Recent OCR Enforcement Activities Cause Serious Case of Déjà Vu: Theft of Unencrypted Laptops Leads to Two Separate HIPAA Settlements

This post was written by Brad Rostolsky, Nan Bonifant and Jillian Riley

We have heard this story before: unencrypted laptop containing electronic protected health information (ePHI) is stolen. The covered entity’s subsequent breach self-report triggers not only an incident investigation by the Department of Health and Human Services, Office for Civil Rights (OCR), but a de facto HIPAA compliance audit as well. While the covered entities involved change, the consequences and enforcement message remain the same.

Now, two more covered entities have settled potential violations of the HIPAA Privacy and Security Rules arising from the theft of unencrypted laptops by paying a total of $1,975,220, and agreeing to continued oversight by OCR through Corrective Action Plans (CAPs). In both instances, the breaches were self-reported and the settlements resulted from OCR’s subsequent investigations.

On December 28, 2011, Concentra Health Services (Concentra), a national health care provider and subsidiary of Humana Inc., reported to OCR that an unencrypted laptop was stolen from one of its facilities. OCR’s subsequent investigation revealed that while Concentra previously recognized that a lack of encryption on laptops, desktops, medical equipment, and tablets presented a critical risk to ePHI, Concentra failed to fully implement necessary steps to address those vulnerabilities. OCR’s investigation further found that Concentra had insufficient security management processes in place to ensure proper safeguarding of patient information. Concentra paid OCR $1,725,220 to resolve these alleged HIPAA violations and will adopt a CAP to evidence their remediation efforts.

The second settlement, which resulted in a $250,000 payment to OCR, stemmed from the theft of an unencrypted laptop from an employee’s car on October 8, 2011. The laptop, belonging to a workforce member of QCA Health Plan, Inc. of Arkansas (QCA), contained the ePHI of 148 individuals. While QCA instituted company-wide device encryption following discovery of the breach, OCR’s subsequent investigation revealed that QCA had failed to comply with multiple requirements of the HIPAA Security Rule, beginning from the Rule’s compliance date in April 2005. In addition to the monetary settlement amount, QCA agreed to provide HHS with an updated risk analysis and corresponding risk management plan that includes specific security measures to reduce the risks to, and vulnerabilities of, its ePHI. QCA also agreed to retrain its workforce and document its ongoing compliance efforts.

Unfortunately, as portable devices proliferate in the health care industry, the question for most covered entities is not if a laptop or mobile device will be stolen, but when. Encryption not only provides a safe harbor under the Breach Notification Rule, but it has also become a practical necessity for HIPAA compliance. Failure to address encryption of portable devices in Security Rule risk analyses and, in most cases, failure to implement some form of encryption, will continue to expose covered entities (as well as business associates) to significant compliance risk.

Additional information about OCR’s enforcement activities can be found at

Final Rule Gives Patients a New Right under HIPAA to Access Completed Test Reports Directly from Labs

This post was written by Nan Bonifant, Brad Rostolsky, and John Wyand

On February 6, 2014, the U.S. Department of Health & Human Services’ (HHS) Centers for Medicare & Medicaid Services (CMS), Centers for Disease Control and Prevention (CDC), and Office for Civil Rights jointly published a final rule amending the HIPAA Privacy Rule and the Clinical Laboratory Improvement Amendments of 1988 (CLIA) regulations to provide patients with direct access to laboratory test reports. HHS believes that a right to access these test reports under HIPAA is crucial to provide patients with vital information to empower them to better manage their health and take action to prevent and control disease. The amendments to both regulations become effective April 7, 2014, and HIPAA-covered laboratories must comply with the new right by October 6, 2014.

Under the currently enforced Privacy Rule, a patient’s right to access his or her protected health information (PHI) is limited with respect to PHI maintained by a CLIA laboratory or a CLIA-exempt laboratory. This limitation was included in the Privacy Rule because the existing CLIA regulations may prohibit such laboratories from disclosing this information. Currently, a CLIA laboratory may only disclose laboratory test results to three categories of individuals or entities: (1) the “authorized person,” (2) the health care provider who will use the test results for treatment purposes, and (3) the laboratory that initially requested the test. An “authorized person” is the individual authorized under state law to order or receive test results. If a state does not authorize patients to receive their test results, the patients must receive this information from their health care providers.

The final rule modifies the CLIA regulations to allow laboratories subject to CLIA, upon the request of a patient (or the patient’s personal representative), to provide access to completed test reports that – using the laboratory’s authentication process – can be identified as belonging to that patient. With respect to the Privacy Rule, the final rule removes the exceptions to a patient’s right of access related to CLIA and CLIA-exempt laboratories. Therefore, as of October 6, 2014, HIPAA-covered laboratories will be required to provide a patient or his or her personal representative with access, upon request, to the patient’s completed test reports, as well as to other PHI maintained in a designated record set. For purposes of the final rule, test reports are not part of a designated record set until they are “complete.” A test report is considered complete when all results associated with an ordered test are finalized and ready for release. These changes to the Privacy Rule preempt any contrary state laws that prohibit a HIPAA-covered laboratory from providing patients direct access to their completed test results.

In order to comply with the amended Privacy Rule, HIPAA-covered laboratories should develop and implement a policy and procedure to receive and respond to patient requests. Processing a request for a test report, either manually or electronically, will require completion of the following steps: (1) receipt of the request from the individual; (2) authentication of the identification of the individual; (3) retrieval of test reports; (4) verification of how and where the individual wants the test report to be delivered and provision of the report by mail, fax, email or other electronic means; and (5) documentation of test report issuance. Additionally, HIPAA-covered laboratories must revise their notice of privacy practices to inform patients of their right to access completed test reports, including a brief description of how to exercise the right, and removing any statements to the contrary.

This amendment to the regulations is consistent with OCR’s focus on improving patients’ rights under the Privacy Rule, and represents another important aspect of policy change and documentation efforts for HIPAA-covered entity providers.

CMS and OIG Propose Extension of Electronic Health Record Donation Protections

This post was written by Jennifer Pike and Brad Rostolsky.

The Centers for Medicare & Medicaid Services (CMS) and the Office of Inspector General (OIG) of the Department of Health and Human Services (HHS) have each proposed new rules to extend existing protections that allow hospitals to donate electronic health record (EHR) technology to physicians who refer patients to their facilities. By way of background, in 2006, CMS established an exception to the Stark self-referral law to allow hospitals to donate EHR technology to physicians under certain circumstances. Likewise, in 2006, the OIG established a safe-harbor to protect such EHR donations from enforcement under the federal anti-kickback statute. While both protections are set to expire on December 31, 2013, the proposed rules would extend the provisions until the end of 2016 as a means to facilitate the adoption of EHR technology.

In addition to extending the EHR donation protections, the proposed rules would (1) remove the requirement from the original rule that donated EHR technology contain electronic prescribing capability, and (2) update the provision under which EHR technology is deemed interoperable, which would expand the types of EHR systems that qualify for the protections.

CMS’s proposed rule is available here. The OIG’s proposed rule is available here. Comments regarding both proposed rules should be submitted in writing, or electronically at, by June 10, 2013.

OCR Continues to Use Breach Self-Reports as an Invitation to Audit General HIPAA Compliance

Massachusetts Provider Becomes Third Seven-Figure Settlement Since March

This post was written by Nancy E. Bonifant and Brad M. Rostolsky.

On September 17, 2012, the HHS Office of Civil Rights ("OCR") announced another settlement and corrective action plan following an entity’s breach self-report required by HITECH’s Breach Notification Rule. Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (collectively "MEEI") have agreed to pay $1.5 million to settle potential violations of the HIPAA Security Rule following the theft of a physician’s unencrypted, but protected, laptop, providing additional evidence that: (1) OCR will likely view any breach notification as an opportunity to conduct a de facto audit of an entity’s general HIPAA compliance; and (2) encryption of all portable devices containing electronic protected health information ("ePHI"), though not technically "required," is a critical compliance consideration.

The information contained on the laptop, which was stolen while the physician was lecturing in South Korea in 2010, included prescriptions and clinical information for approximately 3,600 patients and research subjects. According to MEEI, although unencrypted, the laptop was password protected and contained a tracking device commonly referred to as "LoJack." Using LoJack, MEEI determined that a new operating system was installed on the computer and that the software needed to access the ePHI was not reinstalled. After concluding that retrieval of the laptop was unlikely, MEEI remotely permanently disabled the hard drive and rendered any ePHI unreadable.

Although OCR’s subsequent investigation revealed no patient harm as a result of the breach, the agency did find that the breach indicated a long-term, organizational disregard for the requirements of the Security Rule. More specifically, over an extended period of time, MEEI failed to:

  • Conduct a thorough analysis of the risk to the confidentiality of ePHI maintained on portable devices;
  • Implement security measures sufficient to ensure the confidentiality of ePHI that MEEI created, maintained, and transmitted using portable devices;
  • Adopt and implement policies and procedures to restrict access to ePHI to authorized users of portable devices; and
  • Adopt and implement policies and procedures to address security incident identification, reporting, and response.

Following on the heels of the Alaska Department of Health and Social Services’ $1.7 million settlement in June, which also followed a breach that affected a relatively small number of individuals, OCR’s recent enforcement actions suggest that its focus is on the lack of overall HIPAA compliance that may lead to a breach and not on the breach itself. This settlement also reaffirms the practical necessity of encrypting all ePHI on portable devices. According to Leon Rodriguez, Director of OCR, "[i]n an age when health information is stored and transported on portable devices such as laptops, tablets, and mobile phones, special attention must be paid to safeguarding the information held on these devices."

In addition to the $1.5 million settlement, the Resolution Agreement between MEEI and OCR included a corrective action plan, which requires MEEI to review, revise, and maintain policies and procedures to ensure compliance with the Security Rule, and retain an independent monitor who will conduct assessments of MEEI’s compliance with the corrective action plan and render semi-annual reports to HHS for a 3-year period. MEEI did not admit any liability in the agreement and OCR did not concede that MEEI was not liable for civil monetary penalties.

Additional information about OCR’s enforcement activities can be found at

Small Cardiology Practice to Pay $100,000 to Settle Allegations of HIPAA Violations

This post was written by Nancy E. Bonifant and Brad M. Rostolsky.

On April 17, 2012, the HHS Office of Civil Rights (OCR) announced a settlement and corrective action plan with Phoenix Cardiac Surgery, P.C. (Phoenix), a small cardiology practice based in Phoenix and Prescott, Arizona. More specifically, Phoenix has agreed to pay $100,000 to settle allegations of HIPAA violations arising out of an investigation conducted by OCR.

OCR’s investigation of Phoenix followed a report that Phoenix was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible. On further investigation, OCR discovered the following issues:

  • Phoenix failed to implement adequate policies and procedures to appropriately safeguard patient information;
  • Phoenix failed to document that it trained any employees on its policies and procedures on the Privacy and Security Rules;
  • Phoenix failed to identify a security official and conduct a risk analysis; and
  • Phoenix failed to obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to its electronic protected health information.

This settlement serves as additional evidence of OCR’s increased focus on enforcement actions for alleged HIPAA violations, following just one month after the first enforcement action resulting from a breach self-report under the Breach Notification Rule. According to Leon Rodriguez, Director of OCR, he “hope[s] that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.” Additionally, the settlement provides further evidence that OCR will likely view any investigation of an alleged Privacy or Security Rule infraction as an opportunity to conduct a de facto audit of the entity’s general compliance with HIPAA.

In addition to the $100,000 settlement, the Resolution Agreement between Phoenix and OCR requires Phoenix to develop and maintain written Privacy and Security policies, which will set forth, at a minimum, administrative safeguards, technical safeguards, and training of all Phoenix’s workforce members. In addition, Phoenix will provide specific training on the Privacy and Security policies within 60 days of OCR’s approval to all workforce members who use or disclose protected health information and will report any violations of those policies and procedures by a workforce member to OCR within 30 days. Phoenix did not admit any liability in the agreement and OCR did not concede that Phoenix was not liable for civil monetary penalties.

Additional information about OCR’s enforcement activities can be found at
OCR Announces First Enforcement Action Resulting From a Breach Self-Report

This post was written by Nancy E. Bonifant and Brad M. Rostolsky.

On March 13, 2012, the HHS Office of Civil Rights (OCR) announced the first enforcement action resulting from a breach self-report required by HITECH’s Breach Notification Rule. Blue Cross Blue Shield of Tennessee (BCBST) has agreed to pay HHS $1,500,000 to settle potential violations of the HIPAA Privacy and Security Rules and has entered into a corrective action plan to address gaps in its HIPAA compliance program.

The HIPAA/HITECH Breach Notification Rule requires covered entities to report a breach (e.g., an impermissible use or disclosure of protected health information that compromises the security or privacy of the protected health information) to the affected individual(s), HHS and, at times, the media. OCR’s investigation of BCBST followed a breach report submitted by BCBST informing HHS that 57 unencrypted computer hard drives were stolen from a leased facility in Tennessee. The hard drives contained the protected health information of more than 1 million individuals, including member names, social security numbers, diagnosis code, dates of birth, and health plan identification numbers.

According to OCR’s investigation, BCBST failed to implement appropriate administrative and physical safeguards as required by the HIPAA Security Rule. More specifically, BCBST failed to perform the required security evaluation in response to operational changes and did not have adequate facility access controls.

In addition to the $1,500,000 settlement, the Resolution Agreement between BCBST and OCR requires BCBST to revise its Privacy and Security policies, conduct robust trainings for all employees, and perform monitoring reviews to ensure compliance with the corrective action plan. BCBST did not admit any liability in the agreement and OCR did not concede that BCBST was not liable for civil monetary penalties.

Additional information about OCR’s enforcement activities can be found at

Transcending the Cloud: A Legal Guide to the Risks and Rewards of Cloud Computing - Health Care in the Cloud

This post was written by Vicky G. Gormanly and Joseph I. Rosenbaum.

The interest level in storing health records in digital format has grown rapidly with the lower cost and greater availability and reliability of interoperable storage mechanisms and devices. Health care providers like hospitals and health systems, physician practices, and health insurance companies are among those most likely to be considering a cloud-based solution for the storage of patient-related health information. While lower cost, ubiquitous 24/7 availability, and reliability are key drivers pushing health care providers and insurers to the cloud, a number of serious legal and regulatory issues should be considered before releasing sensitive patient data into the cloud. The issues are highlighted in the Health Care chapter of our Cloud Computing White Paper.

CMS' Oversight of Security Rule "Not Sufficient" According to the OIG

This post was written by Gina M. Cavalier, Vicky G. Gormanly and Brad M. Rostolsky.

On May 16, 2011, the Office of Inspector General (“OIG”) published a report with the results from its nationwide review of the Centers for Medicare and Medicaid Services (“CMS’”) oversight of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). In its review, the OIG sought to determine the sufficiency of CMS’ oversight and enforcement actions pertaining to hospitals’ implementation of the HIPAA Security Rule. Pursuant to the Security Rule, covered entities, such as hospitals, must implement technical, physical, and administrative safeguards for the protection of electronic protected health information (“ePHI”). According to the OIG, CMS’ oversight and enforcement actions were “not sufficient,” leaving limited assurance of the security of hospitals’ ePHI.

The report details the results from the OIG’s audits of seven hospitals. The audits disclosed “numerous internal control weaknesses.” Specifically, the OIG identified 151 vulnerabilities in the systems and controls intended to protect ePHI. Of these vulnerabilities, 124 were categorized as “high impact.” These vulnerabilities placed the confidentiality, integrity, and availability of ePHI at risk. A high impact vulnerability is one that (1) may result in the highly costly loss of major tangible assets or resources; (2) may significantly violate, harm, or impede an organization’s mission, reputation, or interest; or (3) may result in human death or serious injury.

HHS Announces First Ever Civil Money Penalty for Violations of HIPAA Privacy Rule

This post was written by Gina M. Cavalier.

Earlier today the Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) announced the imposition of the first ever civil money penalty for violations of the HIPAA Privacy Rule. The $4.3 million penalty was assessed against Cignet Health of Prince Georges County, a health insurer. The underlying HIPAA violations include (1) failing to provide patients with access to their medical records, and (2) failing to cooperate with OCR's investigation into the failure to provide access. The HHS press release is available here.

To discuss this or any other HIPAA or data privacy/security issue, please contact Mark S. Melodia or Gina M. Cavalier.

Authentication Practices and Secure Communications in the Life Sciences and Health Care Industry

Information security is paramount in the life sciences and health care industry because it is subject to affirmative regulatory requirements regarding the physical and technical safeguards used to secure electronic information. It is therefore troubling that the Internet protocols that are universally used to transmit encrypted information employ an authentication process (to verify the endpoints of a communication) that is deeply flawed. The authentication process requires the parties to the communication to trust literally hundreds of unknown third parties referred to as "certificate authorities." The closer one looks at the identity of these third parties and the processes used to carry out the authentication process, the worse it gets. It is time for GCs to get involved because Encryption is Not Enough...

HITECH Privacy and Security Regulations Currently Being Drafted

The Health Information Privacy page of the U.S. Department of Health and Human Services (HHS) website has formally announced that regulations implementing the privacy and security provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act will soon be published (along with a comment period) relating to (1) business associate liability; (2) new limitations on the sale of protected health information, marketing and fundraising communications; and (3) stronger individual rights to access electronic medical records and restrict the disclosure of certain information. Although this posting is certainly welcome news, from a timing perspective the announcement only indicates that "OCR continues work on a Notice of Proposed Rulemaking (NPRM) regarding these provisions."

Providing further evidence that the HITECH Act provisions relative to covered entities and business associates will not be enforced until after these forthcoming regulations have been finalized, HHS stated that "[a]lthough the effective date (February 17, 2010) for many of these HITECH Act provisions has passed, the NPRM and the final rule that follows will provide specific information regarding the expected date of compliance and enforcement of these new requirements." The HITECH Act, however, is currently effective, and questions about the effective date for enforcement of the Act's privacy and security requirements may remain until published regulations specifically postpone enforcement. Additionally, HHS reminds us that the Breach Notification Rule and the revised Enforcement Rule are currently in effect, and that covered entities and business associates must comply now with breach notification obligations for breaches that are discovered on or after September 23, 2009.

FCC Proposes Tougher Rules on Telemarketing

This post was written by Robert H. Jackson.

The Federal Communications Commission (“FCC”) has proposed changes to its Telephone Consumer Protection Act (“TCPA”) rules that would conform to the Federal Trade Commission’s Telemarketing Sales Rule (“TSR”). The primary change in the regulations would affect the sending of prerecorded messages (a/k/a “robocalls”) by barring them even to existing customers without first obtaining prior written consent. At first blush, this seems routine, but because of differences in the FCC’s and FTC’s statutory jurisdiction, there are complicated implementation issues that could trap unsuspecting companies. Another key issue for the health care industry is whether the FCC should create an exemption for prerecorded messages that are subject to the Health Insurance Portability and Accountability Act (“HIPAA”) and, if so, how such an exemption should be implemented. For more information about these changes, please read our client alert written by Robert Jackson.

HHS Rule Implements HITECH Act Changes to HIPAA Enforcement

On Friday, October 30, 2009, the U.S. Department of Health and Human Services ("HHS") published an interim final rule and request for comments that implements certain HIPAA enforcement changes made pursuant to the HITECH Act. Consistent with the provisions of the HITECH Act, the new rule amends the HIPAA enforcement regulations applicable to violations of each of HIPAA's Administrative Simplification Rules (i.e., Privacy Rule, Security Rule, Transactions and Code Sets Rules, Standard Unique Identifier for Employers (EIN Rule), and the Standard Unique Identifier for Health Care Providers (NPI Rule)) by applying the following categories of violations and tiered penalty scheme to HIPAA violations that occur on or after February 18, 2009.

  • Unknown violations (i.e., if a person did not know and by exercising reasonable due diligence would not have known that a violation occurred): The penalty shall be at least $100 for each violation not to exceed $25,000 for all such identical violations during a calendar year, but may be no more than $50,000 for each violation not to exceed $1.5 million for all such violations of an identical requirement or prohibition during a calendar year.
  • Violations due to reasonable cause and not to willful neglect: The penalty shall be at least $1,000 for each violation not to exceed $100,000 for all such identical violations during a calendar year, but may be no more than $50,000 for each violation not to exceed $1.5 million for all such violations of an identical requirement or prohibition during a calendar year.
  • Violations due to willful neglect (and the violations have been corrected): The penalty shall be at least $10,000 for each violation not to exceed $250,000 for all such identical violations during a calendar year, but may be no more than $50,000 for each violation not to exceed $1.5 million for all such violations of an identical requirement or prohibition during a calendar year.
  • Violations due to willful neglect (and the violations have not been corrected): The penalty shall be at least $50,000 for each violation not to exceed $1.5 million for all such violations of an identical requirement or prohibition during a calendar year.

Furthermore, the interim final rule generally amends a covered entity's ability to employ an affirmative defense against an action seeking civil monetary penalties if (i) the covered entity did not have knowledge or constructive knowledge of the violation, and (ii) the violation was not due to reasonable cause and not willful neglect. HHS is also given the authority to waive a civil monetary penalty for violations due to reasonable cause and not willful neglect if the covered entity corrects the violation within 30 days of having knowledge that the violation occurred. 

Comments on this interim final rule will be considered if received by December 29, 2009.

New HHS Regulations Impose Federal Security Breach Notification Requirements

The recently enacted Health Information Technology for Economic and Clinical Health (“HITECH”) Act, which amends various aspects of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), including the associated Privacy and Security Rules, marks a significant change in how covered entities and their business associates must respond to security breaches under HIPAA.

On August 24, 2009, the U.S. Department of Health and Human Services (“HHS”) issued its interim final rule (“the Rule”) regarding a covered entity’s obligation to notify individuals when their unsecured protected health information (“PHI”) is breached. Furthermore, and depending on the nature of the security breach, the Rule also requires a more global notification whereby covered entities must post information regarding certain breaches in newspapers and on the HHS website.

The HHS Rule is effective on September 23, 2009; however, HHS will not impose sanctions for failure to provide the required notices for breaches that are discovered before February 22, 2010.

For additional details, read the full alert

FTC Issues Final Rule on Notifying Consumers About Breaches of Electronic Health Records

This post was written by Mark S. Melodia, Michael K. Brown, J. Ferd Convery, III, Steven J. Boranian, Brad M. Rostolsky, Shana R. Fried and Paul Bond.

Until now, the loss or theft of protected health information rarely resulted in notice to consumers. Very few state data security breach notification laws encompass medical information. The Health Insurance Portability and Accountability Act ("HIPAA") merely required an "accounting" of such events to a patient upon the patient's request.

All that has changed. Congress, in enacting the Health Information Technology for Economic and Clinical Health Act ("HITECH"), imposed breach notification obligations on many of the individuals and business entities that receive, create, or maintain patients' individually identifiable health information. Pursuant to HITECH, on Aug. 17, the Federal Trade Commission ("FTC") issued its Health Breach Notification Rule, governing the breach notification obligations of three new categories of entity: "vendors of personal health records," "PHR related entities" and "third party service providers."

To read the full alert, click here.

Health Information Privacy and Incentives, Medicaid Funding, and Other Health Care Provisions in the American Recovery and Reinvestment Act

This post was written by Karl A. Thallner, Jr., Carol C. Loepere, Debra A. McCurdy, Brad M. Rostolsky, Jacqueline B. Penrod, and Amie E. Schaadt.

On February 17, 2009, President Obama signed into law H.R. 1, the American Recovery and Reinvestment Act (the “ARRA”). The sweeping $790 billion economic stimulus package includes a number of health care policy provisions. Reed Smith's Health Care Memorandum summarizes the major health policy provisions of the Act.

HIPAA Privacy and Security Changes in the American Recovery and Reinvestment Act

This post was written by Brad M. Rostolsky, Gina M. Cavalier, Debra L. Hutchings, Kerry A. Kearney, and Mark S. Melodia.

On Feb. 17, 2009, President Obama signed into law H.R. 1, the American Recovery and Reinvestment Act (the “ARRA”). This memorandum outlines significant changes and additions to the landscape of federal privacy and security law set forth in Subtitle D of the ARRA. In general, the privacy and security portions of the ARRA become effective 12 months after the enactment of the ARRA, which is approximately February 2010. It is also important to note that the ARRA directs the Secretary of the U.S. Department of Health & Human Services (“HHS”) to amend the HIPAA Privacy and Security Rules to implement the legislative changes. As such, the effective dates associated with the rulemaking process will vary.

Click here to read the full alert.

HIPAA Preemption

In "Ex Parte Talks Allowed Under Georgia Law For Counsel, Doctors Preempted by HIPAA" (password required), the United States Law Week discusses in detail Moreland v. Austin, Georgia Sup. Ct. No. S08G0498, a November 3, 2008 decision holding that defense attorneys who wish to engage in ex parte communications with plaintiffs' treating physicians must comply with HIPAA privacy rules. Since HIPAA affords more patient privacy than a Georgia law that permitted ex parte contact once a plaintiff put his or her medical condition at issue, the Georgia law was preempted.

Preemption giveth, and preemption taketh away.

California's New HIPAA-Like Requirements Impose New Data Privacy & Security Duties - and Create New Potential Liabilities

Data breaches can occur in any industry, but those that involve medical information create unique problems. Starting January 1, they also will carry unique penalties, at least in California, under two new California laws: Senate Bill 541 (SB 541) and Assembly Bill 211 (AB 211).

Health care providers clearly need to take heed of the laws' directives that they take additional affirmative steps to prevent “unauthorized access” to patient information. But AB 211 is particularly broad in scope, covering “any person or entity” that “negligently discloses” or “knowingly or willfully obtains, discloses, or uses medical information,” which means other players in the life sciences industry probably should take note as well. A full discussion of SB 541 and AB 211, written by Janet H. Kwuon and Rachel A. Rubin, is here.

Post-Market Surveillance: FDA's "Sentinel Initiative" and Related CMS Rulemaking

This post was written by Catherine A. Durkin and Areta L. Kupchyk.

On May 22, 2008, the Food and Drug Administration (“FDA”) announced plans for what it is calling the “Sentinel System”—a new, national electronic health information surveillance system to track the performance and safety of medical products once they are on the market. See FDA, “The Sentinel Initiative: National Strategy for Monitoring Medical Product Safety” (May 2008). In addition to a whitepaper on the Sentinel Initiative, FDA has published a “Questions and Answers” document, a fact sheet, and information for the consumer that are all available at

The same day, the Centers for Medicare & Medicaid Services (“CMS”) announced a final rule allowing it to share prescription drug claims data for the 25 million Medicare Part D enrollees with other government agencies, as well as with “researchers.” Under the rule, shared data will be available for any purpose “deemed necessary and appropriate by the Secretary,” such as analysis, reporting, and public-health purposes, among other things. See 73 Fed. Reg. 30664 (May 28, 2008); CMS Fact Sheet “Medicare Part D Data Regulation” (CMS-4119-F) (May 22, 2008). The rule becomes effective June 27, 2008.

These coinciding initiatives by the two major federal health regulatory agencies are intended to improve health care quality by using information technology and data mining in new ways. However, numerous policy and strategy questions are still up for debate.

The current system for monitoring drug and device adverse events relies on health professionals and patients to: (1) recognize a potential link between an adverse event and a product; and (2) voluntarily report it, either to the manufacturer or to FDA. In recent years, controversies surrounding certain drug safety issues have contributed to criticisms by members of the public and Congress that the current system is often inadequate. To ensure that FDA would improve its current safety monitoring system, Congress passed legislation in September 2007, the Food and Drug Administration Amendments Act of 2007 (“FDAAA”), Pub. L. No. 110-85 § 905, that required FDA to obtain access to data sources, develop a system to link and analyze product safety data available through these sources, and, using these tools, establish an “active adverse event surveillance” program. The Sentinel System, as its name suggests, is intended to accomplish these goals.

As proposed, the Sentinel System would provide FDA with access to a broad range of publicly and privately maintained health data sources so that FDA could search these sources and gather intelligence on potential safety risks associated with drugs or medical devices as trends emerge. See U.S. Department of Health & Human Services, News Release, New Efforts to Help Improve Medical Products for Patient Safety and Quality of Medical Care (May 22, 2008). Through targeted queries of health information databases (such as the Medicare Part D and other claims databases), FDA claims it would be able to obtain de-identified patient data, perform analyses, and draw conclusions regarding product safety in order to improve the overall quality of medical care. FDA also states that the system would be designed to comply with appropriate security and privacy standards.

The notion that health information technology initiatives (such as electronic health records, e-prescribing, etc.) are the key to improving the quality and reducing the costs of our health care system is a major reason Congress mandated FDA’s expansion of post-approval drug and device surveillance. Although FDA has recognized various efforts (in both the public and private sectors) to collect and make use of electronic safety, performance, and other health/patient data, as listed in the Attachment to FDA’s whitepaper on the Sentinel Initiative entitled “Related Federal/Private Sector Activities,” to date, such efforts have not been coordinated or standardized. The Sentinel Initiative ultimately intends to incorporate these efforts on a national level.

Proposed Mechanics of the Sentinel System

Although FDA is still in the early stages of developing the Sentinel System and specific details are scarce, FDA proposes, at least initially, to capitalize on existing data systems, such as medical claims databases and electronic health record systems, through a “public-private partnership” rather than by creating a new, centralized database. Data sources would continue to be owned and maintained by their current owners. Data owners would either be members of the partnership, or contract with FDA and/or the partnership to provide data. The partnership would be subject to a “defined governance process” and structured according to an “established organizational framework,” both still to be determined. Aside from the Medicare Part D claims database, potential public data sources include Medicare Parts A and B, the Veterans Health Administration, the Department of Defense, and CDC’s National Electronic Injury Surveillance System (“NEISS”).

The multiple data sources would somehow be linked with one another so that they would be interoperable and part of an overall, to-be-developed “information technology architecture.” FDA would thus be able to send queries to a variety of data sources and obtain results quickly, which would be stripped of identifiers to comply with any applicable privacy and security laws and/or standards that protect personal and proprietary information. FDA would then be able to review and analyze the data, observe trends, draw conclusions regarding product safety and performance, and take appropriate measures to address concerns. Accordingly, the system is intended to provide FDA with a stronger, more proactive product safety surveillance capability. The system may also serve as a tool for many other types of research performed by other public health agencies and health researchers; for example, evaluating specific treatment outcomes, or assessing utilization trends.

Open Issues and Next Steps

Based on input from the public during a two-day public workshop FDA held in March 2007 and a comment period in early 2007 (see 72 Fed. Reg. 2284 (Jan. 18, 2007)), FDA has identified the following as key issues that must be resolved prior to implementing the Sentinel System:

  • How will private and/or proprietary information be protected?
  • Who will have access to the system?
  • How will the initiative be funded?
  • What about the quality of the data, standards, and system interoperability? How will these be improved?
  • How will risks and adverse events be identified through data analysis?
  • How will a pilot for the system be developed and validated?

Although FDA has touched upon some of these issues in its whitepaper and related publications, and has raised numerous others (for example, the scientific credibility of the data analysis and the integrity and independence of the system’s management/governance structure), they remain largely unanswered. The next phase of the Sentinel Initiative will incorporate a series of discussions on the “scientific and policy issues that must be addressed.”

Further, FDA plans to begin meeting with potential partners to formalize specific action items necessary to establish the Sentinel System.

According to the CMS fact sheet on the final Part D claims data rule, CMS will hold an open door forum in June 2008 to review the new rule and discuss the claims data release process, as well as to answer questions from the public. Once this open door forum is scheduled, information will be posted here. If you would like information on how to participate in this open door forum, please contact Katie Durkin at