EU Article 29 Data Protection Working Party Releases Guidelines Stemming from Google Spain Case

Reed Smith’s Global Regulatory Enforcement Law Blog features a post on a recent set of guidelines issued by the European Union’s Article 29 Data Protection Working Party outlining how EU Data Protection Authorities (DPAs) intend to implement the judgment of the Court of Justice of the European Union in Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González (C-131/12) (Google Spain), which set a milestone for EU data protection by granting individuals the right to request that search engines delist search results relating to them. The guidelines provide a common interpretation of the ruling as well as the common criteria to be used by the DPAs when addressing complaints. For additional details, read “EU Art. 29 Releases Guidelines on the Right to be Forgotten,” by Reed Smith Partner Cynthia O’Donoghue.

OCR Settlement Reflects Continued Emphasis on HIPAA Security Rule Safeguards

This post was written by Brad Rostolsky and Jeremy Alexander.

On December 8, 2014, the HHS Office for Civil Rights (OCR) announced that it has agreed to settle potential HIPAA Security Rule violations with Anchorage Community Mental Health Services (ACMHS), a five-facility, nonprofit organization providing behavioral health care services to children, adults, and families in Anchorage, Alaska. ACMHS has agreed to pay $150,000 to settle potential violations of HIPAA following an OCR investigation triggered by a self-reported breach that affected 2,743 individuals.


Effective Cyberliability Insurance Coverage

According to a recent study, the median amount of time between a breach of a company’s cybernetwork and the discovery of that breach is 229 days. Given this lengthy amount of time, companies should consider the benefits of an expanded cyberliability insurance policy period, particularly if the company is switching from one insurance provider to another. As discussed in “Hackers Don’t Care About the Terms of Your Insurance Policy: The Importance of Retroactive Dates and Extended Reporting Periods in Effective Cyberliability Insurance Coverage,” a client alert written by Reed Smith partners Brian Himmel, Andrew Moss, David Weiss and Cristina Shea, two such options for expanding the policy period are retroactive dates (shifting the effective date of coverage back, to capture events that occurred or were occurring but were not yet discovered when the policy was purchased) and extended reporting periods (which provide additional time to report events that are not discovered until after the end of the policy period).

To read the client alert, click here.

OCR Releases Ebola Bulletin

This post was written by Jennifer Pike.

The recent Ebola outbreak has prompted the US Department of Health and Human Services, Office for Civil Rights (“OCR”), the agency responsible for enforcing the Health Insurance Portability and Accountability Act (“HIPAA”), to release a new bulletin for covered entities and business associates regarding their privacy obligations in emergency situations. The bulletin, entitled “HIPAA Privacy In Emergency Situations,” provides an overview of the limited ways in which covered entities and business associates may use and disclose protected health information in emergencies, such as the Ebola outbreak. The bulletin is available at http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/emergency/hipaa-privacy-emergency-situations.pdf.

Insights About Future Use of Protected Health Information Under HIPAA

How will Protected Health Information (PHI) be used in the future? Reed Smith partner Brad Rostolsky strives to answer this question in “HIPAA Enforcement: The Next Step,” an interview and accompanying article that appeared on HealthcareInfoSecurity on October 14th. The article discusses a number of trends predicted for the near future stemming from the HIPAA Omnibus Rule introduced last year, such as an increase in the number of investigations by the Department of Health and Human Services’ Office for Civil Rights regarding the illegal use, disclosure, and sale of PHI without patient authorization, particularly when used for marketing and fundraising purposes. The article also provides recommendations for companies preparing for HIPAA compliance audits, privacy concerns related to the use of consumer health information on social media, and potential HIPAA privacy issues involving wearable consumer health devices.

To listen to the interview and read the article, click here.

New California Amendment Aims to Increase Breach Responsibility and Accountability

Reed Smith’s Global Regulatory Enforcement Law Blog features a post on a California bill recently signed into law which expands the scope of requirements for entities that own, license, and maintain personal data or information about a California resident. “Did California Just Impose a First-in-the-Nation Requirement for Breaching Companies To Offer Identity Theft Prevention and Mitigation Services?” written by Reed Smith attorneys Paul Bond, Lisa Kim, and Leslie Chen, focuses on the three sections of the California Civil Code affected by the amendment:

  1. An entity that “maintains” an individual’s data or information – such as a retailer – is required to employ appropriate anti-breach protection. Previously this was only required of companies who “owned” or “licensed” personal information;
  2. An entity identified as the source of a breach of social security numbers or driver’s license numbers must offer affected individuals appropriate anti-breach protection and mitigation services for a period of at least one year; and
  3. An entity is disallowed – except in particular circumstances – from selling, advertising, or offering for sale an individual’s social security number.

The amendments will go into effect on January 1, 2015, after which point entities that do not follow these regulations will be at risk for legal action brought by affected individuals.

To read the full post, click here.

U.S. Senator Schumer Calls for Increased Regulation of Wearable Electronic Devices to Avoid Data Privacy Issues

Reed Smith’s Global Regulatory Enforcement Law Blog features a post on the recent phenomenon of wearable electronic devices and the legal issues that may arise from these gadgets. "Wearable Device Privacy - A Legislative Priority?," written by Reed Smith attorneys Frederick Lah and Khurram Gore, discusses a recent press release issued by U.S. Senator Chuck Schumer of New York expressing concern that personal health data collected by wearable devices and fitness apps, including medical conditions, sleep patterns, calories burned, GPS locations, blood pressure, weight, and more, will be provided to third parties without the user knowing it. Schumer, citing this as a threat to personal privacy, has urged the Federal Trade Commission to mandate that device and app companies provide users with an explicit “opt-out,” allowing them to block the distribution of this information to any third parties.

As the authors note, with the rising popularity of these types of devices, we expect regulators, legislators, and companies to start paying closer attention to the data security and privacy risks associated with their use.

Recent Data Breaches Serve as Warning for Companies to Assess Their Cybersecurity Insurance Coverage

Earlier this week, numerous media outlets reported on the Russian crime ring which had managed to steal more pieces of Internet data than any other group of hackers in history – a whopping collection of at least 1.2 billion user name and password combinations and over 500 million email addresses. The magnitude of data that this group has managed to accumulate, coupled with several other recent high-profile hacking incidents, is a wake-up call for businesses that cybersecurity has become a major contemporary concern. Data breaches are increasing in frequency, severity, and cost, and the potential consequences for an affected company can be devastating.

This trend and its insurance implications are discussed in a client alert by Reed Smith partners Doug Cameron, David Weiss, Andy Moss, and Cristina Shea, who point out that companies must start being proactive with their cybersecurity efforts. Businesses should take the time to assess their current cybersecurity insurance coverage as well as their coverage needs. Cyber-related insurance is an evolving area, so extensive research and consulting with counsel may be necessary before a company can select an insurance policy that maximizes its coverage.

California AG's Guidance on California Online Privacy Protection Act

The California Attorney General, Kamala D. Harris, has issued a long-awaited guide on how companies can comply with the California Online Privacy Protection Act (CalOPPA). CalOPPA applies to all companies which collect personally identifiable information from California residents online, regardless of whether that information is collected via a commercial website or a mobile application. This far-reaching statute requires virtually every company with an online presence in California, including drug and device companies, to have a company-drafted privacy policy that conforms with its guidelines.

The Attorney General’s guide, entitled “Making Your Privacy Practices Public,” can be found here. It provides specific recommendations on how businesses are to comply with CalOPPA’s requirements to disclose and comply with a company-drafted privacy policy. CalOPPA was recently amended to include information on how the website operator responds to Do Not Track signals or similar mechanisms. The law also requires company privacy policies to state whether third parties can collect personally identifiable information about the site’s users.

Reed Smith attorneys Lisa Kim, Paul Cho, and Divonne Smoyer have written a client alert summarizing the recommendations made by the Attorney General in this guide. To read the alert, click here.

Recent OCR Enforcement Activities Cause Serious Case of Déjà Vu: Theft of Unencrypted Laptops Leads to Two Separate HIPAA Settlements

This post was written by Brad Rostolsky, Nan Bonifant and Jillian Riley.

We have heard this story before: unencrypted laptop containing electronic protected health information (ePHI) is stolen. The covered entity’s subsequent breach self-report triggers not only an incident investigation by the Department of Health and Human Services, Office for Civil Rights (OCR), but a de facto HIPAA compliance audit as well. While the covered entities involved change, the consequences and enforcement message remain the same.

Now, two more covered entities have settled potential violations of the HIPAA Privacy and Security Rules arising from the theft of unencrypted laptops by paying a total of $1,975,220, and agreeing to continued oversight by OCR through Corrective Action Plans (CAPs). In both instances, the breaches were self-reported and the settlements resulted from OCR’s subsequent investigations.

On December 28, 2011, Concentra Health Services (Concentra), a national health care provider and subsidiary of Humana Inc., reported to OCR that an unencrypted laptop was stolen from one of its facilities. OCR’s subsequent investigation revealed that while Concentra previously recognized that a lack of encryption on laptops, desktops, medical equipment, and tablets presented a critical risk to ePHI, Concentra failed to fully implement necessary steps to address those vulnerabilities. OCR’s investigation further found that Concentra had insufficient security management processes in place to ensure proper safeguarding of patient information. Concentra paid OCR $1,725,220 to resolve these alleged HIPAA violations and will adopt a CAP to evidence their remediation efforts.

The second settlement, which resulted in a $250,000 payment to OCR, stemmed from the theft of an unencrypted laptop from an employee’s car on October 8, 2011. The laptop, belonging to a workforce member of QCA Health Plan, Inc. of Arkansas (QCA), contained the ePHI of 148 individuals. While QCA instituted company-wide device encryption following discovery of the breach, OCR’s subsequent investigation revealed that QCA had failed to comply with multiple requirements of the HIPAA Security Rule, beginning from the Rule’s compliance date in April 2005. In addition to the monetary settlement amount, QCA agreed to provide HHS with an updated risk analysis and corresponding risk management plan that includes specific security measures to reduce the risks to its ePHI. QCA also agreed to retrain its workforce and document its ongoing compliance efforts.

Unfortunately, as the proliferation of portable devices in the health care industry increases, the question for most covered entities is not if a laptop or mobile device will be stolen, but when. Encryption not only provides a safe harbor under the Breach Notification Rule, but it has also become a practical necessity to HIPAA compliance. Failure to address encryption of portable devices in Security Rule risk analyses and, in most cases, failure to implement some form of encryption, will continue to expose covered entities (as well as business associates) to significant compliance risk.

Additional information about OCR’s enforcement activities can be found at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html.

County Governments Not Immune From HIPAA Enforcement: OCR Announces $215,000 Settlement with Skagit County, Washington

This post was written by Brad Rostolsky, Nan Bonifant, and Jen Pike.

On March 7, 2014, the HHS Office for Civil Rights (“OCR”) announced its first settlement and corrective action plan with a county government. Skagit County in northwest Washington State has agreed to pay $215,000 to settle potential violations of the HIPAA Privacy, Security and Breach Notification Rules.

According to Susan McAndrew, deputy director of health information privacy at OCR, “this case marks the first settlement with a county government and sends a strong message about the importance of HIPAA compliance to local and county governments, regardless of size.” Generally, local and county governments are subject to HIPAA because certain departments within the government are involved in the provision of or payment for health care services. The Skagit County Public Health Department provides essential services to many individuals who would otherwise not be able to afford health care. Importantly, a single legal entity whose business activities include both HIPAA covered and non-covered services (like a county government) may designate itself as a “hybrid entity” by identifying its “health care components.” This designation, however, must be formally documented in the entity’s policies and procedures. Most of the requirements of the Privacy, Security and Breach Notification Rules apply only to the hybrid entity’s health care components.

OCR began investigating Skagit County following a breach self-report notifying OCR that the electronic protected health information (“ePHI”) of seven individuals receiving services from the Skagit County Public Health Department was posted on a publicly available server maintained by the county and accessed by unknown parties. The investigation revealed that the ePHI of not just seven – but 1,581 – individuals was made available on the public server. The ePHI, which could be accessed through a simple Google search, included highly sensitive information, such as the testing and treatment of infectious diseases. OCR’s investigation further revealed Skagit County’s general and widespread non-compliance with the HIPAA Privacy, Security and Breach Notification Rules, including a failure to implement sufficient policies and procedures.

In addition to the $215,000 settlement, the Resolution Agreement between Skagit County and OCR included a corrective action plan (“CAP”) that requires Skagit County to, among other things, (1) provide substitute breach notification to affected individuals not previously notified; (2) create and revise written policies and procedures to comply with HIPAA; and (3) submit for OCR’s review and approval hybrid entity documents designating the county’s covered health care components. The CAP also requires Skagit County to provide regular status updates to OCR, which will work closely with the county to correct deficiencies.

While OCR marks this settlement as the first with a county government, it is not the first for a public entity. In June 2012, the Alaska Department of Health and Social Services agreed to pay $1.7 million to settle possible violations of the Security Rule. Notably, both of these enforcement actions, and most actions since 2012, have resulted from a breach self-report used by OCR as an opportunity to conduct a de facto audit of the entity’s general HIPAA compliance. Whether this enforcement trend will continue will likely depend upon the scope (and perhaps more importantly, the funding) of OCR’s second round of statutorily required audits of covered entities and business associates. Regardless, given the environment of increased OCR enforcement, regulated entities should ensure, at a minimum, that they have implemented the basic elements of HIPAA compliance—performance of a Security Rule risk analysis, implementation of sufficient policies and procedures (including documentation of any hybrid entity designation), and adequate training of workforce members.

Additional information about OCR’s enforcement activities can be found at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html.

Final Rule Gives Patients a New Right under HIPAA to Access Completed Test Reports Directly from Labs

This post was written by Nan Bonifant, Brad Rostolsky, and John Wyand.

On February 6, 2014, the U.S. Department of Health & Human Services’ (HHS) Centers for Medicare & Medicaid Services (CMS), Centers for Disease Control and Prevention (CDC), and Office for Civil Rights jointly published a final rule amending the HIPAA Privacy Rule and the Clinical Laboratory Improvement Amendments of 1988 (CLIA) regulations to provide patients with direct access to laboratory test reports. HHS believes that a right to access these test reports under HIPAA is crucial to provide patients with vital information to empower them to better manage their health and take action to prevent and control disease. The amendments to both regulations become effective April 7, 2014, and HIPAA-covered laboratories must comply with the new right by October 6, 2014.

Under the currently enforced Privacy Rule, a patient’s right to access his or her protected health information (PHI) is limited with respect to PHI maintained by a CLIA laboratory or a CLIA-exempt laboratory. This limitation was included in the Privacy Rule because the existing CLIA regulations may prohibit such laboratories from disclosing this information. Currently, a CLIA laboratory may only disclose laboratory test results to three categories of individuals or entities: (1) the “authorized person,” (2) the health care provider who will use the test results for treatment purposes, and (3) the laboratory that initially requested the test. An “authorized person” is the individual authorized under state law to order or receive test results. If a state does not authorize patients to receive their test results, the patients must receive this information from their health care providers.

The final rule modifies the CLIA regulations to allow laboratories subject to CLIA, upon the request of a patient (or the patient’s personal representative), to provide access to completed test reports that – using the laboratory’s authentication process – can be identified as belonging to that patient. With respect to the Privacy Rule, the final rule removes the exceptions to a patient’s right of access related to CLIA and CLIA-exempt laboratories. Therefore, as of October 6, 2014, HIPAA-covered laboratories will be required to provide a patient or his or her personal representative with access, upon request, to the patient’s completed test reports, as well as to other PHI maintained in a designated record set. For purposes of the final rule, test reports are not part of a designated record set until they are “complete.” A test report is considered complete when all results associated with an ordered test are finalized and ready for release. These changes to the Privacy Rule preempt any contrary state laws that prohibit a HIPAA-covered laboratory from providing patients direct access to their completed test results.

In order to comply with the amended Privacy Rule, HIPAA-covered laboratories should develop and implement a policy and procedure to receive and respond to patient requests. Processing a request for a test report, either manually or electronically, will require completion of the following steps: (1) receipt of the request from the individual; (2) authentication of the identification of the individual; (3) retrieval of test reports; (4) verification of how and where the individual wants the test report to be delivered and provision of the report by mail, fax, email or other electronic means; and (5) documentation of test report issuance. Additionally, HIPAA-covered laboratories must revise their notice of privacy practices to inform patients of their right to access completed test reports, including a brief description of how to exercise the right, and removing any statements to the contrary.

This amendment to the regulations is consistent with OCR’s focus on improving patients’ rights under the Privacy Rule, and represents another important aspect of policy change and documentation efforts for HIPAA-covered entity providers.

ONC Tiger Team Takes a Bite Out of the Proposed Access Report Rule

This post was written by Jennifer Pike and Brad Rostolsky.

The Privacy and Security Tiger Team (“Tiger Team”), a subcommittee of the Office of the National Coordinator for Health IT’s HIT Policy Committee, has recommended that the Office for Civil Rights of the U.S. Department of Health and Human Services (“OCR”) abandon its May 2011 proposed rule to require covered entities to provide patients with a list of workforce members who have accessed protected health information (“PHI”) contained in an electronic designated record set (“access reports”). The proposed rule was meant by OCR to implement a provision of the 2009 HITECH Act requiring HHS to expand the existing accounting of disclosures requirement to include disclosures of PHI for treatment, payment and health care operations through an electronic health record.

After months of study and a day-long hearing in September 2013, the Tiger Team concluded that the proposal, which was widely unpopular from its inception, is overbroad and lacks value. In a meeting held December 4, 2013, the Tiger Team stated that it “does not believe the proposed access report meets the requirements of HITECH to take into account the interests of the patient and administration burden on covered entities.”

The Tiger Team proposed an alternative for implementing the HITECH Act’s accounting of disclosure mandate, urging OCR “to pursue a more focused approach that prioritizes quality over quantity, where the scope of disclosures and related details to be reported to patients provide information that is useful to patients, without overwhelming them or placing undue burden on [covered entities].” The Team further recommended that OCR take a “step-wise” approach to implementing the HITECH Act, and focus on data disclosed outside of a covered entity or organized health care arrangement.

In the December 4 meeting, the Tiger Team also recommended that OCR add two new “addressable” standards to the HIPAA Security Rule related to audit controls:

  1. Audit controls must record PHI-access activities to the granularity of (i) the individual user (e.g., human) accessing PHI and (ii) the individual whose PHI is accessed.
  2. Information recorded by the audit controls must be sufficient to support the information system activity review required by section 164.308(a)(1)(ii)(D) and the investigation of potential inappropriate accesses of PHI.
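An added illustration (not code from the Tiger Team or from the original post) of what an audit record at the recommended granularity looks like and how it supports an information system activity review: each event names both the individual user and the individual whose PHI was accessed, and a review pass flags accesses with no documented care relationship. The log format, field names, and the care-relationship mapping are assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class PhiAccessEvent:
    """One audit record at the granularity the Tiger Team recommends."""
    timestamp: datetime
    user_id: str       # (i) the individual human user, not a shared or service account
    patient_id: str    # (ii) the individual whose PHI was accessed
    action: str        # constructed vocabulary: view, print, export
    record_type: str   # constructed vocabulary: progress_note, lab_result
    system: str        # application that wrote the record


# Constructed sample audit lines (pipe-delimited; format is an assumption for this example).
SAMPLE_LOG = """\
2013-12-04T09:15:00+00:00|nurse_j.doe|PT-1001|view|progress_note|EHR
2013-12-04T09:20:00+00:00|nurse_j.doe|PT-1002|view|lab_result|EHR
2013-12-04T10:05:00+00:00|clerk_a.lee|PT-1001|print|lab_result|EHR
2013-12-04T11:40:00+00:00|nurse_j.doe|PT-2042|view|progress_note|EHR
"""

# Constructed mapping of user -> patients with whom a treatment/operations
# relationship is documented; in practice this comes from scheduling or
# assignment systems and is itself an assumption of this example.
CARE_RELATIONSHIPS: Dict[str, Set[str]] = {
    "nurse_j.doe": {"PT-1001", "PT-1002"},
    "clerk_a.lee": {"PT-1001"},
}


def parse_event(line: str) -> PhiAccessEvent:
    """Parse one audit line; every field is mandatory so that a record
    missing either the user or the patient is rejected rather than logged."""
    parts = line.strip().split("|")
    if len(parts) != 6 or not all(parts):
        raise ValueError(f"audit record is not at the required granularity: {line!r}")
    ts, user_id, patient_id, action, record_type, system = parts
    return PhiAccessEvent(datetime.fromisoformat(ts), user_id, patient_id,
                          action, record_type, system)


def load_events(text: str) -> List[PhiAccessEvent]:
    """Parse a whole log, skipping blank lines."""
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def review_accesses(events: Iterable[PhiAccessEvent],
                    care_relationships: Dict[str, Set[str]]) -> List[PhiAccessEvent]:
    """Information system activity review: return accesses where the user has
    no documented relationship with the patient, for follow-up investigation."""
    return [e for e in events
            if e.patient_id not in care_relationships.get(e.user_id, set())]


def accesses_to_patient(events: Iterable[PhiAccessEvent],
                        patient_id: str) -> List[PhiAccessEvent]:
    """Investigation support: every recorded access to one individual's PHI,
    in time order, which is exactly what an access-report style question needs."""
    return sorted((e for e in events if e.patient_id == patient_id),
                  key=lambda e: e.timestamp)


if __name__ == "__main__":
    events = load_events(SAMPLE_LOG)
    for e in review_accesses(events, CARE_RELATIONSHIPS):
        print(f"REVIEW {e.timestamp.isoformat()} {e.user_id} -> {e.patient_id} ({e.action})")
    for e in accesses_to_patient(events, "PT-1001"):
        print(f"PT-1001 accessed by {e.user_id} at {e.timestamp.isoformat()}")
```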

How HHS will respond to the Tiger Team’s recommendations, and when a final rule will be released, remains to be seen.

HHS Seeks to Reduce Gun Violence Via Modifications to the HIPAA Privacy Rule

This post was written by Nancy E. Bonifant and Jennifer L. Pike.

After receiving more than 2,000 comments to its April 2013 Advance Notice of Proposed Rulemaking, the Department of Health & Human Services (“HHS”) has proposed to amend the HIPAA Privacy Rule to expressly permit certain covered entities to report to the National Instant Criminal Background Check System (“NICS”) the identities of individuals who are prohibited by federal law, for mental health reasons, from possessing firearms (commonly referred to as the “mental health prohibitor”).

The NICS is the system used to determine whether a potential firearms recipient is statutorily prohibited from possessing or receiving a firearm. The mental health prohibitor applies to individuals who have been (1) involuntarily committed to a mental institution; (2) found incompetent to stand trial or not guilty by reason of insanity; or (3) otherwise determined, through a formal adjudication process, to have a severe mental condition that results in the individual presenting a danger to themselves or others, or being incapable of managing their own affairs.

While most records related to involuntary commitments and mental health adjudications originate in entities affiliated with the criminal justice system (which are generally not subject to HIPAA), state entities outside the criminal justice system may also be involved. If these state entities are HIPAA-covered entities, or if a HIPAA-covered entity is the state repository for such records, then these records are subject to HIPAA.

Under the existing HIPAA Privacy Rule, there are circumstances where records subject to HIPAA may be reported to the NICS. For example, the Privacy Rule permits any covered entity to disclose information to the NICS to the extent such reporting is required by state law. In the absence of a state law requirement, however, reporting to the NICS is only permissible to the extent a covered entity designates itself as a hybrid-covered entity, and the relevant information is maintained and reported through the non-HIPAA regulated portion of that entity. As a result, OCR has cited concerns that the existing HIPAA Privacy Rule may be preventing some state entities (which likely perform both HIPAA-covered and non-covered functions) from reporting to the NICS the identities of individuals subject to the mental health prohibitor. Therefore, HHS has proposed to add to the Privacy Rule new provisions at 45 CFR § 164.512(k)(7), which would permit certain covered entities to disclose the minimum necessary demographic and other information for NICS reporting purposes.

Notably, this new permission would apply only to covered entities that function as repositories of information relevant to the federal mental health prohibitor on behalf of a state, or that are responsible for ordering the involuntary commitments or other adjudications that make an individual subject to the federal mental health prohibitor. Further, the new permission would strictly limit the information used or disclosed for NICS reporting purposes to the minimum necessary—HHS considers the minimum necessary information to include: (1) an individual’s name; (2) an individual’s date of birth; (3) an individual’s sex; (4) a code or notation indicating that the individual is subject to the federal mental health prohibitor; (5) a code or notation representing the reporting entity; and (6) a code identifying the agency record supporting the prohibition. The new permission would not permit the use or disclosure of clinical or diagnostic information.

HHS is seeking comments related to the proposed rule. Comments may be submitted in writing, or electronically at www.regulations.gov, on or before March 10, 2014.

OCR OUT OF COMPLIANCE? OIG Report Concludes OCR Slow To Enforce HIPAA Security Rule and To Comply with Federal Cybersecurity Requirements

This post was written by Nancy E. Bonifant and Brad M. Rostolsky.

According to a report published by the Office of the Inspector General (OIG) on November 21, 2013, the Department of Health & Human Services (HHS) Office for Civil Rights (OCR) is not adequately overseeing and enforcing the HIPAA Security Rule.

The OIG’s report, which followed an assessment of OCR’s Security Rule oversight and enforcement activities from July 2009 through May 2011, concluded that:

  • OCR failed to provide for periodic audits, as mandated by HITECH, to ensure that covered entities were in compliance with the Security Rule, and instead continued to follow the complaint-driven approach to assess the status of Security Rule compliance; and
  • OCR failed to consistently follow its investigation procedures and maintain documentation needed to support key decisions made during investigations conducted in response to reported violations of the Security Rule.

To address these findings, the OIG recommended that OCR: (i) assess the risks, establish priorities, and implement controls for its HITECH auditing requirements; (ii) provide for periodic audits in accordance with HITECH to ensure Security Rule compliance at covered entities; and (iii) implement sufficient controls, such as supervisory reviews and documentation retention, to ensure policies and procedures for Security Rule investigations are followed.

Separately, the OIG also assessed OCR’s computer systems as of May 2011, and concluded that OCR had not fully complied with the cybersecurity requirements included in the National Institute of Standards and Technology (NIST) Risk Management Framework for its information systems used to process and store investigation data, because it focused on system operability to the detriment of system and data security. As a result, the OIG recommended that OCR implement the NIST Risk Management Framework for systems used to oversee and enforce the Security Rule.

In response, OCR generally concurred with the recommendations and described the actions it has taken to address the OIG’s concerns since May 2011. Notably, while OCR did initiate a pilot audit program in November 2011 and has subsequently audited 115 covered entities, OCR also explained that the funds used to support those audit activities are no longer available, and no funds have been appropriated for it to maintain a permanent audit program.

In consideration of the OIG’s report and OCR’s response, the looming questions that remain are how OCR will fund its statutorily required enforcement and compliance activities, and whether covered entities and business associates should expect increased enforcement to help subsidize OCR’s compliance going forward.

Physician Practice Caught in OCR Crossfire Following Theft of Unencrypted Flash Drive

This post was written by Brad M. Rostolsky and John E. Wyand.

The theft of an unencrypted flash drive has led to an agreement by Adult & Pediatric Dermatology, P.C., of Concord, Mass. (APDerm), to pay $150,000 to the Department of Health and Human Services’ Office for Civil Rights (OCR) to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules. APDerm will also be required to implement a corrective action plan to correct deficiencies in its HIPAA compliance program. APDerm is a private practice that delivers dermatology services in four locations in Massachusetts and two in New Hampshire.

This case marks the first settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of the American Recovery and Reinvestment Act of 2009. Significantly, it also marks one of the few instances where OCR has taken enforcement action against a smaller covered entity provider.

OCR opened an investigation of APDerm upon receiving a report that an unencrypted flash drive containing the electronic protected health information (ePHI) of approximately 2,200 individuals was stolen from a vehicle of one of its staff members. The flash drive was never recovered, and the investigation revealed that APDerm had not conducted “an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI” as part of its security management process. In other words, OCR continues to target the failure of covered entities to conduct a risk assessment under the Security Rule. Furthermore, OCR focused on APDerm’s failure to maintain appropriate policies and procedures, as well as the associated training, pursuant to the requirements of the Breach Notification Rule.

In addition to a $150,000 settlement, OCR imposed a corrective action plan requiring APDerm to develop a risk analysis and risk management plan to address and mitigate any security risks and vulnerabilities, as well as to provide an implementation report to OCR.

A copy of the Resolution Agreement and Corrective Action Plan may be found here.

OCR Releases HIPAA Guide for Law Enforcement

This post was authored by Brad Rostolsky and Jennifer Pike.

On September 20, 2013, the Office for Civil Rights of the U.S. Department of Health & Human Services announced the addition of a new resource on its website to assist law enforcement and emergency planners when addressing information-sharing that may be subject to the HIPAA Privacy Rule. Among other things, the guide does the following:

  • Describes the Privacy Rule and identifies which entities are required to comply
  • Outlines several examples of when disclosures of health information to law enforcement are allowed

The guide is available online.

OCR Announces Enforcement Delay for CLIA Labs

This post was authored by Brad Rostolsky and Jennifer Pike.

The Office for Civil Rights (OCR) of the Department of Health & Human Services (HHS) announced September 19, 2013 that, until further notice, it is delaying enforcement of the requirement that certain HIPAA-covered labs revise their notices of privacy practices (NPPs) to comply with modifications made by the HITECH Final Rule. The enforcement delay applies to HIPAA-covered labs that are subject to the Clinical Laboratory Improvement Act (CLIA), or exempt from CLIA, and that are not required to provide an individual with access to his or her lab test reports, because the reports are subject to the exceptions to the right of access at 45 C.F.R. § 164.524. The delay does not apply to labs that operate as part of a larger legal entity and, by virtue of that relationship, do not have their own NPP.

By way of background, under the Privacy Rule, covered entities must promptly revise their NPPs whenever there is a material change to the privacy practices described in the NPP. The HITECH Final Rule made a number of such material changes, necessitating that covered entities revise their NPPs.

The enforcement delay is a result of HHS’ plan to amend the HIPAA Privacy Rule and CLIA regulations regarding the rights of individuals to receive their test reports directly from CLIA and CLIA-exempt labs. If finalized as proposed, the amendment would result in a material change to the labs’ privacy practices. The purpose of the delay is to decrease the burden on and expense to HIPAA-covered labs of having to revise their NPPs twice within a short period of time.
For more information about the HITECH Final Rule and its implementation, please see our previous discussion of this topic.

HHS Releases Prescription Refill Reminder Guidance

This post was written by Brad M. Rostolsky, Jennifer L. Pike and Nancy E. Bonifant

On September 19, 2013, the Department of Health & Human Services (HHS) released guidance on financially remunerated prescription refill reminders.

Under the currently enforced Privacy Rule, covered entities must obtain an individual’s valid authorization prior to using and disclosing the individual’s protected health information for “marketing” purposes – which includes communications about a product or service that encourages the recipients of the communication to purchase or use the product or service. This requirement, however, includes a significant exception for communications that also meet the definition of “treatment” or “health care operations” communications, including prescription refill reminders, even where a third party subsidizes the covered entity’s communication.

Under the Privacy Rule, determining whether a communication falls within the refill reminder exception depends on (1) whether the communication is about a currently prescribed drug or biologic, and (2) whether the communication involves financial remuneration and, if it does, whether the financial remuneration is reasonably related to the covered entity’s cost of making the communication. HHS now provides guidance on each of these aspects of the refill reminder exception.

Among other points, HHS makes the following notable determinations:

  • Communications about specific formulations of a currently prescribed medicine do not fall within the refill reminder exception
  • When remuneration involves payments to a business associate assisting a covered entity in carrying out a refill reminder or medication adherence program, or in making other excepted communications, and those payments exceed the fair market value of the business associate’s services, the communication does not fall within the refill reminder exception

The release of the guidance follows an announcement on September 11, 2013, that HHS has decided not to enforce the restrictions on financially remunerated prescription refill reminders until November 7, 2013, 45 days after the general HITECH compliance date of September 23, 2013. HHS’ decision to delay enforcement came on the heels of a lawsuit filed by Adheris, Inc., a Massachusetts company that provides prescription refill reminders. The lawsuit challenges the constitutionality of the HITECH Final Rule’s restrictions on remunerated prescription refill reminders.

Reed Smith’s HIPAA practice is in the process of conducting a full review of the guidance and will release additional analysis shortly.

HITECH FINAL RULE DELAYED ENFORCEMENT: PRESCRIPTION REFILL REMINDERS

HHS to Release Guidance on “Reasonable” Financial Remuneration by September 23, 2013; Enforcement to Be Delayed Until November 7, 2013

This post was written by Brad M. Rostolsky, Nancy E. Bonifant and Jennifer L. Pike

On September 5, 2013, Adheris, Inc. (“Adheris”), a Massachusetts company that provides, among other services, prescription refill reminders, filed a lawsuit in the U.S. District Court for the District of Columbia against Kathleen Sebelius, Secretary of Health & Human Services (“Secretary”), and the Department of Health & Human Services (“HHS”), challenging the constitutionality of the HITECH Final Rule’s restrictions on remunerated prescription refill reminders. Contemporaneous with its lawsuit, Adheris filed a Motion for Preliminary Injunction seeking to enjoin the Secretary’s enforcement of these restrictions, which was set to begin on September 23, 2013.

In a joint motion filed by the parties today seeking to suspend the court’s schedule on the Motion for Preliminary Injunction, the Secretary and HHS have informed the court that HHS expects to release guidance by September 23, 2013, on the HITECH Final Rule’s “reasonable in amount” restriction applicable to financially remunerated prescription refill reminders. The Secretary has also decided not to enforce the restrictions on financially remunerated prescription refill reminders until November 7, 2013, 45 days after the general HITECH compliance date of September 23, 2013.

Under the currently enforced Privacy Rule, covered entities must obtain an individual’s valid authorization prior to using and disclosing the individual’s protected health information for “marketing” purposes – which includes communications about a product or service that encourages the recipients of the communication to purchase or use the product or service. This requirement, however, included a significant exception for communications that also met the definition of “treatment” or “health care operations” communications, including prescription refill reminders, even where a third party subsidized the covered entity’s communication.

In a marked departure from the currently enforced Privacy Rule (and the July 2010 HITECH Proposed Rule), the Final Rule generally requires authorizations for all third-party subsidized health care operations and treatment communications, with a limited exception applicable to prescription refill reminders. With respect to prescription refill reminders, a covered entity may still receive some financial remuneration from third parties for making these communications, but this remuneration must be “reasonably related to the covered entity’s cost of making the communication.” In preamble language to the Final Rule, HHS made clear that permissible costs include only the costs of labor, supplies, and postage – where a covered entity generates a profit or receives payment for other costs in exchange for making a prescription refill reminder, the exception would not apply and the covered entity would need to obtain individual authorization.

Ultimately, what remains unknown is whether HHS will explicitly permit covered entities, and their business associates, to make a profit in connection with communicating prescription refill reminders, or if HHS will merely reaffirm its previously stated position in the preamble to the HITECH Final Rule.

For more information about the HITECH Final Rule and its implementation, please see our previous discussion of this topic.

If Your Old Photocopier Could Talk, What Would It Say? Health Plan's Used Photocopier Linked to $1.2 Million HIPAA Settlement

This post was written by Brad M. Rostolsky, Nancy E. Bonifant and Jennifer L. Pike.

Who knew that photocopiers stored information? Apparently "CBS Evening News" did, and now an April 2010 investigative report has led to a million-dollar HIPAA settlement.

Affinity Health Plan, Inc. (Affinity), a New York-based, not-for-profit health plan, agreed to pay the Office for Civil Rights (OCR) $1,215,780 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. The settlement resulted from a breach self-report by Affinity, which first learned of the electronic protected health information (PHI) stored on its formerly leased photocopier’s hard drive from "CBS Evening News" (CBS).

In April 2010, CBS conducted an investigative report on the security risks associated with digital photocopiers, which, since 2002, typically contain hard drives that can store an image of every document copied, scanned, or emailed from the machine. As part of the investigation, CBS purchased four randomly selected used photocopiers, including one previously leased by Affinity. On the machine's hard drive, CBS found 300 pages of individuals' medical records.

Following Affinity's breach self-report, OCR found that Affinity impermissibly disclosed PHI of up to 344,579 individuals when it returned multiple photocopiers to leasing agents without erasing the data contained on the machines’ hard drives. OCR further determined that Affinity (1) failed to include electronic PHI stored on photocopiers’ hard drives in its required Security Rule risk analysis, and (2) failed to implement its existing policies and procedures when returning photocopiers to its leasing agents.

In addition to the $1.2 million settlement, the Resolution Agreement between OCR and Affinity included a corrective action plan (CAP). The CAP requires Affinity to use its best efforts to retrieve all hard drives that were contained on photocopiers previously leased by Affinity and that remain in the possession of the leasing agent. Affinity must also (1) conduct a comprehensive risk analysis that incorporates all electronic equipment and systems controlled, owned, or leased by Affinity; (2) develop a plan to address and mitigate security risks and vulnerabilities found in its analysis; and (3) if necessary, revise its current policies and procedures accordingly.

The global take-away from this latest enforcement action is that an entity's failure to comply with the obligation to conduct a comprehensive Security Rule risk analysis remains OCR’s primary, and most often used, trigger to take significant enforcement action. Since almost every business uses photocopiers, Affinity serves as a reminder that all covered entities and business associates should implement policies and procedures to ensure that all hard drives are scrubbed of PHI before leaving their possession. More information on safeguarding sensitive data stored in the hard drives of digital photocopiers can be found here.

For additional information on OCR’s enforcement activities, visit the U.S. Department of Health and Human Services website.

France: All Bodies Hosting Personal Medical Data Must Apply for Official Accreditation or Work With An Officially Accredited Data Host

This post was written by Daniel Kadar.

As a champion for the protection of personally identifiable information, and with broad definitions of the concepts of personal and medical data, France has established a very specific set of policies requiring that all bodies hosting medical data apply for official accreditation or work with an accredited medical data host. Whenever medical data is hosted in the course of a prevention, diagnosis or treatment activity – a scope that covers most activities of the health care industry and that is expanding considerably with telemedicine in the broad sense – the question of accreditation of the hosting service arises. To learn more about situations requiring the use of authorized hosting services in France, read our client alert.

French Ministry of Health Publishes Application Decree for "French Sunshine Act"; Requires Disclosure of Agreements With and Payments to Health Care Practitioners Dating Back to January 1, 2012

Reed Smith’s Global Regulatory Enforcement Law blog features a post on the recent publication of the application decree to the “French Sunshine Act” by the French Ministry of Health.  “A Brave New World? The ‘French Sunshine Act’ imposes online disclosure of contracts with HCPs, as well as of payments of ‘advantages’ to HCPs, dating back to 01 January 2012,” written by Daniel Kadar, discusses the specific ways and means that health care companies must disclose agreements with and “advantages” (payment or hospitality, including payment of a contractual fee) provided to health care practitioners ("HCPs") in order to comply with the application decree.  Information to be disclosed dates back 18 months, to January 1, 2012, and the first disclosure requirement is set for June 1, 2013.  According to Mr. Kadar, this tight timeframe raises compliance issues and has industry calling for reconsideration.

HHS Considers Amending the HIPAA Privacy Rule to Encourage Reporting of Mental Health Information to the National Instant Criminal Background Check System

This post was written by Jennifer L. Pike and Nancy E. Bonifant.

The Department of Health and Human Services (“HHS”) is seeking comments on a proposal to amend the HIPAA Privacy Rule to expressly permit covered entities to disclose certain mental health information to the National Instant Criminal Background Check System (NICS), the federal government’s background check system for the sale or transfer of firearms by licensed dealers.

Federal law prohibits the following persons from possessing or receiving firearms: (1) individuals who have been involuntarily committed to a mental institution; (2) individuals who have been found incompetent to stand trial or not guilty by reason of insanity; and (3) individuals who have been otherwise determined, through a formal adjudication process, to have a severe mental condition that results in the individual presenting a danger to themselves or others or being incapable of managing their own affairs (collectively referred to in the proposed rule as the “mental health prohibitor”). Federal agencies are required by the NICS Improvement Amendments Act of 2008 to report to NICS the identities of individuals who are subject to the mental health prohibitor. The Act also authorizes incentives for States to provide such information when it is in their possession.

HHS issued the proposed rule to address concerns that the HIPAA Privacy Rule may be preventing some States from reporting to NICS the identities of individuals subject to the mental health prohibitor.  Records related to involuntary commitments and mental health adjudications generally originate in entities in the criminal justice system.  Such entities are not HIPAA covered entities, and the records are therefore not subject to HIPAA.  However, there may be State entities outside the criminal justice system that are involved in some involuntary commitments or mental health adjudications, and these entities may be HIPAA covered entities.  Where a record of involuntary commitment or mental health adjudication originates with a HIPAA covered entity, or the HIPAA covered entity is the State repository for such records, those records are subject to HIPAA.  Therefore, the concern is that the individuals identified in such records are not being reported to NICS due to HIPAA compliance considerations.

To address these concerns, HHS is considering whether to amend the Privacy Rule to expressly permit covered entities to disclose limited information to NICS about the identities of individuals who are subject to the mental health prohibitor.  Pursuant to the HHS request for comments, the potential exception may limit the information disclosed to the minimum data necessary for NICS purposes, and limit permission to disclose to covered entities that order involuntary commitments, perform relevant mental health adjudications, or are otherwise designated as State repositories for NICS reporting purposes.

HHS is seeking comments on specific questions related to the proposal.  These questions are listed in HHS’ Advance Notice of Proposed Rulemaking, which is available here.  Comments should be submitted in writing, or electronically at www.regulations.gov, on or before June 7, 2013.

The Scope of HIPAA Preemption in Florida: More Questions than Answers

This post was written by Nancy E. Bonifant and Zachary A. Portin.

On April 9, 2013, the Eleventh Circuit held that HIPAA preempts a Florida statute that requires nursing homes to release medical records of deceased residents to their spouses, attorneys-in-fact and other enumerated parties who request them.  In Opis Management Resources LLC v. Secretary Florida Agency for Health Care Administration, the Florida agency that oversees nursing homes cited Opis Management, an operator of nursing homes, for refusing to release medical records to deceased residents’ spouses and attorneys-in-fact.  Opis Management challenged the citations arguing that the requesting parties were not “personal representatives” under HIPAA.

The HIPAA Privacy Rule requires disclosures of PHI in only two situations: (1) to the individual, and (2) to the Secretary of HHS.  Covered entities must also treat a deceased individual’s “personal representative,” who has authority to act on behalf of the deceased individual or his/her estate, as the individual for purposes of disclosures under the HIPAA Privacy Rule.  While HIPAA does not preempt “more stringent” state laws, it sets a floor for privacy protections and supersedes any contrary provision of state law.

The Eleventh Circuit held that HIPAA preempts the Florida statute because it “impedes the accomplishment and execution of the full purposes and objectives of HIPAA and the Privacy Rule,” particularly keeping an individual’s PHI confidential. According to Judge Black, the Florida statute authorizes “sweeping disclosures” that make a deceased resident’s PHI available to certain individuals upon request without any need for authorization and “without regard to the authority of the individual making the request to act in the deceased’s stead.” Interestingly, because the Florida agency failed to timely raise the argument, the court did not consider whether compliance with both laws was possible given that HIPAA permits covered entities to disclose PHI as “required by law.”

Opis Management Resources highlights one of the many challenges that covered entities face in trying to achieve compliance under HIPAA and state privacy law. Although the holding suggests that analogous Florida statutes mandating disclosures may also be preempted, the ruling is limited to licensed Florida nursing homes. Clearly, the scope of HIPAA preemption remains unsettled, and the issue will likely continue to be determined on a case-by-case basis.

Loose Lips Sink... Providers?

This post was written by Zachary A. Portin and Nancy E. Bonifant.

Can a medical corporation be directly liable under New York law for breaching its common law fiduciary duty of confidentiality when a non-physician employee acted outside the scope of his or her employment by making an unauthorized disclosure of an individual’s confidential health information?  This is the question that the U.S. Court of Appeals for the Second Circuit posed to the New York State Court of Appeals last month when it requested an advisory opinion from the state’s highest court in order to resolve Doe v. Guthrie Clinic Ltd. 

Plaintiff Doe sued various Pennsylvania-based entities (the “Guthrie Defendants”) that owned and operated the Guthrie Clinic Steuben (the “Clinic”) located in New York after one of the Clinic’s nurses sent six text messages to Doe’s girlfriend informing her that Doe was being treated for sexually transmitted diseases.  Plaintiff Doe brought several tort claims against the Guthrie Defendants, including a novel claim that the common law cause of action for breach of the fiduciary duty to keep medical records confidential runs directly against medical corporations, even when the employee responsible for the breach is not a physician and acted outside the scope of her employment.

Although HIPAA does not create a private right of action under federal law, an aggrieved patient may avail himself or herself of state law causes of action. For example, New York imposes a general duty to maintain the confidentiality of personal health information as well as a specific common law cause of action against a physician who improperly discloses confidential information. In 2000, the Appellate Division of the New York State Supreme Court also held that a patient was permitted to sue a health insurer whose records clerk wrongfully disclosed treatment information. Nevertheless, the Second Circuit elected to certify the question to the Court of Appeals with regard to the Guthrie Defendants after it concluded that no controlling precedent existed.

A favorable ruling for Plaintiff Doe threatens to vastly expand the scope of liability faced by providers and other entities involved in the delivery of healthcare.  Perhaps most concerning from the perspective of providers is the prospect of such entities facing liability under New York law for unforeseeable misconduct committed by non-physician employees.  Regardless of the Second Circuit’s ultimate disposition of this legal question, the case underscores the importance of developing and maintaining a robust compliance program to combat such misconduct.

CMS and OIG Propose Extension of Electronic Health Record Donation Protections

This post was written by Jennifer Pike and Brad Rostolsky.

The Centers for Medicare & Medicaid Services (CMS) and the Office of Inspector General (OIG) of the Department of Health and Human Services (HHS) have each proposed new rules to extend existing protections that allow hospitals to donate electronic health record (EHR) technology to physicians who refer patients to their facilities. By way of background, in 2006, CMS established an exception to the Stark self-referral law to allow hospitals to donate EHR technology to physicians under certain circumstances. Likewise, in 2006, the OIG established a safe harbor to protect such EHR donations from enforcement under the federal anti-kickback statute. While both protections are set to expire on December 31, 2013, the proposed rules would extend the provisions until the end of 2016 as a means to facilitate the adoption of EHR technology.

In addition to extending the EHR donation protections, the proposed rules would (1) remove the requirement from the original rule that donated EHR technology contain electronic prescribing capability, and (2) update the provision under which EHR technology is deemed interoperable, which would expand the types of EHR systems that qualify for the protections.

CMS’s proposed rule is available here. The OIG’s proposed rule is available here. Comments regarding both proposed rules should be submitted in writing, or electronically at www.regulations.gov, by June 10, 2013.

France: Code of Conduct Compliance Breach Not Automatically a Sufficient Reason for Employee Termination - Employers Should be Cautious of Proper Local Implementation of Compliance Guidelines

Reed Smith's Global Regulatory Enforcement blog features a post on a December 2012 French Supreme Court ruling in a case involving a French Director in a health care company who had been dismissed on the grounds of a clear breach of health care compliance obligations as set forth in the French Public Health Code. The outcome: even though a company is acting in a highly regulated environment such as health care, compliance breaches must be integrated in the employer-employee relationship if they are to justify termination in France. As Reed Smith Partner Daniel Kadar notes, this case serves as a reminder to any international health care organization that the worldwide adoption of compliance guidelines and of a Code of Conduct is not in itself a sufficient protection against compliance breaches – everything depends on how these tools are implemented locally.

OCR Announces Expansion of its Health Information Privacy Enforcement Team

This post was written by Brad M. Rostolsky and Jennifer Pike.

On February 27, 2013, the HHS Office for Civil Rights (“OCR”) announced the availability of several Health Information Privacy Specialist positions. This expansion of OCR’s health information privacy enforcement team signals that OCR’s increased enforcement activity during 2012 will continue in 2013. In 2012, OCR announced several enforcement actions resulting from a breach self-report required by HITECH’s Breach Notification Rule, including the $1.7 million settlement in June with the Alaska Department of Health and Social Services and the Massachusetts Eye and Ear Infirmary’s $1.5 million settlement in September. OCR’s 2012 enforcement actions, and OCR leadership comments subsequent to the release of the HITECH Final Rule, suggest that the agency’s focus will be on Security Rule compliance (specifically with regard to whether a regulated entity has conducted a Security Rule Risk Assessment), the lack of overall HIPAA compliance that may lead to a breach (as opposed to the breach itself), and issues involving marketing or the sale of Protected Health Information. Covered entities and business associates should expect OCR enforcement, including audits, to continue to increase over the next year.

More information on these positions is available at usajobs.gov.

Additional information about OCR’s enforcement activities can be found at hhs.gov.

The HITECH Final Rule: The New Privacy/Security Rules of the Road Have Finally Arrived

This post was written by Brad M. Rostolsky, Nancy E. Bonifant, Salvatore G. Rotella, Jr., Elizabeth D. O’Brien, Jennifer Pike and Zachary A. Portin.

On January 25, 2013, the Office for Civil Rights of the United States Department of Health and Human Services published the long-awaited final regulation implementing many of the amendments and additions to the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules directed by the 2009 Health Information Technology for Economic and Clinical Health Act (“HITECH Act”).

Noteworthy provisions of the HITECH Final Rule include:

  • Making Business Associates directly liable for compliance with certain requirements of the HIPAA Privacy and Security Rules;
  • Converting subcontractors of Business Associates that create, receive, maintain, or transmit PHI on behalf of the Business Associate into Business Associates themselves;
  • Requiring authorizations for all treatment and health care operations communications where the Covered Entity receives financial remuneration for making the communications from a third party whose product or service is being marketed;
  • Replacing the Breach Notification Rule’s “harm” threshold with a presumption that an impermissible use or disclosure of PHI is a Breach unless the Covered Entity or Business Associate demonstrates that there is a low probability that the PHI has been compromised; and
  • Mandating compliance by Covered Entities and Business Associates with applicable requirements by September 23, 2013.

Please click here to read our detailed analysis of the HITECH Final Rule. As always, please contact Brad M. Rostolsky (215-851-8195 or brostolsky@reedsmith.com), Nancy E. Bonifant (202-414-9353 or nbonifant@reedsmith.com), Salvatore G. Rotella, Jr. (215-851-8123 or srotella@reedsmith.com), or any other member of the Reed Smith Health Care Group with whom you work, if you would like additional information or if you have any questions.

It's Here: OCR Releases Long Awaited HIPAA/HITECH Final Rule

This post was written by Brad M. Rostolsky and Nancy E. Bonifant.

The Office for Civil Rights (“OCR”) of the Department of Health and Human Services released today the long awaited, and much anticipated, omnibus final rule modifying the HIPAA Privacy, Security, Breach and Enforcement Rules.  The final rule, which implements the statutory requirements of the Health Information Technology for Economic and Clinical Health Act (“HITECH”) and the Genetic Information Nondiscrimination Act (“GINA”), is comprised of four final rules and addresses the July 2010 HITECH proposed rule, the Breach Notification and Enforcement interim final rules, as well as the October 2009 GINA proposed rule (collectively, the “HITECH Final Rule”).  Notably, the HITECH Final Rule does not address the May 2011 proposed accounting and access report rule.

Noteworthy provisions of the HITECH Final Rule include:

  • Making Business Associates directly liable for compliance with certain requirements of the HIPAA Privacy and Security Rules;
  • Converting subcontractors of Business Associates that create, receive, maintain, or transmit PHI on behalf of the Business Associate into Business Associates themselves;
  • Requiring authorizations for all treatment and health care operations communications where the Covered Entity receives financial remuneration for making the communications from a third party whose product or service is being marketed;
  • Replacing the Breach Notification Rule’s “harm” threshold with a presumption that an impermissible use or disclosure of PHI is a Breach unless the Covered Entity or Business Associate demonstrates that there is a low probability that the PHI has been compromised; and
  • Mandating compliance by Covered Entities and Business Associates with applicable requirements by September 23, 2013.

We are in the process of conducting a full review of the HITECH Final Rule and will release shortly a Client Alert providing a detailed analysis of the Rule.  In the meantime, please contact Brad M. Rostolsky (215-851-8195 or brostolsky@reedsmith.com), Nancy E. Bonifant (202-414-9353 or nbonifant@reedsmith.com), Salvatore G. Rotella, Jr. (215-851-8123 or srotella@reedsmith.com), or any other member of the Reed Smith Health Care Group with whom you work, if you would like additional information or if you have any questions.

OCR Continues Increased Focus on Enforcement, Announces First HIPAA Breach Settlement Involving Less than 500 Individuals

This post was written by Brad M. Rostolsky and Nancy E. Bonifant.

On January 2, 2013, the HHS Office for Civil Rights (“OCR”) announced its first settlement and corrective action plan following a breach affecting fewer than 500 individuals. The Hospice of North Idaho (“HONI”) has agreed to pay $50,000 to settle potential violations of the HIPAA Security Rule following the theft of an unencrypted laptop containing electronic Protected Health Information (“ePHI”) for 441 patients. Significantly, this is the third settlement in six months involving unencrypted portable devices.

In addition to the requirement to report breaches affecting more than 500 patients “without unreasonable delay and in no case later than 60 calendar days after discovery of the breach,” which are publicized on OCR’s website, Covered Entities must also maintain a log of all breaches affecting fewer than 500 patients and submit this information to OCR within 60 calendar days after the end of each calendar year. On February 16, 2011, HONI reported the theft to OCR, which commenced an OCR investigation on July 22, 2011. According to OCR, its investigation revealed that HONI had failed to conduct a risk analysis to safeguard ePHI and did not have in place policies and procedures to address mobile device security as required by the HIPAA Security Rule.

Following the $1.7 million settlement in June with the Alaska Department of Health and Social Services and the Massachusetts Eye and Ear Infirmary’s $1.5 million settlement in September, this settlement reinforces the practical necessity of encryption, which Leon Rodriguez, Director of OCR, describes as “an easy method for making lost information unusable, unreadable and undecipherable.” Easy or not, as providers face a health care environment that increasingly relies upon portable devices, encryption remains the primary answer to security risks. Furthermore, it remains the best first defense against the expensive and reputation-damaging reality of notifying patients and OCR that a breach has occurred.

Beyond emphasizing the importance of encryption, OCR’s recent enforcement trends also make it clear that Covered Entities (and given the import of the forthcoming final HITECH regulation, Business Associates) should consider the Security Rule risk analysis to be the central component to Security Rule compliance. Although a risk analysis may require Covered Entities and Business Associates to spend significant resources, OCR plainly views it to be critical.

In addition to the $50,000 settlement, the Resolution Agreement between HONI and OCR included a corrective action plan, which requires HONI to investigate any report that a workforce member may have failed to comply with HONI’s Privacy and Security policies and procedures and report actual violations to OCR within 30 days. HONI did not admit any liability in the agreement and OCR did not concede that HONI was not liable for civil monetary penalties.

Additional information about OCR’s enforcement activities can be found here.

Preparing for the HITECH Final Rule Release: HURRY UP AND WAIT!

This post was written by Brad M. Rostolsky and Nancy E. Bonifant.

It has been almost two and a half years since the Department of Health and Human Services, Office for Civil Rights (“OCR”), published a notice of proposed rulemaking to implement the statutory requirements of the Health Information Technology for Economic and Clinical Health Act (“HITECH”) and amend the HIPAA Privacy and Security Rules, and almost nine months since the final rule was submitted to the Office of Management and Budget (“OMB”) for final regulatory clearance. While industry speculation, fueled by comments made by Leon Rodriguez, the Director of OCR, at the annual Safeguarding Health Information: Building Assurance through HIPAA Security Conference, suggested that an omnibus final rule would be released by the end of summer, OMB had different ideas.

Now, as we approach HITECH’s four year anniversary in February, the industry is again speculating that release of the final rule will be before year end. As the regulation’s title makes clear, “Modifications to the HIPAA Privacy, Security, Enforcement and Breach Notification Rules,” it is expected that this rule will address the July 2010 proposed rule, as well as the interim final rules (regarding both breach notification and enforcement) and, hopefully, the May 2011 proposed accounting and access report rule. Therefore, regardless of the ultimate release date, it remains important for Covered Entities and Business Associates to prepare for the forthcoming changes.

The following is a brief review of some key considerations in anticipation of the publication of the final HITECH omnibus rule.

Continue Reading...

OCR Releases Overdue Guidance on De-identifying Protected Health Information

This post was written by Brad M. Rostolsky and Nancy E. Bonifant.

The Office of Civil Rights (OCR) released guidance on Monday, November 26, 2012, regarding methods to de-identify protected health information in compliance with the HIPAA Privacy Rule. This guidance, which followed a June 2012 Government Accountability Office Report criticizing the delayed publication of this and related guidance, is intended to assist covered entities and business associates in understanding what de-identification is and how de-identified information is created.

Because the HIPAA Privacy Rule does not restrict the use or disclosure of de-identified health information, the process of de-identification allows researchers and policy workers to have access to critical health information while mitigating privacy risks to the individual.  To mitigate privacy risks, the HIPAA Privacy Rule outlines two de-identification methods that ensure the health information does not identify an individual and that an associated covered entity has no reasonable basis to believe the information can be used to identify an individual: (1) The Expert Determination and (2) The Safe Harbor. 

The Expert Determination method requires the services of an expert in statistical and scientific principles and methods to determine that the risk of re-identification is “very small” and to document that determination. This method involves a three-step process of (i) working with the covered entity to determine appropriate statistical or scientific methods to mitigate the risk of identification, (ii) applying those methods to mitigate the risk, and (iii) assessing the remaining risk. The guidance also addresses the expert’s qualifications, methods for de-identifying information, and approaches to assessing risk.

The Safe Harbor method involves removing 18 categories of identifiers of the individual or of the individual’s relatives, employers, and household members.  These identifiers include, for example, names, dates (other than year), geographic subdivisions smaller than a State (as well as ZIP codes depending on the population of a particular area), social security number, health plan and account numbers, IP addresses, and “any other unique identifying number, characteristic, or code.”  A covered entity must also not have “actual knowledge” that the remaining information could be used to re-identify the individual.  In addition to considering specific identifiers and providing examples, the guidance explains this “actual knowledge” standard as “clear and direct knowledge” that the information could be re-identified or awareness that the information is not actually de-identified.
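As an added illustration of the Safe Harbor approach described above (example code written for this page, not from OCR’s guidance or the original post), the Python below applies the identifier categories the paragraph names to a constructed patient record: it drops direct identifiers, reduces dates to the year, keeps only the first three digits of a ZIP code where the three-digit area has more than 20,000 people (the threshold in 45 CFR 164.514(b)) and otherwise replaces it with 000, and scans free-text fields for stray Social Security and IP address patterns. The record, the field names and the population lookup are constructed for the example, and the code covers only the identifier types discussed here rather than all 18 categories; it also does nothing about the “actual knowledge” test, which remains a human judgment about the residual data.

```python
import re
from datetime import date

# Constructed sample record; field names are assumptions for this example.
SAMPLE_RECORD = {
    "name": "Jane Q. Example",
    "dob": "1974-03-15",
    "admission_date": "2012-11-02",
    "zip": "03201",
    "state": "NH",
    "ssn": "123-45-6789",
    "health_plan_id": "HP-00918273",
    "ip_address": "10.0.0.42",
    "diagnosis": "J45.20",
    "notes": "Patient reports wheezing; reached at 10.0.0.42, SSN 123-45-6789",
}

# Constructed lookup: whether the area formed by all ZIP codes sharing these three
# initial digits holds more than 20,000 people. A real implementation would derive
# this from Census data; these two entries are invented for the example.
ZIP3_POPULATION_OVER_20K = {"021": True, "032": False}

# Identifier fields removed outright (names, SSN, plan/account numbers, IP addresses).
DIRECT_IDENTIFIERS = {"name", "ssn", "health_plan_id", "account_number", "ip_address"}
# Date fields reduced to the year only.
DATE_FIELDS = {"dob", "admission_date", "discharge_date"}

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def generalize_date(value):
    """Keep only the year; all other date elements are stripped under Safe Harbor."""
    return str(date.fromisoformat(value).year)


def generalize_zip(zip_code, population_lookup):
    """Retain the 3-digit prefix only for populous areas; otherwise return '000'."""
    prefix = zip_code[:3]
    return prefix if population_lookup.get(prefix, False) else "000"


def scrub_free_text(text):
    """Replace SSN- and IPv4-shaped tokens that leaked into narrative fields."""
    text = SSN_RE.sub("[REDACTED-SSN]", text)
    return IPV4_RE.sub("[REDACTED-IP]", text)


def safe_harbor_deidentify(record, population_lookup=ZIP3_POPULATION_OVER_20K):
    """Return a new record with the Safe Harbor identifier categories handled above."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue  # dropped entirely
        if key in DATE_FIELDS:
            out[key] = generalize_date(value)
        elif key == "zip":
            out[key] = generalize_zip(value, population_lookup)
        elif isinstance(value, str):
            out[key] = scrub_free_text(value)
        else:
            out[key] = value
    return out


if __name__ == "__main__":
    for field, value in safe_harbor_deidentify(SAMPLE_RECORD).items():
        print(f"{field}: {value}")
```

The free-text scrub is the part practitioners most often omit: structured fields are easy to drop, but a clinician’s note that repeats an SSN or contact detail would leave the covered entity with exactly the kind of residual information the “actual knowledge” standard is concerned with.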

While this subregulatory guidance does not have the force of law, it is important to remember that Section 13424(c) of the HITECH Act mandated the guidance’s release. Therefore, covered entities, and business associates who de-identify protected health information on behalf of covered entities, are advised to consider the guidance carefully and amend their processes to align with its requirements.

A copy of the guidance can be found here.

How to Mitigate Compliance Requirements and Code of Conduct Obligations with Data Protection Regulation: Reed Smith Paris Provided Some Illustrative Examples

As reported on our Global Regulatory Enforcement Blog, Reed Smith Paris partner Daniel Kadar and counsel Séverine Martel hosted, on 25 October 2012, a new edition of the conference cycle organized by Reed Smith Paris with the European American Chamber of Commerce, dedicated to the mitigation of Compliance obligations, particularly as set forth in Codes of Conduct, with data protection requirements.

The panel, which included compliance directors of French health care giant SANOFI and General Electric Health, brought examples of how to mitigate compliance obligations, in particular as set forth in Codes of Conduct most International organisations have now adopted, with applicable data protection regulation.  The first example was dedicated to the New French Health Care Regulation and its transparency and disclosure requirements as to the existence (and the financial range) of agreements between the health care and cosmetics industry with health care professionals (including Medicine students), showing that the disclosure of financial and private information (such as the home address for the medicine students) had to be managed carefully with respect to the data owner’s information and access rights.  To read the full post, click here.

Reed Smith Gearing Up For "Big Data Monetization" Conference

Next week, Reed Smith will host a conference on “Big Data Monetization” at the Quadrus Conference Center in Silicon Valley (8:30-11:30 a.m. PDT). Big Data is a term used to characterize the accumulation of data. Virtually every company, in every industry, is now an information and technology company. Companies run on Big Data, whether it be customer information, employee information, or competitive intelligence. Companies store, share, and use that information in increasingly complex ways, taking advantage of cloud-based solutions and revolutions in analytics, and finding ways to turn these massive databases into revenue. There is no doubt a plethora of opportunities in Big Data; however, using it comes with its own set of risks. The key to monetizing Big Data is striking the balance between risk and reward.

View a preview of the types of issues we’ll be tackling at the conference over on our Global Regulatory Enforcement Law Blog.

OCR Continues to Use Breach Self-Reports as an Invitation to Audit General HIPAA Compliance

Massachusetts Provider Becomes Third Seven-Figure Settlement Since March

This post was written by Nancy E. Bonifant and Brad M. Rostolsky.

On September 17, 2012, the HHS Office of Civil Rights ("OCR") announced another settlement and corrective action plan following an entity’s breach self-report required by HITECH’s Breach Notification Rule. Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (collectively "MEEI") have agreed to pay $1.5 million to settle potential violations of the HIPAA Security Rule following the theft of a physician’s unencrypted, but protected, laptop, providing additional evidence that: (1) OCR will likely view any breach notification as an opportunity to conduct a de facto audit of an entity’s general HIPAA compliance; and (2) encryption of all portable devices containing electronic protected health information ("ePHI"), though not technically "required," is a critical compliance consideration.

The information contained on the laptop, which was stolen while the physician was lecturing in South Korea in 2010, included prescriptions and clinical information for approximately 3,600 patients and research subjects. According to MEEI, although unencrypted, the laptop was password protected and contained a tracking device commonly referred to as "LoJack." Using LoJack, MEEI determined that a new operating system had been installed on the computer and that the software needed to access the ePHI had not been reinstalled. After concluding that retrieval of the laptop was unlikely, MEEI remotely and permanently disabled the hard drive and rendered any ePHI unreadable.

Although OCR’s subsequent investigation revealed no patient harm as a result of the breach, the agency did find that the breach indicated a long-term, organizational disregard for the requirements of the Security Rule. More specifically, over an extended period of time, MEEI failed to:

  • Conduct a thorough analysis of the risk to the confidentiality of ePHI maintained on portable devices;
  • Implement security measures sufficient to ensure the confidentiality of ePHI that MEEI created, maintained, and transmitted using portable devices;
  • Adopt and implement policies and procedures to restrict access to ePHI to authorized users of portable devices; and
  • Adopt and implement policies and procedures to address security incident identification, reporting, and response.

Following on the heels of the Alaska Department of Health and Social Services’ $1.7 million settlement in June, which also followed a breach that affected a relatively small number of individuals, OCR’s recent enforcement actions suggest that its focus is on the lack of overall HIPAA compliance that may lead to a breach and not the breach itself. This settlement also reaffirms the practical necessity of encrypting all ePHI on portable devices. According to Leon Rodriguez, Director of OCR, "[i]n an age when health information is stored and transported on portable devices such as laptops, tablets, and mobile phones, special attention must be paid to safeguarding the information held on these devices."

In addition to the $1.5 million settlement, the Resolution Agreement between MEEI and OCR included a corrective action plan, which requires MEEI to review, revise, and maintain policies and procedures to ensure compliance with the Security Rule, and retain an independent monitor who will conduct assessments of MEEI’s compliance with the corrective action plan and render semi-annual reports to HHS for a 3-year period. MEEI did not admit any liability in the agreement and OCR did not concede that MEEI was not liable for civil monetary penalties.

Additional information about OCR’s enforcement activities can be found at hhs.gov.

FTC Issues Guidance to Mobile App Developers

Reed Smith's AdLaw By Request blog features a post on the Federal Trade Commission's recently published "Marketing Your Mobile App: Get It Right from the Start," a set of guides addressing compliance with truth in lending and privacy principles for mobile app developers. Reed Smith partner Doug Wood notes that disclosures and privacy protection for mobile apps are a major issue and recommends that the guides be read carefully by anyone in the mobile app business. Developers and marketers operating in the health care and life sciences industry should take note.

Whistleblower Cannot Rely on Stolen Patient Records

This post was written by Andrew Bernasconi & Nathan Fennessy.

A recent decision by the United States District Court for the Southern District of Ohio may make it much harder for qui tam relators to rely upon stolen medical records or patient information in False Claims Act (“FCA”) whistleblower actions. See Cabotage v. Ohio Hospital for Psychiatry, No. 11-cv-50 (S.D. Ohio July 27, 2012). In Cabotage, the district court held that a registered nurse was not permitted to support her allegations of FCA violations by relying on confidential protected health information that she surreptitiously removed from the hospital where she was employed.

The nurse in Cabotage purportedly removed the confidential protected health information as part of an “investigation” of alleged fraudulent conduct by the Medical Director. She subsequently provided this information to an investigator from the Department of Health and Human Services, but the agency declined to pursue a claim. After the nurse was terminated for other reasons, she commenced an action against her former employer under the FCA whistleblower provisions and the Ohio Whistleblower’s Act. During the course of discovery, the hospital learned about the nurse’s removal of confidential protected health information. After repeated requests to return the information were declined, the hospital filed a Motion for Return of Confidential Health Information.

The district court denied the motion on the grounds that the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) did not vest the court with jurisdiction to provide the remedy sought by the hospital. The court concluded, however, that it possessed inherent authority to issue an order preventing the nurse from using the confidential information in the instant action because the information was confidential, potentially privileged, and had been obtained outside the discovery process governed by the court.

The court’s decision is qualified and stops short of creating a new rule applicable to whistleblower cases, but nonetheless provides a step in the right direction for defendants facing whistleblowers who have inappropriately used or taken confidential information from their employer.

Understanding of Global Data Privacy Regulations Helps Avoid Conflicts in Cross-Border Discovery Disputes

InsideCounsel recently published, "E-discovery: The need for a transnational approach to cross-border discovery disputes," an article on international discovery issues and the benefit of a respectful approach to document productions outside of the U.S.  Written by Reed Smith Records & E-Discovery Group members David R. Cohen, Regis W. Stafford, Jr. and Caitlin R. Gifford, the piece notes that proposed EU Data Protection Directive regulations have the potential to subject multinational companies to sanctions of up to two percent of annual worldwide revenue for serious breaches, including unlawful data transfers to the U.S.  In addition, although not binding on U.S. courts, the ABA recently issued a resolution and recommendation that states in part that U.S. courts should “consider and respect the data protection and privacy laws of any foreign sovereign..."  This article underscores the importance of a comprehensive global approach to document production in cross-border litigation.

To be invited to future Reed Smith trainings on cross-border e-Discovery issues, please click here.

Massachusetts Attorney General Strikes: South Shore Hospital Settles Data Breach Allegations for $750,000

This post was written by Brad M. Rostolsky and Nancy E. Bonifant.

On May 24, 2012, the Attorney General of Massachusetts announced that South Shore Hospital of South Weymouth, Massachusetts (South Shore) agreed to settle allegations that it failed to protect the personal and protected health information of more than 800,000 individuals.  The settlement resulted from the hospital’s data breach report to the Attorney General in July 2010, which was also reported to the HHS Office of Civil Rights in accordance with the HIPAA Breach Notification Rule.  Although the Attorney General reported a $750,000 settlement, South Shore was credited $275,000 for new security measures taken after the breach, bringing the actual amount to $475,000, of which $250,000 is a civil penalty and $225,000 shall be paid to an education fund to be used by the Attorney General’s Office to promote education concerning the protection of personal and protected health information.  South Shore also agreed to undergo a review and audit of its security measures and report the results to the Attorney General.

In February 2010, South Shore contracted with Archive Data Solutions (Archive Data) to erase and re-sell 473 data tapes.  According to the Attorney General, South Shore did not inform Archive Data that the tapes contained personal and protected health information, including individuals’ names, Social Security numbers, financial account numbers, and medical diagnoses.  The tapes were then shipped to a Texas subcontractor, but in June 2010, South Shore learned that only one of the three boxes of tapes arrived.  The two missing boxes were never recovered and there have been no reports of unauthorized use of the information.

Following its investigation of South Shore’s breach report, the Attorney General filed a lawsuit under the Massachusetts Consumer Protection Act and HIPAA. State Attorneys General have the authority, pursuant to HITECH (enacted as part of the American Recovery and Reinvestment Act of 2009), to bring civil actions on behalf of state residents for violations of the HIPAA Privacy and Security Rules, which include obtaining damages and enjoining further violations. In the lawsuit, the Attorney General alleged that South Shore failed to implement appropriate safeguards, policies, and procedures to protect the information, failed to have a Business Associate Agreement in place with Archive Data, and failed to properly train its workforce.

Small Cardiology Practice to Pay $100,000 to Settle Allegations of HIPAA Violations

This post was written by Nancy E. Bonifant and Brad M. Rostolsky.

On April 17, 2012, the HHS Office of Civil Rights (OCR) announced a settlement and corrective action plan with Phoenix Cardiac Surgery, P.C. (Phoenix), a small cardiology practice based in Phoenix and Prescott, Arizona. More specifically, Phoenix has agreed to pay $100,000 to settle allegations of HIPAA violations arising out of an investigation conducted by OCR.

OCR’s investigation of Phoenix followed a report that Phoenix was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible. On further investigation, OCR discovered the following issues:

  • Phoenix failed to implement adequate policies and procedures to appropriately safeguard patient information;
  • Phoenix failed to document that it trained any employees on its policies and procedures on the Privacy and Security Rules;
  • Phoenix failed to identify a security official and conduct a risk analysis; and
  • Phoenix failed to obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to its electronic protected health information.

This settlement serves as additional evidence of OCR’s increased focus on enforcement actions for alleged HIPAA violations, following just one month after the first enforcement action resulting from a breach self-report under the Breach Notification Rule. According to Leon Rodriguez, Director of OCR, he “hope[s] that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.” Additionally, the settlement provides further evidence that OCR will likely view any investigation of an alleged Privacy or Security Rule infraction as an opportunity to conduct a de facto audit of the entity’s general compliance with HIPAA.

In addition to the $100,000 settlement, the Resolution Agreement between Phoenix and OCR requires Phoenix to develop and maintain written Privacy and Security policies, which will set forth, at a minimum, administrative safeguards, technical safeguards, and training of all Phoenix’s workforce members. In addition, Phoenix will provide specific training on the Privacy and Security policies within 60 days of OCR’s approval to all workforce members who use or disclose protected health information and will report any violations of those policies and procedures by a workforce member to OCR within 30 days. Phoenix did not admit any liability in the agreement and OCR did not concede that Phoenix was not liable for civil monetary penalties.

Additional information about OCR’s enforcement activities can be found at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html.

OCR Announces First Enforcement Action Resulting From a Breach Self-Report

This post was written by Nancy E. Bonifant and Brad M. Rostolsky.

On March 13, 2012, the HHS Office of Civil Rights (OCR) announced the first enforcement action resulting from a breach self-report required by HITECH’s Breach Notification Rule. Blue Cross Blue Shield of Tennessee (BCBST) has agreed to pay HHS $1,500,000 to settle potential violations of the HIPAA Privacy and Security Rules and has entered into a corrective action plan to address gaps in its HIPAA compliance program.

The HIPAA/HITECH Breach Notification Rule requires covered entities to report a breach (i.e., an impermissible use or disclosure of protected health information that compromises the security or privacy of the protected health information) to the affected individual(s), HHS and, at times, the media. OCR’s investigation of BCBST followed a breach report submitted by BCBST informing HHS that 57 unencrypted computer hard drives were stolen from a leased facility in Tennessee. The hard drives contained the protected health information of more than 1 million individuals, including member names, social security numbers, diagnosis codes, dates of birth, and health plan identification numbers.

According to OCR’s investigation, BCBST failed to implement appropriate administrative and physical safeguards as required by the HIPAA Security Rule. More specifically, BCBST failed to perform the required security evaluation in response to operational changes and did not have adequate facility access controls.

In addition to the $1,500,000 settlement, the Resolution Agreement between BCBST and OCR requires BCBST to revise its Privacy and Security policies, conduct robust trainings for all employees, and perform monitoring reviews to ensure compliance with the corrective action plan. BCBST did not admit any liability in the agreement and OCR did not concede that BCBST was not liable for civil monetary penalties.

Additional information about OCR’s enforcement activities can be found at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html.

OCR Launches Privacy and Security Audits

This post was written by Brad M. Rostolsky and Nancy E. Bonifant.

To implement the HITECH Act’s mandate for the Office for Civil Rights (OCR) to perform HIPAA audits, OCR has just announced that it is piloting a program to perform up to 150 audits of covered entities to assess privacy and security compliance. Audits conducted during the pilot phase are planned to begin with an initial 20 audits between November 2011 and April 2012. The remaining audits are scheduled to conclude by December 2012. All covered entities and business associates are eligible for audits; however, OCR has indicated that it is focusing on covered entities (ranging in type and size) in the initial phase. Business associates will be included in future audits.

During the pilot, every audit will include a document production and onsite visit, and will result in an audit report. OCR will notify a selected covered entity in writing and request documentation of the covered entity’s privacy and security compliance efforts. The covered entity must comply within 10 business days. OCR expects to notify selected covered entities between 30 and 90 days prior to the anticipated onsite visit. Onsite visits may take between three and 10 business days, and after fieldwork is completed, the auditor will provide the covered entity with a draft final report. Selected covered entities will then have 10 business days to review and provide written comments back to the auditor. The auditor will complete a final audit report within 30 business days after the covered entity’s response and submit it to OCR.

Should an audit report indicate a serious compliance issue, OCR may initiate a compliance review to address the problem. Significantly, OCR will not post a listing of audited entities or the findings of an individual audit that clearly identifies the audited entity.

A description of the pilot program is available at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/index.html.

Transcending the Cloud: A Legal Guide to the Risks and Rewards of Cloud Computing - Health Care in the Cloud

This post was written by Vicky G. Gormanly and Joseph I. Rosenbaum.

The interest level in storing health records in digital format has grown rapidly with the lower cost and greater availability and reliability of interoperable storage mechanisms and devices. Health care providers like hospitals and health systems, physician practices, and health insurance companies are among those most likely to be considering a cloud-based solution for the storage of patient-related health information. While lower cost, ubiquitous 24/7 availability, and reliability are key drivers pushing health care providers and insurers to the cloud, a number of serious legal and regulatory issues should be considered before releasing sensitive patient data into the cloud. The issues are highlighted in the Health Care chapter of our Cloud Computing White Paper.

U.S. Supreme Court Strikes Down Vermont Ban on Data Mining; Rules that State Law Interferes with Drug Makers' Right to Free Speech

Today, in a 6-3 decision, the U.S. Supreme Court handed down a verdict in Sorrell vs. IMS Health, striking, on free speech grounds, a 2007 Vermont law that bans the practice of data mining unless a physician specifically gives his or her permission to use the information. Reed Smith filed an amicus brief in Sorrell supporting IMS Health's position in order to help explain to the Court the public health benefits arising from targeted commercial use of prescription-writing data. Reed Smith's Global Regulatory Enforcement Law Blog discusses the ruling in "Supreme Court Win for Free Speech About Medical Options" by Paul Bond and Joe Metro.

HHS Issues Notice of Proposed Rulemaking Regarding the HIPAA Privacy Rules Standard for Accounting of Disclosures Requirements and Access Report

This post was written by Gina M. Cavalier and Brad M. Rostolsky.

Today the Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking implementing provisions of the HITECH Act related to accounting for disclosures of protected health information (PHI). Pursuant to the HITECH Act and its more general authority under HIPAA, HHS proposed to divide the Privacy Rule provisions related to an accounting into two separate individual rights: (1) an accounting, and (2) an access report.

With respect to an accounting, HHS proposes that individuals have a right to an accounting of disclosures of PHI in a designated record set made by a covered entity or a business associate: (i) for impermissible purposes, (ii) for public health activities, (iii) for judicial and administrative proceedings, (iv) for law enforcement purposes, (v) to avert a serious threat to health or safety, (vi) for military and veterans activities, and (vii) for workers compensation. The proposed compliance date for this provision is 180 days after the effective date of the final rule.

With respect to the access report, HHS proposes to provide individuals with the right to receive a report detailing who has accessed their electronic PHI in a designated record set maintained by a covered entity or its business associates. HHS proposes that covered entities and business associates provide individuals with a right to an access report beginning January 1, 2013, for electronic designated record set systems acquired after January 1, 2009, and beginning January 1, 2014 for electronic designated record set systems acquired as of January 1, 2009.

The proposed rule is posted here.

Comments are due in 60 days - August 1, 2011.

HHS Issues Notice of Proposed Rulemaking Regarding the HIPAA Privacy Rules Standard for Accounting of Disclosures Requirements

This post was written by Gina M. Cavalier, Vicky G. Gormanly and Brad M. Rostolsky.

Pursuant to the HITECH Act, covered entities and business associates must account for disclosures of PHI for treatment, payment and health care operations if the disclosures are through an electronic health record. This represents a significant change to the requirements under the current HIPAA Privacy Rule. The Department of Health and Human Services (HHS) will shortly publish a notice of proposed rulemaking to modify the Privacy Rule’s standard for accounting of disclosures of protected health information. An advance copy of the proposed rule is available here.

HHS proposes to expand the accounting requirements of the Privacy Rule to provide individuals with the right to receive an access report detailing who has accessed their electronic PHI in a designated record set. Accordingly, HHS proposes to revise an individual's right to an accounting under the Privacy Rule by separately setting forth an individual's right to (1) an accounting of disclosures and (2) an access report. HHS has also proposed other changes designed to improve the workability and effectiveness of the existing accounting of disclosures requirements.

Comments are due 60 days after the proposed rule is published in the Federal Register.

More to come...

HHS Announces First Ever Civil Money Penalty for Violations of HIPAA Privacy Rule

This post was written by Gina M. Cavalier.

Earlier today the Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) announced the imposition of the first ever civil money penalty for violations of the HIPAA Privacy Rule. The penalty, which is $4.3 million, was assessed against Cignet Health of Prince George's County, a health insurer. The underlying HIPAA violations include (1) failing to provide patients with access to their medical records, and (2) failing to cooperate with OCR's investigation into the failure to provide access. The HHS press release is available here.

To discuss this or any other HIPAA or data privacy/security issue, please contact Mark S. Melodia or Gina M. Cavalier.

Final HITECH Privacy and Security Rule Expected Soon

According to a senior health information technology and privacy specialist at the HHS Office for Civil Rights (OCR), regulations finalizing the July 14, 2010, proposed rule implementing many of the HITECH Act's privacy, security, and enforcement requirements could be published by the end of 2010 or in early 2011. Additionally, OCR is developing a HITECH Act-required "periodic audit" plan, which will be targeted to ensure that covered entities and business associates comply with the requirements of the Privacy and Security Rules.

We'll keep you posted as things progress . . .

Authentication Practices and Secure Communications in the Life Sciences and Health Care Industry

Information security is paramount in the life sciences and health care industry because it is subject to affirmative regulatory requirements regarding the physical and technical safeguards used to secure electronic information. It is therefore troubling that the Internet protocols that are universally used to transmit encrypted information employ an authentication process (to verify the endpoints of a communication) that is deeply flawed. The authentication process requires the parties to the communication to trust literally hundreds of unknown third parties referred to as "certificate authorities." The closer one looks at the identity of these third parties and the processes used to carry out the authentication process, the worse it gets. It is time for GCs to get involved because Encryption is Not Enough...

New HITECH/HIPAA Proposed Rule Released Today

HHS has just released its proposed rule modifying the HIPAA Privacy, Security, and Enforcement Rules to implement the privacy, security, and certain enforcement provisions of subtitle D of the Health Information Technology for Economic and Clinical Health Act (Title XIII of the American Recovery and Reinvestment Act of 2009). The advance version of the rule can be accessed here; the official version will be published July 14. A press release should be available later this morning.

Pursuant to the announcement of the proposed rulemaking on the HHS Privacy website, the proposed modifications to the HIPAA Rules include provisions extending the applicability of certain of the Privacy and Security Rules’ requirements to the business associates of covered entities, establishing new limitations on the use and disclosure of protected health information for marketing and fundraising purposes, prohibiting the sale of protected health information, and expanding individuals’ rights to access their information and to obtain restrictions on certain disclosures of protected health information to health plans. In addition, the proposed rule adopts provisions designed to strengthen and expand HIPAA’s enforcement provisions.

Importantly, HHS has stated that the new HIPAA regulations will not be enforced until 180 days after the final rule has become effective. Comments will be due on or about September 13, 2010.

More to come . . . 

Mexico's Senate Passes Federal Law for Protection of Personal Data

This post was written by Mark S. Melodia, Cynthia O'Donoghue and Anthony S. Traymore.

On April 27, 2010, the Mexican Senate passed Ley Federal de Protección de Datos Personales en Posesión de los Particulares (the Federal Law for Protection of Personal Data (FLPPA)). President Felipe Calderon is expected to sign the FLPPA into law soon, and thereafter, the FLPPA will be published and its regulatory provisions enacted. The objective of the FLPPA is to provide regulatory mechanisms for the newly established replacement agency, Instituto Federal de Acceso a la Información y Protección de Datos (the Federal Institute of Information Access and Data Protection (FIIADP)), to enforce the FLPPA in relation to any individual or entity engaging in the collection, storage and/or transfer of personal data, including life sciences and health care clients.

To read the full alert, click here.

HITECH Privacy and Security Regulations Currently Being Drafted

The Health Information Privacy page of the U.S. Department of Health and Human Services (HHS) website has formally announced that regulations implementing the privacy and security provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act will soon be published (along with a comment period) relating to (1) business associate liability; (2) new limitations on the sale of protected health information, marketing and fundraising communications; and (3) stronger individual rights to access electronic medical records and restrict the disclosure of certain information.  Although this posting is certainly welcome news, from a timing perspective the announcement only indicates that "OCR continues work on a Notice of Proposed Rulemaking (NPRM) regarding these provisions." 

Providing further evidence that the HITECH Act provisions relative to covered entities and business associates will not be enforced until after these forthcoming regulations have been finalized, HHS stated that "[a]lthough the effective date (February 17, 2010) for many of these HITECH Act provisions has passed, the NPRM and the final rule that follows will provide specific information regarding the expected date of compliance and enforcement of these new requirements."  The HITECH Act, however, is currently effective, and questions about the effective date for enforcement of the Act's privacy and security requirements may remain until published regulations specifically postpone enforcement.  Additionally, HHS reminds us that the Breach Notification Rule and the revised Enforcement Rule are currently in effect, and that covered entities and business associates must comply now with breach notification obligations for breaches that are discovered on or after September 23, 2009.

HHS Rule Implements HITECH Act Changes to HIPAA Enforcement

On Friday, October 30, 2009, the U.S. Department of Health and Human Services ("HHS") published an interim final rule and request for comments that implements certain HIPAA enforcement changes made pursuant to the HITECH Act. Consistent with the provisions of the HITECH Act, the new rule amends the HIPAA enforcement regulations applicable to violations of each of HIPAA's Administrative Simplification Rules (i.e., Privacy Rule, Security Rule, Transactions and Code Sets Rules, Standard Unique Identifier for Employers (EIN Rule), and the Standard Unique Identifier for Health Care Providers (NPI Rule)) by applying the following categories of violations and tiered penalty scheme to HIPAA violations that occur on or after February 18, 2009.

  • Unknown violations (i.e., if a person did not know and by exercising reasonable due diligence would not have known that a violation occurred): The penalty shall be at least $100 for each violation not to exceed $25,000 for all such identical violations during a calendar year, but may be no more than $50,000 for each violation not to exceed $1.5 million for all such violations of an identical requirement or prohibition during a calendar year.
  • Violations due to reasonable cause and not to willful neglect: The penalty shall be at least $1,000 for each violation not to exceed $100,000 for all such identical violations during a calendar year, but may be no more than $50,000 for each violation not to exceed $1.5 million for all such violations of an identical requirement or prohibition during a calendar year.
  • Violations due to willful neglect (and the violations have been corrected): The penalty shall be at least $10,000 for each violation not to exceed $250,000 for all such identical violations during a calendar year, but may be no more than $50,000 for each violation not to exceed $1.5 million for all such violations of an identical requirement or prohibition during a calendar year.
  • Violations due to willful neglect (and the violations have not been corrected): The penalty shall be at least $50,000 for each violation not to exceed $1.5 million for all such violations of an identical requirement or prohibition during a calendar year.

Furthermore, the interim final rule generally amends a covered entity's ability to employ an affirmative defense against an action seeking civil monetary penalties if (i) the covered entity did not have knowledge or constructive knowledge of the violation, and (ii) the violation was not due to reasonable cause and not willful neglect. HHS is also given the authority to waive a civil monetary penalty for violations due to reasonable cause and not willful neglect if the covered entity corrects the violation within 30 days of having knowledge that the violation occurred. 

Comments on this interim final rule will be considered if received by December 29, 2009.

New HHS Regulations Impose Federal Security Breach Notification Requirements

The recently enacted Health Information Technology for Economic and Clinical Health (“HITECH”) Act, which amends various aspects of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), including the associated Privacy and Security Rules, marks a significant change in how covered entities and their business associates must respond to security breaches under HIPAA.

On August 24, 2009, the U.S. Department of Health and Human Services (“HHS”) issued its interim final rule (“the Rule”) regarding a covered entity’s obligation to notify individuals when their unsecured protected health information (“PHI”) is breached. Furthermore, and depending on the nature of the security breach, the Rule also requires a more global notification whereby covered entities must post information regarding certain breaches in newspapers and on the HHS website.

The HHS Rule is effective on September 23, 2009; however, HHS will not impose sanctions for failure to provide the required notices for breaches that are discoverable before February 22, 2010.

For additional details, read the full alert.

FTC Issues Final Rule on Notifying Consumers About Breaches of Electronic Health Records

This post was written by Mark S. Melodia, Michael K. Brown, J. Ferd Convery, III, Steven J. Boranian, Brad M. Rostolsky, Shana R. Fried and Paul Bond.

Until now, the loss or theft of protected health information rarely resulted in notice to consumers. Very few state data security breach notification laws encompass medical information. The Health Insurance Portability and Accountability Act ("HIPAA") merely required an "accounting" of such events to a patient upon the patient's request.

All that has changed. Congress, in enacting the Health Information Technology for Economic and Clinical Health Act ("HITECH"), imposed breach notification obligations on many of the individuals and business entities that receive, create, or maintain patients' individually identifiable health information. Pursuant to HITECH, on Aug. 17, the Federal Trade Commission ("FTC") issued its Health Breach Notification Rule, governing the breach notification obligations of three new categories of entity: "vendors of personal health records," "PHR related entities" and "third party service providers."

To read the full alert, click here.