A law firm just filed a Chapter 11 case in U.S. Bankruptcy Court for the District of Delaware. That can be a stressful time, but the attorneys are experienced and understand the protocols and related procedures. They did the exact same thing as they’d done with prior cases. This time, however, they quickly discovered that simply by filing a routine court document they’ve inadvertently breached the privacy of millions of creditors, parties in interest, or individuals with whom the debtor has done business—and, as a consequence, violated applicable federal law.
While this may sound like a farfetched scenario, it could easily occur within the Chapter 11 proceedings of a hospital, senior living facility, healthcare facility, diagnostic testing company, or similar provider where patients, residents, or other individuals are also creditors if proper precautions are not taken.
The privacy requirements of HIPAA—the Health Insurance Portability and Accountability Act—could be implicated at several stages of a Chapter 11 case. Patients’ identities and other protected health information (PHI) would be included and potentially be disclosed within publicly available documents, such as the creditor matrix, affidavits of service, schedules of assets and liabilities, and/or statements of financial affairs (SOFAs). In addition, such information could be disclosed in claims objections and similar motions. This article describes the scope of the problem and offers some practical solutions.
Enacted by Congress in 1996, HIPAA was created to ensure the privacy of patients by safeguarding the collection, storage, and transfer of their information among providers, payers, and other third parties. Though a 22-year-old law may seem far from timely, with the number of healthcare companies almost tripling in 2017, according to data from Bloomberg,[1] now more than ever legal and financial teams for healthcare companies must become acquainted with the potential hurdles associated with HIPAA within a corporate restructuring.
Ordinarily, disclosure of PHI to necessary professionals is done through a business associate agreement (BAA). However, that is not an available resolution in bankruptcy proceedings, where broad public disclosure is the norm.
The issue at hand for corporate bankruptcy debtors and their professionals is that they are routinely entrusted with, and have an obligation to disclose, volumes of creditor data in the due course of the restructuring process. That data, in most instances, is usually filed with the court and/or posted on case-specific websites, where it essentially becomes public. While the debtor’s advisors can enter into a BAA, that does not remedy violations of HIPAA brought about by broad disclosure through court filings.
According to the HIPAA Journal, unpermitted disclosures of and the failure to protect PHI are two of the most common HIPAA violations.[2] Examples of PHI include patient names, addresses, phone numbers, account numbers, medical record numbers, and patient ID numbers. If a patient is also a creditor, this is precisely the type of information which would be disclosed in schedules and a creditor matrix.
The fines and penalties for violating HIPAA are not to be taken lightly. They are divided into two categories: (1) reasonable cause and (2) willful neglect. Reasonable cause violations may result in fines ranging from hundreds of dollars to $50,000 per incident; violations by willful neglect can result in hefty fines or even criminal charges. Furthermore, these violations may prompt legal action from involved parties, which could impose the additional costs and headaches of litigation. For example, in the recent case of 21st Century Oncology, one of the active claimant classes was a group of former patients through a class action for a prepetition HIPAA violation.
Walking through a simple timeline of a hypothetical Chapter 11 case can illustrate where these pitfalls may lie and how best to avoid them.
Returning to the original hypothetical, the debtor is a community hospital system with 15 locations in 10 states and files Chapter 11 in the District of Delaware. Rule 1007(a) of the Federal Rules of Bankruptcy Procedure and Rule 1007-2(a) of the Local Rules of Bankruptcy Practice and Procedure of the United States Bankruptcy Court for the District of Delaware mandate that a list of creditors be filed with the court. That list, also known as a creditor matrix, includes the entire body of real and potential creditors. In fact, in a perfect world and with due process in mind, the creditor matrix is often an overly inclusive list. After all, a bankruptcy is only as good as the notice provided.
With that in mind and in this scenario, patients could potentially be among those creditors and therefore be listed in the matrix. For example, patients could be owed refunds from procedures that were also billed to insurance providers. In most cases, the creditor matrix, or at least the underlying data, is provided to the claims and noticing agent and is, in turn, filed with the court. In that process, there is inherent risk of public exposure of this sensitive patient information unless the data is appropriately redacted.
Post-petition, documents will be served on the creditor matrix, the first usually being the notice of a 341 hearing. And for that service and any subsequent matrix mailings—e.g., the bar date notice, notice of disclosure statement hearing, notice of confirmation hearing, notice of effective date, etc.—a corresponding affidavit of service must be filed with the court. Undoubtedly, that affidavit will detail which documents were served upon whom and how. In that otherwise routine affidavit, PHI could easily be revealed if it is not redacted appropriately to avoid HIPAA violations.
Moving along on a theoretical case timeline, the SOFAs and a schedule of assets and liabilities would then be filed with the court. These are public documents that typically appear on the case website and the court docket. However, it is quite likely that the SOFAs and schedules could include patient information.
For example, the SOFA lists payments or transfers made within 90 days prior to the petition date. For hospitals, payments to patients for reimbursement are more common than one might think. Perhaps a patient paid a bill and then the insurer also paid, leaving a credit balance that the hospital owes to the patient. This patient and payment would be listed on the SOFA, and if not redacted, could represent a HIPAA violation.
Similarly, the SOFA requires a list of pending legal actions, administrative proceedings, court actions, and executions within one year prior to the petition date. If there is a pending lawsuit involving a patient, which is highly likely, the suit could be included and potentially expose the patient’s PHI.
Several schedules also could be problematic. This might include Schedule AB 11(a), which lists accounts receivable, typically a printout from the debtor’s database for all amounts received 90 days prior to the petition date. Within this time frame, it is likely that patients would have made payments to the hospitals and therefore could be listed. Schedule AB 63 entails customer and mailing lists, which also could potentially include patients’ PHI. Furthermore, Schedule EF lists priority and unsecured claims. If the patient is owed a refund as in the scenario described earlier, it would (and should) appear on this schedule, where the patient’s information would be exposed if the data is not redacted.
Throughout the case proceedings, the claims register must be filed quarterly with the Delaware court. If a patient fills out a proof of claim, their information and identity could theoretically be included on this claims register. This claims register would appear live on the docket (and also on the case-specific website), where it typically is posted throughout a case.
On another front, debtor’s counsel may field calls throughout the case from patients who are creditors. The names of these patients would be included in the attorneys’ billing entries, which in turn must be filed with fee applications to the court. In doing so without redacting the patient’s identity, debtor’s counsel could risk revealing PHI.
The debtor and its professionals must also be extremely guarded in commenting publicly in any communications on a case involving specific patients. For example, if a hospital has a pending malpractice case and debtor’s counsel goes on the record by speaking with the news media or in court where the minutes are considered a public document, they risk having to defend themselves from a HIPAA violation if they mention the patient specifically.
What steps can debtors and professionals take to avoid exposing patient information in all these scenarios? Above all, it’s best for legal teams to plan early in the case to establish protocols that avoid the disclosure of HIPAA-protected information. In general, it’s best to assume that all documents potentially contain patient data and should be treated with caution. No documents should be made public on the Bankruptcy Court’s docket or the case website before they are thoroughly reviewed and redacted to remove HIPAA-protected data.
Courts are willing to provide appropriate first day relief if requests are carefully crafted to protect both the interests of creditors and the privacy rights of patients. For example, there has been in recent years a spate of Chapter 11 cases involving continuing care retirement communities (CCRC). These facilities provide seniors a continuum of care, from independent living through assisted living, memory care, skilled nursing, and hospice, all at the same campus. The residents in these facilities are counterparties to executory contracts with the debtor through residency and life care agreements. They are also creditors because of their refund rights to entrance fee deposits. Disclosure of their information is both statutorily required and relevant to the case.
Courts have permitted debtors to identify the residents in all public filings, including service affidavits, by a number known only to the particular resident and the debtor. The claims and noticing agent needs to be subject to a BAA. In the rare scenario where the identity of the resident needs to be disclosed, the court is empowered to fashion appropriate protections. Thus, the competing bankruptcy policy of disclosure and HIPAA’s privacy requirements can be reconciled.
To help with this game of juggling dynamite, it’s wise to hire a team that is familiar with healthcare bankruptcies and nuances of HIPAA—from the claims agent, financial advisor, and debtor’s counsel to the CRO and public relations firm. Corporate restructuring is complicated enough absent HIPAA concerns.
Legal and financial professionals must constantly be thinking ahead to the vast range of challenges, both known and unknown, that may present themselves. Within healthcare restructurings, they can avoid additional hurdles in the process by taking simple precautionary measures to safeguard patient privacy and stay on the road toward a successful outcome.