French Ministry of Health Publishes Application Decree for "French Sunshine Act"; Requires Disclosure of Agreements With and Payments to Health Care Practitioners Dating Back to January 1, 2012

Reed Smith’s Global Regulatory Enforcement Law blog features a post on the recent publication of the application decree to the “French Sunshine Act” by the French Ministry of Health.  “A Brave New World? The ‘French Sunshine Act’ imposes online disclosure of contracts with HCPs, as well as of payments of ‘advantages’ to HCPs, dating back to 01 January 2012,” written by Daniel Kadar, discusses the specific ways and means that health care companies must disclose agreements with and “advantages” (payment or hospitality, including payment of a contractual fee) provided to health care practitioners ("HCPs") in order to comply with the application decree.  Information to be disclosed dates back 18 months, to January 1, 2012, and the first disclosure requirement is set for June 1, 2013.  According to Mr. Kadar, this tight timeframe raises compliance issues and has industry calling for reconsideration.

HHS Considers Amending the HIPAA Privacy Rule to Encourage Reporting of Mental Health Information to the National Instant Criminal Background Check System

This post was written by Jennifer L. Pike and Nancy E. Bonifant.

The Department of Health and Human Services (“HHS”) is seeking comments on a proposal to amend the HIPAA Privacy Rule to expressly permit covered entities to disclose certain mental health information to the National Instant Criminal Background Check System (NICS), the federal government’s background check system for the sale or transfer of firearms by licensed dealers.

Federal law prohibits the following persons from possessing or receiving firearms: (1) individuals who have been involuntarily committed to a mental institution; (2) individuals who have been found incompetent to stand trial or not guilty by reason of insanity; and (3) individuals who have been otherwise determined, through a formal adjudication process, to have a severe mental condition that results in the individual presenting a danger to themselves or others or being incapable of managing their own affairs (collectively referred to in the proposed rule as the “mental health prohibitor”).  Federal agencies are required by the NICS Improvement Amendments Act of 2008 to report to NICS the identities of individuals who are subject to the mental health prohibitor.  The Act also authorizes incentives for States to provide such information when it is in their possession.

HHS issued the proposed rule to address concerns that the HIPAA Privacy Rule may be preventing some States from reporting to NICS the identities of individuals subject to the mental health prohibitor.  Records related to involuntary commitments and mental health adjudications generally originate in entities in the criminal justice system.  Such entities are not HIPAA covered entities, and the records are therefore not subject to HIPAA.  However, there may be State entities outside the criminal justice system that are involved in some involuntary commitments or mental health adjudications, and these entities may be HIPAA covered entities.  Where a record of involuntary commitment or mental health adjudication originates with a HIPAA covered entity, or the HIPAA covered entity is the State repository for such records, those records are subject to HIPAA.  Therefore, the concern is that the individuals identified in such records are not being reported to NICS due to HIPAA compliance considerations.

To address these concerns, HHS is considering whether to amend the Privacy Rule to expressly permit covered entities to disclose limited information to NICS about the identities of individuals who are subject to the mental health prohibitor.  Pursuant to the HHS request for comments, the potential exception may limit the information disclosed to the minimum data necessary for NICS purposes, and limit permission to disclose to covered entities that order involuntary commitments, perform relevant mental health adjudications, or are otherwise designated as State repositories for NICS reporting purposes.

HHS is seeking comments on specific questions related to the proposal.  These questions are listed in HHS’ Advance Notice of Proposed Rulemaking, which is available here.  Comments should be submitted in writing, or electronically at www.regulations.gov, on or before June 7, 2013.

The Scope of HIPAA Preemption in Florida: More Questions than Answers

This post was written by Nancy E. Bonifant and Zachary A. Portin.

On April 9, 2013, the Eleventh Circuit held that HIPAA preempts a Florida statute that requires nursing homes to release medical records of deceased residents to their spouses, attorneys-in-fact and other enumerated parties who request them.  In Opis Management Resources LLC v. Secretary Florida Agency for Health Care Administration, the Florida agency that oversees nursing homes cited Opis Management, an operator of nursing homes, for refusing to release medical records to deceased residents’ spouses and attorneys-in-fact.  Opis Management challenged the citations arguing that the requesting parties were not “personal representatives” under HIPAA.

The HIPAA Privacy Rule requires disclosures of PHI in only two situations: (1) to the individual, and (2) to the Secretary of HHS.  Covered entities must also treat a deceased individual’s “personal representative,” who has authority to act on behalf of the deceased individual or his/her estate, as the individual for purposes of disclosures under the HIPAA Privacy Rule.  While HIPAA does not preempt “more stringent” state laws, it sets a floor for privacy protections and supersedes any contrary provision of state law.

The Eleventh Circuit held that HIPAA preempts the Florida statute because it “impedes the accomplishment and execution of the full purposes and objectives of HIPAA and the Privacy Rule,” particularly keeping an individual’s PHI confidential.  According to Judge Black, the Florida statute authorizes “sweeping disclosures” that make a deceased resident’s PHI available to certain individuals upon request without any need for authorization and “without regard to the authority of the individual making the request to act in the deceased’s stead.”  Interestingly, because the Florida agency failed to timely raise the argument, the court did not consider whether compliance with both laws was possible because HIPAA permits covered entities to disclose PHI as “required by law.”

Opis Management Resources highlights one of the many challenges that covered entities face in trying to achieve compliance under HIPAA and state privacy law.  Although the holding suggests that analogous Florida statutes mandating disclosures may also be preempted, the ruling is limited to licensed Florida nursing homes.  Clearly, the scope of HIPAA preemption remains unsettled and the issue will likely continue to be determined on a case-by-case basis.

Loose Lips Sink... Providers?

This post was written by Zachary A. Portin and Nancy E. Bonifant.

Can a medical corporation be directly liable under New York law for breaching its common law fiduciary duty of confidentiality when a non-physician employee acted outside the scope of his or her employment by making an unauthorized disclosure of an individual’s confidential health information?  This is the question that the U.S. Court of Appeals for the Second Circuit posed to the New York State Court of Appeals last month when it requested an advisory opinion from the state’s highest court in order to resolve Doe v. Guthrie Clinic Ltd. 

Plaintiff Doe sued various Pennsylvania-based entities (the “Guthrie Defendants”) that owned and operated the Guthrie Clinic Steuben (the “Clinic”) located in New York after one of the Clinic’s nurses sent six text messages to Doe’s girlfriend informing her that Doe was being treated for sexually transmitted diseases.  Plaintiff Doe brought several tort claims against the Guthrie Defendants, including a novel claim that the common law cause of action for breach of the fiduciary duty to keep medical records confidential runs directly against medical corporations, even when the employee responsible for the breach is not a physician and acted outside the scope of her employment.

Although HIPAA does not create a private right of action under federal law, an aggrieved patient may avail himself or herself of state law causes of action.  For example, New York imposes a general duty to maintain the confidentiality of personal health information as well as a specific common law cause of action against a physician who improperly discloses confidential information.  In 2000, the Appellate Division of the New York State Supreme Court also held that a patient was permitted to sue a health insurer whose records clerk wrongfully disclosed treatment information.  Nevertheless, the Second Circuit elected to certify the question to the Court of Appeals with regard to the Guthrie Defendants after it concluded that no controlling precedent existed.

A favorable ruling for Plaintiff Doe threatens to vastly expand the scope of liability faced by providers and other entities involved in the delivery of healthcare.  Perhaps most concerning from the perspective of providers is the prospect of such entities facing liability under New York law for unforeseeable misconduct committed by non-physician employees.  Regardless of the Second Circuit’s ultimate disposition of this legal question, the case underscores the importance of developing and maintaining a robust compliance program to combat such misconduct.

CMS and OIG Propose Extension of Electronic Health Record Donation Protections

This post was written by Jennifer Pike and Brad Rostolsky.

The Centers for Medicare & Medicaid Services (CMS) and the Office of Inspector General (OIG) of the Department of Health and Human Services (HHS) have each proposed new rules to extend existing protections that allow hospitals to donate electronic health record (EHR) technology to physicians who refer patients to their facilities. By way of background, in 2006, CMS established an exception to the Stark self-referral law to allow hospitals to donate EHR technology to physicians under certain circumstances. Likewise, in 2006, the OIG established a safe harbor to protect such EHR donations from enforcement under the federal anti-kickback statute. While both protections are set to expire on December 31, 2013, the proposed rules would extend the provisions until the end of 2016 as a means to facilitate the adoption of EHR technology.

In addition to extending the EHR donation protections, the proposed rules would (1) remove the requirement from the original rule that donated EHR technology contain electronic prescribing capability, and (2) update the provision under which EHR technology is deemed interoperable, which would expand the types of EHR systems that qualify for the protections.

CMS’s proposed rule is available here. The OIG’s proposed rule is available here. Comments regarding both proposed rules should be submitted in writing, or electronically at www.regulations.gov, by June 10, 2013.

France: Code of Conduct Compliance Breach Not Automatically a Sufficient Reason for Employee Termination - Employers Should be Cautious of Proper Local Implementation of Compliance Guidelines

Reed Smith's Global Regulatory Enforcement blog features a post on a December 2012 French Supreme Court ruling in a case involving a French Director in a health care company who had been dismissed on the grounds of a clear breach of health care compliance obligations as set forth in the French Public Health Code. The outcome: even though a company is acting in a highly regulated environment such as health care, compliance breaches must be integrated in the employer-employee relationship if they are to justify termination in France. As Reed Smith Partner Daniel Kadar notes, this case serves as a reminder to any international health care organization that the worldwide adoption of compliance guidelines and of a Code of Conduct is not in itself a sufficient protection against compliance breaches – everything depends on how these tools are implemented locally.

OCR Announces Expansion of its Health Information Privacy Enforcement Team

This post was written by Brad M. Rostolsky and Jennifer Pike.

On February 27, 2013, the HHS Office for Civil Rights (“OCR”) announced the availability of several Health Information Privacy Specialist positions. This expansion of OCR’s health information privacy enforcement team signals that OCR’s increased enforcement activity during 2012 will continue in 2013. In 2012, OCR announced several enforcement actions resulting from breach self-reports required by HITECH’s Breach Notification Rule, including the $1.7 million settlement in June with the Alaska Department of Health and Social Services and the Massachusetts Eye and Ear Infirmary’s $1.5 million settlement in September. OCR’s 2012 enforcement actions, and OCR leadership comments subsequent to the release of the HITECH Final Rule, suggest that the agency’s focus will be on Security Rule compliance (specifically with regard to whether a regulated entity has conducted a Security Rule risk assessment), the lack of overall HIPAA compliance that may lead to a breach (as opposed to the breach itself), and issues involving marketing or the sale of Protected Health Information. Covered entities and business associates should expect OCR enforcement, including audits, to continue to increase over the next year.

More information on these positions is available at usajobs.gov.

Additional information about OCR’s enforcement activities can be found at hhs.gov.

The HITECH Final Rule: The New Privacy/Security Rules of the Road Have Finally Arrived

This post was written by Brad M. Rostolsky, Nancy E. Bonifant, Salvatore G. Rotella, Jr., Elizabeth D. O’Brien, Jennifer Pike and Zachary A. Portin.

On January 25, 2013, the Office for Civil Rights of the United States Department of Health and Human Services published the long-awaited final regulation implementing many of the amendments and additions to the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules directed by the 2009 Health Information Technology for Economic and Clinical Health Act (“HITECH Act”).

Noteworthy provisions of the HITECH Final Rule include:

  • Making Business Associates directly liable for compliance with certain requirements of the HIPAA Privacy and Security Rules;
  • Converting subcontractors of Business Associates that create, receive, maintain, or transmit PHI on behalf of the Business Associate into Business Associates themselves;
  • Requiring authorizations for all treatment and health care operations communications where the Covered Entity receives financial remuneration for making the communications from a third party whose product or service is being marketed;
  • Replacing the Breach Notification Rule’s “harm” threshold with a presumption that an impermissible use or disclosure of PHI is a Breach unless the Covered Entity or Business Associate demonstrates that there is a low probability that the PHI has been compromised; and
  • Mandating compliance by Covered Entities and Business Associates with applicable requirements by September 23, 2013.

Please click here to read our detailed analysis of the HITECH Final Rule. As always, please contact Brad M. Rostolsky (215-851-8195 or brostolsky@reedsmith.com), Nancy E. Bonifant (202-414-9353 or nbonifant@reedsmith.com), Salvatore G. Rotella, Jr. (215-851-8123 or srotella@reedsmith.com), or any other member of the Reed Smith Health Care Group with whom you work, if you would like additional information or if you have any questions.


It's Here: OCR Releases Long Awaited HIPAA/HITECH Final Rule

This post was written by Brad M. Rostolsky and Nancy E. Bonifant.

The Office for Civil Rights (“OCR”) of the Department of Health and Human Services released today the long awaited, and much anticipated, omnibus final rule modifying the HIPAA Privacy, Security, Breach and Enforcement Rules.  The final rule, which implements the statutory requirements of the Health Information Technology for Economic and Clinical Health Act (“HITECH”) and the Genetic Information Nondiscrimination Act (“GINA”), is comprised of four final rules and addresses the July 2010 HITECH proposed rule, the Breach Notification and Enforcement interim final rules, as well as the October 2009 GINA proposed rule (collectively, the “HITECH Final Rule”).  Notably, the HITECH Final Rule does not address the May 2011 proposed accounting and access report rule.

Noteworthy provisions of the HITECH Final Rule include:

  • Making Business Associates directly liable for compliance with certain requirements of the HIPAA Privacy and Security Rules;
  • Converting subcontractors of Business Associates that create, receive, maintain, or transmit PHI on behalf of the Business Associate into Business Associates themselves;
  • Requiring authorizations for all treatment and health care operations communications where the Covered Entity receives financial remuneration for making the communications from a third party whose product or service is being marketed;
  • Replacing the Breach Notification Rule’s “harm” threshold with a presumption that an impermissible use or disclosure of PHI is a Breach unless the Covered Entity or Business Associate demonstrates that there is a low probability that the PHI has been compromised; and
  • Mandating compliance by Covered Entities and Business Associates with applicable requirements by September 23, 2013.

We are in the process of conducting a full review of the HITECH Final Rule and will release shortly a Client Alert providing a detailed analysis of the Rule.  In the meantime, please contact Brad M. Rostolsky (215-851-8195 or brostolsky@reedsmith.com), Nancy E. Bonifant (202-414-9353 or nbonifant@reedsmith.com), Salvatore G. Rotella, Jr. (215-851-8123 or srotella@reedsmith.com), or any other member of the Reed Smith Health Care Group with whom you work, if you would like additional information or if you have any questions.

OCR Continues Increased Focus on Enforcement, Announces First HIPAA Breach Settlement Involving Less than 500 Individuals

This post was written by Brad M. Rostolsky and Nancy E. Bonifant.

On January 2, 2013, the HHS Office for Civil Rights (“OCR”) announced its first settlement and corrective action plan following a breach affecting fewer than 500 individuals. The Hospice of North Idaho (“HONI”) has agreed to pay $50,000 to settle potential violations of the HIPAA Security Rule following the theft of an unencrypted laptop containing electronic Protected Health Information (“ePHI”) for 441 patients. Significantly, this is the third settlement in six months involving unencrypted portable devices.

In addition to the requirement to report breaches affecting 500 or more individuals “without unreasonable delay and in no case later than 60 calendar days after discovery of the breach,” which are publicized on OCR’s website, Covered Entities must also maintain a log of all breaches affecting fewer than 500 individuals and submit this information to OCR within 60 calendar days after the end of each calendar year. HONI reported the theft to OCR on February 16, 2011, and OCR opened an investigation on July 22, 2011. According to OCR, its investigation revealed that HONI had failed to conduct a risk analysis to safeguard ePHI and did not have in place policies and procedures to address mobile device security as required by the HIPAA Security Rule.

Following the $1.7 million settlement in June with the Alaska Department of Health and Social Services and the Massachusetts Eye and Ear Infirmary’s $1.5 million settlement in September, this settlement reinforces the practical necessity of encryption, which Leon Rodriguez, Director of OCR, describes as “an easy method for making lost information unusable, unreadable and undecipherable.” Easy or not, as providers face a health care environment that increasingly relies upon portable devices, encryption remains the primary answer to security risks. Furthermore, it remains the best first defense against the expensive and reputation-damaging reality of notifying patients and OCR that a breach has occurred.

Beyond emphasizing the importance of encryption, OCR’s recent enforcement trends also make it clear that Covered Entities (and, given the import of the forthcoming final HITECH regulation, Business Associates) should consider the Security Rule risk analysis to be the central component of Security Rule compliance. Although a risk analysis may require Covered Entities and Business Associates to spend significant resources, OCR plainly views it to be critical.

In addition to the $50,000 settlement, the Resolution Agreement between HONI and OCR included a corrective action plan, which requires HONI to investigate any report that a workforce member may have failed to comply with HONI’s Privacy and Security policies and procedures and report actual violations to OCR within 30 days. HONI did not admit any liability in the agreement and OCR did not concede that HONI was not liable for civil monetary penalties.

Additional information about OCR’s enforcement activities can be found here.

Preparing for the HITECH Final Rule Release: HURRY UP AND WAIT!

This post was written by Brad M. Rostolsky and Nancy E. Bonifant.

It has been almost two and a half years since the Department of Health and Human Services, Office for Civil Rights (“OCR”), published a notice of proposed rulemaking to implement the statutory requirements of the Health Information Technology for Economic and Clinical Health Act (“HITECH”) and amend the HIPAA Privacy and Security Rules, and almost nine months since the final rule was submitted to the Office of Management and Budget (“OMB”) for final regulatory clearance. While industry speculation, fueled by comments made by Leon Rodriguez, the Director of OCR, at the annual Safeguarding Health Information: Building Assurance through HIPAA Security Conference, suggested that an omnibus final rule would be released by the end of summer, OMB had different ideas.

Now, as we approach HITECH’s four year anniversary in February, the industry is again speculating that release of the final rule will be before year end. As the regulation’s title makes clear, “Modifications to the HIPAA Privacy, Security, Enforcement and Breach Notification Rules,” it is expected that this rule will address the July 2010 proposed rule, as well as the interim final rules (regarding both breach notification and enforcement) and, hopefully, the May 2011 proposed accounting and access report rule. Therefore, regardless of the ultimate release date, it remains important for Covered Entities and Business Associates to prepare for the forthcoming changes.

The following is a brief review of some key considerations in anticipation of the publication of the final HITECH omnibus rule.


OCR Releases Overdue Guidance on De-identifying Protected Health Information

This post was written by Brad M. Rostolsky and Nancy E. Bonifant.

The Office for Civil Rights (OCR) released guidance on Monday, November 26, 2012, regarding methods to de-identify protected health information in compliance with the HIPAA Privacy Rule.  This guidance, which followed a June 2012 Government Accountability Office report criticizing the delayed publication of this and related guidance, aims to assist covered entities and business associates in understanding what de-identification is and how de-identified information is created.

Because the HIPAA Privacy Rule does not restrict the use or disclosure of de-identified health information, the process of de-identification allows researchers and policy makers to have access to critical health information while mitigating privacy risks to the individual.  To mitigate privacy risks, the HIPAA Privacy Rule outlines two de-identification methods that ensure the health information does not identify an individual and that an associated covered entity has no reasonable basis to believe the information can be used to identify an individual: (1) Expert Determination and (2) Safe Harbor.

The Expert Determination method requires the services of an expert in statistical and scientific principles and methods to determine that the risk of re-identification is “very small” and to document that determination.  This method involves a three-step process of (i) working with the covered entity to determine appropriate statistical or scientific methods to mitigate the risk of identification, (ii) applying those methods to mitigate the risk, and (iii) assessing the remaining risk.  The guidance also addresses the expert’s qualifications, methods for de-identifying information, and approaches to assessing risk.

The Safe Harbor method involves removing 18 categories of identifiers of the individual or of the individual’s relatives, employers, and household members.  These identifiers include, for example, names, dates (other than year), geographic subdivisions smaller than a State (as well as ZIP codes depending on the population of a particular area), social security number, health plan and account numbers, IP addresses, and “any other unique identifying number, characteristic, or code.”  A covered entity must also not have “actual knowledge” that the remaining information could be used to re-identify the individual.  In addition to considering specific identifiers and providing examples, the guidance explains this “actual knowledge” standard as “clear and direct knowledge” that the information could be re-identified or awareness that the information is not actually de-identified.
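The following is an added, illustrative Safe Harbor de-identifier; it is not code from the OCR guidance or from the authors of this post. It applies the mechanics summarised above to a constructed patient record: direct identifiers are dropped by field, dates are reduced to the year, and ZIP codes are cut to three digits. Two details come from the Privacy Rule itself rather than from the post: the three-digit ZIP prefix becomes "000" when the area it covers has 20,000 or fewer people, and ages over 89 (and any date element that would reveal such an age) collapse into a single "90+" category. The field names, the short list of restricted ZIP prefixes, and the regular expressions used to scrub free text are assumptions for the example. The free-text scrubbing is deliberately conservative: it reports what it found so a reviewer can confirm the remaining text does not re-identify the individual, which is the "actual knowledge" question the guidance raises.

```python
"""Illustrative HIPAA Safe Harbor de-identifier (added example, not from the
OCR guidance).  Field names, the restricted-ZIP list and the free-text
patterns are assumptions; the 20,000-population ZIP threshold and the
"90+" age category come from 45 CFR 164.514(b)(2)."""
import re
from datetime import date

# Assumption: three-digit ZIP prefixes whose combined population is 20,000
# or fewer must be replaced with "000".  Illustrative list only; a real
# implementation must derive it from current census data.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203"}

# Fields holding direct identifiers; removed outright (assumed field names).
DIRECT_IDENTIFIERS = {"name", "ssn", "mrn", "email", "phone", "ip", "street"}

# Fields holding dates directly related to the individual.
DATE_FIELDS = {"dob", "admit_date", "discharge_date"}

# Free-text fields that may leak identifiers the field-level rules miss.
FREE_TEXT_FIELDS = {"notes"}

# Identifier-shaped tokens commonly found in clinical free text.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b(?:\(\d{3}\)\s?|\d{3}[-.\s])\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b|\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}

# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "dob": "1931-04-17",
    "admit_date": "2012-03-02",
    "zip": "03602",
    "ssn": "123-45-6789",
    "mrn": "MRN-00918273",
    "email": "jane.sample@example.com",
    "ip": "192.0.2.44",
    "diagnosis": "Essential hypertension",
    "notes": "Seen 2012-03-02. Spouse can be reached at 555-010-0100.",
}


def generalize_zip(zip_code):
    """Keep the first three digits unless the area is sparsely populated."""
    zip3 = zip_code.strip()[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def age_on(dob_iso, as_of):
    """Whole years between an ISO date of birth and a reference date."""
    born = date.fromisoformat(dob_iso)
    before_birthday = (as_of.month, as_of.day) < (born.month, born.day)
    return as_of.year - born.year - before_birthday


def scrub_free_text(text):
    """Redact identifier-shaped tokens; return new text and the labels hit."""
    hits = []
    for label, pattern in FREE_TEXT_PATTERNS.items():
        text, count = pattern.subn(f"[{label} removed]", text)
        if count:
            hits.append(label)
    return text, hits


def deidentify(record, as_of_iso):
    """Return (de-identified record, review notes) under Safe Harbor rules."""
    as_of = date.fromisoformat(as_of_iso)
    over_89 = "dob" in record and age_on(record["dob"], as_of) > 89
    out, review = {}, []
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue  # identifier dropped entirely
        if field == "dob":
            # Year only; for ages over 89 even the year is indicative, so
            # collapse to the aggregated "90+" category.
            out[field] = "90+" if over_89 else value[:4]
        elif field in DATE_FIELDS:
            out[field] = value[:4]  # year only
        elif field == "zip":
            out[field] = generalize_zip(value)
        elif field in FREE_TEXT_FIELDS:
            out[field], hits = scrub_free_text(value)
            # Anything found here means the source text carried identifiers;
            # a human should confirm nothing identifying remains.
            review.extend(f"{field}: {hit}" for hit in hits)
        else:
            out[field] = value
    return out, review


if __name__ == "__main__":
    cleaned, notes = deidentify(SAMPLE_RECORD, "2013-06-01")
    print(cleaned)
    print("review:", notes)
```

Run with a fixed reference date so age computation is reproducible. The review list is the important output for a compliance team: a non-empty list means identifiers were present in narrative text, and regex scrubbing alone is not evidence that the residual text satisfies the "no actual knowledge" condition.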

While this subregulatory guidance does not have the force of law, it is important to remember that Section 13424(c) of the HITECH Act mandated the guidance’s release.  Therefore, covered entities, and business associates that de-identify protected health information on behalf of covered entities, are advised to consider the guidance carefully and amend their processes to align with its requirements.

A copy of the guidance can be found here.

How to Reconcile Compliance Requirements and Code of Conduct Obligations with Data Protection Regulation: Reed Smith Paris Provided Some Illustrative Examples

As reported on our Global Regulatory Enforcement Blog, Reed Smith Paris partner Daniel Kadar and counsel Séverine Martel hosted, on 25 October 2012, a new edition of the conference cycle organized by Reed Smith Paris with the European American Chamber of Commerce, dedicated to reconciling compliance obligations, particularly those set forth in Codes of Conduct, with data protection requirements.

The panel, which included compliance directors of French health care giant SANOFI and General Electric Health, brought examples of how to reconcile compliance obligations, in particular those set forth in the Codes of Conduct most international organisations have now adopted, with applicable data protection regulation.  The first example was dedicated to the new French health care regulation and its transparency and disclosure requirements as to the existence (and the financial range) of agreements between the health care and cosmetics industries and health care professionals (including medical students), showing that the disclosure of financial and private information (such as the home address of medical students) had to be managed carefully with respect to the data subject’s information and access rights.  To read the full post, click here.

Reed Smith Gearing Up For "Big Data Monetization" Conference

Next week, Reed Smith will host a conference on “Big Data Monetization” at the Quadrus Conference Center in Silicon Valley (8:30-11:30 a.m. PDT). Big Data is a term used to characterize the accumulation of data at very large scale. Virtually every company, in every industry, is now an information and technology company. Companies run on Big Data, whether it be customer information, employee information, or competitive intelligence. Companies store, share, and use that information in increasingly complex ways, taking advantage of cloud-based solutions and revolutions in analytics, and finding ways to turn these massive databases into revenue. There is no doubt a plethora of opportunities in Big Data; however, using it comes with its own set of risks. The key to monetizing Big Data is striking the balance between risk and reward.

View a preview of the types of issues we’ll be tackling at the conference over on our Global Regulatory Enforcement Law Blog.

OCR Continues to Use Breach Self-Reports as an Invitation to Audit General HIPAA Compliance

Massachusetts Provider Becomes Third Seven-Figure Settlement Since March

This post was written by Nancy E. Bonifant and Brad M. Rostolsky.

On September 17, 2012, the HHS Office for Civil Rights ("OCR") announced another settlement and corrective action plan following an entity’s breach self-report required by HITECH’s Breach Notification Rule. Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (collectively "MEEI") have agreed to pay $1.5 million to settle potential violations of the HIPAA Security Rule following the theft of a physician’s unencrypted, but password-protected, laptop, providing additional evidence that: (1) OCR will likely view any breach notification as an opportunity to conduct a de facto audit of an entity’s general HIPAA compliance; and (2) encryption of all portable devices containing electronic protected health information ("ePHI"), though not technically "required," is a critical compliance consideration.

The information contained on the laptop, which was stolen while the physician was lecturing in South Korea in 2010, included prescriptions and clinical information for approximately 3,600 patients and research subjects. According to MEEI, although unencrypted, the laptop was password protected and contained a tracking device commonly referred to as "LoJack." Using LoJack, MEEI determined that a new operating system had been installed on the computer and that the software needed to access the ePHI had not been reinstalled. After concluding that retrieval of the laptop was unlikely, MEEI remotely and permanently disabled the hard drive and rendered any ePHI unreadable.

Although OCR’s subsequent investigation revealed no patient harm as a result of the breach, the agency did find that the breach indicated a long-term, organizational disregard for the requirements of the Security Rule. More specifically, over an extended period of time, MEEI failed to:

  • Conduct a thorough analysis of the risk to the confidentiality of ePHI maintained on portable devices;
  • Implement security measures sufficient to ensure the confidentiality of ePHI that MEEI created, maintained, and transmitted using portable devices;
  • Adopt and implement policies, and procedures to restrict access to ePHI to authorized users of portable devices; and
  • Adopt and implement policies and procedures to address security incident identification, reporting, and response.

Following on the heels of the Alaska Department of Health and Social Services’ $1.7 million settlement in June, which also followed a breach that affected a relatively small number of individuals, OCR’s recent enforcement actions suggest that its focus is on the lack of overall HIPAA compliance that may lead to a breach and not the breach itself. This settlement also reaffirms the practical necessity of encrypting all ePHI on portable devices. According to Leon Rodriguez, Director of OCR,  "[i]n an age when health information is stored and transported on portable devices such as laptops, tablets, and mobile phones, special attention must be paid to safeguarding the information held on these devices."

In addition to the $1.5 million settlement, the Resolution Agreement between MEEI and OCR included a corrective action plan, which requires MEEI to review, revise, and maintain policies and procedures to ensure compliance with the Security Rule, and retain an independent monitor who will conduct assessments of MEEI’s compliance with the corrective action plan and render semi-annual reports to HHS for a 3-year period. MEEI did not admit any liability in the agreement and OCR did not concede that MEEI was not liable for civil monetary penalties.

Additional information about OCR’s enforcement activities can be found at hhs.gov.

FTC Issues Guidance to Mobile App Developers

Reed Smith's AdLaw By Request blog features a post on the Federal Trade Commission's recently published "Marketing Your Mobile App: Get It Right from the Start," a set of guides addressing compliance with truth-in-advertising and privacy principles for mobile app developers. Reed Smith partner Doug Wood notes that disclosures and privacy protection for mobile apps are major issues and recommends that the guides be read carefully by anyone in the mobile app business. Developers and marketers operating in the health care and life sciences industry should take note.

Whistleblower Cannot Rely on Stolen Patient Records

This post was written by Andrew Bernasconi & Nathan Fennessy.

A recent decision by the United States District Court for the Southern District of Ohio may make it much harder for qui tam relators to rely upon stolen medical records or patient information in False Claims Act (“FCA”) whistleblower actions. See Cabotage v. Ohio Hospital for Psychiatry, No. 11-cv-50 (S.D. Ohio July 27, 2012). In Cabotage, the district court held that a registered nurse was not permitted to support her allegations of FCA violations by relying on confidential protected health information that she surreptitiously removed from the hospital where she was employed.

The nurse in Cabotage purportedly removed the confidential protected health information as part of an “investigation” of alleged fraudulent conduct by the Medical Director. She subsequently provided this information to an investigator from the Department of Health and Human Services, but the agency declined to pursue a claim. After the nurse was terminated for other reasons, she commenced an action against her former employer under the FCA whistleblower provisions and the Ohio Whistleblower’s Act. During the course of discovery, the hospital learned about the nurse’s removal of confidential protected health information. After repeated requests to return the information were declined, the hospital filed a Motion for Return of Confidential Health Information.

The district court denied the motion on the grounds that the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) did not vest the court with jurisdiction to provide the remedy sought by the hospital. The court concluded, however, that it possessed inherent authority to issue an order preventing the nurse from using the confidential information in the instant action because the information was confidential, potentially privileged, and had been obtained outside the discovery process governed by the court.

The court’s decision is qualified and stops short of creating a new rule applicable to whistleblower cases, but nonetheless provides a step in the right direction for defendants facing whistleblowers who have inappropriately used or taken confidential information from their employer.


Understanding of Global Data Privacy Regulations Helps Avoid Conflicts in Cross-Border Discovery Disputes

InsideCounsel recently published "E-discovery: The need for a transnational approach to cross-border discovery disputes," an article on international discovery issues and the benefit of a respectful approach to document productions outside of the U.S. Written by Reed Smith Records & E-Discovery Group members David R. Cohen, Regis W. Stafford, Jr. and Caitlin R. Gifford, the piece notes that the proposed EU data protection regulation, which would replace the current Data Protection Directive, has the potential to subject multinational companies to sanctions of up to two percent of annual worldwide revenue for serious breaches, including unlawful data transfers to the U.S. In addition, although not binding on U.S. courts, the ABA recently issued a resolution and recommendation that states in part that U.S. courts should “consider and respect the data protection and privacy laws of any foreign sovereign..." This article underscores the importance of a comprehensive global approach to document production in cross-border litigation.

To be invited to future Reed Smith trainings on cross-border e-Discovery issues, please click here.

Massachusetts Attorney General Strikes: South Shore Hospital Settles Data Breach Allegations for $750,000

This post was written by Brad M. Rostolsky and Nancy E. Bonifant.

On May 24, 2012, the Attorney General of Massachusetts announced that South Shore Hospital of South Weymouth, Massachusetts (South Shore) agreed to settle allegations that it failed to protect the personal and protected health information of more than 800,000 individuals. The settlement resulted from the hospital’s data breach report to the Attorney General in July 2010, which was also reported to the HHS Office for Civil Rights in accordance with the HIPAA Breach Notification Rule. Although the Attorney General reported a $750,000 settlement, South Shore was credited $275,000 for new security measures taken after the breach, bringing the actual amount to $475,000, of which $250,000 is a civil penalty and $225,000 shall be paid to an education fund to be used by the Attorney General’s Office to promote education concerning the protection of personal and protected health information. South Shore also agreed to undergo a review and audit of its security measures and report the results to the Attorney General.

In February 2010, South Shore contracted with Archive Data Solutions (Archive Data) to erase and re-sell 473 data tapes.  According to the Attorney General, South Shore did not inform Archive Data that the tapes contained personal and protected health information, including individuals’ names, Social Security numbers, financial account numbers, and medical diagnoses.  The tapes were then shipped to a Texas subcontractor, but in June 2010, South Shore learned that only one of the three boxes of tapes arrived.  The two missing boxes were never recovered and there have been no reports of unauthorized use of the information.

Following its investigation of South Shore’s breach report, the Attorney General filed a lawsuit under the Massachusetts Consumer Protection Act and HIPAA. Pursuant to HITECH, enacted as part of the American Recovery and Reinvestment Act of 2009, State Attorneys General have the authority to bring civil actions on behalf of state residents for violations of the HIPAA Privacy and Security Rules, including obtaining damages and enjoining further violations. In the lawsuit, the Attorney General alleged that South Shore failed to implement appropriate safeguards, policies, and procedures to protect the information, failed to have a Business Associate Agreement in place with Archive Data, and failed to properly train its workforce.

Small Cardiology Practice to Pay $100,000 to Settle Allegations of HIPAA Violations

This post was written by Nancy E. Bonifant and Brad M. Rostolsky.

On April 17, 2012, the HHS Office for Civil Rights (OCR) announced a settlement and corrective action plan with Phoenix Cardiac Surgery, P.C. (Phoenix), a small cardiology practice based in Phoenix and Prescott, Arizona. Phoenix has agreed to pay $100,000 to settle allegations of HIPAA violations arising out of an investigation conducted by OCR.

OCR’s investigation of Phoenix followed a report that Phoenix was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible. On further investigation, OCR discovered the following issues:

  • Phoenix failed to implement adequate policies and procedures to appropriately safeguard patient information;
  • Phoenix failed to document that it trained any employees on its policies and procedures on the Privacy and Security Rules;
  • Phoenix failed to identify a security official and conduct a risk analysis; and
  • Phoenix failed to obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to its electronic protected health information.

This settlement serves as additional evidence of OCR’s increased focus on enforcement actions for alleged HIPAA violations, following just one month after the first enforcement action resulting from a breach self-report under the Breach Notification Rule. According to Leon Rodriguez, Director of OCR, he “hope[s] that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.” Additionally, the settlement provides further evidence that OCR will likely view any investigation of an alleged Privacy or Security Rule infraction as an opportunity to conduct a de facto audit of the entity’s general compliance with HIPAA.

In addition to the $100,000 settlement, the Resolution Agreement between Phoenix and OCR requires Phoenix to develop and maintain written Privacy and Security policies, which will set forth, at a minimum, administrative safeguards, technical safeguards, and training of all Phoenix’s workforce members. In addition, Phoenix will provide specific training on the Privacy and Security policies within 60 days of OCR’s approval to all workforce members who use or disclose protected health information and will report any violations of those policies and procedures by a workforce member to OCR within 30 days. Phoenix did not admit any liability in the agreement and OCR did not concede that Phoenix was not liable for civil monetary penalties.

Additional information about OCR’s enforcement activities can be found at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html.


OCR Announces First Enforcement Action Resulting From a Breach Self-Report

This post was written by Nancy E. Bonifant and Brad M. Rostolsky.

On March 13, 2012, the HHS Office for Civil Rights (OCR) announced the first enforcement action resulting from a breach self-report required by HITECH’s Breach Notification Rule. Blue Cross Blue Shield of Tennessee (BCBST) has agreed to pay HHS $1,500,000 to settle potential violations of the HIPAA Privacy and Security Rules and has entered into a corrective action plan to address gaps in its HIPAA compliance program.

The HIPAA/HITECH Breach Notification Rule requires covered entities to report a breach (i.e., an impermissible use or disclosure of protected health information that compromises the security or privacy of the protected health information) to the affected individual(s), to HHS and, at times, to the media. OCR’s investigation of BCBST followed a breach report submitted by BCBST informing HHS that 57 unencrypted computer hard drives were stolen from a leased facility in Tennessee. The hard drives contained the protected health information of more than 1 million individuals, including member names, Social Security numbers, diagnosis codes, dates of birth, and health plan identification numbers.

According to OCR’s investigation, BCBST failed to implement appropriate administrative and physical safeguards as required by the HIPAA Security Rule. More specifically, BCBST failed to perform the required security evaluation in response to operational changes and did not have adequate facility access controls.

In addition to the $1,500,000 settlement, the Resolution Agreement between BCBST and OCR requires BCBST to revise its Privacy and Security policies, conduct robust training for all employees, and perform monitoring reviews to ensure compliance with the corrective action plan. BCBST did not admit any liability in the agreement and OCR did not concede that BCBST was not liable for civil monetary penalties.

Additional information about OCR’s enforcement activities can be found at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html.

OCR Launches Privacy and Security Audits

This post was written by Brad M. Rostolsky and Nancy E. Bonifant.

To implement the HITECH Act’s mandate for the Office for Civil Rights (OCR) to perform HIPAA audits, OCR has just announced that it is piloting a program to perform up to 150 audits of covered entities to assess privacy and security compliance. Audits conducted during the pilot phase are planned to begin with an initial 20 audits between November 2011 and April 2012. The remaining audits are scheduled to conclude by December 2012. All covered entities and business associates are eligible for audits; however, OCR has indicated that it is focusing on covered entities (ranging in type and size) in the initial phase. Business associates will be included in future audits.

During the pilot, every audit will include a document production and onsite visit, and will result in an audit report. OCR will notify a selected covered entity in writing and request documentation of the covered entity’s privacy and security compliance efforts. The covered entity must comply within 10 business days. OCR expects to notify selected covered entities between 30 and 90 days prior to the anticipated onsite visit. Onsite visits may take between three and 10 business days, and after fieldwork is completed, the auditor will provide the covered entity with a draft final report. Selected covered entities will then have 10 business days to review and provide written comments back to the auditor. The auditor will complete a final audit report within 30 business days after the covered entity’s response and submit it to OCR.

Should an audit report indicate a serious compliance issue, OCR may initiate a compliance review to address the problem. Significantly, OCR will not post a listing of audited entities or the findings of an individual audit that clearly identifies the audited entity.

A description of the pilot program is available at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/index.html


Transcending the Cloud: A Legal Guide to the Risks and Rewards of Cloud Computing - Health Care in the Cloud

This post was written by Vicky G. Gormanly and Joseph I. Rosenbaum.

The interest level in storing health records in digital format has grown rapidly with the lower cost and greater availability and reliability of interoperable storage mechanisms and devices. Health care providers like hospitals and health systems, physician practices, and health insurance companies are among those most likely to be considering a cloud-based solution for the storage of patient-related health information. While lower cost, ubiquitous 24/7 availability, and reliability are key drivers pushing health care providers and insurers to the cloud, a number of serious legal and regulatory issues should be considered before releasing sensitive patient data into the cloud. The issues are highlighted in the Health Care chapter of our Cloud Computing White Paper.

U.S. Supreme Court Strikes Down Vermont Ban on Data Mining; Rules that State Law Interferes with Drug Makers' Right to Free Speech

Today, in a 6-3 decision, the U.S. Supreme Court handed down its decision in Sorrell v. IMS Health, striking down, on free speech grounds, a 2007 Vermont law that bans the practice of data mining unless a physician specifically gives his or her permission to use the information. Reed Smith filed an amicus brief in Sorrell supporting IMS Health's position in order to help explain to the Court the public health benefits arising from targeted commercial use of prescription-writing data. Reed Smith's Global Regulatory Enforcement Law Blog discusses the ruling in "Supreme Court Win for Free Speech About Medical Options" by Paul Bond and Joe Metro.

HHS Issues Notice of Proposed Rulemaking Regarding the HIPAA Privacy Rules Standard for Accounting of Disclosures Requirements and Access Report

This post was written by Gina M. Cavalier and Brad M. Rostolsky.

Today the Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking implementing provisions of the HITECH Act related to accounting for disclosures of protected health information (PHI). Pursuant to the HITECH Act and its more general authority under HIPAA, HHS proposed to divide the Privacy Rule provisions related to an accounting into two separate individual rights: (1) an accounting and (2) an access report.

With respect to an accounting, HHS proposes that individuals have a right to an accounting of disclosures of PHI in a designated record set made by a covered entity or a business associate: (i) for impermissible purposes, (ii) for public health activities, (iii) for judicial and administrative proceedings, (iv) for law enforcement purposes, (v) to avert a serious threat to health or safety, (vi) for military and veterans activities, and (vii) for workers compensation. The proposed compliance date for this provision is 180 days after the effective date of the final rule.

With respect to the access report, HHS proposes to provide individuals with the right to receive a report detailing who has accessed their electronic PHI in a designated record set maintained by a covered entity or its business associates. HHS proposes that covered entities and business associates provide individuals with a right to an access report beginning January 1, 2013, for electronic designated record set systems acquired after January 1, 2009, and beginning January 1, 2014 for electronic designated record set systems acquired as of January 1, 2009.

The proposed rule is posted here.

Comments are due in 60 days - August 1, 2011.

HHS Issues Notice of Proposed Rulemaking Regarding the HIPAA Privacy Rules Standard for Accounting of Disclosures Requirements

This post was written by Gina M. Cavalier, Vicky G. Gormanly and Brad M. Rostolsky.

Pursuant to the HITECH Act, covered entities and business associates must account for disclosures of PHI for treatment, payment and health care operations if the disclosures are through an electronic health record. This represents a significant change to the requirements under the current HIPAA Privacy Rule. The Department of Health and Human Services (HHS) will shortly publish a notice of proposed rulemaking to modify the Privacy Rule’s standard for accounting of disclosures of protected health information. An advance copy of the proposed rule is available here.

HHS proposes to expand the accounting requirements of the Privacy Rule to provide individuals with the right to receive an access report detailing who has accessed their electronic PHI in a designated record set. Accordingly, HHS proposes to revise an individual’s right to an accounting under the Privacy Rule by separately setting forth an individual’s right to (a) an accounting of disclosures and (b) an access report. HHS has also proposed other changes designed to improve the workability and effectiveness of the existing accounting of disclosures requirements.


Comments are due 60 days after the proposed rule is published in the Federal Register.


More to come...

HHS Announces First Ever Civil Money Penalty for Violations of HIPAA Privacy Rule

This post was written by Gina M. Cavalier.

Earlier today the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced the imposition of the first ever civil money penalty for violations of the HIPAA Privacy Rule. The penalty, $4.3 million, was assessed against Cignet Health of Prince George's County, Maryland. The underlying HIPAA violations include (1) failing to provide patients with access to their medical records, and (2) failing to cooperate with OCR's investigation into the failure to provide access. The HHS press release is available here.

To discuss this or any other HIPAA or data privacy/security issue, please contact Mark S. Melodia or Gina M. Cavalier.

Final HITECH Privacy and Security Rule Expected Soon

According to a senior health information technology and privacy specialist at the HHS Office for Civil Rights (OCR), regulations finalizing the July 14, 2010, proposed rule implementing many of the HITECH Act's privacy, security, and enforcement requirements could be published by the end of 2010 or in early 2011. Additionally, OCR is developing the "periodic audit" plan required by the HITECH Act, which will be targeted to ensure that covered entities and business associates comply with the requirements of the Privacy and Security Rules.

We'll keep you posted as things progress . . .

Authentication Practices and Secure Communications in the Life Sciences and Health Care Industry

Information security is paramount in the life sciences and health care industry because it is subject to affirmative regulatory requirements regarding the physical and technical safeguards used to secure electronic information. It is therefore troubling that the Internet protocols that are universally used to transmit encrypted information employ an authentication process (to verify the endpoints of a communication) that is deeply flawed. The authentication process requires the parties to the communication to trust literally hundreds of unknown third parties referred to as "certificate authorities." The closer one looks at the identity of these third parties and the processes used to carry out the authentication process, the worse it gets. It is time for GCs to get involved because Encryption is Not Enough...

New HITECH/HIPAA Proposed Rule Released Today

HHS has just released its proposed rule modifying the HIPAA Privacy, Security, and Enforcement Rules to implement the privacy, security, and certain enforcement provisions of subtitle D of the Health Information Technology for Economic and Clinical Health Act (Title XIII of the American Recovery and Reinvestment Act of 2009).  The advance version of the rule can be accessed here; the official version will be published July 14.  A press release should be available later this morning.

Pursuant to the announcement of the proposed rulemaking on the HHS Privacy website, the proposed modifications to the HIPAA Rules include provisions extending the applicability of certain of the Privacy and Security Rules’ requirements to the business associates of covered entities, establishing new limitations on the use and disclosure of protected health information for marketing and fundraising purposes, prohibiting the sale of protected health information, and expanding individuals’ rights to access their information and to obtain restrictions on certain disclosures of protected health information to health plans. In addition, the proposed rule adopts provisions designed to strengthen and expand HIPAA’s enforcement provisions.

Importantly, HHS has stated that the new HIPAA regulations will not be enforced until 180 days after the final rule has become effective. Comments will be due on or about September 13, 2010.

More to come . . . 

Mexico's Senate Passes Federal Law for Protection of Personal Data

This post was written by Mark S. Melodia, Cynthia O'Donoghue and Anthony S. Traymore.

On April 27, 2010, the Mexican Senate passed Ley Federal de Protección de Datos Personales en Posesión de los Particulares (the Federal Law for Protection of Personal Data (FLPPA)).  President Felipe Calderon is expected to sign the FLPPA into law soon, and thereafter, the FLPPA will be published and its regulatory provisions enacted. The objective of the FLPPA is to provide regulatory mechanisms for the newly established replacement agency, Instituto Federal de Acceso a la Información y Protección de Datos (the Federal Institute of Information Access and Data Protection (FIIADP), to enforce the FLPPA in relation to any individual or entity engaging in the collection, storage and/or transfer of personal data, including life sciences and health care clients.

To read the full alert, click here.

HITECH Privacy and Security Regulations Currently Being Drafted

The Health Information Privacy page of the U.S. Department of Health and Human Services (HHS) website has formally announced that regulations implementing the privacy and security provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act will soon be published (along with a comment period) relating to (1) business associate liability; (2) new limitations on the sale of protected health information, marketing and fundraising communications; and (3) stronger individual rights to access electronic medical records and restrict the disclosure of certain information.  Although this posting is certainly welcome news, from a timing perspective the announcement only indicates that "OCR continues work on a Notice of Proposed Rulemaking (NPRM) regarding these provisions." 

Providing further evidence that the HITECH Act provisions relative to covered entities and business associates will not be enforced until after these forthcoming regulations have been finalized, HHS stated that "[a]lthough the effective date (February 17, 2010) for many of these HITECH Act provisions has passed, the NPRM and the final rule that follows will provide specific information regarding the expected date of compliance and enforcement of these new requirements."  The HITECH Act, however, is currently effective, and questions about the effective date for enforcement of the Act's privacy and security requirements may remain until published regulations specifically postpone enforcement.  Additionally, HHS reminds us that the Breach Notification Rule and the revised Enforcement Rule are currently in effect, and that covered entities and business associates must comply now with breach notification obligations for breaches that are discovered on or after September 23, 2009.

HHS Rule Implements HITECH Act Changes to HIPAA Enforcement

On Friday, October 30, 2009, the U.S. Department of Health and Human Services ("HHS") published an interim final rule and request for comments that implements certain HIPAA enforcement changes made pursuant to the HITECH Act. Consistent with the provisions of the HITECH Act, the new rule amends the HIPAA enforcement regulations applicable to violations of each of HIPAA's Administrative Simplification Rules (i.e., Privacy Rule, Security Rule, Transactions and Code Sets Rules, Standard Unique Identifier for Employers (EIN Rule), and Standard Unique Identifier for Health Care Providers (NPI Rule)) by applying the below categories of violations and tiered penalty scheme to HIPAA violations that occur on or after February 18, 2009.

  • Unknown violations (i.e., if a person did not know and by exercising reasonable due diligence would not have known that a violation occurred): The penalty shall be at least $100 for each violation not to exceed $25,000 for all such identical violations during a calendar year, but may be no more than $50,000 for each violation not to exceed $1.5 million for all such violations of an identical requirement or prohibition during a calendar year.
  • Violations due to reasonable cause and not to willful neglect: The penalty shall be at least $1,000 for each violation not to exceed $100,000 for all such identical violations during a calendar year, but may be no more than $50,000 for each violation not to exceed $1.5 million for all such violations of an identical requirement or prohibition during a calendar year.
  • Violations due to willful neglect (and the violations have been corrected): The penalty shall be at least $10,000 for each violation not to exceed $250,000 for all such identical violations during a calendar year, but may be no more than $50,000 for each violation not to exceed $1.5 million for all such violations of an identical requirement or prohibition during a calendar year.
  • Violations due to willful neglect (and the violations have not been corrected): The penalty shall be at least $50,000 for each violation not to exceed $1.5 million for all such violations of an identical requirement or prohibition during a calendar year.

Furthermore, the interim final rule amends a covered entity's ability to raise an affirmative defense against an action seeking civil monetary penalties where (i) the covered entity did not have knowledge or constructive knowledge of the violation, and (ii) the violation was not due to reasonable cause and not willful neglect. HHS is also given the authority to waive a civil monetary penalty for violations due to reasonable cause and not willful neglect if the covered entity corrects the violation within 30 days of having knowledge that the violation occurred.

Comments on this interim final rule will be considered if received by December 29, 2009.

New HHS Regulations Impose Federal Security Breach Notification Requirements

The recently enacted Health Information Technology for Economic and Clinical Health (“HITECH”) Act, which amends various aspects of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), including the associated Privacy and Security Rules, marks a significant change in how covered entities and their business associates must respond to security breaches under HIPAA.

On August 24, 2009, the U.S. Department of Health and Human Services (“HHS”) issued its interim final rule (“the Rule”) regarding a covered entity’s obligation to notify individuals when their unsecured protected health information (“PHI”) is breached. Furthermore, and depending on the nature of the security breach, the Rule also requires a more global notification whereby covered entities must post information regarding certain breaches in newspapers and on the HHS website.

The HHS Rule is effective on September 23, 2009; however, HHS will not impose sanctions for failure to provide the required notices for breaches discovered before February 22, 2010.

For additional details, read the full alert.

FTC Issues Final Rule on Notifying Consumers About Breaches of Electronic Health Records

This post was written by Mark S. Melodia, Michael K. Brown, J. Ferd Convery, III, Steven J. Boranian, Brad M. Rostolsky, Shana R. Fried and Paul Bond.

Until now, the loss or theft of protected health information rarely resulted in notice to consumers. Very few state data security breach notification laws encompass medical information. The Health Insurance Portability and Accountability Act ("HIPAA") merely required an "accounting" of such events to a patient upon the patient's request.

All that has changed. Congress, in enacting the Health Information Technology for Economic and Clinical Health Act ("HITECH"), imposed breach notification obligations on many of the individuals and business entities that receive, create, or maintain patients' individually identifiable health information. Pursuant to HITECH, on Aug. 17, the Federal Trade Commission ("FTC") issued its Health Breach Notification Rule, governing the breach notification obligations of three new categories of entity: "vendors of personal health records," "PHR related entities" and "third party service providers."

To read the full alert, click here.