July 3, 2020

Volume X, Number 185

July 02, 2020

Subscribe to Latest Legal News and Analysis

July 01, 2020

Subscribe to Latest Legal News and Analysis

June 30, 2020

Subscribe to Latest Legal News and Analysis

Unique Issues Encountered in Unclaimed Property Audits of Covered Entities and Business Associates in the Health Care Industry

In recent years, as receipts from escheated property have continued to swell state coffers, unclaimed property administrators have become increasingly aggressive in enforcing compliance through unclaimed property audits. We’ve recently had several occasions to assist clients operating in the broadly defined health care space in responding to state-initiated unclaimed property audits. Such audits offer interesting challenges in weighing the conflicting obligations of covered entities and business associates as they balance their legal obligation to respond to a properly issued subpoena with their duty to protect personally identifiable and protected health information. Holders of potentially reportable unclaimed property in the health care space must keep in mind their obligations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) while responding to state-initiated audits.

Under HIPAA, covered entities (health plans, health care clearinghouses, and health care providers who transmit any health information in electronic form) and business associates (organizations or individuals that provide services to a covered entity which involve the use of protected health information (PHI)) are limited in their ability to use and disclose PHI. Accordingly, certain requirements must be met before PHI is disclosed to a government agency (or its agent/contractor) in response to a state-initiated audit.

PHI is broadly defined under 45 C.F.R. § 160.103 as patient information that is created or received by a health care provider, which relates to the past, present, or future physical or mental health or condition of an individual or the provision of health care to an individual, and either identifies the individual or provides a reasonable basis for belief that the information can be used to identify the individual. PHI includes, but is not limited to, patient names, dates of services, addresses, account numbers, and dates of birth. In many instances, state unclaimed property auditors request information including certain PHI to determine whether certain types of property held by a business – such as refunds, deposits, overpayments, and credit balances – constitute unclaimed property subject to escheat. When an escheat auditor requests information, covered entities and business associates should first determine whether the information requested constitutes or contains PHI. If so, next steps depend on whether the holder is a covered entity or a business associate under HIPAA.

If the holder is a covered entity, it should first determine whether the requested information can be deidentified pursuant to 45 C.F.R. § 164.514(b)(2)(i) by removing names, geographic subdivisions smaller than a state, all elements of dates (except year) for dates directly related to an individual, telephone numbers, fax numbers, email addresses, social security numbers, medical record numbers, health plan beneficiary numbers, account numbers, certificate/license numbers, vehicle identifiers and serial numbers (including license plate numbers), device identifiers and serial numbers, web universal resource locators (URLs), IP address numbers, biometric identifiers, and full-face photographic images and comparable images associated with the patient and/or the patient’s relatives, employers, or household members. Before delivering any requested information to the auditors, the covered entity should deidentify the information and ensure that it does not have actual knowledge that the deidentified information can be used alone or in combination with other information to identify the individual who is the subject of the information. If the requested information cannot be deidentified, the covered entity should review HIPAA and consult with legal counsel to determine whether the information can be provided without a patient authorization. Legal counsel can also assist in determining whether the state in which the covered entity operates has more stringent data protections for PHI or other personally identifiable information, and whether any requested information could be shared through a state-recognized all-payor claims database.

If the holder is a business associate, it should first review its business associate agreement to determine the appropriate next steps. These steps, depending on the terms of the agreement, may include notifying the covered entity of the audit, determining whether the information can be deidentified, and/or reviewing HIPAA to determine whether the requested information can be provided without patient authorization.

Legal counsel can assist in determining the respective rights and obligations of covered entities and business associates with respect to unclaimed property audit requests, and in navigating the audit response process in accordance with applicable federal and state law.

©2020 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume X, Number 2


About this Author

Marc Musyl, Greenberg Traurg Law Firm, Denver, Corporate, Finance and Energy Law Attorney

Marc J. Musyl has wide-ranging experience representing public and private business clients in a mergers and acquisitions, dispositions, leveraged buyouts, tender offers, capital markets including public and private offerings of equity and debt, securities, licensing and corporate governance and compliance. He has a broad range of industry experience including financial services; energy; mining and natural resources; agriculture; aerospace; bioscience; manufacturing; and computer software. In addition, Marc chairs the firm’s Unclaimed Property Practice Group.

Michi Tsuda Shareholder Health Care & FDA Practice

Michi Tsuda focuses his practice on operational, regulatory, transactional, and litigation matters in the health care sector. Michi’s clients include hospitals, physician groups, accountable care organizations, management services organizations, private-equity funds, sovereign governments, and health-related joint ventures. He regularly represents private equity clients in the acquisition of health care facilities, with a focus on acute care hospitals, freestanding emergency centers, diagnostic laboratories, and senior care communities, and advises physician practice groups on the organization, sale, and acquisition of physician groups.

Michi also counsels clients on regulatory and compliance matters, including corporate governance, reimbursement, fraud and abuse, and data privacy and security. He routinely drafts compliance program documents, including medical staff bylaws, codes of conduct, and policies and procedures, and represents providers before the Provider Reimbursement Review Board (PRRB), as well as in the Medicare Claims Appeals Process, appealing determinations by Recovery Audit Contractors (RACs), Zone Program Integrity Contractors (ZPICs), and Medicaid Integrity Contractors (MICs).