We previously wrote an article about the ransomware attack striking a Michigan doctor’s office, leaving their patients with no medical records and leading the practice to closure. This article is intended to provide professional insight into the liability of the practice despite its decision to close its doors.
The following blog was written by Matthew Fisher, Chair of Health Law Group and a Partner at the law firm of Mirick O’Connell where Matt focuses on guiding practices and companies through the labyrinth of healthcare regulations.
A two physician practice in Michigan recently drew significant attention for deciding to unexpectedly close after losing all of its patient and billing records. In brief, the practice suffered a ransomware attack that blocked access to all files. The attackers demanded a ransom of $6,500 to restore access. The physicians refused to pay the ransom (a response that in isolation is not a bad one). The publicly stated reason for not paying is that the physicians could not receive a guarantee that the attackers would actually restore access. When the ransom was not paid the attackers deleted all of the files.
The expected next step would be for the practice to pull out one of hopefully many backups, restore all files up to the point of the backup, and then continue on its way. Since this particular practice made the headlines, that usual course outcome did not happen. In this particular instance, the physician practice did not have a backup (or at least none that has been reported) and declared that all of its files were lost. As a result of not having any files and not wanting to take the time to restore the practice, the physicians provided roughly thirty days notice of the practice shutting down entirely.
Will closure of the practice be the end of the story? Unfortunately, the physicians likely may only hope that closure ends the entire story. In all likelihood, this practice could help set precedent for future claims in the event of a catastrophic outcome from a ransomware attack.
Finding one silver lining may be a good way to approach the assessment of potential liability. Instead of shutting down immediately, as noted above, the practice provided slightly over thirty days advance notice of the closure. Giving patients thirty days to find a new physician is consistent with the suggested course of action contained in model ethical guidelines. The ethical guidelines look to provide a patient with sufficient or reasonable time to transition and that the physician terminating the relationship continue to provide care during the transition period. The thirty days here may be enough for that to happen.
Now for the potential liabilities. If all records have been lost, then the practice will clearly not be able to respond to any patient’s request for access under HIPAA. Failure to respond to a request for access is one of, if not the, most common types of non-compliance with HIPAA. When access is denied, many individuals will submit a complaint to the Office for Civil Rights. In this case, the entire patient population of the practice could theoretically submit such a complaint. Given the total breakdown, could the loss of all records be the spur for OCR to issue the first fine for a denial of access? It is possible, especially since OCR has used settlements in the past to provide lessons about key issues of HIPAA compliance. For example, OCR could point not only to the need to fully respond to a request for access, but fault the practice for not having a disaster recovery and backup plan, and very likely for not having done a risk analysis.
A second area of potential is malpractice related claims. A patient could assert an adverse outcome from a procedure or service and the physicians would be without records to defend against the claim. Malpractice claims can rely heavily upon pouring through medical records to piece together exactly how care was provided and to assess the quality of care provided by the physician(s) who are the subject of the claim. If no records exist, then how can services be assessed? Unless some supporting records could be found from another facility, it could leave the physicians severely handicapped in their ability to produce any sort of defense.
A third potential liability could arise from claims brought by patients in repeat care is not covered by insurance and/or a patient is forced to pay out of pocket due to being in a deductible range. Since all of the records are gone, tests will very likely need to be repeated to obtain relevant and needed information. While the practice may not have the records, each patient’s health insurance company will certainly have a record of a claim being submitted for the service and in all probability the claim being paid. While the health insurance company may be made aware of the record loss, a natural response from insurance would be that it will not cover the service again because it will then be forced to pay for the failure of the physician practice. Alternatively, even if insurance is willing to cover the service again, a patient could have a high deductible health plan or other form of coverage where that patient will need to pay out of pocket for the service. In either scenario, whoever pays for the service could look to the physicians who lost the records and seek to make them pay for the unnecessary repetitive services. The argument would flow that the loss of records was the direct cause of the repeat service being needed and that any financial harm should fall on the causative actor.
While those are only three potential liabilities, each possibility could easily occur. A natural response could be for the physicians to seek liability insurance carriers for the practice to cover any damages. Without being able to get into the exact specifics of the case, the insurance carriers could seek to deny coverage. If the practice was negligent in protecting its records, was not fully accurate in filling out an insurance application, or took other steps not called for by the insurance policy, then coverage could be denied. As such, the physicians could easily be fully on the hook for any resulting damages.
While no data breach is good, when extreme outlier cases arise the outcomes become even worse. While it is too late for the particular practice in Michigan to change the outcome, the total loss of data should be a wake up call to other practices and organizations that good, comprehensive security is essential.