KING HIPAA. PERVASIVE AND POWERFUL.
The HIPAA law was just enhanced and made more powerful on January 25, 2013, with a compliance deadline of September 23, 2013. The penalties for violation of HIPAA were increased to $1.5M per violation per year for similar violations, depending on the type of violation and whether it was negligent or intentional. The federal Department of Health and Human Services (DHHS) has said it is stepping up enforcement. HIPAA now covers not only all covered entities, such as doctors, clinics, medical groups, IPAs, ACOs, health plans, hospitals, surgery centers, but all ancillary healthcare businesses as well, such as PTs, labs and dialysis centers, as well as all businesses and their subcontractors who handle PHI (protected health information) on their behalf. Examples of business associates would be IT firms, law firms, consulting, accounting, accreditation, financial services (e.g., billers and collectors) and data aggregators.
The definition of PHI has been expanded to include individually identifiable health information transmitted or maintained in electronic media or in any other form or medium so long as there is a reasonable basis to believe the information can be used to identify the individual.
As a covered entity you are subject to audit by the HHS at any time. A critical part of the audit will be your compliance with the Security Rules of HIPAA and whether you have created a ‘PHI Map’ of the electronic PHI that flows in and out of your offices, and have conducted a ‘security risk analysis’ to identify the potential risks of improper uses and disclosures of ePHI and the vulnerability of the PHI maintained and transmitted by your offices.
This is where E2o health can be your compliance solution and guard against potential legal exposure and damages. E2o health does business with Amador Kelly, LLP, a business and healthcare law firm based in Long Beach and Torrance, California, specializing in HIPAA compliance. Amador Kelly, LLP works with E2o health in preparing custom policies and procedures, business associate agreements and subcontractor agreements for clients in collaboration with the security risk analysis conducted by E2o. Amador Kelly also represents healthcare clients facing notification to the DHHS and patients of a breach of their PHI, or who are facing litigation for breach of privacy or similar claims involving their information, such as healthcare trade secrets.
Protecting Your Trade Secrets In Healthcare
Despite its humanitarian goals, healthcare is a trade and business like any other and has valuable assets to protect. One of those assets is confidential information such as patient lists, financial information, contract rates, client lists, and methods of doing business. This type of information can be protected as a trade secret, which gives you powerful legal rights. Documents, files and information in any format, hard copy or computerized, can be protected as confidential or trade secrets.
The protection of your valuable information arises often when a physician employee, partner or shareholder, or other employed healthcare professional, leaves one employer to work for a competitor, or sets up new competition. Even if you have an employment agreement with them containing a non-compete agreement, such a provision generally is enforceable in California. However, you can stop them from using your confidential and trade secret information if you take the required steps to protect the information.
Healthcare providers and businesses often fail to appreciate the value of their information as assets and what they need to do to protect them. More and more healthcare providers and businesses are being required by HIPAA and HITECH and other similar laws to maintain the confidentiality of their records, but those requirements do not suffice for trade secret protection under the law. Further, HIPAA and HITECH generally involve only patient information and not financial and other confidential information of the business such as contract rates. This article sets forth why it is important for healthcare providers and businesses to be aware of the requirements and what those requirements are.
If healthcare providers and businesses, no matter what their size, do not take measures to protect their information, they will have great difficulty protecting it when the need arises. For example, your IT person leaves your employ and joins a competitor. The IT person could be an independent contractor. Next thing you find out, your competitor is undercutting your rates and you start losing contracts. You believe he shared confidential information about your business. How do you stop this person? The trade secret law gives you the right to an injunction which is an immediate court order stopping them from using the information. However, you will need to show the Court that you took reasonable steps to protect the information and treated it as a trade secret.
Another example is a physician partner or shareholder leaves your group to join another who does not yet compete with you. In the course of the discussions with the new medical group the physician shares some of your financial information enabling the group to set up a new division or practice area it did not have before which competes with you. You start losing business as a result and suffer damages. The California trade secret law gives you the right to sue them for damages and for unjust enrichment.
A further example is a medical device manufacturer whose engineer leaks information to a start-up company that he owns an equity interest in. The start-up unfairly competes and begins to take market share away from you. If the manufacturer has not taken steps to protect the information, it will not be able to protect the information and stop the theft.
What is a trade secret legally?
Under the California Uniform Trade Secrets Act (which begins at Section 3426 of the California Civil Code) “trade secret” is defined very broadly. It means information, including a formula, pattern, compilation, program, device, method, technique, or process that:
a) Derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable by, proper means by other persons who can obtain economic value from its disclosure or use; and
b) Is the subject of efforts that are reasonable under the circumstances to maintain its secrecy.
Both a) and b) must be met in order for a healthcare provider to protect its information. Patient lists and contract rates are good examples of information that is not generally known to the public and which have independent economic value from not being known. The rates could be used by other providers to undercut the competition in contract negotiations. The patient lists could be used to solicit patients and use their protected health information for improper purposes. This type of information cannot usually be ascertained from public records or other proper means.
For example, information such as billed charges is sent out to insurance companies and to the patients themselves in the form of EOBs, such that they would not be considered confidential or a trade secret because they are known to the public. Further, billed charges, in today’s world, do not have any real independent economic value because they are generally discounted by contract or fee schedule and the like. However, contract rates or financial information is not generally sent anywhere, is proprietary and could be a trade secret if it meets the above tests and you have taken the steps described below to protect them.
Physician productivity information, such as RVUs, is not usually shared with others and could be deemed a trade secret. However, there may be instances where such information is generally ascertainable from MGMA reports or other trade publications which could diminish its independent economic value and thus not make it a trade secret. Keep in mind that there are some cases holding that even though information by itself was not a trade secret, when combined with other information in a novel way, it could be deemed a trade secret.
Whether the information shared has actual or potential economic value, and whether it can be readily ascertained by proper means, is often the subject of expert testimony. Amador Kelly, LLP was successful in a similar case in which expert testimony was used widely by both sides.
You cannot control what a judge or a jury will determine with respect to information that was misappropriated from you or your business, or what value it may have. What you can control is what you can do to protect your information, and you should take action as soon as possible.
What should healthcare providers and businesses do to protect their information as trade secrets?
The following are the criteria for a judge or jury to decide if you or your business took reasonable steps to protect your information:
- Whether the information was marked with confidentiality warnings (mark your files);
- Whether you instructed your employees and advised them as to the confidential nature of the information (train your employees);
- Whether you restricted access to those who have a business reason to know the information (limit the access);
- Whether you kept the information in a restricted or secure area (lock file cabinets and offices and actively use passwords and encryption if possible);
- Whether you required employees or others with access to the information to sign confidentiality or non-disclosure agreements (have employees sign the agreements);
- Whether you took any action to protect the specific information or whether you relied on general measures (an employee handbook will not suffice);
- The extent to which any general measures taken by you would prevent the unauthorized disclosure of the information; and
- Whether there were other reasonable measures available to you that you did not take.
Examples of trade secrets in healthcare
The following are examples of possible trade secrets in healthcare: patient lists, RVU information, contract rates, contract terms, financial information, collection rates, methods and practices of doing business.
More Important Now Than Ever To Take Action
In today’s competitive marketplace it is more important than ever to take steps to protect your company’s valuable confidential information. It is also more important than ever to enforce your rights when an employee, competitor, partner or other person misappropriates your information. Amador Kelly, LLP provides advice and litigation services to protect your company in this valuable area.