EU Justice Ministers Reach Partial General Approach on Aspects of Data Protection Regulation

Reed Smith’s Global Regulatory Enforcement Law Blog features a post on a recent meeting at which Justice ministers from across the European Union managed to agree on a partial general approach on several aspects of the draft Data Protection Regulation, which aims to set out a general EU framework for data protection. The ministers have not yet been able to reach a consensus on the proposed structure for resolving disputes related to data protection and privacy, which would involve the creation of a single European Data Protection Board. According to the press release, while the majority of ministers appear to be in favor of the “general architecture” of the proposed structure, more work will be needed before the final Data Protection Regulation is approved and adopted – which may not happen until 2016. For more information, read “EU Council Agrees on Partial General Approach to General Data Protection Regulation” by Reed Smith Partner Cynthia O’Donoghue.

EU Article 29 Data Protection Working Party Releases Guidelines Stemming from Google Spain Case

Reed Smith’s Global Regulatory Enforcement Law Blog features a post on a recent set of guidelines issued by the European Union’s Article 29 Data Protection Working Party outlining how EU Data Protection Authorities (DPAs) intend to implement the judgment of the Court of Justice of the European Union in Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González (C-131/12) (Google Spain), which set a milestone for EU data protection by granting individuals the right to request that search engines delist search results relating to them. The guidelines provide a common interpretation of the ruling as well as the common criteria to be used by the DPAs when addressing complaints. For additional details, read “EU Art. 29 Releases Guidelines on the Right to be Forgotten,” by Reed Smith Partner Cynthia O’Donoghue.

Effective Cyberliability Insurance Coverage

According to a recent study, the median amount of time between a breach of a company’s cybernetwork and the discovery of that breach is 229 days. Given this lengthy amount of time, companies should consider the benefits of an expanded cyberliability insurance policy period, particularly if the company is switching from one insurance provider to another. As discussed in “Hackers Don’t Care About the Terms of Your Insurance Policy: The Importance of Retroactive Dates and Extended Reporting Periods in Effective Cyberliability Insurance Coverage,” a client alert written by Reed Smith partners Brian Himmel, Andrew Moss, David Weiss and Cristina Shea, two such options for expanding the policy period are retroactive dates (shifting the effective date of coverage back, to capture events that occurred or were occurring but were not yet discovered when the policy was purchased) and extended reporting periods (which provide additional time to report events that are not discovered until after the end of the policy period).

To read the client alert, click here.

New California Amendment Aims to Increase Breach Responsibility and Accountability

Reed Smith’s Global Regulatory Enforcement Law Blog features a post on a California bill recently signed into law which expands the scope of requirements for entities that own, license, and maintain personal data or information about a California resident. “Did California Just Impose a First-in-the-Nation Requirement for Breaching Companies To Offer Identity Theft Prevention and Mitigation Services?” written by Reed Smith attorneys Paul Bond, Lisa Kim, and Leslie Chen, focuses on the three sections of the California Civil Code affected by the amendment:

  1. An entity that “maintains” an individual’s data or information – such as a retailer – is required to employ appropriate anti-breach protection. Previously this was only required of companies who “owned” or “licensed” personal information;
  2. An entity identified as the source of a breach of social security numbers or driver’s license numbers must offer affected individuals appropriate anti-breach protection and mitigation services for a period of at least one year; and
  3. An entity is disallowed – except in particular circumstances – from selling, advertising, or offering for sale an individual’s social security number.

The amendments will go into effect on January 1, 2015, after which point entities that do not follow these regulations will be at risk for legal action brought by affected individuals.

To read the full post, click here.

U.S. Senator Schumer Calls for Increased Regulation of Wearable Electronic Devices to Avoid Data Privacy Issues

Reed Smith’s Global Regulatory Enforcement Law Blog features a post on the recent phenomenon of wearable electronic devices and the legal issues that may arise from these gadgets. "Wearable Device Privacy - A Legislative Priority?," written by Reed Smith attorneys Frederick Lah and Khurram Gore, discusses a recent press release issued by U.S. Senator Chuck Schumer of New York expressing concern that personal health data collected by wearable devices and fitness apps, including medical conditions, sleep patterns, calories burned, GPS locations, blood pressure, weight, and more, will be provided to third parties without the user knowing it. Schumer, citing this as a threat to personal privacy, has urged the Federal Trade Commission to mandate that device and app companies provide users with an explicit “opt-out,” allowing them to block the distribution of this information to any third parties.

As the authors note, with the rising popularity of these types of devices, we expect regulators, legislators, and companies to start paying closer attention to the data security and privacy risks associated with their use.

Recent Data Breaches Serve as Warning for Companies to Assess Their Cybersecurity Insurance Coverage

Earlier this week, numerous media outlets reported on the Russian crime ring which had managed to steal more pieces of Internet data than any other group of hackers in history – a whopping collection of at least 1.2 billion user name and password combinations and over 500 million email addresses. The magnitude of data that this group has managed to accumulate, coupled with several other recent high-profile hacking incidents, is a wake-up call for businesses that cybersecurity has become a major contemporary concern. Data breaches are increasing in frequency, severity, and cost, and the potential consequences for an affected company can be devastating.

This trend and its insurance implications are discussed in a client alert by Reed Smith partners Doug Cameron, David Weiss, Andy Moss, and Cristina Shea, who point out that companies must start being proactive with their cybersecurity efforts. Businesses should take the time to assess their current cybersecurity insurance coverage as well as their coverage needs. Cyber-related insurance is an evolving area, so extensive research and consulting with counsel may be necessary before a company can select an insurance policy that maximizes its coverage.

California AG's Guidance on California Online Privacy Protection Act

The California Attorney General, Kamala D. Harris, has issued a long-awaited guide on how companies can comply with the California Online Privacy Protection Act (CalOPPA). CalOPPA applies to all companies which collect personally identifiable information from California residents online, regardless of whether that information is collected via a commercial website or a mobile application. This far-reaching statute requires virtually every company with an online presence in California, including drug and device companies, to have a company-drafted privacy policy that conforms with its guidelines.

The Attorney General’s guide, entitled “Making Your Privacy Practices Public,” can be found here. It provides specific recommendations on how businesses are to comply with CalOPPA’s requirements to disclose and comply with a company-drafted privacy policy. CalOPPA was recently amended to include information on how the website operator responds to Do Not Track signals or similar mechanisms. The law also requires company privacy policies to state whether third parties can collect personally identifiable information about the site’s users.

Reed Smith attorneys Lisa Kim, Paul Cho, and Divonne Smoyer have written a client alert summarizing the recommendations made by the Attorney General in this guide. To read the alert, click here.

EU Research Group Condemns EU Regulation for Restricting Growth in Life Sciences Sector; NHS Advocates Selling Confidential Patient Data For Secondary Purposes

Reed Smith’s Global Regulatory Enforcement Law blog features two posts of interest to those in the life sciences industry, both written by Reed Smith partner Cynthia O’Donoghue. “EU Research Group Condemns EU Regulation for Restricting Growth in Life Sciences Sector” discusses the opposition of a lobbying group, led by the Wellcome Trust, to amendments to the proposed General Data Protection Regulation – amendments that they believe could severely inhibit future growth of the life sciences sector in the European Union. “NHS Advocates Selling Confidential Patient Data For Secondary Purposes” discusses the criticism of the UK’s Health and Social Care Information Centre and NHS England’s new initiative known as ‘care.data’, which involves the extraction, anonymization, and aggregation of patient data from GP practices in a central database for sale to third parties such as drug and insurance companies.

Physician Practice Caught in OCR Crossfire Following Theft of Unencrypted Flash Drive

This post was written by Brad M. Rostolsky and John E. Wyand

The theft of an unencrypted flash drive has led to an agreement by Adult & Pediatric Dermatology, P.C., of Concord, Mass. (APDerm), to pay $150,000 to the Department of Health and Human Services’ Office for Civil Rights (OCR) to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules. APDerm will also be required to implement a corrective action plan to correct deficiencies in its HIPAA compliance program. APDerm is a private practice that delivers dermatology services in four locations in Massachusetts and two in New Hampshire.

This case marks the first settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of the American Recovery and Reinvestment Act of 2009. Significantly, it also marks one of the few instances where OCR has taken enforcement action against a smaller covered entity provider.

OCR opened an investigation of APDerm upon receiving a report that an unencrypted flash drive containing the electronic protected health information (ePHI) of approximately 2,200 individuals was stolen from a vehicle of one of its staff members. The flash drive was never recovered, and the investigation revealed that APDerm had not conducted “an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI” as part of its security management process. In other words, OCR continues to target the failure of covered entities to conduct a risk assessment under the Security Rule. Furthermore, OCR focused on APDerm’s failure to maintain appropriate policies and procedures, as well as the associated training, pursuant to the requirements of the Breach Notification Rule.

In addition to a $150,000 settlement, OCR imposed a corrective action plan requiring APDerm to develop a risk analysis and risk management plan to address and mitigate any security risks and vulnerabilities, as well as to provide an implementation report to OCR.

A copy of the Resolution Agreement and Corrective Action Plan may be found here.

OCR Releases HIPAA Guide for Law Enforcement

This post was authored by Brad Rostolsky and Jennifer Pike.

On September 20, 2013, the Office for Civil Rights of the U.S. Department of Health & Human Services announced the addition of a new resource on its website to assist law enforcement and emergency planners when addressing information-sharing that may be subject to the HIPAA Privacy Rule. Among other things, the guide does the following:

  • Describes the Privacy Rule and identifies which entities are required to comply
  • Outlines several examples of when disclosures of health information to law enforcement are allowed

The guide is available online.

OCR Announces Enforcement Delay for CLIA Labs

This post was authored by Brad Rostolsky and Jennifer Pike.

The Office for Civil Rights (OCR) of the Department of Health & Human Services (HHS) announced September 19, 2013 that, until further notice, it is delaying enforcement of the requirement that certain HIPAA-covered labs revise their notices of privacy practices (NPPs) to comply with modifications made by the HITECH Final Rule. The enforcement delay applies to HIPAA-covered labs that are subject to the Clinical Laboratory Improvement Act (CLIA), or exempt from CLIA, and that are not required to provide an individual with access to his or her lab test reports, because the reports are subject to the exceptions to the right of access at 45 C.F.R. § 164.524. The delay does not apply to labs that operate as part of a larger legal entity and, by virtue of that relationship, do not have their own NPP.

By way of background, under the Privacy Rule, covered entities must promptly revise their NPPs whenever there is a material change to the privacy practices described in the NPP. The HITECH Final Rule made a number of such material changes, necessitating that covered entities revise their NPPs.

The enforcement delay is a result of HHS’ plan to amend the HIPAA Privacy Rule and CLIA regulations regarding the rights of individuals to receive their test reports directly from CLIA and CLIA-exempt labs. If finalized as proposed, the amendment would result in a material change to the labs’ privacy practices. The purpose of the delay is to decrease the burden on and expense to HIPAA-covered labs of having to revise their NPPs twice within a short period of time.

For more information about the HITECH Final Rule and its implementation, please see our previous discussion of this topic.

HHS Releases Prescription Refill Reminder Guidance

This post was written by Brad M. Rostolsky, Jennifer L. Pike and Nancy E. Bonifant

The Department of Health & Human Services (HHS) released on September 19, 2013 guidance on financially remunerated prescription refill reminders.

Under the currently enforced Privacy Rule, covered entities must obtain an individual’s valid authorization prior to using and disclosing the individual’s protected health information for “marketing” purposes – which includes communications about a product or service that encourages the recipients of the communication to purchase or use the product or service. This requirement, however, includes a significant exception for communications that also meet the definition of “treatment” or “health care operations” communications, including prescription refill reminders, even where a third party subsidizes the covered entity’s communication.

Under the Privacy Rule, determining whether a communication falls within the refill reminder exception depends on (1) whether the communication is about a currently prescribed drug or biologic, and (2) whether the communication involves financial remuneration and, if it does, whether the financial remuneration is reasonably related to the covered entity’s cost of making the communication. HHS now provides guidance on each of these aspects of the refill reminder exception.

Among other points, HHS makes the following notable determinations:

  • Communications about specific formulations of a currently prescribed medicine do not fall within the refill reminder exception
  • When remuneration involves payments to a business associate assisting a covered entity in carrying out a refill reminder or medication adherence program, or to make other excepted communications, which exceed the fair market value of the business associate’s services, the communication does not fall within the refill reminder exception

The release of the guidance follows an announcement September 11, 2013, that HHS has decided not to enforce the restrictions on financially remunerated prescription refill reminders until November 7, 2013, 45 days after the general HITECH compliance date of September 23, 2013. HHS’ decision to delay enforcement came on the heels of a lawsuit filed by Adheris, Inc., a Massachusetts company that provides prescription refill reminders. The lawsuit challenges the constitutionality of the HITECH Final Rule’s restrictions on remunerated prescription refill reminders.

Reed Smith’s HIPAA practice is in the process of conducting a full review of the guidance and will release additional analysis shortly.

HITECH FINAL RULE DELAYED ENFORCEMENT: PRESCRIPTION REFILL REMINDERS

HHS to Release Guidance on “Reasonable” Financial Remuneration by September 23, 2013; Enforcement to Be Delayed Until November 7, 2013

This post was written by Brad M. Rostolsky, Nancy E. Bonifant and Jennifer L. Pike

On September 5, 2013, Adheris, Inc. (“Adheris”), a Massachusetts company that provides, among other services, prescription refill reminders, filed a lawsuit in the U.S. District Court for the District of Columbia against Kathleen Sebelius, Secretary of Health & Human Services (“Secretary”), and the Department of Health & Human Services (“HHS”), challenging the constitutionality of the HITECH Final Rule’s restrictions on remunerated prescription refill reminders. Contemporaneous with its lawsuit, Adheris filed a Motion for Preliminary Injunction seeking to enjoin the Secretary’s enforcement of these restrictions, which was set to begin on September 23, 2013.

In a joint motion filed by the parties today seeking to suspend the court’s schedule on the Motion for Preliminary Injunction, the Secretary and HHS have informed the court that HHS expects to release guidance by September 23, 2013, on the HITECH Final Rule’s “reasonable in amount” restriction applicable to financially remunerated prescription refill reminders. The Secretary has also decided not to enforce the restrictions on financially remunerated prescription refill reminders until November 7, 2013, 45 days after the general HITECH compliance date of September 23, 2013.

Under the currently enforced Privacy Rule, covered entities must obtain an individual’s valid authorization prior to using and disclosing the individual’s protected health information for “marketing” purposes – which includes communications about a product or service that encourages the recipients of the communication to purchase or use the product or service. This requirement, however, included a significant exception for communications that also met the definition of “treatment” or “health care operations” communications, including prescription refill reminders, even where a third party subsidized the covered entity’s communication.

In a marked departure from the currently enforced Privacy Rule (and the July 2010 HITECH Proposed Rule), the Final Rule generally requires authorizations for all third-party subsidized health care operations and treatment communications, with a limited exception applicable to prescription refill reminders. With respect to prescription refill reminders, a covered entity may still receive some financial remuneration from third parties for making these communications, but this remuneration must be “reasonably related to the covered entity’s cost of making the communication.” In preamble language to the Final Rule, HHS made clear that permissible costs include only the costs of labor, supplies, and postage – where a covered entity generates a profit or receives payment for other costs in exchange for making a prescription refill reminder, the exception would not apply and the covered entity would need to obtain individual authorization.

Ultimately, what remains unknown is whether HHS will explicitly permit covered entities, and their business associates, to make a profit in connection with communicating prescription refill reminders, or if HHS will merely reaffirm its previously stated position in the preamble to the HITECH Final Rule.

For more information about the HITECH Final Rule and its implementation, please see our previous discussion of this topic.

If Your Old Photocopier Could Talk, What Would It Say? Health Plan's Used Photocopier Linked to $1.2 Million HIPAA Settlement

This post was written by Brad M. Rostolsky, Nancy E. Bonifant and Jennifer L. Pike.

Who knew that photocopiers stored information? Apparently "CBS Evening News" did, and now an April 2010 investigative report has led to a million-dollar HIPAA settlement.

Affinity Health Plan, Inc. (Affinity), a New York-based, not-for-profit health plan, agreed to pay the Office for Civil Rights (OCR) $1,215,780 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. The settlement resulted from a breach self-report by Affinity, which first learned of the electronic protected health information (PHI) stored on its formerly leased photocopier’s hard drive from "CBS Evening News" (CBS).

In April 2010, CBS conducted an investigative report on the security risks associated with digital photocopiers, which, since 2002, typically contain hard drives that can store an image of every document copied, scanned, or emailed from the machine. As part of the investigation, CBS purchased four randomly selected used photocopiers, including one previously leased by Affinity. On the machine's hard drive, CBS found 300 pages of individuals' medical records.

Following Affinity's breach self-report, OCR found that Affinity impermissibly disclosed PHI of up to 344,579 individuals when it returned multiple photocopiers to leasing agents without erasing the data contained on the machines’ hard drives. OCR further determined that Affinity (1) failed to include electronic PHI stored on photocopiers’ hard drives in its required Security Rule risk analysis, and (2) failed to implement its existing policies and procedures when returning photocopiers to its leasing agents.

In addition to the $1.2 million settlement, the Resolution Agreement between OCR and Affinity included a corrective action plan (CAP). The CAP requires Affinity to use its best efforts to retrieve all hard drives that were contained on photocopiers previously leased by Affinity and that remain in the possession of the leasing agent. Affinity must also (1) conduct a comprehensive risk analysis that incorporates all electronic equipment and systems controlled, owned, or leased by Affinity; (2) develop a plan to address and mitigate security risks and vulnerabilities found in its analysis; and (3) if necessary, revise its current policies and procedures accordingly.

The global take-away from this latest enforcement action is that an entity's failure to comply with the obligation to conduct a comprehensive Security Rule risk analysis remains OCR’s primary, and most often used, trigger to take significant enforcement action. Since almost every business uses photocopiers, Affinity serves as a reminder that all covered entities and business associates should implement policies and procedures to ensure that all hard drives are scrubbed of PHI before leaving their possession. More information on safeguarding sensitive data stored in the hard drives of digital photocopiers can be found here.

For additional information on OCR’s enforcement activities, visit the U.S. Department of Health and Human Services website.

OCR Continues to Use Breach Self-Reports as an Invitation to Audit General HIPAA Compliance

Massachusetts Provider Becomes Third Seven-Figure Settlement Since March

This post was written by Nancy E. Bonifant and Brad M. Rostolsky.

On September 17, 2012, the HHS Office of Civil Rights ("OCR") announced another settlement and corrective action plan following an entity’s breach self-report required by HITECH’s Breach Notification Rule. Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (collectively "MEEI") have agreed to pay $1.5 million to settle potential violations of the HIPAA Security Rule following the theft of a physician’s unencrypted, but protected, laptop, providing additional evidence that: (1) OCR will likely view any breach notification as an opportunity to conduct a de facto audit of an entity’s general HIPAA compliance; and (2) encryption of all portable devices containing electronic protected health information ("ePHI"), though not technically "required," is a critical compliance consideration.

The information contained on the laptop, which was stolen while the physician was lecturing in South Korea in 2010, included prescriptions and clinical information for approximately 3,600 patients and research subjects. According to MEEI, although unencrypted, the laptop was password protected and contained a tracking device commonly referred to as "LoJack." Using LoJack, MEEI determined that a new operating system had been installed on the computer and that the software needed to access the ePHI had not been reinstalled. After concluding that retrieval of the laptop was unlikely, MEEI remotely and permanently disabled the hard drive, rendering any ePHI unreadable.

Although OCR’s subsequent investigation revealed no patient harm as a result of the breach, the agency did find that the breach indicated a long-term, organizational disregard for the requirements of the Security Rule. More specifically, over an extended period of time, MEEI failed to:

  • Conduct a thorough analysis of the risk to the confidentiality of ePHI maintained on portable devices;
  • Implement security measures sufficient to ensure the confidentiality of ePHI that MEEI created, maintained, and transmitted using portable devices;
  • Adopt and implement policies and procedures to restrict access to ePHI to authorized users of portable devices; and
  • Adopt and implement policies and procedures to address security incident identification, reporting, and response.

Following on the heels of the Alaska Department of Health and Social Services’ $1.7 million settlement in June, which also followed a breach that affected a relatively small number of individuals, OCR’s recent enforcement actions suggest that its focus is on the lack of overall HIPAA compliance that may lead to a breach and not the breach itself. This settlement also reaffirms the practical necessity of encrypting all ePHI on portable devices. According to Leon Rodriguez, Director of OCR, "[i]n an age when health information is stored and transported on portable devices such as laptops, tablets, and mobile phones, special attention must be paid to safeguarding the information held on these devices."

In addition to the $1.5 million settlement, the Resolution Agreement between MEEI and OCR included a corrective action plan, which requires MEEI to review, revise, and maintain policies and procedures to ensure compliance with the Security Rule, and retain an independent monitor who will conduct assessments of MEEI’s compliance with the corrective action plan and render semi-annual reports to HHS for a 3-year period. MEEI did not admit any liability in the agreement and OCR did not concede that MEEI was not liable for civil monetary penalties.

Additional information about OCR’s enforcement activities can be found at hhs.gov.

Small Cardiology Practice to Pay $100,000 to Settle Allegations of HIPAA Violations

This post was written by Nancy E. Bonifant and Brad M. Rostolsky.

On April 17, 2012, the HHS Office of Civil Rights (OCR) announced a settlement and corrective action plan with Phoenix Cardiac Surgery, P.C. (Phoenix), a small cardiology practice based in Phoenix and Prescott, Arizona. More specifically, Phoenix has agreed to pay $100,000 to settle allegations of HIPAA violations arising out of an investigation conducted by OCR.

OCR’s investigation of Phoenix followed a report that Phoenix was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible. On further investigation, OCR discovered the following issues:

  • Phoenix failed to implement adequate policies and procedures to appropriately safeguard patient information;
  • Phoenix failed to document that it trained any employees on its policies and procedures on the Privacy and Security Rules;
  • Phoenix failed to identify a security official and conduct a risk analysis; and
  • Phoenix failed to obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to its electronic protected health information.

This settlement serves as additional evidence of OCR’s increased focus on enforcement actions for alleged HIPAA violations, following just one month after the first enforcement action resulting from a breach self-report under the Breach Notification Rule. According to Leon Rodriguez, Director of OCR, he “hope[s] that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.” Additionally, the settlement provides further evidence that OCR will likely view any investigation of an alleged Privacy or Security Rule infraction as an opportunity to conduct a de facto audit of the entity’s general compliance with HIPAA.

In addition to the $100,000 settlement, the Resolution Agreement between Phoenix and OCR requires Phoenix to develop and maintain written Privacy and Security policies, which will set forth, at a minimum, administrative safeguards, technical safeguards, and training of all Phoenix’s workforce members. In addition, Phoenix will provide specific training on the Privacy and Security policies within 60 days of OCR’s approval to all workforce members who use or disclose protected health information and will report any violations of those policies and procedures by a workforce member to OCR within 30 days. Phoenix did not admit any liability in the agreement and OCR did not concede that Phoenix was not liable for civil monetary penalties.

Additional information about OCR’s enforcement activities can be found at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html.

OCR Announces First Enforcement Action Resulting From a Breach Self-Report

This post was written by Nancy E. Bonifant and Brad M. Rostolsky.

On March 13, 2012, the HHS Office of Civil Rights (OCR) announced the first enforcement action resulting from a breach self-report required by HITECH’s Breach Notification Rule. Blue Cross Blue Shield of Tennessee (BCBST) has agreed to pay HHS $1,500,000 to settle potential violations of the HIPAA Privacy and Security Rules and has entered into a corrective action plan to address gaps in its HIPAA compliance program.


The HIPAA/HITECH Breach Notification Rule requires covered entities to report a breach (e.g., an impermissible use or disclosure of protected health information that compromises the security or privacy of the protected health information) to the affected individual(s), HHS and, at times, the media. OCR’s investigation of BCBST followed a breach report submitted by BCBST informing HHS that 57 unencrypted computer hard drives were stolen from a leased facility in Tennessee. The hard drives contained the protected health information of more than 1 million individuals, including member names, social security numbers, diagnosis code, dates of birth, and health plan identification numbers.

According to OCR’s investigation, BCBST failed to implement appropriate administrative and physical safeguards as required by the HIPAA Security Rule. More specifically, BCBST failed to perform the required security evaluation in response to operational changes and did not have adequate facility access controls.

In addition to the $1,500,000 settlement, the Resolution Agreement between BCBST and OCR requires BCBST to revise its Privacy and Security policies, conduct robust training for all employees, and perform monitoring reviews to ensure compliance with the corrective action plan. BCBST did not admit any liability in the agreement and OCR did not concede that BCBST was not liable for civil monetary penalties.

Additional information about OCR’s enforcement activities can be found at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html.

OCR Launches Privacy and Security Audits

This post was written by Brad M. Rostolsky and Nancy E. Bonifant.

To implement the HITECH Act’s mandate for the Office for Civil Rights (OCR) to perform HIPAA audits, OCR has just announced that it is piloting a program to perform up to 150 audits of covered entities to assess privacy and security compliance. Audits conducted during the pilot phase are planned to begin with an initial 20 audits between November 2011 and April 2012. The remaining audits are scheduled to conclude by December 2012. All covered entities and business associates are eligible for audits; however, OCR has indicated that it is focusing on covered entities (ranging in type and size) in the initial phase. Business associates will be included in future audits.

During the pilot, every audit will include a document production and onsite visit, and will result in an audit report. OCR will notify a selected covered entity in writing and request documentation of the covered entity’s privacy and security compliance efforts. The covered entity must comply within 10 business days. OCR expects to notify selected covered entities between 30 and 90 days prior to the anticipated onsite visit. Onsite visits may take between three and 10 business days, and after fieldwork is completed, the auditor will provide the covered entity with a draft final report. Selected covered entities will then have 10 business days to review and provide written comments back to the auditor. The auditor will complete a final audit report within 30 business days after the covered entity’s response and submit it to OCR.

Should an audit report indicate a serious compliance issue, OCR may initiate a compliance review to address the problem. Significantly, OCR will not post a listing of audited entities or the findings of an individual audit that clearly identifies the audited entity.

A description of the pilot program is available at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/index.html.

HHS Issues Notice of Proposed Rulemaking Regarding the HIPAA Privacy Rule’s Standard for Accounting of Disclosures Requirements and Access Report

This post was written by Gina M. Cavalier and Brad M. Rostolsky.

Today the Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking implementing provisions of the HITECH Act related to accounting for disclosures of protected health information (PHI). Pursuant to the HITECH Act and its more general authority under HIPAA, HHS proposed to divide the Privacy Rule provisions related to an accounting into two separate individual rights: (1) an accounting and (2) an access report.

With respect to an accounting, HHS proposes that individuals have a right to an accounting of disclosures of PHI in a designated record set made by a covered entity or a business associate: (i) for impermissible purposes, (ii) for public health activities, (iii) for judicial and administrative proceedings, (iv) for law enforcement purposes, (v) to avert a serious threat to health or safety, (vi) for military and veterans activities, and (vii) for workers’ compensation. The proposed compliance date for this provision is 180 days after the effective date of the final rule.

With respect to the access report, HHS proposes to provide individuals with the right to receive a report detailing who has accessed their electronic PHI in a designated record set maintained by a covered entity or its business associates. HHS proposes that covered entities and business associates provide individuals with a right to an access report beginning January 1, 2013, for electronic designated record set systems acquired after January 1, 2009, and beginning January 1, 2014 for electronic designated record set systems acquired as of January 1, 2009.

The proposed rule is posted here.

Comments are due in 60 days - August 1, 2011.

HHS Issues Notice of Proposed Rulemaking Regarding the HIPAA Privacy Rule’s Standard for Accounting of Disclosures Requirements

This post was written by Gina M. Cavalier, Vicky G. Gormanly and Brad M. Rostolsky.

Pursuant to the HITECH Act, covered entities and business associates must account for disclosures of PHI for treatment, payment and health care operations if the disclosures are through an electronic health record. This represents a significant change to the requirements under the current HIPAA Privacy Rule. The Department of Health and Human Services (HHS) will shortly publish a notice of proposed rulemaking to modify the Privacy Rule’s standard for accounting of disclosures of protected health information. An advance copy of the proposed rule is available here.

HHS proposes to expand the accounting requirements of the Privacy Rule to provide individuals with the right to receive an access report detailing who has accessed their electronic PHI in a designated record set. Accordingly, HHS proposes to revise an individual’s right to an accounting under the Privacy Rule by separately setting forth an individual’s right to (1) an accounting of disclosures and (2) an access report. HHS has also proposed other changes designed to improve the workability and effectiveness of the existing accounting of disclosures requirements.

Comments are due 60 days after the proposed rule is published in the Federal Register.

More to come...

Final HITECH Privacy and Security Rule Expected Soon

According to a senior health information technology and privacy specialist at the HHS Office for Civil Rights (OCR), regulations finalizing the July 14, 2010, proposed rule implementing many of the HITECH Act's privacy, security, and enforcement requirements could be published by the end of 2010 or in early 2011. Additionally, OCR is developing a HITECH Act-required "periodic audit" plan, which will be targeted to ensure that covered entities and business associates comply with the requirements of the Privacy and Security Rules.

We'll keep you posted as things progress . . .

New HITECH/HIPAA Proposed Rule Released Today

HHS has just released its proposed rule modifying the HIPAA Privacy, Security, and Enforcement Rules to implement the privacy, security, and certain enforcement provisions of subtitle D of the Health Information Technology for Economic and Clinical Health Act (Title XIII of the American Recovery and Reinvestment Act of 2009).  The advance version of the rule can be accessed here; the official version will be published July 14.  A press release should be available later this morning.

Pursuant to the announcement of the proposed rulemaking on the HHS Privacy website, the proposed modifications to the HIPAA Rules include provisions extending the applicability of certain of the Privacy and Security Rules’ requirements to the business associates of covered entities, establishing new limitations on the use and disclosure of protected health information for marketing and fundraising purposes, prohibiting the sale of protected health information, and expanding individuals’ rights to access their information and to obtain restrictions on certain disclosures of protected health information to health plans. In addition, the proposed rule adopts provisions designed to strengthen and expand HIPAA’s enforcement provisions.

Importantly, HHS has stated that the new HIPAA regulations will not be enforced until 180 days after the final rule has become effective. Comments will be due on or about September 13, 2010.

More to come . . . 

Red Flags Rule Enforcement Postponed Again

On May 28, 2010, just shy of the June 1st compliance deadline, the Federal Trade Commission announced that it would again be postponing enforcement of the Red Flags Identity Theft Prevention Rule through December 31, 2010. This delay comes at the request of Congress, which has been considering legislation (which has been referred to the Senate Committee on Banking, Housing, and Urban Affairs) that would affect the scope of entities covered by the Rule. The FTC "urges Congress to act quickly to pass legislation that will resolve any questions as to which entities are covered by the Rule and obviate the need for further enforcement delays." If Congress passes legislation limiting the scope of the Red Flags Rule with an effective date earlier than December 31, 2010, the Commission will begin enforcement as of that effective date.

Mexico's Senate Passes Federal Law for Protection of Personal Data

This post was written by Mark S. Melodia, Cynthia O'Donoghue and Anthony S. Traymore.

On April 27, 2010, the Mexican Senate passed Ley Federal de Protección de Datos Personales en Posesión de los Particulares (the Federal Law for Protection of Personal Data (FLPPA)). President Felipe Calderon is expected to sign the FLPPA into law soon, and thereafter the FLPPA will be published and its regulatory provisions enacted. The objective of the FLPPA is to provide regulatory mechanisms for the newly established replacement agency, Instituto Federal de Acceso a la Información y Protección de Datos (the Federal Institute of Information Access and Data Protection (FIIADP)), to enforce the FLPPA in relation to any individual or entity engaging in the collection, storage and/or transfer of personal data, including life sciences and health care clients.

To read the full alert, click here.

Ten Data Security Questions Faced by Every Company

Privacy and data security are hot topics for everyone doing business in today's rapidly developing climate, and no less for those in life science and health-related industries. With new federal statutes, new regulations from HHS and FTC, and new state laws covering private health information, now is a good time for businesses to take stock of the applicable laws and take steps to ensure that their use, transfer, and storage of private data are secure and compliant. In this article, Reed Smith's Paul Bond gives his "Ten Data Security Questions Faced by Every Company," a one-stop survey of how every business should approach these issues.

Another Postponement of FTC's Red Flags Rule

On October 30, 2009, the Federal Trade Commission (FTC) issued a News Release announcing that it is granting industries under the FTC's jurisdiction an additional 7 months (i.e., until June 1, 2010) to develop and implement their identity theft prevention programs as required under the FTC's Identity Theft Red Flags Rule. According to the FTC News Release, this additional extension has been provided at the request of members of Congress. In making this announcement, the FTC attempts to refocus the attention of creditors and financial institutions on the FTC's dedicated Red Flags Rule website, which contains various compliance guidance documents designed to assist affected industries with the development of Identity Theft Prevention Programs.

Also on October 30, 2009, the U.S. District Court for the District of Columbia ruled that the FTC may not apply the Red Flags Rule to attorneys. The FTC's News Release acknowledges this ruling, and further cautions that the FTC's additional postponement of Red Flags Rule enforcement remains distinct from whatever timeline may be associated with the aforementioned court proceeding and any possible appeals.

The announcement of the additional extension is available at www.ftc.gov, and our prior posts on the Red Flags Rule are available here.

FTC Further Postpones Identity Theft Red Flags Rule

On July 29, 2009, the Federal Trade Commission (FTC) issued a News Release announcing that it is granting industries under the FTC's jurisdiction an additional 3 months to develop and implement their identity theft prevention programs as required under the FTC's Identity Theft Red Flags Rule. Additionally, the FTC staff will "redouble" its education efforts and ease compliance by providing additional resources and guidance to clarify whether businesses are covered by the Rule and what they must do to comply. By extending the enforcement date of the Rule until November 1, 2009, the FTC intends to give creditors and financial institutions more time to review the forthcoming guidance and to develop and implement written Identity Theft Prevention Programs. The announcement of the extension is also available at www.ftc.gov, and our prior posts on the Red Flags Rule are available here.

Identity Theft Red Flag Rule Further Postponed

This post was written by Carol Loepere.

On April 30, 2009, the Federal Trade Commission (FTC) issued a News Release announcing that it is granting industries under the FTC's jurisdiction an additional 3 months to develop and implement their identity theft prevention programs as required under the FTC's so-called Identity Theft Red Flag Rule. The FTC also stated that some entities, particularly those that are small, non-traditional creditors, would benefit from the availability of a template Red Flags program in developing their programs. The Commission staff intends to publish such a template for low-risk entities shortly. The FTC said that the extension, coupled with the release of the template, should be sufficient to enable low-risk entities to prepare their programs without undue burden. The announcement of the extension is also available at www.ftc.gov.

Health Information Privacy and Incentives, Medicaid Funding, and Other Health Care Provisions in the American Recovery and Reinvestment Act

This post was written by Karl A. Thallner, Jr., Carol C. Loepere, Debra A. McCurdy, Brad M. Rostolsky, Jacqueline B. Penrod, and Amie E. Schaadt.

On February 17, 2009, President Obama signed into law H.R. 1, the American Recovery and Reinvestment Act (the “ARRA”). The sweeping $790 billion economic stimulus package includes a number of health care policy provisions. Reed Smith's Health Care Memorandum summarizes the major health policy provisions of the Act.

Update on FTC's Identity Theft Red Flag Regulations: Address Discrepancy Rule and Identity Theft Prevention Rule as They Apply to Health Care Providers

This Client Alert, written by Debra L. Hutchings, Paul J. Bond and Carol C. Loepere, updates information received from the Federal Trade Commission (“FTC”) concerning application of its Address Discrepancy and Red Flag rules aimed at combating identity theft as they apply to health care providers and suppliers. As reported previously, these rules, collectively known as the Red Flag Regulations, 16 C.F.R. § 681.1 et seq. (“Red Flag Regulations”), apply to users of consumer reports and “creditors,” which may include many participants in the health care industry.

Past posts on this subject describe the FTC's decision to delay enforcement of a portion of the regulations and our initial discussion of the implications of the FTC's Red Flag Regulations for health care providers.

HIPAA Preemption

In "Ex Parte Talks Allowed Under Georgia Law For Counsel, Doctors Preempted by HIPAA" (password required), the United States Law Week discusses in detail Moreland v. Austin, Georgia Sup. Ct. No. S08G0498, a November 3, 2008 decision holding that defense attorneys who wish to engage in ex parte communications with plaintiffs' treating physicians must comply with HIPAA privacy rules. Since HIPAA affords more patient privacy than a Georgia law that permitted ex parte contact once a plaintiff put his or her medical condition at issue, the Georgia law was preempted.

Preemption giveth, and preemption taketh away.

A Baby Step Toward Reasonable Class Action Fees?

On Monday, the District Court of Massachusetts issued a notable attorney's fee award decision in a class action arising from a data privacy breach, In re TJX Companies Retail Securities Litig. Along with a class settlement, class counsel urged the court to approve a $6.5 million attorney's-fees award, arguing that hundreds of millions of dollars in potential value had been created for the class. However, the payout depended entirely on class members making claims, and claims for only a small fraction of the supposed potential ($6 million) were made. The court quite reasonably rejected class counsel's suggestion that the potential (but unrealized) claims supported the requested fees. That said, the court still approved the fee request pursuant to the lodestar method ($3.3m in lodestar * 1.97 multiplier = $6.5m).

The court finished with a cautionary note, which is where the baby step comes in: "In the future . . . Plaintiff's counsel can expect that this court, when confronted with reversionary common fund or claims-made settlements, will award attorney's fees by reference to the value of benefits actually put in the hands of class members." (emphasis in original). In reality, however, it would have been entirely reasonable for the court to use this standard for attorney's fees now, without waiting for the next time.

UPDATE: Drug and Device Law also has a November 11, 2008 post about this TJX case.

California's New HIPAA-Like Requirements Impose New Data Privacy & Security Duties - and Create New Potential Liabilities

Data breaches can occur in any industry, but those that involve medical information create unique problems. Starting January 1, they also will carry unique penalties, at least in California, under two new California laws, Senate Bill 541 (SB 541) and Assembly Bill 211 (AB 211).

Health care providers clearly need to take heed of the laws' directives that they take additional affirmative steps to prevent “unauthorized access” to patient information. But AB 211 is particularly broad in scope, covering “any person or entity” that “negligently discloses” or “knowingly or willfully obtains, discloses, or uses medical information,” which means other players in the life sciences industry probably should take note as well. A full discussion of SB 541 and AB 211, written by Janet H. Kwuon and Rachel A. Rubin, is here.

FTC Grants Six-Month Delay on Enforcement of the "Red Flag Rules"

This post was written by Carol C. Loepere.

Today, the Federal Trade Commission (FTC) issued a press release to announce that it will suspend enforcement of the new “Red Flag Rules” until May 1, 2009, to give "creditors" and financial institutions additional time in which to develop and implement written identity-theft prevention programs. Reed Smith has worked on behalf of the American Health Care Association (AHCA) to question the applicability of the rules to health care providers, and to request a delay in the effective date of the rule. For more on the possible application of the FTC's Red Flag Rules to health care providers, see our prior post.

FTC's Identity Theft Red Flag Regulations: Implications for Health Care Providers

This post was written by Debra L. Hutchings, Paul J. Bond, and Carol C. Loepere.

In November 2007, the Federal Trade Commission (“FTC”) issued sweeping regulations aimed at deterring, detecting and preventing identity theft. Under these rules, known as the Red Flag Regulations, 16 C.F.R. § 681.1 et seq. and Final Rule (“Red Flag Regulations”), financial institutions and creditors of covered accounts must establish a program to detect, prevent and mitigate identity theft. While somewhat unclear and perhaps counterintuitive, the breadth of the Red Flag Regulations and the FTC’s current interpretation indicate that these rules apply to many participants in the health care industry. The rules become effective November 1, 2008.

The Red Flag Regulations have three parts, two of which pertain to the health care industry. The first part applies to anyone who uses “consumer reports” for employment, insurance or credit purposes. The second part places obligations on “creditors and financial institutions” to detect, prevent and mitigate identity theft in relation to accounts covered under the Red Flag Regulations. This Client Alert addresses each part in turn.