HIPAA Compliance for Medical Practices
65.0K views | +0 today
Follow
HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians
Your new post is loading...
Your new post is loading...
Scoop.it!

HIPAA and Email: there are rules

HIPAA and Email: there are rules | HIPAA Compliance for Medical Practices | Scoop.it

Email has been widely used by both business and the general public for much of the last twenty years, and reliance on it has found its way into the daily lives of millions.  Recently, email has become even more accessible with the introduction of the smartphone.  However, leave it to healthcare to throw a curve ball to this cozy relationship.  The fact is, HIPAA and email have long been at odds.

HIPAA Privacy and Security rules are concerned with email and the web in general

Across the board, healthcare providers are increasingly

  • using, or
  • are considering using, or
  • are being asked to use,

email to communicate with patients about their medical conditions.  If you find yourself described here, then it bears repeating that the Internet, and things like an email sent over the Internet, is not secure.  Although it is unlikely, there is a possibility that information included in an email can be intercepted and read by other parties besides the person to whom it is addressed.  And it’s that “possibility” that becomes the area of focus.

HIPAA and email can coexist … it’s a matter of understanding the rules

So what do the Privacy and Security rules allow – or prohibit – when it comes to HIPAA and email?

Under many of the HIPAA regulations, the standards call for reasonable safeguards, reasonable approaches, reasonable policies, etc.  But what is considered reasonable?  The Office of Civil Rights (OCR) of the Department of Health and Human Services includes several statements on its HIPAA FAQs page.  Notably …

“The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so. See 45 C.F.R. § 164.530(c). For example, certain precautions may need to be taken when using e-mail to avoid unintentional disclosures, such as checking the e-mail address for accuracy before sending, or sending an e-mail alert to the patient for address confirmation prior to sending the message.”

 

What if a patient initiates communications with a provider using email?  The OCR says:

“Patients may initiate communications with a provider using e-mail. If this situation occurs, the health care provider can assume (unless the patient has explicitly stated otherwise) that e-mail communications are acceptable to the individual. If the provider feels the patient may not be aware of the possible risks of using unencrypted e-mail or has concerns about potential liability, the provider can alert the patient of those risks, and let the patient decide whether to continue e-mail communications.”

 

Must providers acquiesce to use of email for communications with patients?

Note that an individual has the right under the Privacy Rule to request and have a covered health care provider communicate with him or her by alternative means or at alternative locations, if reasonable. See 45 C.F.R. § 164.522(b). For example, a health care provider should accommodate an individual’s request to receive appointment reminders via e-mail, rather than on a postcard, if e-mail is a reasonable, alternative means for that provider to communicate with the patient. By the same token, however, if the use of unencrypted e-mail is unacceptable to a patient who requests confidential communications, other means of communicating with the patient, such as by more secure electronic methods, or by mail or telephone, should be offered and accommodated.

 

The OCR also interprets the HIPAA Security Rule to apply to email communications.

“The Security Rule does not expressly prohibit the use of email for sending e-PHI. However, the standards for access control (45 CFR § 164.312(a)), integrity (45 CFR § 164.312(c)(1)), and transmission security (45 CFR § 164.312(e)(1)) require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to e-PHI.

 The standard for transmission security (§ 164.312(e)) also includes addressable specifications for integrity controls and encryption. This means that the covered entity must assess its use of open networks, identify the available and appropriate means to protect e-PHI as it is transmitted, select a solution, and document the decision. The Security Rule allows for e-PHI to be sent over an electronic open network as long as it is adequately protected.”

To summarize the rules that apply to HIPAA and email …

  • Email communications are permitted, but you must take precautions;
  • It is a good idea to warn patients about the risks of using email that includes patient health information (PHI);
  • Providers should be prepared to use email for certain communications, if requested by the patient, but must ensure they are not exposing information the patient does not want to be shared; and
  • Providers must take steps to protect the integrity of information and protect information shared over open networks.
Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

The Status Of HIPAA Compliance

The Status Of HIPAA Compliance | HIPAA Compliance for Medical Practices | Scoop.it

The Office for Civil Rights (OCR), the agency within the U.S. Department of Health and Human Services tasked with HIPAA compliance enforcement, is about to start formally notifying various healthcare providers and plans that they have been selected for an audit. Those covered entities selected will be required to submit specific documentation to OCR that demonstrates how their respective organizations are complying with HIPAA compliance requirements. 

 

The goal with the Phase 2 Audit program is to determine how well covered entities are implementing the correct policies and procedures for HIPAA compliance. If the results of the Phase 2 audits are anything like the first audit, OCR is probably going to see disappointing data indicating most organizations are not fully complying with all the requirements. 

 

There is an easier way to find out the status of current compliance with covered entities, not to mention a less costly way, in saving the taxpayers money in paying a contractor to gather the needed results.  Published reports showed that OCR paid about 9 million dollars to the global audit firm KPMG in 2012 to conduct the Phase 1 audits.

 

NueMD released the results of their follow-up survey to the original survey conducted in 2014, which looked at the status of HIPAA compliance. In the updated survey, 927 respondents, which included practices and billing companies, answered a number of revealing questions about the current status of HIPAA knowledge and compliance. For comparison purposes, OCR is looking to identify about 200 covered entities for the Phase 2 audit.

 

So what did NueMD find out in their updated survey? Overall HIPAA compliance is still not close to where it needs to be with most organizations. With so many HIPAA data breaches occurring on what seems like a daily basis, the survey clearly shows why this is occurring.

 

Here are some significant findings of the survey:

 

  • Regarding the annual requirement for HIPAA Security Awareness Training, the 2014 survey indicated 62% of owners, managers and administrators claimed they provided training for their staff annually — now that number has dropped to 58%.

 

  • Appointing HIPAA Security and Privacy Officers is another requirement for compliance. The survey found an actual decrease in these appointments. Although appointments were only a few percentages down, the study said, “These may not be extraordinary changes, but the numbers are moving in the wrong direction!”  Agreed.

 

  • On the positive side, the survey showed, “A region that suggests a correlation between increased awareness and improved compliance is that of Business Associate Agreements,” (BAA).  In 2014, 60% of the respondents were aware of the use of BAAs, where in 2016, 68% now claim to know more about these rules.  

 

  • Another positive finding was in the awareness of the HIPAA Omnibus updates. In 2014, respondents indicated 64% were aware of the updates in law. That percent increased to 69% this time around. There are many additional patient rights afforded by the Omnibus Rule that healthcare providers must be aware of. Although there was an increase, providers must do a better job in understanding their responsibilities under Omnibus. 

 

The NueMD updated survey is a great barometer to gauge overall HIPAA compliance efforts, but as the survey shows, covered entities still have a long way to go to make sure they fully understand all the requirements and just not some.

Technical Dr. Inc.'s insight:

Contact Details :
inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com/tdr

more...
No comment yet.
Scoop.it!

Health System’s Good Deed Leads To Data Breach

Health System’s Good Deed Leads To Data Breach | HIPAA Compliance for Medical Practices | Scoop.it

Philanthropy is a good thing, but if you’re not careful it can land you in hot water. This was the lesson learned by the Virginia Commonwealth University Health System when it recently found itself facing a breach of PHI when it donated a series of CDs to an art program for children, according to PHIprivacy.net.

VCUHS officials said notifications were being sent out to patients regarding the security of certain patient information. According to the notice, between January 2012 and October 2014, a series of compact discs that were no longer necessary for VCUHS services were donated for children’s art projects, and some of those CDs contained sensitive patient health information for approximately 1,000 medical records.

The CDs were ones that had been provided by patients who had been referred to VCU Health Systems for treatment, and included full names, medical diagnoses, medication information, and social security numbers for the involved patients.

Becker’s Hospital Review reports the CDs were accidentally donated by an employee. According to the Richmond Times-Dispatch, any potential disciplinary action involving the incident would remain confidential. VCU spokeswoman Anne Buckley asserted that no evidence of misuse of the PHI has been detected, and the notice was being sent out as a required precaution.

“The population that we are concerned about are folks that brought their information in the form of CDs that were referred to us,” John Duval, CEO of MCV Hospitals and Clinics told the Richmond Times-Dispatch. “Any breach of this type has to presume that there might be individual discs out there that are still readable, so we have the duty to both investigate this to the limits of our ability and then to notify the folks of the risk that their personal health information might have been compromised.”

“What began as a well-intentioned philanthropic effort by a staff member wanting to help turned into a serious mistake that we are working very hard to remedy,” Duval said in the press release. “This error brought to light a vulnerability in our system that developed over time and that we are working to correct, and we are deeply sorry for the inconvenience this may have caused some of our patients.”

According to Duval, rules regarding CDs and their disposal have been tightened to prevent any future breaches. “Large data breaches are happening across many industries, including health care, and are very concerning to all,” Duval said in the release. “The VCU Health System has revised its protocols regarding media destruction and will redouble its efforts to protect all sensitive information.”

more...
No comment yet.
Scoop.it!

Recent HIPAA Decisions Suggest State Courts May Look to Federal Regulations to Define Negligence in the Data-Security Context - Data Protection - United States

Recent HIPAA Decisions Suggest State Courts May Look to Federal Regulations to Define Negligence in the Data-Security Context - Data Protection - United States | HIPAA Compliance for Medical Practices | Scoop.it

A recent decision of the Connecticut Supreme Court signals a growing trend in Health Insurance Portability and Accountability Act (HIPAA) jurisprudence that could prove significant in the broader data-security context. 

Although HIPAA contains no private right of action and preempts contrary state laws, several courts have held the HIPAA does not preempt state-law negligence claims for improper disclosure of private patient information and—importantly—that HIPAA regulations may inform the state-law duty of care. This trend and the most recent case, Byrne v. Avery Center for Obstetrics & Gynecology, P.C., should be of interest not only to health care providers, but also to all companies collecting or disseminating sensitive customer information.  Courts have yet to address the contours of any common-law duty to protect consumer data in the data-security context, but Byrne suggests that courts could look to federal regulations and standards, even if the federal-law sources do not provide private rights of action.
While certainly not new, data-breach lawsuits have become more common after numerous high-profile breaches within the past year.  But most of the litigation to-date has centered on a plaintiff's ability to state a cause of action. Plaintiffs have tried numerous common-law theories: breach of contract, unjust enrichment, invasion of privacy, misrepresentation and negligence. Courts generally reject contract, unjust enrichment and misrepresentation claims unless the defendants undertook some specific security obligations in their contracts or privacy policies.  Invasion of privacy claims frequently fail for lack of "publication," and negligence claims fail for lack of actual injury—e.g., identity theft—under either the economic loss doctrine or Article III standing. 

Few cases have gone beyond the pleadings, and fewer still have reached the question of what a state-law negligence duty entails in the context of data breach.  In the HIPAA context, however, courts have begun to look to federal regulations for guidance, a trend that could inform courts in data-breach cases that survive the pleadings.

The plaintiff in Byrne received treatment in connection with her pregnancy from the defendant obstetrics center, which agreed in its privacy policy not to disclose her health information without authorization. But after the child's father filed paternity actions and served a subpoena, the obstetrics center mailed a copy of the plaintiff's medical records to the family law court without informing Byrne. Before Byrne could seal the records, the father reviewed them and allegedly harassed and threatened her.  Byrne sued the obstetrics center, alleging, in pertinent part, statutory negligence, common-law negligence and negligent infliction of emotional distress. 

The trial court dismissed the statutory and common-law negligence claims and the negligent infliction of emotional distress count, reasoning that they were essentially HIPAA claims in disguise. More specifically, addressing the state statutory negligence claim, the court wrote that "[t]o the extent that [the statute] permits disclosure of protected medical records pursuant to a subpoena without the safeguards provided by HIPAA, it is both contrary to and less stringent than HIPAA and therefore superseded by HIPAA." Similarly, the trial court opined that if "common law negligence permits a private right of action for claims that amount to HIPAA violations, it is a contrary provision of law and subject to HIPAA's preemption rule" and "[b]ecause it is not more stringent [than HIPAA], the preemption exception does not apply." The court further ruled that insofar as the doctrine of negligent infliction of emotional distress "permits a private right of action for HIPAA claims" it is also is preempted by HIPAA.

The Connecticut Supreme Court reversed the trial court's decision, holding that HIPAA does not preempt state-law negligence actions for breach of patient confidentiality, as such actions are not "contrary" to HIPAA, but either complementary or "more stringent." Of interest in the broader data-security context, Connecticut joined courts in North Carolina, Kentucky, Delaware and Maine by ruling that "HIPAA and its implementing regulations may be utilized to inform the standard of care applicable" in state-law negligence actions. In addition, district courts in Tennessee and Missouri have remanded negligence claims predicated on HIPAA regulations to the respective state courts, implying that such claims are proper under state law.

These rulings apply only in the HIPAA context and only in those specific states. Even so, the cases bear watching from a data-security perspective, as courts could employ similar reasoning in data-breach actions, looking to regulations or pronouncements by the Federal Trade Commission, Federal Communications Commission, or other federal regulatory entities that have entered or might yet enter the data-security fray. 

It is important to note that the Connecticut Supreme Court in Byrne assumed, without holding, that Connecticut's common law recognizes a negligence action for breach of patient confidentiality, so state courts could still hold that companies owe no data-security duties beyond those assumed in contract or imposed by statute.  Moreover, the court noted that HIPAA regulations are relevant to the negligence standard of care to the extent they have become "common practice" for Connecticut health care providers. On this reasoning, only those standards that achieve frequent use within an industry or locale would inform a negligence duty. 

Given the increase in data-breach lawsuits and the trend in HIPAA cases, companies should pay close attention to federal regulatory efforts, especially those that gain common use, even if those standards do not carry penalty provisions or private rights of action.


more...
No comment yet.
Scoop.it!

A Patient’s Right to Access Medical Records

A Patient’s Right to Access Medical Records | HIPAA Compliance for Medical Practices | Scoop.it

Most medical practices, healthcare organizations, and clinicians are very familiar with HIPAA rules and regulation. However, the law can be extensively complicated and is often a source of confusion and misinterpretation. According to the Office for Civil Rights (OCR), one of the most common complaints and frequently misunderstood parts of the law involves a patient’s right to access their personal medical records. Due to the recent increase of patient complaints on this subject matter the OCR has published new guidance regarding the right of access. Below are a few of the highlights. (The full text can be viewed at www.hhs.gov.)

The HIPAA Privacy Rule requires all covered entities to provide individuals with access to their personal health information in “designated record sets,” upon their request. A designated record set is a group of records maintained by or for a covered entity, including; medical and billing records, enrollment, payment, claims, or medical management record systems and other records used by a covered entity to make decisions about an individual’s health. 

Information that is not included is; PHI that is not part of the designated record set or used to make decisions about an individual's health, psychotherapy notes, and information compiled for a legal suit. 

Does the HIPAA rule apply to electronic medical records? 

Yes.  Patients have the right to access both paper and electronic medical records.  

Can a patient request that another individual be given access to their information? 

Yes.  A patient should sign a request that provides the recipient, which records to send, and where to send them.

Can a covered entity charge the patient a fee for copies of their medical records?

Yes. HIPAA allows a “reasonable fee.”  The covered entity can charge a minimal fee for supplies and labor. It is important to note that state law may limit the ability to charge for records. 

What form or format must the medical records be provided?

A covered entity must provide the patient with their medical records in the form and format requested, or if not available, in a readable format as agreed to by the covered entity and individual.

What is the timeframe in which a covered entity must provide a patient their requested records? 

A covered entity has 30 days from the date of request to produce the records.  One 30-day extension is permissible with a written notice to the patient and reason for the delay with the expected date of completion.

How quickly must an entity make corrections to inaccurate medical records?

When patients access a medical record and discover information they believe is inaccurate, they must file a written request for the record to be corrected.  The covered entity must then respond to the request within 60 days.  It may take an additional 30 days but must provide a written explanation for the delay and a date of completion.

What should patients do if they have difficulty obtaining a copy of their medical records?

It may be appropriate to contact the healthcare provider’s designated privacy HIPAA compliance officer. This action will document the complaint, and show that the patient has made an effort to resolve the problem. If the provider ignores the complaint, the individual may want to proceed with an HHS complaint.

Conclusion

Providing patients with access to their medical health information empowers individuals to take control over health decisions and enables them to effectively monitor chronic conditions, adhere to treatment plans, and track their progression.  Additional benefits include increased patient engagement, improved outcomes, and a more patient-centered health care system.

 

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

How HIPAA applies to the burgeoning world of mobile health

How HIPAA applies to the burgeoning world of mobile health | HIPAA Compliance for Medical Practices | Scoop.it

The federal regulatory environment has not kept pace with the progress of mobile health. Mobile health is driven by consumers who expect to have all sorts of information, including health data, on their phones, said Jeffrey Dunifon, an associate attorney at Baker & McKenzie who previously was an investigator at the Department of Health and Human Services Office for Civil Rights.

 

 

To help healthcare provider organizations and mobile developers navigate the HIPAA waters, Dunifon points to the HIPAA Questions Portal at hipaaqsportal.hhs.gov, which was launched by HHS. Providers and developers ask questions, HHS provides answers, said Dunifon, who spoke today at the HIMSS and Healthcare IT News Privacy & Security Forum in Los Angeles during a session entitled "HIPAA and mHealth: Key Challenges and Solutions."

 

 

"Key issues covered on the site include businesses regulated by HIPAA, information covered by HIPAA, and HIPAA compliance measures," Dunifon said.

When it comes to mobile health, or mHealth, it's important to fully understand the entities covered by HIPAA. These include healthcare providers, health plans and clearinghouses.

"Less clear, though, is when a company becomes a business associate under HIPAA," Dunifon explained. "A business associate is any entity that accesses or discloses protected health information for or on behalf of a covered entity or another business associate. This is very relevant in the developer environment."

 

 

Examples of businesses and tools that could require a business associate agreement, according to Dunifon, include:

 

  • A cloud services vendor that hosts PHI. "OCR has said in no uncertain terms that if an organization is using a cloud services vendor to host PHI, it needs a business associate agreement," Dunifon said.

 

  • An electronic health record developer that accesses PHI to help troubleshoot technical issues. "This is more on the routine side of the business associate definition, a company that has routine, ongoing access," he said.

 

  • A live translation mobile app used between healthcare providers and patients. "If an organization is using an iPhone or iPad on a live basis to have conversations between patients and providers discussing PHI, that needs to be covered by a business associate agreement," Dunifon said.

 

  • A patient appointment scheduling and payment mobile app. "If a provider offers to let patients schedule an appointment or pay for an appointment, that app developer needs to be covered by a business associate agreement," he said. "That can be a little confusing sometimes because there's not a clear health element to it."

 

  • Remote medical devices or apps sharing health indicators. "If you have a medical device someone is wearing that's sending information to an app, which is sharing that with the healthcare provider, and the app company is playing a role in transmitting or maintaining that information, that may be PHI covered by HIPAA," Dunifon said.

 

 

"In mobile health, if a consumer is paying for a product, it might not be PHI," he added. "But if it is being tracked by a covered entity, then it may be PHI."

 

 

Dunifon pointed conference attendees to a variety of resources to help with HIPAA compliance and mHealth, including the National Institute of Standards and Technology's Special Publications, the HHS Office for Civil Rights, HIMSS and Baker & McKenzie.

Technical Dr. Inc.'s insight:

Contact Details :
inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com/tdr

more...
No comment yet.
Scoop.it!

No Pre-Existing Condition Exclusions Means HIPAA Certificates No Longer Required | JD Supra

Earlier this year, the Departments of Health and Human Services, Labor and the Treasury issued a final rule implementing the Affordable Care Act (ACA) and revising the requirements of other healthcare laws and regulations affected by the ACA. One of the most significant changes made was to prohibit group health plans and issuers from imposing pre-existing condition exclusions on any enrollees in plans beginning on or after January 1, 2014. Consequently, as of December 31, 2014, health plans and issuers will no longer be required to issue the Certificates of Creditable Coverage previously required under the Health Insurance Portability and Accountability Act (HIPAA).

HIPAA guarantees continuous healthcare coverage for employees who change policies or jobs, or who retire and take advantage of the Consolidated Omnibus Budget Reconciliation Act (COBRA). These portability provisions required health plan and COBRA administrators to ease the burden of transitioning between healthcare policies by providing a Certificate of Continuous Coverage 30 days before the expiration of the plan's coverage or before the insured leaves employment to helpoffset a preexisting condition exclusion period under a new health plan.

The ACA’s prohibition on pre-existing condition exclusions for plan years beginning on or after January 1, 2014 makes these HIPAA Certificates unnecessary — and are therefore no longer required — for plans beginning in 2015 and later. For plans beginning before January 1, 2014, plans and issuers may place limited exclusions on pre-existing conditions and must still automatically provide HIPAA Certificates to individuals when they lose coverage or upon request for a period of 24 months following termination of coverage.

This is only one of many obligations imposed on employers and health care organizations under a law aimed at protecting individual health information. HIPAA violations can have serious consequences, from employment discipline or termination for employees to criminal prosecution and civil penalties up to $250,000 for healthcare professionals. The most effective way to prevent such violations is to provide employees with HIPAA training to keep protected health information confidential and follow proper security practices when handling such information.


more...
No comment yet.
Scoop.it!

State law may provide a remedy for breach of HIPAA’s privacy rules | Lexology

State law may provide a remedy for breach of HIPAA’s privacy rules | Lexology | HIPAA Compliance for Medical Practices | Scoop.it

When a woman received extortion threats and other forms of harassment from an ex-lover, she sued her medical provider for unauthorized disclosure of her medical records. Byrne v. Avery Center for Obstetrics and Gynecology, P.C., 314 Conn. 433 (2014). She further alleged that the threats and harassment directly resulted from a breach of the defendant’s duty of confidentiality under the Health Insurance Portability and Accountability Act (“HIPAA”). During her course of treatment, the defendant provided her with a copy of its notice of privacy practices that expressly stated it would not disclose medical records without obtaining authorization from the patient. Additionally, the plaintiff specifically instructed the defendant not to disclose her medical records to her ex-lover. But, when her ex-lover filed a paternity suit against her and served the defendant with a subpoena requesting a copy of her medical records, the defendant failed to notify her of the subpoena, to file a motion to quash the subpoena, or to appear in court. Instead, the defendant mailed a copy of her medical records to him.

As a result, the plaintiff filed four claims against the defendant. First, the plaintiff alleged that the defendant breached its contract when it disclosed her protected health information (“PHI”) in violation of its notice of privacy practices. Second, she claimed that the defendant was negligent when it failed to care for her PHI and disclosed her PHI without her authorization. Her third and fourth claims were for negligent misrepresentation and negligent infliction of emotional distress.

Since HIPAA does not create a private right of action for breach of its privacy provisions, the trial court interpreted common law claims for negligence and negligent infliction of emotional distress that relate to a breach of HIPAA’s privacy rules as inconsistent with HIPAA. Thus, in reliance on HIPAA’s preemption provision, the trial court granted the defendant’s motion for summary judgment on the claims for negligence and negligent infliction of emotional distress. Notably, the claims for breach of contract and negligent misrepresentation were not dismissed by the trial court, thus these claims were not reviewed on appeal.

On November 11, 2014, the Supreme Court of Connecticut held that HIPAA does not preempt a private cause of action arising from the unauthorized disclosure of PHI based on state common law, thereby reversing the trial court’s dismissal of the plaintiff’s claims for negligence and negligent infliction of emotional distress. Specifically, the Court found that if state law provides a plaintiff with a remedy for a medical provider’s breach of its duty of confidentiality, HIPAA does not preempt the plaintiff’s state law remedies for negligence or negligent infliction of emotional distress. Rather, a state law will be preempted by HIPAA only if it is impossible for a medical provider to comply with both the federal and state laws. Furthermore, a state law is not preempted by HIPAA if it relates to the privacy of PHI and provides an individual with greater privacy protection than HIPAA.

The Court did not analyze whether Connecticut law provides a remedy for a medical provider’s breach of its duty of confidentiality, it only determined that HIPAA would not preempt an available remedy under state law. Thus, the Court did not decide whether the plaintiff was successful in her claims for negligence and negligent infliction of emotional distress. The Court did, however, find that HIPAA may be used to determine the applicable standard of care for such state law claims.



more...
No comment yet.