Wednesday, April 27, 2005

Alcohol Class Action Filed in West Virginia

A novel class action was filed in West Virginia on or about April 18, 2005, in Hancock County, West Virginia and is styled as Roger Bertovich and Kathy Bertovich, husband and wife on behalf of themselves, all other similarilary situated and the general public v. Advanced Brands & Importing Co., Anheuser-Busch, Inc. et. al.

The class action is directed against approximately 90 plus alcoholic-beverage producers and alleges that the manufactures diliberately and illegally targeted the marketing of alcoholic beverages to children and minors. The action is being brought under the West Virginia Consumer Protection Act, W.Va. Code 46A-6-401 et seq. and claims that the impact of the marketing generates substantial revenue from the sale of alcoholic beverages to such minors.

Similar class action lawsuits have been filed in at least four other states across the country. You can find a summary of some of the cases here.

Tuesday, April 26, 2005

Summary of West Virginia Third-Party Bad Faith Act (Senate Bill 418)

Following is a summary and commentary on the passage of West Virginia Senate Bill 418 (Third-Party Bad Faith Act) prepared by Erica M. Baumgras, one of my partners at Flaherty, Sensabaugh & Bonasso, PLLC. Erica's practice focuses primarily on insurance defense, insurance coverage and bad faith litigation. She was assisted by Jaclyn Bryk, a new associate in our firm's insurance coverage and defense practice group.

To view or download a history of Senate Bill 418 you can go to the "bill status" section of the West Virginia Legislature website.

UPDATE (5/2/2005): Senate Bill 418 was sent to Governor Manchin for approval and signature on April 27, 2005, and according to an article appearing in the May 1, 2005 Sunday Charleston Gazette Mail the bill was signed by Governor Manchin.



Summary of Senate Bill 418 (Third-Party Bad Faith Act)

The Third-Party Bad Faith Act, W.Va. Code § 33-11-4a, passed on April 9, 2005, eliminates third-party claimant actions against persons engaged in the insurance industry. Rather, third-party claimants must pursue unfair claims settlement practice claims administratively through the Commissioner of Insurance of West Virginia.

The Act requires third-party claimants to file a complaint within one year following the actual or implied discovery of the alleged unfair claims settlement practice. The complaint must be on a form provided by the Commissioner and contain the relative provisions allegedly violated, the facts and circumstances giving rise to the violation, the names of all individuals or entities involved in the alleged violation, and reference to any specific insurance policy language that is relevant to the violation. The Commissioner must provide written notice of the complaint to all persons against whom the administrative complaint is filed.

If the person against whom the complaint is filed substantially corrects, or offers to correct, the circumstances that gave rise to the alleged violation in a manner the Commissioner finds reasonable within sixty days, the complaint will be closed and no further action taken by the Commissioner or the third-party claimant. That person must report to the Commissioner on the disposition of the alleged violation within fifteen days, but no later than sixty days from receipt of the notice of the complaint. Failure to resolve the complaint within sixty days will result in an investigation by the Commissioner to determine if the allegations in the complaint are meritorious.

If the Commissioner finds merit for a complaint which has not been resolved, the Commissioner must forward a copy of the complaint to the Office of Consumer Advocacy and may order further investigation or hearing to determine if the person has committed an unfair claims settlement practice with such frequency as to constitute a general business practice. Notice of hearing must be provided to all parties at least ten days in advance, and the hearing must be held within ninety days from the date of the filing of the complaint, unless continued by agreement of the all parties or the Commissioner for good cause.

If the Commissioner finds that the accused person committed the unfair claim settlement practice with such frequency as to constitute a general business practice, the Commissioner may proceed to take administrative action. A general business practice may only be based on the existence of substantially similar violations in a number of separate claims or causes of action. A good faith disagreement over the value of a claim or the liability of any party is not an unfair claim settlement practice. If the Commissioner finds that the accused person engaged in any method of competition, act or practice that involves an intentional violation of W.Va. Code § 33-11-4(9), the Commissioner may take administrative action.

The Commissioner’s administrative action must be taken in accordance with W.Va. Code § 33-11-6(b), also passed on April 9, 2005. This section allows the Commissioner to file a cease and desist order to preclude the accused persons from engaging in the unfair claims settlement practices, and/or impose a penalty of $1,000 for each violation, up to $10,000, payable to the State of West Virginia. If the person knew or reasonably should have known he or she was in violation of the article, the penalty shall not exceed $5,000 for each act, not to exceed an aggregate penalty of $100,000 in any six-month period.

If the act involves an intentional violation of W.Va. Code § 33-11-4(9), even if it is not established that the person engaged in a general business practice, the Commissioner may require payment to the State of a penalty not to exceed $10,000. If the insurer committed unfair claim settlement practices with such frequency as to indicate a general business practice, the Commissioner may require a penalty of up to $250,000. In addition, the Commissioner may revoke or suspend the license of any person who knew or reasonably should have known he or she was in violation of the Act.

Moreover, the Commissioner may order restitution from the Unfair Claims Settlement Practice Trust Fund to a claimant who has suffered damages from a general business practice or an egregious act by a person whether or not the act constituted a patter or general business practice. Restitution may include actual economic damages, and non-economic damages up to $10,000. Restitution may not be given for attorney fees and punitive damages.

Any person aggrieved by the order of the Commissioner may appeal to the Circuit Court of Kanawha County, by filing a petition within thirty days after receipt, pursuant to W.Va. Code § 33-2-14. The Commissioner must transmit the record of the proceedings to the Clerk of the Court. The Court will set a time to hear the petition and determine the matter, without a jury, upon the record of the proceedings. The Court, at its discretion and for good cause shown, may allow the introduction of additional evidence. The Court may revise, reverse, affirm, or remand the order to the Commissioner for further proceedings. Pending such appeal, the order of the Commissioner is in full force and effect until final determination by appeal unless the Commissioner or the Court elects to stay the effect of the Order. The Supreme Court of Appeals may review the judgment of the Court upon appeal in the same manner as other civil cases to which the state is a party.

The Act goes into effect ninety days from passage – July 8, 2005.

It is important to note that W.Va. Code § 33-11-4a does not eliminate a private right of action by a first-party claimant under the Unfair Trade Practices Act (“UTPA”) or a common law cause of action by a policyholder under the implied covenant of good faith and fair dealing arising from the insurance contract.

Not defined by W.Va. Code § 33-11-4a are the scope of the investigation the Commissioner may conduct or the standard for determining whether the allegations in an administrative complaint are meritorious, whether a person has committed an unfair claims settlement practice, whether the person knew or should have known he or she was in violation of the UTPA, whether the violation of the UTPA were intentional, or whether the act was committed with such frequency as to indicate a general business practice.

It is also important to note that restitution to the claimant under W.Va. Code § 33-11-4a is paid from the Unfair Claims Settlement Practice Trust Fund, not directly by the insurer. The Fund is established by W.Va. Code § 33-11-4b. All property and casualty insurers must pay to the Commissioner annually an examination assessment fee of up to $5,000, and up to $4,200 of that amount shall be paid to the Treasurer to the credit of the Fund. The examination assessment fee may be increased ($5,250) or decreased ($800), depending upon whether the Fund has moneys in excess of or below $1 million.

W.Va. Code § 33-2-16 and 17 establish the Office of Consumer Advocacy, which is authorized to advocate the interests of policyholders or third-party claimants, at their request or in the public interest, in proceedings arising out of any filing made with the Insurance Commissioner by any insurer or relating to any complaint alleging an unfair or deceptive act or practice or an unfair claims settlement practice. The Office of Consumer Advocacy may also institute, intervene or participate, as an advocate for the public interest and the interest of insurance consumers, in proceedings in state and federal courts, before administrative agencies or before the Insurance Commissioner. The Consumer Advocate may exercise all the same rights and powers regarding examination and cross-examination of witnesses, presentation of evidence and rights of appeal as any party in interest appearing before the Insurance Commissioner or the Health Care Authority.

Theft of Computers from Texas Hospital Involve 16,000 Patient Records

IHealth Beat e-newsletter today is reporting an incident involving a stolen computer involving a Houston, TX area hospital in which 16,000 patient records might be compromised.

This type of incident shows the vulnurability of laptop computers, hand held devices and other mobile technology. It is not clear from the article that these were laptops -- in fact they might have been desktop systems since they were at a third party vendor's location as a part of a coversion process from paper to electronic health records.

The article citing an article in the April 26, 2005, Houston Chronicle states: Christus St. Joseph Hospital in Houston is informing 16,000 patients that their medical records and Social Security numbers may have been on a computer that was stolen in January, the Houston Chronicle reports. The computer was one of two machines stolen from Gateway File Systems, which was digitizing paper medical records for the hospital.

Hospital officials say evidence shows that the thieves were interested in the computers and not the data on them and that there is no indication that anyone's identity has been compromised, the Chronicle reports. The medical data on the computer were password-protected and encrypted. The hospital has terminated its contract with Gateway File Systems, said India Chumney Hancock, a hospital spokesperson.

According to the hospital's letter to patients, the only records that may have been affected are for patients who sought treatment in the emergency department in 2004; patients who sought outpatient services in radiology, sports medicine and rehabilitation from August through September 2003 and April through June 2004; and patient charts from 2001.

Hancock said the data on the stolen computer represents less than 1% of all the hospital's patient records, the Chronicle reports. The second stolen machine did not contain health records, said Gateway File Systems CEO Brian Harper (Crowe, Houston Chronicle, 4/26).

Monday, April 18, 2005

DHHS Issuing Proposed Rule On HIPAA Enforcement on April 18, 2005

The American Health Lawyers Association (AHLA) is reporting today that the Department of Health and Human Services (DHHS) has issued the final installment of the Health Insurance Portability and Accountability Act (HIPAA) Enforcement Rule on the imposition of civil money penalties for violations of the standards promulgated under HIPAA's Administrative Simplification provisions.

The proposed rule would make existing rules related to HIPAA enforcement applicable to all Administrative Simplification rules, not just the Privacy Standards.

The proposed rule completes the Enforcement Rule by addressing, among other things, the investigation process, bases for liability, determination of the penalty amount, grounds for waiver, conduct of the hearing, and the appeals process. Comments on the proposed rule are due sixty days after its publication in the Federal Register.

A full copy of proposed rule can be found via today's Federal Register here. You can also obtain a copy of the proposed rule at the Office for Civil Right, DHHS website here: http://www.hhs.gov/ocr/hipaa/enforNPRM.pdf.

Tuesday, April 12, 2005

Security Breach Information for those of you who are alumni, parents or friends of Tufts University

One of my colleagues from the American Health Lawyers Association alerted me to an April 8, 2005 letter issued by the Vice President for Institutional Advancement for Tufts University.

If you are an alum or friend of the University you can get additional security information about the Tufts University security matter here.

Yet another example of the a recent security and privacy related breach involving personal data. This is about the fourth or fifth incident that I have seen at a college or university over the same number of months.

I just hope my alma mater -- Bethany College and the West Virginia University College of Law take note of these events and make sure that their respective systems are secure and confidential data maintained on alumi and friends of the institution is protected.

Update on LexisNexis Privacy & Security Breach

Today Yahoo News is reporting that a larger pool of U.S. Citizens were impacted by the privacy and security breach reported by LexisNexis last month. For more details on the announced privacy breach you can read my post on the orginal report by Lexis Nexis in March, 2005.

Originally LexisNexis reported that the matter involved only 32,000 individuals but now is reporting that the personal information of 310,00 U.S. citizens may have been stolen.

According to the article, "An investigation by the firm's Anglo-Dutch parent Reed Elsevier determined that its databases had been fraudulently breached 59 times using stolen passwords, leading to the possible theft of personal information such as addresses and Social Security numbers."

LexisNexis issued an April 12, 2005 press release on the results of its preliminary investigation. The press release is titled "LexisNexis Concludes Review of Data Search Activity, Identifying Additional Instances of Illegal Data Access".

Medical and Health Data Privacy & Security Breach Reported

Another privacy and security breach was reported last week by MSNBC News and other news sources on April 8, 2005. The article from MSNBC can be found here.

This one involved a "low tech" approach involving the theft of laptop computers which contained sensitive patient data and health information, inclduing, names, addresses, Social Security numbers and billing codes that could be used to deduce medical histories.

According to the article, "San Jose Medical Group began sending letters to current and former patients in California earlier this week after thieves stole two office computers on March 28. The computers contained names, addresses, Social Security numbers and billing codes that could be used to deduce medical histories. It was unclear whether any patients have become victims of identity theft, police said...."



Thursday, April 07, 2005

Charleston Daily Mail Editorial Comment by Roane General Hospital Nurse

Today's Charleston Daily Mail contained the following editorial concerning the implementation of the privacy rule under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") written by Peggy Engelkemier, R.N. from St. Albans who works at Roane General Hospital. The editorial echos the frustrations that health care providers have faced trying to understand and practically implement the requirements under HIPAA. It also points out that many patients as health care consumers remain uninformed about what impact the regulations have on the handling of their own health information.

Following is a copy of the editorial from the April 7, 2005 Charleston Gazette:

Many patients don't understand the privacy rulePrior to the April 2003 implementation of the privacy rule, all health care providers were instructed to read, comprehend and educate their employees on the rule.

The complexity of the rule and lack of governmental guidance led to confusion, frustration and wasted resources.

Still, health care providers, threatened with civil and criminal penalties for noncompliance, attempted to educate their employees on the privacy rule.

Many employees were educated through brief encounters with privacy officers or referred to volumes of policy manuals.

This added to the existing confusion and resulted in inconsistencies among employees of the same entity. Again, fear of noncompliance drove health care providers to attempt to educate their consumers on the privacy rule.

Many health care providers educate consumers through their written Privacy Practices Notice. However, many consumers do not read the notice and remain uninformed of the benefits of the rule.

The government's poor implementation of the privacy rule has resulted in confused, frustrated health care providers and uninformed, dissatisfied consumers. Most importantly, consumers have not been able to reap the benefits of the new privacy safeguards.

Consumers must believe that the health care system safeguards their protected health information. Only then will individuals seek care without the fear of health information disclosure.

Peggy Engelkemier, R.N.St. Albans
Engelkemier works at Roane
General Hospital

Patient privacy goes blowing in the wind

MSNBC and the Associated Press reports that about 3,000 highly detailed patient hospital statements and records from the Cleveland Clinic blew across busy downtown streets and sidewalks Tuesday after a box fell off a delivery truck.

The patient statements included patient names, patient numbers, home addresses, insurers and policy numbers, treating physicians, admission and discharge dates and detailed billing information.

According to the news report the Cleveland Clinic was in the process of contacting all affected patients on Wednesday. The records were from two members of the Cleveland Clinic Hospital System — Lakewood and Marymount hospitals.

This is just one more example of recent reports involving the accidental release of medical and health information. This release is more traditional in the sense that it involved the release of paper data rather than a release or failure of securing electronic health data.

Friday, April 01, 2005

AHIMA - Health Information Privacy and Security Week

The American Health Information Management Assocition (AHIMA) is sponsoring April 10–16, 2005, as National Health Information Privacy and Security Week. The national event is intended to highlight the importance of protecting the privacy and security of patient information. For more information about the event go here.

Privacy Officer may want to take a look at these suggested AHIMA ideas for Privacy and Security Week activities.

As more and more data moves from paper to electronic there is a greater need to make sure that health data is maintained securely and privately. As we have seen in some very high profile breach of privacy cases in the last few months there is an ever increasing need for those in the health care industry to scrutinize and take seriously privacy and security issues.