Resources

Client Alerts, News Articles, Blog Posts, & Multimedia

Everything you need to know about BMD and the industry.

CLIENT ALERT: Will Ohio Recognize a Biddle Claim in a Post-HIPAA World?

Client Alert
October 17, 2019

The Ohio Supreme Court will soon determine whether Ohio will allow patients to bring a private state law claim against a healthcare provider for an alleged HIPAA violation involving the disclosure of protected health information (“PHI”), when the healthcare provider discloses PHI for the purpose of collecting payment from a patient on a past due account.  The Ohio Supreme Court will decide this issue in a case styled Menorah Park Center for Senior Living v. Irene Rolston. [1]

                                                           

In Menorah Park, a rehabilitation center, Menorah Park, filed suit in the Shaker Heights Municipal Court to collect payment from a patient, Mrs. Rolston.  When Menorah Park filed its complaint, it attached unredacted billing statements that contained PHI, including “a description of medical services provided to [Mrs. Rolston]; the dates the services were provided; medical procedure codes; charges, credits, and balances on [Mrs. Rolston’s] account; and other information.” [2] While HIPAA generally prohibits the unauthorized disclosure of PHI, HIPAA expressly authorizes the disclosure of PHI for the purpose of collecting payment from a patient.[3]    Such disclosures are subject, however, to the minimum necessary requirement which states that the healthcare provider must make reasonable efforts to limit the disclosure of PHI “to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.”[4]

In response to Menorah Park’s complaint, Mrs. Rolston filed a class-action counterclaim, on behalf of herself and others similarly situated, claiming that Menorah Park had also improperly disclosed other patients’ PHI in over 250 similar cases filed in the same court.  Mrs. Rolston claims that she suffered between $6,000 and $15,000 in damages, and that each class member (between 40-250 patients) suffered similar damages—bringing the total potential damages of the class-action to between $240,000 to $3,750,000 (or more). 

Mrs. Rolston characterized the class-action as a breach of confidence for the unauthorized disclosure of non-public medical information that [Menorah Park] learned within a physician-patient relationship.  Mrs. Rolston claims that the Ohio Supreme Court previously recognized a similar claim, referred to as a “Biddle Claim,” in a case styled Biddle v. Warren General Hospital.[5]

In Biddle, the Ohio Supreme Court recognized an independent claim for the unauthorized, unprivileged disclosure to a third party of non-public medical information that a physician or hospital has learned within a physician-patient relationship.  The Ohio Supreme Court decided Biddle, however, on September 15, 1999, before the U.S. Department of Health and Human Services (the “HHS Department”) published HIPAA’s privacy-rule regulations on December 28, 2000.

The trial court in Menorah Park dismissed the Biddle Claim, and Mrs. Rolston appealed to the Eighth District.  On appeal, Menorah Park argued that federal HIPAA regulations preempted or trumped the patient’s Biddle Claim because as a matter of well-established federal law, HIPAA does not provide a patient with a private cause of action against a healthcare provider for violating HIPAA.  Instead, as healthcare providers know, under HIPAA only the HHS Department may penalize healthcare providers for HIPAA violations.  The Eighth District rejected Menorah Park’s arguments finding that HIPAA did not preempt a Biddle claim, and reversed and remanded the class-action to the trial court for further proceedings. 

Menorah Park appealed to the Ohio Supreme Court, claiming that a split of authority exists between the Eighth District’s decision in Menorah Park, and a post-Biddle decision by the Tenth District Court of Appeals in OhioHealth Corp. v. Ryan, in which the Tenth District dismissed a Biddle Claim like the one brought by Mrs. Rolston in Menorah Park.  The Ohio Supreme Court accepted Menorah Park’s appeal on October 1, 2019.

In OhioHealth, a hospital filed suit against a patient to collect payment. [6]  The patient countered with a Biddle Claim similar to Mrs. Rolston’s in Menorah Park.[7]  In affirming the trial court’s dismissal of the Biddle Claim in OhioHealth, the Tenth District held that “HIPAA permits the use or disclosure of individually identifiable health information when it is for the purpose of obtaining payment. . .[and] [c]onsequently, the disclosure cannot be deemed ‘unauthorized, unprivileged disclosure’ as required under the theory announced in Biddle.”[8]  The Court in OhioHealth also explained “we are aware of no applicable exceptions to preemption, and because HIPAA is applicable to these circumstances, HIPAA is the governing authority.”[9]  Finally, the OhioHealth Court noted, “[s]ignificantly, HIPAA does not allow a private cause of action, according to Ohio law[,]” and therefore, even if the patient had a claim for a HIPAA violation, “he is without authority to bring it to court.”[10]

Although not as on point as OhioHealth, the decision in Sheldon v. Kettering Health Network, decided in 2015, anticipated the problem with enforcing a Biddle Claim in a post-HIPPA world: “recognition of a Biddle claim post-HIPAA presents a seemingly unsolvable conundrum” because some cases, like Menorah Park, would involve the use of HIPAA’s authorized disclosure regulations to form the basis of a state law private cause of action when HIPAA does not provide a private cause of action.[11]

The parties in Menorah Park will submit briefing to the Ohio Supreme Court soon, and it is likely that other healthcare providers and/or healthcare provider associations may file amicus briefs with the Ohio Supreme Court to take the position that Ohio should not recognize the class-action claims filed in Menorah Park.  The recognition of such a claim could lead to a flood of other similar class-actions against healthcare providers who use Ohio’s courts to collect on past due accounts.

Even if the Ohio Supreme Court decides patients cannot bring a private cause of action for an alleged HIPAA violation, healthcare providers should still nevertheless remember that HIPAA does provide for other substantial and severe penalties, including, but not limited to, potential fines by the HHS Department.  Therefore, regardless of how the Ohio Supreme Court decides Menorah Park, healthcare providers should comply with HIPAA’s regulations governing the disclosure of PHI when pursuing payment from a patient.

[1] Ohio Supreme Court Case No. 2019-0939, on appeal from Menorah Park, 8th Dist. NO. 107615, 2019-Ohio-2114.

[2] See Menorah Park, 8th Dist. No. 107615, 2019-Ohio-2114 at ¶ 3.

[3] See 45 C.F.R. 164.502(a)(1)(ii).  HIPAA defines “payment” to include, among other things, billing, claims management, collection activities, activities undertaken by a health plan to obtain premiums or provide coverage, and activities undertaken by a healthcare provider or health plan to provide reimbursement.  See 45 C.F.R. § 164.501 (“Payment” definition).

[4] See45 C.F.R. § 164.502(b).

[5] 86 Ohio St.3d 395 (1999).

[6] 10th Dist. No. 10AP-937, 2012-Ohio-60.

[7] The patient’s counterclaim in OhioHealth v. Ryan was not a class-action, and OhioHealth filed a redacted account statement as an attachment to its complaint.

[8] OhioHealth Corp., 2012-Ohio-60 at ¶ 15.

[9] Id. at ¶ 17 (citing Lumley v. Marc Glassman, Inc., 11th Dist. No. 2007-P-0082, 2009-Ohio-540, ¶ 89).

[10] Id. at ¶ 18.

[11] 2nd Dist. No. 26432, 2015-Ohio-3268 at ¶ 28.

 

HealthcareHealth LawHIPAAHIPAA ComplianceBiddle Claim
Client Alert

HIPAA Business Associate Agreements: Why These Contracts Matter

January 27, 2021No one loves drafting, reading or negotiating HIPAA Business Associate Agreements (BAAs). Yet many of us need to do so, and some of us do so daily. They are often boring, dense and technical, but BAAs are important from both a legal and a business perspective, and they deserve our attention. Failure to enter a BAA when one is required can constitute a HIPAA violation that results in substantial liability, as demonstrated by certain recent Department of Health & Human Services (HHS) settlements.1 A business associate who makes a disclosure that is not authorized by the applicable BAA or required by law can be subject to civil and, in some cases, criminal penalties. Further, parties are often presented with BAAs that contain onerous one-sided indemnification and other provisions that can be devasting to an organization in the event of a HIPAA breach. The significance of a BAA is often not fully understood by the parties until something goes wrong (e.g., a HIPAA security incident or breach, an Office of Civil Rights (OCR) audit or a fracture in the relationship between the parties) and, at that point, there is limited opportunity to mitigate legal and business risk. Ideally, attention should be given at the commencement of the business associate relationship, when the parties are able, to thoughtfully addressing regulatory requirements, planning and preparing for potential adverse events and appropriately allocating risk among the parties. As with most healthcare regulatory compliance initiatives, a proactive approach with respect to BAAs is preferable. This article provides a broad overview of certain BAA requirements and some practical negotiating tips for the parties involved.Client Alert

“I’m Out Of Here!” Now What?

January 27, 2021We all know that the healthcare industry is experiencing a wave of integration. This trend has been evident for many years. Fewer physicians are willing to assume the legal, financial and other business risks associated with owning their own practices. More and more physicians, including anesthesiologists, are becoming employed by large physician groups, health systems and national providers. This shift necessarily involves not only entry into new employment arrangements but also the termination of existing relationships. And those terminations are often governed by written employment agreements, state and federal healthcare laws and employer benefit plans and other policies and procedures. Before pursuing their next opportunity, physicians should pause for a moment and first attend to the arrangement that they are leaving. Departing physicians need to understand their legal rights and obligations when leaving their current employment relationships in order to avoid unintended consequences and detrimental missteps along the way. Here are a few words of practical advice for physicians contemplating an exit from their current employment arrangements.Client Alert

Investment Training for the Second and Third Generations

January 19, 2021Consider this scenario. Mom and Dad started the business from the ground up. Over the decades it has expanded into a money-making machine. They are able to sell the business and it results in a multimillion-dollar payday for their labors. The excess money has allowed Mom and Dad to invest with various financial advising firms, several fund management groups, and directly with new startups and joint ventures. Their experience has made them savvy investors, with a detailed understanding of how much to invest, when, and where. They cannot justify formation of a full family office with dedicated investors to manage the funds, but Mom and Dad have set up a trust fund for the children to allow these investments to continue to grow over the years. Eventually, Mom and Dad pass. Their children enjoy the fruits of their labors, and, by the time the grandchildren are adults, Mom and Dad's savvy investments are gone.Client Alert

Provider Relief Funds – Continued Confusion Regarding Reporting Requirements and Lost Revenues

January 15, 2021In Fall 2020, HHS issued multiple rounds of guidance and FAQs regarding the reporting requirements for the Provider Relief Funds, the most recently published notice being November 2, 2020 and December 11, 2020. Specifically, the reporting portal for the use of the funds in 2020 was scheduled to open on January 15, 2021. Although there was much speculation as to whether this would occur. And, as of the date of this article, the portal was not opened.Client Alert

Ohio S.B. 310 Loosens Practice Barrier for Advanced Practice Providers

January 14, 2021S.B. 310, signed by Ohio Governor DeWine and effective from December 29, 2020 until May 1, 2021, provides flexibility regarding the regulatorily mandated supervision and collaboration agreements for physician assistants, certified nurse-midwives, clinical nurse specialists and certified nurse practitioners working in a hospital or other health care facility. Originally drafted as a bill to distribute federal COVID funding to local subdivisions, the healthcare related provisions were added to help relieve some of the stresses hospitals and other healthcare facilities are facing during the COVID-19 pandemic.
Older posts
Newer posts