Week refers to a white paper published by the AC Group, a Montgomery, Texas, health IT research and consulting firm. The white paper describes the kinds of risks that medical practices may face if they try to implement EHRs too quickly without the appropriate vendors.

Even vendors who have been certified by the Office of the National Coordinator for Health Information Technology (ONC) have been found lacking in the area of “medico-legal training.” For example, according to Versel, it has been discovered that ONC certification may not require providers “to check drug orders against laboratory results or take into account social and family medical history in creating alerts,” such as the need for more frequent mammograms for a female patient with a mother who has had breast cancer.

Here are just a few other issues that have arisen:

  • Critical safety alerts are being missed due to incomplete medication lists;
  • Problems with time synchronization of records between electronic charting systems; and
  • A high percentage of EHRs do not run drug interaction checks when filling prescriptions.

So to the medical practice community: buyer beware.
