A roundup of recent cases and enforcement actions involving the diagnostics industry
$4.3 Million Is Too High a Penalty for HIPAA Violation, Says Federal Court Case: A federal appeals court has shot down what had been the fourth largest OCR penalty for a HIPAA violation as having “no lawful basis.” That decision means that instead of $4.3 million, the University of Texas MD Anderson Cancer Center will have to pay $450,000 for failing to encrypt protected patient data. OCR doled out the fine in 2018 to settle alleged HIPAA violations associated with a trio of separate data breaches that occurred in 2012 and 2013, involving the loss and theft of an unencrypted laptop and two unencrypted flash drives containing data on approximately 33,800 patients. Significance: HIPAA requires covered entities to “implement a mechanism to encrypt and decrypt” ePHI. There was no dispute that Anderson fell short in meeting this requirement. The issue was how big a penalty it deserved. It wasn’t like Anderson was cavalier. There were policies and training in place. But the employees involved in the breaches apparently didn’t follow them. The mechanism existed, “even if it could or should have been better,” the Fifth Circuit reasoned. The court also found that OCR failed to abide by per-year penalty caps […]
$4.3 Million Is Too High a Penalty for HIPAA Violation, Says Federal Court
Case: A federal appeals court has shot down what had been the fourth largest OCR penalty for a HIPAA violation as having “no lawful basis.” That decision means that instead of $4.3 million, the University of Texas MD Anderson Cancer Center will have to pay $450,000 for failing to encrypt protected patient data. OCR doled out the fine in 2018 to settle alleged HIPAA violations associated with a trio of separate data breaches that occurred in 2012 and 2013, involving the loss and theft of an unencrypted laptop and two unencrypted flash drives containing data on approximately 33,800 patients.
Significance: HIPAA requires covered entities to “implement a mechanism to encrypt and decrypt” ePHI. There was no dispute that Anderson fell short in meeting this requirement. The issue was how big a penalty it deserved. It wasn’t like Anderson was cavalier. There were policies and training in place. But the employees involved in the breaches apparently didn’t follow them. The mechanism existed, “even if it could or should have been better,” the Fifth Circuit reasoned. The court also found that OCR failed to abide by per-year penalty caps for HIPAA violations.
[University of Texas M.D. Anderson Cancer Center v. U.S. Dept. of Health and Human Services, Case 19-60226, U.S. Fifth Circuit, January 14, 2021]
Genetic Testing Lab Pays $2.5 Million to Settle Kickback and False Claims Charges
Case: The feds accused a California-based molecular diagnostics firm of working with a marketing firm to carry out a scheme to falsely bill Medicare for medically unnecessary genetic tests performed on patients of 76 nursing homes generated via paid referrals. Rather than risk a trial, the firm agreed to settle the case for $2,538,000.
Significance: The DOJ claims that the lab agreed to pay the marketing firm a cut on the Medicare reimbursement for every genetic test referred by the firm’s clients. If Medicare didn’t pay for the test, the firm didn’t get the fee. The firm then teamed up with a Wisconsin nursing homes owner and operator to identify Medicare patients the firm could approach to obtain buccal cell samples that could be sent to the lab for genetic testing. In subsequently billing Medicare for the tests, the lab added False Claims Act violations to its kickback offenses. For its part, the nursing home operator has agreed to pay $1 million to settle claims arising from its role in the scheme.
DME Company Must Pay $762K for Retaliating against Whistleblower
Case: A key account manager (KAM) filed a qui tam lawsuit against the medical device company that employer her for allegedly accepting kickbacks from a leading client. When the client found out that it was named as a defendant in the case, it demanded that the company take the KAM off its account. The company not only agreed to the request but also put the KAM on indefinite paid administrative leave and assigned her to less favorable accounts when she returned. The KAM claimed retaliation. The jury agreed and awarded her $762,525 in damages. The company appealed but to no avail.
Significance: The False Claims Act bans employers from discriminating against employees “because of” their protected conduct. As is often the case in retaliation cases, the key question was whether the company took unfavorable action against the KAM “because” she filed the whistleblower lawsuit. Courts are split over what “because of” means. In some courts, to prove causation the whistleblower need only show that the lawsuit was just one factor. Other courts impose a stricter standard and require the whistleblower to prove that the protected action was the “but for” or motivating cause of the action. Addressing the issue for the first time, the U.S. Court of Appeals for the Third Circuit opted for the “but for” test. But it also concluded that the KAM produced enough evidence to meet this more stringent test and upheld the jury award.
[Lestage v. Coloplast Corp., 2020 U.S. App. LEXIS 38366, 982 F.3d 37]
CLIA Lab Subject to HIPAA Not Necessarily Exempt from State Medical Privacy Law
Case: Plasma donors filed a class action claiming that a plasma donation company’s use of a donor-identification system based on a donor’s fingerprints and biometric information without consent violated Illinois medical privacy laws. The company, which happened to be a CLIA lab, claimed that the state law didn’t apply citing the definition of biometric identifiers as excluding “information collected, used, or stored for health care treatment, payment, or operations under” the federal HIPAA law. The exclusion applied, the company argued, because as a CLIA lab, it might have to disclose lab testing results of a donor subject to HIPAA. But the Illinois federal court would let the company use the defense.
Significance: The defense failed not because the application of HIPAA would have exempted the company from the state law but because it didn’t adequately explain the connection between collecting a biometric template from donors on the front end and how that template is “collected, used, or stored for health care treatment, payment, or operations under [HIPAA].” The mere fact that the company was a lab subject to CLIA, which in turn made it subject to HIPAA wasn’t enough to establish such a connection, the court explained.
[Crumpton v. Octapharma Plasma, Inc., 2021 U.S. Dist. LEXIS 9520]
Employee Can’t Blame Positive Marijuana Test on Testing Lab’s Negligence
Case: An oil and gas worker was reassigned to a less desirable warehouse position after his hair follicle test came back positive for marijuana. The worker insisted he was clean—his urine drug and alcohol breathalyzer tests both came back negative—and blamed the positive result on the negligence of the lab in collecting and testing the hair sample. The lab contended that the case was baseless. The Louisiana court agreed and dismissed the negligence claims without a trial.
Significance: During the summary judgment phase, the plaintiff doesn’t have to prove the case but must show that it’s legally valid to win the chance to go to trial. The worker in this case didn’t do that. The first problem with his negligence case against the testing lab is that it didn’t actually collect the hair sample. Under the employer’s testing regime, a separate lab collects the samples and sends them to the testing lab for analysis. Nor was there any evidence that the lab was negligent in testing the sample, the court concluded, citing the written statement from the lab’s senior analytical chemist for mass spectrometry describing the lab’s utilization of a two-part, FDA-approved hair sample drug test for marijuana detection.
[Bass v. DISA Global Sols., Inc., 2020 La. App. LEXIS 1943, 2020 0071 (La.App. 1 Cir. 12/30/20), 2020 WL 7770253]
Subscribe to view Essential
Start a Free Trial for immediate access to this article