• 212-827-4501
10 Oct 2024
Michael Coffey, News Permalink

Hurricane Milton’s destruction: crane collapse, tornado damage, flooding

October 10, 2024

Twisters tore through neighborhoods, including Avenir in Palm Beach Gardens

Coffey Modica founding partner Michael Coffey was featured in The Real Deal, offering expert insight on the recent crane collapse in St. Petersburg caused by Hurricane Milton.

Oct 10, 2024 | By Lidia Dinkova and Katherine Kallergis

In the wake of Hurricane Milton, developers and contractors in the Tampa Bay area are evaluating damage at project sites, calling insurers and preparing to resume construction work.

Milton made landfall as a Category 3 storm with winds of 120 miles per hour on Wednesday night in Siesta Key in Sarasota County, flooding streets and homes, and spawning tornadoes as far away as western Palm Beach County. More than 3 million homes and businesses lost power. At least 12 people are confirmed dead.

The storm came nearly two weeks after Category 4 Hurricane Helene, which hit Florida’s Big Bend. But as Milton took aim at the Gulf Coast and then crossed the state, it plowed through a much more developed and populated region. Early predictions estimated losses of up to $175 billion in the Tampa Bay area due to Milton.

In St. Petersburg, where winds reached over 100 miles per hour, a crane at the construction site of developer John Catsimatidis’ luxury Residences at 400 Central condo tower partially collapsed and slammed into the office building across the street, leaving a hole in its side and bricks scattered. The offices at 490 First Avenue South house the Tampa Bay Times newspaper and other businesses.

“The good news is that the only thing that was hurt was a few bricks. No human beings were hurt,” said Catsimatidis, founder of New York-based Red Apple Group.

The 46-story, 301-unit condo tower will be the tallest building in St. Petersburg at 515 feet. It has three construction cranes reportedly rated to withstand winds of up to 110 mph.

The cranes were “fully secured,” Catsimatidis said, adding that work will resume with the two remaining cranes. “Bottom line is let the insurance companies sort it out. It’s going to be the insurance company for whoever put the crane up there.”

Attorney Michael Coffey, who has worked on construction crane accident cases, said the St. Petersburg collapse likely will prompt investigations by federal, state and local authorities. Among the inquiries will be whether the site should have used cranes made to withstand more than 110 mph winds.

“One of the questions would be who made the call that that level sufficed. Was that an appropriate crane to have been up on one of the largest construction sites in western Florida in the middle of hurricane season?” said Coffey of New York-based Coffey Modica.

Development has boomed in the Tampa Bay region in recent years. In addition to Catsimatidis’ luxury condo tower, South Florida developers Related Group and Mast Capital are active along Florida’s west coast.

Miami-based Related assessed impacts from Milton in the greater Tampa Bay area on Thursday. Related’s founder, billionaire Jorge Pérez, said this summer that he plans to spend upwards of $3 billion on projects in the Tampa area.

“Fortunately, early reports show very limited damage across projects like The Ritz-Carlton Residences, Rome Yards, and West River,” a Related spokesperson said.

Related, led by Pérez and his sons Jon Paul and Nick, broke ground on the second tower at the planned Ritz-Carlton Residences in November. The construction site at 3101 Bayshore Boulevard overlooks Hillsborough Bay.

Rome Yards and West River are both mixed-income housing developments in west Tampa.

Even if damage on project sites is minimal, developers and general contractors have a lot of work to do, said Oscar Seikaly, CEO of Miami-based NSI Insurance Group. Damage at construction sites usually is from water intrusion, which could lead to mold and mildew.

Contractors and developers have to document the issue, as well as document that it was fixed and the precautions they will take to avoid the same problem in the future.

“There’s a lot of mitigation that has to be done even if you have a small water claim,” Seikaly said. Otherwise, those water issues could cause bigger problems for buyers of those units down the line.

Also in St. Petersburg, Hurricane Milton tore through Tropicana Field Stadium’s fiberglass roof. The Tampa Bay Rays, a Major League Baseball franchise, previously announced plans to replace Tropicana Field with a new stadium as part of a larger mixed-use development. Tropicana was reportedly built to withstand winds of up to 115 miles per hour.

Though South Florida was largely spared from Milton, parts of the tri-county region suffered tornadoes. Video footage shows damage from a tornado in Avenir, a new master-planned community southeast of Lake Okeechobee, as well as a tornado that touched down in Wellington. Damage was also spotted in south Miami-Dade County and western Broward County.

Just north of South Florida in St. Lucie County, a tornado outbreak killed at least six people in the senior housing community of Spanish Lakes Country Club near Fort Pierce, according to reports.

Milton came as Florida residential and commercial property owners have been reeling from skyrocketing insurance premiums. The state’s vulnerability to hurricanes and storm surge led some carriers to opt out of providing coverage in Florida, leading to less competition among insurers and ever-increasing premiums.

Seikaly, of NSI, said he does not expect Milton will necessarily further raise builders liability premiums, or those for flood and wind policies at construction sites. But in light of the partial crane collapse, insurance for crane operators could become more challenging in South Florida where only half a dozen insurers are willing to cover the risk. The tri-county region’s dense development makes real estate damage from a crane accident more likely.

“It will make insurance companies take a much tougher look when they are asked to quote a crane company,” Seikaly said. “A crane in Brickell, I would have sleepless nights because no matter how the crane moves, it would hit something.”

 

03 Oct 2024
Michael Mezzacappa, News Permalink

Uber win on lawsuit motion highlights major role of binding arbitration

October 3, 2024

A New Jersey couple severely injured during an Uber ride must take their complaint to arbitration per the company’s use terms, a state appeals court ruled.

Justin Bachman, Senior Reporter | October 3, 2024

[Coffey Modica partner Michael Mezzacappa quoted]

Dive Brief:

  • A couple who suffered severe injuries riding with an Uber driver must take their complaint against the company to arbitration, having agreed to waive their jury trial right, a New Jersey appeals court ruled last month in a case that has drawn national media headlines. Binding arbitration clauses are common across countless consumer user and employment agreements governing products from mobile phones to tax-preparation software to cable TV service.
  • Georgia and John McGinty said their minor daughter had agreed to Uber’s “terms of use” in January 2022 while placing an Uber Eats order with her parents’ permission. Two months later, the couple were injured when their Uber driver failed to stop for a red light, according to the ruling. Uber says it has only one user agreement and that Georgia McGinty had agreed to its terms three separate times since her first use of the rideshare app in 2015.
  • “Despite assertions to the contrary, the court concluded that the plaintiff herself — not her teenage daughter — agreed to Uber’s Terms of Use, including the arbitration agreement, on multiple occasions,” Uber Technologies said Thursday in a statement. The company said its arbitration motion does not affect the plaintiffs’ claim against the driver, Jia Zheng, for whom Uber has a state-mandated $1.5 million auto liability policy, or “50 times more coverage than a typical driver is required to carry.”

Dive Insight:

Binding arbitration clauses have increased significantly in corporate user agreements and employment offer letters as companies seek to resolve disputes in a forum that offers less legal expense and quicker resolutions. Arbitration also helps defendants avoid class actions and the kind of nuclear verdicts jury trials can present.

The American Arbitration Association said in its annual report that it had more than 500,000 cases filed last year for the first time since the organization’s founding in 1926.

On Sept. 20, a three-judge panel of the New Jersey appeals court reversed a Superior Court ruling last year denying Uber’s motion to compel arbitration of the McGintys’ complaint.

The court found that Uber’s arbitration provision “clearly and unambiguously evidences a waiver of plaintiffs’ right to pursue any claims against Uber in a court of law and obligates plaintiffs to resolve their claims through binding arbitration.”

A person using Uber’s platform for a ride or restaurant delivery must agree to the user terms before they can proceed to a particular service. They must also be 18.

The couple intends to file a motion for reconsideration at the appeals court by Oct. 11, and, if the court declines, would then appeal to the New Jersey Supreme Court, one of their attorneys, Evan Lide of Stark & Stark PC, told Legal Dive Thursday in an email.

“This is not only about my clients’ plight, but this decision has a negative effect on millions of other consumers as well,” he wrote.

The Uber lawsuit is the second compelled arbitration case in three months to draw national media headlines.

In August, Walt Disney Parks and Resorts abandoned its motion to compel arbitration of a complaint filed by the husband of a New York doctor who died in October 2023 after she suffered an acute allergic reaction to nuts and dairy from a restaurant on a Disney property near Orlando, Florida.

Disney argued that the woman’s husband, Jeffrey Piccolo, had agreed in 2019 to arbitrate any disputes when he signed up for a Disney+ streaming video account. The company later dropped its motion, agreeing to let the case proceed in a court.

Walt Disney did not respond to a message from Legal Dive seeking comment on that litigation.

The company “strive(s) to put humanity above all other considerations,” Disney Experiences Chairman Josh D’Amaro said in an Aug. 20 statement to Ars Technica. “With such unique circumstances as the ones in this case, we believe this situation warrants a sensitive approach to expedite a resolution for the family who have experienced such a painful loss.”

In response to forced arbitration, many trial lawyers have filed arbitration demands in bulk, by the tens of thousands, hoping to provoke a defendant to settle, the U.S. Chamber of Commerce and Mayer Brown attorneys argued in a 2023 white paper. Defendants typically bear the fee burden for arbitration proceedings.

When a firm files as many as 100,000 demands “does it really intend to resolve those claims on the merits?” attorneys Archis Parasharami, Andrew Pincus and Kevin Ranlett wrote. “Or is the goal to use the costs of instituting an arbitration — which are disproportionately borne by companies when consumers or employees initiate arbitration — to coerce a settlement without regard to the merits of the underlying claim?”

Corporations rely heavily on arbitration as a way to obtain “fair and reasonable” outcomes, said Michael Mezzacappa, a partner with Coffey Modica LLP.  Courts have become overly burdened, with litigation taking as much as five years in many states, he said.

“The jury verdicts the last 10 and 20 years are going nuclear,” said Mezzacappa, whose defense practice focuses on insurance cases. “An arbitrator is not going to sit there and give billions of dollars to somebody. Jurors are freely giving money away and it’s a problem for all of us.”

Consumers should also focus more attention on the agreements that they’re asked to sign in the course of their everyday lives, he said. “I think that society over time has learned to sign things without reading them.”

Georgia McGinty, an attorney who practices family law, believes that “consumers need to be protected,” Lide said.

“I am hopeful that the New Jersey Supreme Court is going to continue to protect the rights of consumers, but if we are unable to overturn the appellate decision, I think we need to look to a legislative fix,” he wrote. “Although the legislative fix may be too late for the McGintys, we want to do whatever we can to help other consumers in similar situations.”

01 Oct 2024
News, Veronica Mishkind Permalink

Malpractice strategies

October 1, 2024

Practice strategies for physicians to prevent lawsuits

Medical Economics Journal

Volume 101, Issue 9
Keith Loria | October 1, 2024

[Coffey Modica associate Veronica Mishkind quoted]

Malpractice suits are something that doctors unfortunately need to be prepared for. After all, mistakes happen and sometimes patients don’t end up with the desired results, so in their minds, the doctor must be to blame.

But there are numerous safeguards physicians can engage to keep malpractice suits at bay.

Ari Gurian, founding partner of Gurian Law in Illinois whose practice represents victims of medical malpractice, notes that a plaintiff’s attorney in these lawsuits usually gets paid only if they win, so if they bring suit, most feel the case against a physician is pretty strong.

“Misdiagnosis, surgical errors, medication mistakes, lack of informed consent and improper documentation are the most common causes of malpractice claims we see,” she says. “I recommend health care professionals proactively address each of these areas of vulnerability on a continuous basis as their first defense against my firm or others.”

Danielle Kelvas, M.D., a primary care physician with The HCG Institute, says from her experience, the most effective strategies in guarding against malpractice suits are to spend more time with patients and really answer their questions, including being readily available for questions or issues later.

“Everyone just wants to feel heard, cared for and appreciated,” she says. “If you can do that, patients will like and respect you and you’ll have less disagreements. Of course, conflict is unavoidable. Even if the patient was in the wrong, I always thanked them for their feedback and reemphasized that my priority is their health and that I always had their best interest at heart.”

Veronica Mishkind, a registered nurse who is now an attorney in Coffey Modica’s medical malpractice and professional liability practices, notes that the most common cause of malpractice suits is a failure to diagnose or a delay in diagnosis.

“The risks associated with this can be catastrophic, so in order to mitigate those risks, PCPs (primary care providers) should conduct thorough head-to-toe examinations of their patients, refer patients to specialists or further tests for any complaints the patient may present,” she says. “The PCP should also refer the patient to blood panel screenings and other standard screenings such as mammograms.”

Importantly, all of this should be documented in the PCP’s chart, including the results of the head-to-toe physical examination.

Heather Warner, health care practice lead at Woodruff Sawyer, an insurance broker and consultant, notes that a lack of knowledge, fear and an inability or refusal to change their lifestyle are the most common reasons patients pursue medical malpractice lawsuits.

“Many patients don’t want to go to the doctor or face their injury or illness, and they are intimated by medical jargon and the disparate knowledge between them and their health care providers,” she says. “However, at the same time, many patients believe that doctors can fix anything with surgery or a pill without them having to actively participate in their health.

The best way to mitigate these risks is to be kind and empathetic, to put the patients at ease and to invest them in their recovery.”

Alex Foxman, M.D., F.A.C.P., medical director at the Beverly Hills Institute, says all physicians should keep their medical knowledge up to date and ensure that they are practicing within the scope of their expertise.

“Refer patients to specialists when necessary and do not hesitate to seek second opinions when faced with complex cases,” he says. “You should also conduct regular audits of your practice to identify potential areas of risk. This includes reviewing patient records, practice protocols and communication methods to ensure they meet the highest standards.”

Mistakes to avoid

Almost half of adults in the U.S. have taken at least one prescription drug in the past 30 days. And, according to the FDA, 1.5 million patients are harmed each year by preventable medication errors. That means that they either got the wrong drug, they got too much of the drug, they had allergic reactions or there was some harmful interaction with another drug they were taking.

“My advice here is to pay attention to your patients, find out what other drugs they are taking and communicate effectively about potential risks and dosage,” Gurian says. “Each one of these injuries is preventable.”

Then there are misdiagnoses, which happen most often because of inadequate patient assessment; errors in medical judgment; failure to consider all relevant information or alternative diagnoses; and communication breakdowns within a health care team.

“To avoid a misdiagnosis malpractice lawsuit, I recommend doctors keep these risk areas in mind with every patient,” Gurian says.

Communication matters

Proper patient communication is key in preventing malpractice claims. The challenge is that not all patients feel comfortable discussing their concerns and complaints, so the PCP won’t get the correct information to make a plan of care, including further evaluation.

Therefore, PCPs should practice building their patient’s trust and rapport long term with their patients and being direct and empathetic with patients about their health, their options and their prognosis without using complex medical terms is key.

“Physicians need to take the time to make sure the patients understand what’s going on and what their treatment options are in plain, simple language, and then provide them with written notes to take home that reiterate what was discussed during their visit,” Warner says. “Research has shown that patients often forget up to 80% of what was said to them during their medical visits, so being precise is important.”

Physicians can try to foster an open and communicative relationship by trying to remember personal patient details to bring up at visits and take time during their patient’s visit to ensure that all patient concerns are addressed, fully considered and answered.

Proper documentation

Comprehensive and accurate documentation is a health care professional’s best defense against malpractice claims.

“You’d be surprised how many health care professionals keep poor records, and it only makes my job easier to win cases against them,” Gurian says. “Keep records of patient assessments, diagnoses, treatment plans and follow-ups to reduce the risk of error, and stick to established documentation protocols for maintaining electronic health records.

In litigation, Warner shares that she repeatedly hears the familiar mantra: “If it wasn’t documented, it didn’t happen” from the plaintiffs’ bar, so the importance of detailed, accurate documentation cannot be overstated.

“Physicians should be consistent in their charting, provide necessary detail, document their communications with the patient and refrain from interpersonal commentary that could be perceived as judgmental or insensitive,” she says.

From the first visit, Mishkind recommends writing down everything and anything that was discussed both with and from the patient.

“Not only should results of the physical evaluation be documented, but so should what was discussed with the patient, along with next steps and future care plans,” she says. “Further, any materials provided to the patient, including medical articles and studies, referrals, etc., should also be noted in the chart.”

At the end of each documented visit, Kelvas always adds a few sentences about how she educated the patient about what would happen if they didn’t take their medication or follow our plan of action.

“If someone is nonadherent — the old term is ‘noncompliant’ — doesn’t get their regular blood work, doesn’t refill their meds on time so there’s a lapse in care, you have to document it, otherwise, you can get dinged for a failure to follow up,” she says.

For informed consent documents, things need to be detailed and complete and include only the risks/benefits of the specific treatment being provided. The written document must be written in plain language at a seventh-grade reading level or below, and the physician needs to schedule an appointment long enough to explain everything while leaving time for questions and clarification.

Information on any treatments should be provided to the patient in their fluent language and a copy of the same should also be documented in the chart and indicated as provided to the patient.

“An informed consent document should be executed by the patient prior to any treatment or procedure,” Mishkind says.

Dealing with difficult patients

Most physicians at one time or another have run into a difficult patient relationship or someone who screams a risk of potential litigation.

When encountering someone who they think could be a challenge, Warner says physicians should slow down, have a nurse or other health care provider in the room and document.

“Though there are rare patients out there who are looking for an opportunity to sue a physician, most patients are just upset about their health issues and scared of what might happen to them, which sometimes leads to lashing out at — and blaming — their health care providers,” she says. “Empathy and patience are essential in these situations, and the physician needs to remain calm and avoid getting emotional, annoyed or angry with the patient.”

Primary care physicians need to actively listen to their patients and demonstrate that they genuinely care about their well-being. If they foster a relationship of open communication without judgment or condescension from the beginning, the barriers to patient communication, such as fear and embarrassment, will be vastly reduced and the physicians will get a more complete and accurate picture of their patients’ issues and health, making treatment plan decisions easier and more informed. That will cut down on any threats of a malpractice suit.

30 Sep 2024
Jodi Ritter, News Permalink

How the restaurant, hospitality industries manage today’s risks

September 30, 2024

Natural disasters, cost increases, a rise in litigation and the lingering effects of the pandemic impact these businesses.

By Kristen Beckman| September 30, 2024

[Coffey Modica partner Jodi Ritter quoted]

Hotels, motels, restaurants and resorts are subject to an array of perils and exposures including trips and falls, theft, alcohol-related accidents, natural disasters and cybersecurity breaches. With a multitude of people visiting and working at these properties daily, insurance is crucial, although it can be complex to navigate and represent a substantial business expense.

Like other sectors, hospitality is impacted by losses related to increased natural disasters, increased costs, a rise in litigation and the lingering impacts of COVID-19. Many insurance carriers have been evaluating their participation in the hospitality market, resulting in reduced capacity and double-digit rate increases.

“Hotels are subject to the same natural catastrophe perils as other classes of business but are often disproportionately impacted by such events due to their concentration in urban population centers and coastal areas,” says Dustin Ritch, a broker at World Insurance Associates who specializes in serving the hospitality industry on the East Coast. “Aside from natural catastrophes, water damage continues to prove a loss leader in the hotel industry due to both drain backups and bursts or accidental discharge of sprinkler systems (often when a guest hangs clothing on a sprinkler head in a room).”

Rising costs

Facing a slower expected travel environment this year, the hospitality industry is keen to manage risks and related insurance costs. In 2023, hotel insurance accounted for about 1.7% of total operating revenue, up from its long-run average of 1.2%, according to CBRE Hotels Research. Some factors driving the surge in commercial insurance premiums include the number and severity of losses due to hurricanes in Florida, fires in California and Hawaii, tornadoes in the Midwest, winter freezes in Texas, and convective storms across the country, says CBRE. Concurrently, the cost of fixing damages and replacing buildings has gone up and supply chain interruptions and lack of available labor continue to inflate construction-related costs and drive building values higher, which leads to increased premiums. Hotel size and capacity impact premiums, as does claims history and risk management practices.

“Unfortunately for U.S. hoteliers, the ability to control insurance costs is limited,” says CBRE. “On property, hotel owners can make physical ‘risk improvements’ such as flood gates and earthquake seismic shutoff valves. Owners also have the option to buy less insurance, or increase their deductible, to reduce their premiums.”

Common hospitality risks

Besides trips and falls, which are a prevalent risk across most commercial entities, one of the most obvious and common risks hotels and restaurants face is fire loss, says Jodi Ritter, a partner at New York-based law firm Coffey Modica LLP and former lead of the Sompo Global Risk Solutions program at Gallagher Bassett Services. Hotels and restaurants have strict guidelines for building and health code regulations, including fire suppression in the kitchen, hard-wired smoke detectors, sprinkler systems and fire extinguisher placements. Properly marked exits and evacuation plans to assist patrons and reduce risk of liability are also warranted, she says.

One area often overlooked in hotel coverage is pair and set coverage, noted Ritter. Since hotel furniture is coordinated and matching, if only a portion of their furniture is damaged, they may need to replace an entire set to maintain their décor.

Another common risk for hospitality is around swimming pools, she says.

“The presence of a swimming pool presents safety hazards for both patrons and staff,” says Ritter. “Lifeguards can be a good investment as they supervise and assist immediately if there is a problem. Either way, rules should be posted and some level of oversight provided in order to maintain a safe place.”

Employee theft also commonly presents a risk to the hospitality industry. This can include embezzlement as well as theft of the employer’s property, says Ritter. Communicating with employees is the first step in prevention, ensuring everyone knows what constitutes theft and fraud and that there is a zero tolerance for it. Having company oversight by managers and frequent third party audits is advisable and conducting background checks on new hires is also a relevant risk management tool, she says.

Emerging risks

One emerging legal risk unique to the hospitality sector is the increasing incidence of human trafficking in hotels resulting in lawsuits. Hotels can be held civilly and criminally liable for failing to prevent and report trafficking on their premises. Days Inn, for example, was ordered to pay a multi-million-dollar settlement to eight victims in a 2023 human trafficking case. Many policies now incorporate exclusions for human trafficking and other crimes as well as for weapons, says Ritch.

In addition, communicable disease exclusions have become a mainstay in the industry following the pandemic. “It can be found baked into virtually every commercial general liability policy at this point, particularly in the hospitality space,” says Ritch. Like many other commercial entities, hospitality also faces cyber issues, and protecting guests’ personal and financial information is mandatory, says Ritter. She also noted hotels face cyber risks related to guests using hotel Wi-Fi systems to work remotely. “Safe systems are imperative to prevent cyberattacks and data breaches,” she says.

Risk mitigation

Major types of hospitality insurance include commercial general liability insurance covering guest injuries and property damage; commercial property insurance to guard against disasters, fires and storms; commercial auto insurance for properties that provide shuttles or other transportation-related services; workers compensation insurance to cover employee injuries; equipment breakdown insurance; cyber liability insurance; dram shop insurance broadly covering liquor liability concerns; and innkeeper liability insurance.

Beyond proper insurance, proactive mitigation practices can help the hospitality industry reduce its exposures. Both Ritter and Ritch encouraged regular inspection and maintenance of properties and ensuring proper security is in place. Ritter also pointed to ensuring proper contracts are in place with third-party vendors: “If you’re a mall, a restaurant, an apartment complex and you have a cleaning company, you must have a contract with an indemnification clause that if the vendor does something negligently or omits to do something and somebody is injured as a result, then they have to provide defense and indemnification to the owner.”

Training is also key to mitigating risk in hospitality, especially because risk managers often aren’t present when incidents occur. Employees should be trained to proactively watch for potential dangers, keep guests safe during incidents, and collect information and properly fill out incident reports. The American Hotel and Lodging Association (AHLA) offers free training to employers and employees on how to recognize and respond to human trafficking through its No Room for Trafficking initiative.

Broker best practices

In the increasingly challenging hospitality insurance environment, experts say property owners and managers should start working with their broker up to 120 days before renewal and make sure the broker is aware of any recent improvements to the property. The hospitality industry is increasingly looking for and may benefit from customized coverage for unique risks. In addition, digital tools tend to appeal to hospitality insurance purchasers.

10 Aug 2024
E-bikes, Michael Mezzacappa, News Permalink

Readers sound off on Laura Kavanagh’s Legacy

August 10, 2024

Partner Michael Mezzacappa was published in the New York Daily News opinion section in response to a recent editorial regarding retiring FDNY Commissioner Laura Kavanaugh and her legacy of awareness and advocacy regarding the growing threat of e-bike battery fires.

Readers sound off on who gets housing first, campaign messaging and Laura Kavanagh’s legacy 

New York Daily News | August 10, 2024

Continue her legacy 

Tarrytown, N.Y.: Former FDNY Commissioner Laura Kavanagh’s relentless advocacy for lithium-ion battery safety was rightly celebrated in your Aug. 7 editorial  “Laura Kavanagh’s mission continues.” Shining a light on the scourge of e-bike battery fires has not only inspired swift action on the part of our representatives at all levels of government, but it’s saved lives in the process. According to reporting in July 2024, e-bike battery fires had led to only one fatality versus 13 at the same point in 2023, no doubt due to greater consumer awareness of what to do in case of these fires. But more must be done, as the number of fires, year over year, has remained pretty much the same even as fatalities and injuries decline. Congress must pass federal safety standards that will keep improper equipment off the market and ensure that manufacturers doing business in the U.S. are traceable and insured. 

31 Jul 2024
E-bikes, Michael Mezzacappa, News Permalink

Opinion: E-Bike Battery Fires Demand Sweeping Safety Reforms

July 31, 2024
BATTERY FIRES
Opinion: E-Bike Battery Fires Demand Sweeping Safety Reforms
By Michael P. Mezzacappa | July 31, 2024

“E-bikes are here to stay, and without a multipronged approach demanding action from the business community and individual stakeholders, along with local governments, no meaningful difference will be achieved.”

The rash of lithium-ion battery fires across the country has finally sparked Congressional action with the introduction of the Setting Consumer Standards for Lithium-Ion Batteries Act (H.R. 1797), requiring the Consumer Product Safety Commission to establish product safety standards for rechargeable lithium-ion batteries used in e-bikes and other micro-mobility devices.

Such legislation merely touches the surface of a larger enforcement problem. E-bikes are here to stay, and without a multipronged approach demanding action from the business community and individual stakeholders, along with local governments, no meaningful difference will be achieved.

Since the onset of COVID-19, when home deliveries to locked-down residents became an essential service, e-bikes have become ubiquitous in major cities like New York. The lithium-ion batteries that power the bikes have become the leading cause of fatal fires throughout the five boroughs.

According to New York’s Fire Commissioner Laura Kavanaugh, in just the past two years, e-bike batteries have caused approximately 500 fires and killed 24 people, and there are no signs of this trend slowing down. H.R. 1797’s main sponsor is New York Congressman Ritchie Torres of the Bronx, which experienced three e-bike fires in the first half of May 2024 alone.

But the dangers of lithium-ion batteries are hardly an “only-in-New York” issue. Municipalities from coast to coast have seen a surge in incidents where exploding batteries suddenly go ablaze and trap those inside the affected home or business.

In California, San Francisco saw 58 fires involving lithium-ion batteries in 2022, with an additional 41 fires counted in 2023. Meanwhile, the San Diego Fire-Rescue Department reported at least 32 e-bike battery fires since mid-March 2024, in addition to 104 fires in 2023.

Data from the International Fire Chiefs Association found more than 60 battery fires in Houston, TX during 2023, and 73 lithium-ion battery fires were investigated by the Phoenix Fire Investigations Task Force between June 2023 and February 2024.

Even the DMV—the District of Columbia, Maryland and Virginia—is not immune, with 17 fires reported in Fairfax County in 2023, and eight Washington D.C. fires in the same year.

This ever-growing scourge has led to a patchwork of rules and regulations as cities and states tackle the problem with their own array of legislation, fire code changes and more. There is certainly an appetite for action on the federal level, as H.R. 1797 easily passed the House with bipartisan support. At a recent event in Brooklyn, New York Senator Kirsten Gillibrand voiced her support for the federal safety standards outlined in the bill and pushed for its inclusion in the Fiscal Year 2025 National Defense Authorization Act (NDAA).

While developing and enforcing safety standards for rechargeable lithium-ion batteries can aid the fight against the fires they spark, it is far from enough to solve the issue. More actions need to be considered to fully put these deadly blazes behind us.

E-bikes are often used by delivery workers who are independent contractors living on an hourly salary. When battery issues arise, these price-conscious drivers frequently gravitate toward the cheapest possible option, whether that is a disreputable online seller or a secondary market flooded with foreign-based goods.

While putting stringent safety standards on new e-bike batteries is helpful, lawmakers will not be able to go into people’s homes to confiscate older, unregulated e-bikes and batteries.

The fact is, however, that lithium-ion battery imports in the U.S. roughly doubled for the third consecutive year in 2022, according to S&P Global—a period when 60 to 70 percent of global e-bike production occurred in China.

Those majority-foreign-manufactured models currently dominate the market and will continue to be sold from person to person at garage sales or on sites such as Craigslist.

So, while legislators at the federal, state and city levels debate and design the structures of their own interventions, more needs to be done to spread responsibility to all involved.

Local municipalities should mandate the creation of an insurance market that can handle e-bikes. For those used for commercial purposes, the e-bikes in the delivery fleet should be periodically inspected by the public authorities that might license operators of these motorized devices.

Further measures must also be taken on the federal level, as any lithium-ion battery standards must ensure that manufacturers are traceable and insured, if they want to do business in the U.S.

When deadly fires do occur, high-level investigations should take place. Just as the The National Transportation Safety Board (NTSB) is called in when a train derails, a ship crashes or when airplane parts fall out of the sky, there must be a body to oversee and investigate incidents involving e-bikes on a national basis, ensuring that whatever went wrong is not constantly recurring.

While Congress should be applauded for recognizing the importance of this issue and making attempts to tackle some of the root causes head on, it is going to take a concerted effort from all of us to put a lid on these growing fire hazards and save lives.

Michael P. Mezzacappa is a partner and general counsel with Coffey Modica LLP. Admitted to practice in New York, New Jersey and the District of Columbia, he is a trial attorney who has represented insurers, property owners and managing agents, manufacturers, construction companies, trucking companies and other professionals in cases based on some of the largest and most high-profile litigations, including fires and explosions.

09 Jul 2024
Michael Coffey, News Permalink

Boeing’s Plea Deal Shows The Importance Of Accountability After A Crisis

July 9, 2024

Coffey Modica’s founding partner, Mike Coffey, comments on Boeing’s plea deal in Forbes article.

Edward Segal, senior contributor

Boeing’s plea deal with the federal government that was announced Sunday concerning issues related to the company’s 737 Max is a timely reminder for business executives about the importance of full disclosure and accountability in the aftermath of a crisis.

The failure to provide all the information that is requested by authorities about a crisis further damages the image and reputation of a company and can deepen or extend the crisis—or create a new one.

Subject To Approval

In the deal that is subject to a judge’s approval, Boeing would plead guilty to defrauding the government in a case related to the crash of two of its 737 Max planes and not adhering to the terms of an agreement with the government that enabled the company to avoid prosecution.

Boeing confirmed that it had reached an “agreement in principle in terms of a resolution with the Justice Department subject to the memorialization and approval of specific terms,” according to the Washington Post.

Another Low Point

“It is rare for a company of Boeing’s stature to plead guilty to a crime, and the moment marks another low point for the already-battered reputation of the century-old aircraft manufacturer,” the Washington Post reported.

“The plea underscores the long shadow of the deadly crashes and also comes at [a[ time when Boeing is trying to restore the trust of regulators and the flying public amid a fresh safety crisis that began in January when a panel flew off the side of a newer model Max mid-flight,” the news outlet wrote.

Ripple Effect

In addition to further damaging its reputation, the plea deal “potentially ability to secure lucrative government contracts with the likes of the U.S. Defense Department and NASA, although it could seek waivers,” Reuters reported.

“Over on-third of Boeing’s work is via government contract and [the plea] could have long ranging impact on Boeing their contracts and the lives of Boeing’s 167,000 member workforce,” Michael Coffey, an attorney and senior partner of Coffey Modica, a defense litigation firm, explained via email.

Downsides

Despite the damage the deal will have on Boeing, legal experts say it may not discourage others from similar transgressions.

Deal Lacks Teeth

“The Boeing plea deal— like others involving corporations— lacks teeth,” Wayne Cohen, a law professor at the George Washington University School of Law, said in a statement.

“The flaw here is that although individuals may go to prison for similar offenses, corporations escape with fines. This begs the question whether justice has been served. Financial penalties in civil cases are acceptable, but in criminal cases no one faces prison. That’s the problem,” he observed.

Limited Deterrence

“A criminal plea for Boeing’s misconduct is likely to have a deterrent effect on other corporations,” Jason Brown, a former Department of Justice Special Agent and a legal advisor to the FBI.

“However, if only the company pleads guilty and no individuals are held accountable, the deterrence may be limited, as individual actors might feel insulated from criminal liability behind the corporate shield. Often, the act itself isn’t enough to trigger culpability; it’s the obstruction and cover-up that lead to charges,” he noted.

Controlling The Narrative

One of the lessons to come out of the plea deal is “the importance of engaging a crisis management team and legal experts who can tactfully disclose wrongdoing while controlling the narrative,” Brown observed.

“This approach helps avoid a concealed liability that will inevitably be exposed, often through whistleblowers or other means. Business leaders should learn from this plea deal that transparency and accountability are crucial in crisis management to prevent further legal and reputational damage,” he concluded.

03 Jul 2024
Jonathan Heller, Joseph Hopkins, Maxwell Bottini, News Permalink

Coffey Modica Promotes 2 Partners, 1 Counsel In NY

July 3, 2024

Law360 | Connecticut Pulse

By Matt Perez July 3, 2024

New York litigation boutique Coffey Modica LLP announced the promotion of two attorneys to partner, including the firm’s first hire in 2021, as well as the elevation of another lawyer to counsel.

Maxwell Bottini, who joined the firm around its founding, and Joseph Hopkins have both been elevated to partner, according to a Monday statement from Coffey Modica, while Jonathan Heller steps into the counsel role. The attorneys practice within labor and professional liability law.

“Each of these talented attorneys has played a key role in the incredible growth Coffey Modica has experienced in just under three years since its founding,” said partner Robert Modica in a statement Monday. “The knowledge, dedication and integrity they bring to every client interaction is admirable.”

Bottini, who practices out of New York and Connecticut, handles labor law cases, defending both general contractors and subcontractors. He has tried over 20 cases to verdict and several more to settlement.

Before joining Coffey Modica, Bottini worked as an associate at Tyson & Mendes LLP. He began his career as an assistant district attorney with the Kings County District Attorney’s Office. Bottini earned his bachelor’s from Villanova University and his law degree from Brooklyn Law School.

“I was the first attorney hired at Coffey Modica, and it has been a privilege every day since to work alongside this top-notch team,” Bottini said in the statement. “I am grateful to all of my colleagues and mentors, especially Michael Coffey and Robert Modica, for their support and guidance, and I look forward to continuing to grow along with the firm well into the future.”

Also stepping into the partner role, Hopkins works on litigation matters related to labor law, construction defects, professional liability and casualty defense, representing developers, general contractors and real estate investment and management companies.

Hopkins runs his practice out of New York City, having joined the firm in early 2023 after previously serving as an associate at O’Toole Scrivo LLC and Wood Smith Henning & Bergman LLP. He received his bachelor’s and law degrees from Seton Hall University.

“It has been a privilege to work alongside Michael Coffey, Robert Modica and all of my esteemed colleagues, whose mentorship has helped guide my professional growth,” Hopkins said in the statement. “I am excited for the firm’s continued expansion, and I look to what the future has in store.”

Heller becomes a counsel at Coffey Modica after two years in an associate attorney role with the firm. Working out of Coffey Modica’s White Plains, New York, office, Heller also handles labor law, general liability and casualty matters. During his career, he’s represented owners, contracts and corporations across New York. He earned his bachelor’s from Queens College and his law degree from Hofstra University.

“I am thankful to the entire Coffey Modica team for their faith and trust in me to be a part of the firm’s extremely bright future,” Heller said in the statement. “I feel that every day is an opportunity to learn a better tactic or a better argument that would further assist us in getting the best results for our clients, and I look forward to further cultivating our firm’s relationships.”

Founded in 2021, Coffey Modica has several locations across New York, as well as offices in New Jersey and Connecticut. The firm represents businesses and insurance companies in litigation defense and appellate strategy, along with consulting across professional industries.

01 Jul 2024
Jonathan Heller, Joseph Hopkins, Maxwell Bottini, News Permalink

Coffey Modica Promotes Three Attorneys

July 1, 2024

Firm Announces Two New Partners, One Counsel

Coffey Modica LLP, a defense litigation firm representing prominent business and insurance companies in liability claims, excess property/casualty, medical malpractice, nursing, and other professional industries, announced that two of the firm’s attorneys have been promoted to Partner, with a third being given the role of Counsel.

“Each of these talented attorneys has played a key role in the incredible growth Coffey Modica has experienced in just under three years since its founding. The knowledge, dedication and integrity they bring to every client interaction is admirable and it is exactly that talent that our firm hopes to continue fostering with these much-deserved promotions,” said Founding Partner Robert Modica.

Partner Maxwell Bottini has been working with Coffey Modica since its founding in 2021. Practicing out of the firm’s New York and Connecticut offices, Bottini focuses on high-exposure labor law cases, defending general contractors and subcontractors alike. He has successfully tried more than 20 cases to verdict and settled even more, achieving the most favorable results possible for his clients. Bottini began his career as an Assistant District Attorney in the Kings County District Attorney’s Office, where he investigated and prosecuted hundreds of misdemeanor and felony cases. He is a graduate of Brooklyn Law School and currently lives in Fairfield, CT.

“I was the first attorney hired at Coffey Modica and it has been a privilege every day since to work alongside this top-notch team. I am grateful to all of my colleagues and mentors, especially Michael Coffey and Robert Modica, for their support and guidance, and I look forward to continuing to grow along with the firm well into the future,” said Bottini.

Partner Joseph Hopkins focuses primarily on New York Labor Law, construction defects, professional liability and casualty. A former judicial law clerk for the Honorable John I. Gizzo, Hopkins has represented prominent general contractors and developers in Manhattan on high-value matters, and he successfully achieved a defense verdict in New Jersey on behalf of a national real estate investment and management company. He practices out of the firm’s New York City office and is admitted to the Bar in both New York and New Jersey. A graduate of Seton Hall University School of Law, Hopkins currently lives in Cranford, NJ.

“I am truly honored to be elevated to Partner at Coffey Modica. It has been a privilege to work alongside Michael Coffey, Robert Modica and all of my esteemed colleagues, whose mentorship has helped guide my professional growth,” said Hopkins. “I am excited for the firm’s continued expansion, and I look to what the future has in store.”

Counsel Jonathan Heller joined Coffey Modica in 2022 and practices out of the firm’s White Plains office, where he specializes in labor law and general liability and casualty matters. As a third-generation attorney, over the course of his eight-year career, Heller has both defended and prosecuted cases on behalf of dozens of leading owners, contractors and major New York corporations, as well as one of the largest hospital conglomerates on Long Island and a host of well-known physicians and surgeons. The Long Island native is a graduate of Hofstra University’s Maurice A. Deane School of Law and currently lives in Teaneck, NJ.

“I am thankful to the entire Coffey Modica team for their faith and trust in me to be a part of the firm’s extremely bright future,” said Heller. “I feel that every day is an opportunity to learn a better tactic or a better argument that would further assist us in getting the best results for our clients, and I look forward to further cultivating our firm’s relationships. In this new role, I hope to contribute to the passion for excellent work product that makes our firm one of the top rising law firms in the United States, and one of the best places to work in the New York Metropolitan Area.”

Coffey Modica LLP is a New York-based defense litigation firm with offices in New York, New Jersey and Connecticut, and is among the fastest-growing firms in the nation. The firm represents defendants in high-profile, high exposure matters across many disciplines and industries around the country. Known for being aggressive trial attorneys and litigators, Coffey Modica resolves matters on behalf of its clients with the most cost-effective resolutions aligned with their short- and long-term business goals and culture.

01 Jul 2024
News Permalink

HITECH Audits Return: OCR Promises Enforcement Changes for HIPAA

July 1, 2024

Joelle Duval comments on the implications of the reopening of the Health Information Technology for Economic and Clinical Health (HITECH) audit program and a new round of audits of HIPAA-regulated entities.

Healthcare Risk Management | July 2024

The Health and Human Services Office for Civil Rights (HHS OCR) has reopened the Health Information Technology for Economic and Clinical Health (HITECH) audit program and will begin audits of HIPAA-regulated entities later in 2024, according to public statements by OCR Director Melanie Fontes Rainer. The audits will focus on the Security Rule, particularly the requirements for security risk analyses and risk management.

The audits will be accompanied by other enhancements intended to promote better compliance with HIPAA. These changes will put more pressure on covered entities and require work ahead of time to avoid penalties.

The impending audits may be more of a threat to smaller institutions, says John W. Leardi, JD, attorney with the Buttaci Leardi & Werner law firm in Princeton, NJ.

“I think most institutional or large providers probably, because of how resource-intensive they are compared to others, are probably fine, right? Or at least if they’re not, there’s no excuse for it,” he says. “My concern here in terms of vulnerability is going to be medium to small practices and independent practices, not part of a health system, not part of a larger institutional system.”

Leardi notes that the HIPAA Security Rule is about 20 years old now, and OCR probably is looking to update it. The audits may provide some guidance, he says.

“Some of it has become dated. The landscape of how we maintain health information is dramatically different now than it was 20 years ago,” Leardi says. “A substantial portion of the industry now has adopted electronically based storage as opposed to maintaining manila folders in the office. There has been some chatter that it needs to be revisited and, perhaps, updated to closely align with where we are in the industry. It’s not surprising that maybe these audits are designed as much about enforcement as they may be gathering data to determine the touch points in industry that are most in need of focus in any proposed rulemaking or adjustments.”

Many covered entities will not be ready for the audits, says Jeffery P. Drummond, JD, partner with the Jackson Walker law firm in Dallas.

“I think it’s going to catch people by surprise because nobody knows what we’re being tested on. There’s no study guide,” he says. “A more explicit message from OCR saying there are 10 things here that are listed, a list of possible bad things that can happen to you, would be helpful. They haven’t really done something that explicitly. It would be better for them to say we’re going to re-audit in two years and here are the things we’re going to be looking for, here is a list of things you need to do.”

No More Checking the Box

With the announcement of the return of the OCR HIPAA audit program the days of the “check the box” risk assessments and HIPAA compliance program evaluations may be gone for good, or at least until OCR pauses the program again, says John F. Howard, JD, senior attorney with the Clark Hill law firm in Scottsdale, AZ. It has long been understood that HIPAA requires covered entities and business associates to conduct accurate and thorough assessments of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI), he says.

“But, notwithstanding entities that have fallen victim to some form of cybersecurity incident, most entities have taken this requirement as merely a quick review and response to a privacy and security questionnaire to ensure that all the requirements of the security and privacy rules are attested to for documentation purposes,” he says. “Often, this means that there is no validation of the required controls to ensure that they are operating as they should and do not need attention.”

Howard says he often has seen entities that have allowed the value of the risk assessment process to take a back seat while they focus on more seemingly pressing business matters. This is understandable to a point, he says, but clearly is not what was intended by the Rule when it was made. The announcement of the return of the federal audit should change this, he says. Howard suggests that covered entities and business associates should, at least, do the following to prepare for a potential audit by OCR:

  • Review past risk assessment results and ensure any findings were addressed or plans have been put in place to do so.
  • Conduct new risk assessments that look for validation of compliance measures being in place through pen testing, vulnerability scans, employee interviews, configuration validations, and access and control sweeps.
  • Clearly document any findings, remedial measures, and plans for moving forward based on criticality if issues are found.
  • Clearly identify any cybersecurity framework being relied on and how it has been implemented.
  • Make sure appropriate leadership is kept aware of the state of the entity’s HIPAA compliance activities.

“These are necessary basic steps that I see missed over and over again that apply to risk assessment and risk management requirements under HIPAA. It is important that these also apply equally to the security and privacy side of the house,” Howard says. “Don’t forget to review the processes and procedures for responding to patient rights requests and making sure an entity’s privacy practices are clearly communicated. This applies to privacy practices between an entity and its patients, business partners, affiliates, and vendors.”

Structured relationships are necessary to ensure compliance along the entire service chain where
(e)PHI is involved, he says. It also will be important for covered entities and business associates to remember that HIPAA requires technical and nontechnical evaluations of an entity’s policies and procedures to make sure they are compliant with HIPAA’s various requirements, he says. This is completely separate from the risk assessment requirements and can be more closely equated to a HIPAA compliance program review, Howard notes. The output of this evaluation can be used to create an audit book that can be a great resource when the auditors come knocking.

“Overall, the return of the OCR audit program returning is a good signal that it is time for regulated entities to start putting processes in place now to identify any compliance gaps they may have and develop plans for resolving the more pressing issues found through risk assessments and program evaluations,” Howard says.

OCR Sending Survey

OCR indicated in a notice published in the Federal Register that it will send an online survey consisting of 39 questions to the 207 covered entities and business associates that participated in the 2016-2017 OCR HIPAA audits, explains Layna Cook Rush, CIPP/US, CIPP/C, shareholder with the Baker Donelson law firm in Baton Rouge, LA. OCR specifically asks for information regarding subsequent HIPAA compliance actions taken by the survey recipients as a result of the previous audits to evaluate the effectiveness of the audits and the counseling the organizations obtained from OCR in response to the audits, she says. Presumably the information gathered will be used to develop an updated audit program for future use, she says, adding that OCR has not expressly stated that the audit program will return or provide information on when audits will resume or what will be different. Because the requirements for covered entities and business associates have not substantially changed since the 2016-2017 OCR HIPAA audits, if there is a next phase of audits, OCR likely will focus on the same requirements, she says.

However, there may be an increased scrutiny on cyber performance, given the proliferation of cybersecurity incidents in the healthcare industry and OCR’s focus on technological security preparedness and resiliency, she says.

While OCR has not provided details on a new audit program, it is likely that the selection process will mimic the audits in 2016 and 2017, she says. OCR identified organizations that represented a wide range of covered entities; its sampling criteria included size, affiliations, location, and whether an entity was public or private.

The audited covered entities submitted lists of all their business associates, which OCR combined to create a pool of business associates, she says. OCR randomly selected business associates from the pool to audit.

“OCR has stated that the audit program is used to identify best practices gleaned through the audit process and to inform guidance targeted to identified compliance challenges,” Rush says. “Since the last audits, OCR has routinely published sub-regulatory guidance to covered entities on different aspects of the HIPAA privacy and security rules.”

In conjunction with the previous audits, OCR also published a comprehensive audit tool that covered entities and business associates could use to gauge compliance with HIPAA, Rush notes. The prospect of an audit and the availability of the tool resulted in many organizations reviewing their compliance posture and making positive changes, she says, and the same industry response is likely if the audit program is re-instituted.

The HITECH Act requires OCR to periodically audit covered entities and business associates for HIPAA compliance, so OCR’s failure to continue the audit program is in derogation to the requirements of the HITECH Act, Rush notes. OCR may be gearing up for another phase of audits to ensure it is complying with legal directives, she says.

“Another potential driver is the increase in security-related breaches that result from cybercrime. The audits may be a piece of the overall goal of seeing covered entities and business associates strengthen their protection of PHI,” she says. Rush notes that HHS also has recently launched new Healthcare and Public Health Cybersecurity Performance Goals to provide healthcare delivery organizations with practices that will “strengthen cyber preparedness, improve cyber resiliency, and ultimately protect patient health information and safety.”

“It is likely that only a few organizations will be selected for audit if the program is reconstituted, but organizations that have not utilized the OCR audit protocol should consider such a review in anticipation of OCR resuming the program,” Rush says. “Covered entities should review the OCR audit protocol in anticipation of the return of the audit program. Further, covered entities should ensure that they have conducted a recent security risk assessment, instituted a risk mitigation plan in response to the assessment, and developed policies and procedures for compliance with the HIPAA Rules.”

OCR Sending Survey

The audits should not strike too much fear in the hearts of covered entities that are making a good faith effort to comply with HIPAA, says Joelle Duval, JD, an attorney with the Coffey Modica law firm in White Plains, NY. “While it goes without saying that nobody likes to be audited, least of all by the United States government through HHS or the IRS (Internal Revenue Service), covered entities that have complied, or made a valiant and demonstrable attempt to comply with the myriad of regulations and protections mandated by HIPAA, should take comfort that their efforts will shield them from violations, or substantially reduce the crushing fines that HHS is known to give for violations of protected health information,” she says.

Duval suggests that these covered entities should even be proud to be among those selected for audit by HHS to demonstrate to other comparable covered entities that compliance is possible and slip-ups forgivable to a large degree — “even if, just like the one student that always sat in the front row of the class and raised his/her hand for every question, they are ‘hated’ for passing the course and always knowing the answer.”

For those entities that have not made the effort, the audits will be problematic. “Those covered entities who have ignored the regulations, by choice or necessity, such as perhaps lacking resources to keep up with the privacy and security rule regulations, sadly there is little advice to give them other than to say that the dice they have been rolling have just hit snake eyes,” Duval says. “Quite simply, there are few excuses covered entities can have that HHS would likely accept as mitigation to identifying violations and breaches during an audit. In fact, I cannot think of one viable excuse to suggest. Even a comet crashing to earth and knocking out the power grid would have HHS asking the covered entity about what safeguards were in place should there be a complete loss of power.”

HIPAA and its privacy and security rules have been in effect too long, and reports of data breaches, identity theft, and data ransoms are too widespread to the general population for a covered entity to be unprepared to stand up to HHS scrutiny, Duval says.

Whistleblowers Encouraged?

An unexpected effect from the reemergence of random HIPAA audits may be the encouragement of whistleblowers, she says. Covered entities often maintain a smiling public face touting their lack of any tolerance for HIPAA violations, Duval says, proclaiming “if you see something, say something” or “report and you will be supported” or “HIPAA violations will not be tolerated here.” But the actual internal practice is really one of punitive retaliation against employees reporting violations, she says. It is surprisingly common but seldom recognized, Duval says, that some of the largest private and public covered entities are the most punitive to those internal personnel voicing legitimate concerns regarding negligent data practices and the routine practice of turning a blind eye.

“HIPAA violations happen, most often inadvertently, but at times negligently. HHS recognizes this reality, and covered entities facing violations or breaches can mitigate their damages,” she says. “But, regardless of how an adverse event happens, covered entities who have made it a regular practice to bury their heads in the sand or sweep violations and reporters under the rug rather than acknowledge — by reporting when obligated to do so — and attempt to rectify the situation will find themselves in a much deeper hole than underneath the sand.”

Therefore, covered entities should be prepared for HHS to come knocking at their door by not only examining its compliance practices under HIPAA, but also looking at its actual internal practices of compliance, including how employees are received when they voice legitimate concerns to protect HIPAA, and the covered entity, Duval says.

“It should not be surprising, therefore, for a random audit by HHS to stir up unrecognized and illegal state and federal employment practices,” she says. “And those covered entities [that] have taken a punitive approach or turned a deliberate blind eye to employees reporting actual or suspected HIPAA violations may find themselves under the dual scrutiny from both HHS; state and federal Departments of Labor; and, most frightening, plaintiff attorneys.”

Weak Risk Analysis?

A crucial element of the HIPAA Security Rule is conducting risk analysis, something that historically has been a weakness for many organizations, notes Michael Parisi, head of client acquisition with Schellman, an information technology compliance and cybersecurity firm in Tampa, FL.

“Poor risk analysis practices are major contributors to the increase in breaches we’ve seen in past years,” he says. “In fact, more than 90% of the OCR HIPAA settlement actions regarding ePHI breaches involved an insufficient risk analysis or risk management program.”

With the news that OCR is reinvigorating its HIPAA audits, it is important for organizations to take a look at when their last risk assessment was — if ever — and what actions they have taken since then, Parisi says. From there, they need to identify if they acted on making the appropriate security updates to address identified vulnerabilities and whether they have maintained those practices.

Parisi highlights these pitfalls many organizations face when it comes to HIPAA risk analysis and risk management:

  • Skipping the step of threat analysis, which should happen even before the risk assessment. Organizations need to look through all potential existing threats, identify which are relevant to them, and have those threats reflected in the risk assessment.
  • Not including all systems that touch ePHI in the risk analysis/management program and what threats are relevant to the organization. Overlooking these places leaves them vulnerable to attack and vulnerable to penalties.
  • Inadequate risk analysis. Organizations should look to existing resources like the OCR Guidance on Risk Analysis Requirement or NIST SP 800-30 Guide for Conducting Risk Assessments for help when conducting analysis.
  • Neglecting to reassess on a specified basis and not performing updated analyses when a change in the environment introduces new risks.

Being caught out of compliance can mean significant financial penalties, as well as reputational damage, Parisi says. Prioritizing these risk requirements not only preserves HIPAA compliance, but also mitigates risk for a breach or cyberattack.

One suggestion is for organizations to package up their “‘HIPAA story,” he says. Instead of having a risk assessment in one place and policies and procedures in another, it behooves the company to pull everything together with a cover page that tells the story of their HIPAA compliance journey and gives OCR everything they need in an easy to access bundle, he says.

“This movement of bringing back HIPAA audits is a step in the right direction from OCR in the efforts for a more secure healthcare system,” Parisi says. “It is, however, just a first step, and I think we can anticipate seeing continued movement from the OCR and HHS to implement additional standards and requirements beyond HIPAA, especially in light of recent breaches.”