Effective Cyberliability Insurance Coverage

According to a recent study, the median amount of time between a breach of a company’s cybernetwork and the discovery of that breach is 229 days. Given this lengthy amount of time, companies should consider the benefits of an expanded cyberliability insurance policy period, particularly if the company is switching from one insurance provider to another. As discussed in “Hackers Don’t Care About the Terms of Your Insurance Policy: The Importance of Retroactive Dates and Extended Reporting Periods in Effective Cyberliability Insurance Coverage,” a client alert written by Reed Smith partners Brian Himmel, Andrew Moss, David Weiss and Cristina Shea, two such options for expanding the policy period are retroactive dates (shifting the effective date of coverage back, to capture events that occurred or were occurring but were not yet discovered when the policy was purchased) and extended reporting periods (which provide additional time to report events that are not discovered until after the end of the policy period).

To read the client alert, click here.

EU Research Group Condemns EU Regulation for Restricting Growth in Life Sciences Sector; NHS Advocates Selling Confidential Patient Data For Secondary Purposes

Reed Smith’s Global Regulatory Enforcement Law blog features two posts of interest to those in the life sciences industry, both written by Reed Smith partner Cynthia O’Donoghue. “EU Research Group Condemns EU Regulation for Restricting Growth in Life Sciences Sector” discusses the opposition of a lobbying group, led by the Wellcome Trust, to amendments to the proposed General Data Protection Regulation – amendments that they believe could severely inhibit future growth of the life sciences sector in the European Union. “NHS Advocates Selling Confidential Patient Data For Secondary Purposes” discusses the criticism of the UK’s Health and Social Care Information Centre and NHS England’s new initiative known as ‘care.data,' which involves the extraction, anonymization, and aggregation of patient data from GP practices in a central database for sale to third parties such as drug and insurance companies.

Reed Smith Gearing Up For "Big Data Monetization" Conference

Next week, Reed Smith will host a conference on “Big Data Monetization” at the Quadrus Conference Center in Silicon Valley (8:30-11:30 a.m. PDT). Big Data is a term used to characterize the accumulation of data. Virtually every company, in every industry, is now an information and technology company. Companies run on Big Data, whether it be customer information, employee information, or competitive intelligence. Companies store, share, and use that information in increasingly complex ways, taking advantage of cloud-based solutions and revolutions in analytics, and finding ways to turn these massive databases into revenue. There is no doubt a plethora of opportunities in Big Data, however, using it comes with its own set of risks. The key with monetizing Big Data is striking the balance between risk and reward.

View a preview of the types of issues we’ll be tackling at the conference over on our Global Regulatory Enforcement Law Blog.

OCR Continues to Use Breach Self-Reports as an Invitation to Audit General HIPAA Compliance

Massachusetts Provider Becomes Third Seven-Figure Settlement Since March

This post was written by Nancy E. Bonifant and Brad M. Rostolsky.

On September 17, 2012, the HHS Office of Civil Rights ("OCR") announced another settlement and corrective action plan following an entity’s breach self-report required by HITECH’s Breach Notification Rule. Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (collectively "MEEI") have agreed to pay $1.5 million to settle potential violations of the HIPAA Security Rule following the theft of a physician’s unencrypted, but protected, laptop, providing additional evidence that: (1) OCR will likely view any breach notification as an opportunity to conduct a de facto audit of an entity’s general HIPAA compliance; and (2) encryption of all portable devices containing electronic protected health information ("ePHI"), though not technically "required," is a critical compliance consideration.

The information contained on the laptop, which was stolen while the physician was lecturing in South Korea in 2010, included prescriptions and clinical information for approximately 3,600 patients and research subjects. According to MEEI, although unencrypted, the laptop was password protected and contained a tracking device commonly referred to as "LoJack." Using LoJack, MEEI determined that a new operating system was installed on the computer and that the software needed to access the ePHI was not reinstalled. After concluding that retrieval of the laptop was unlikely, MEEI remotely permanently disabled the hard drive and rendered any ePHI unreadable.

Although OCR’s subsequent investigation revealed no patient harm as a result of the breach, the agency did find that the breach indicated a long-term, organizational disregard for the requirements of the Security Rule. More specifically, over an extended period of time, MEEI failed to:

  • Conduct a thorough analysis of the risk to the confidentiality of ePHI maintained on portable devices;
  • Implement security measures sufficient to ensure the confidentiality of ePHI that MEEI created, maintained, and transmitted using portable devices;
  • Adopt and implement policies, and procedures to restrict access to ePHI to authorized users of portable devices; and
  • Adopt and implement policies and procedures to address security incident identification, reporting, and response.

Following on the heels of the Alaska Department of Health and Social Services’ $1.7 million settlement in June, which also followed a breach that affected a relatively small number of individuals, OCR’s recent enforcement actions suggest that its focus is on the lack of overall HIPAA compliance that may lead to a breach and not the breach itself. This settlement also reaffirms the practical necessity of encrypting all ePHI on portable devices. According to Leon Rodriguez, Director of OCR,  "[i]n an age when health information is stored and transported on portable devices such as laptops, tablets, and mobile phones, special attention must be paid to safeguarding the information held on these devices."

In addition to the $1.5 million settlement, the Resolution Agreement between MEEI and OCR included a corrective action plan, which requires MEEI to review, revise, and maintain policies and procedures to ensure compliance with the Security Rule, and retain an independent monitor who will conduct assessments of MEEI’s compliance with the corrective action plan and render semi-annual reports to HHS for a 3-year period. MEEI did not admit any liability in the agreement and OCR did not concede that MEEI was not liable for civil monetary penalties.

Additional information about OCR’s enforcement activities can be found at hhs.gov.

China Life Sciences and Health Industry Client Briefing - August 2012 (September 18, 2012)

This post was written by Jay J. Yan, Hugh T. Scogin, Jr., John J. Tan, Mao Rong, Katherine Yang, May Wong, Amy Yin and Gordon B. Schatz.

Reed Smith’s Life Sciences Health Industry China Briefing provides a summary of the monthly news and legal developments relating to China's Pharmaceutical, Medical Device, and Life Sciences/ Health Care Industries.

Some important developments during August include:

  • New Regulations Concerning Hospital Procurement of Class-A Large-Scale Medical Equipment
  • MOH to Investigate Infection Events in Hospitals
  • Wenzhou Develops New Plans to Attract Private Medical Investors
  • Notice Concerning Public Hospital Reform in 2012
  • MOH to Establish EDLs for Secondary and Tertiary Hospitals
  • Pricing Developments for Drugs of Foreign Companies
  • Revised Regulations on Criminal Prosecutions for Leaks of Confidential Patient Information
  • State Council to Release Regulation Permitting Local Governments to Buy Commercial Insurance on for Serious Illnesses

To read the full briefing by Reed Smith China team members, click here.

Small Cardiology Practice to Pay $100,000 to Settle Allegations of HIPAA Violations

This post was written by Nancy E. Bonifant and Brad M. Rostolsky.

On April 17, 2012, the HHS Office of Civil Rights (OCR) announced a settlement and corrective action plan with Phoenix Cardiac Surgery, P.C. (Phoenix), a small cardiology practice based in Phoenix and Prescott, Arizona. More specifically, Phoenix has agreed to pay $100,000 to settle allegations of HIPAA violations arising out of an investigation conducted by OCR.

OCR’s investigation of Phoenix followed a report that Phoenix was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible. On further investigation, OCR discovered the following issues:

  • Phoenix failed to implement adequate policies and procedures to appropriately safeguard patient information;
  • Phoenix failed to document that it trained any employees on its policies and procedures on the Privacy and Security Rules;
  • Phoenix failed to identify a security official and conduct a risk analysis; and
  • Phoenix failed to obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to its electronic protected health information.

This settlement serves as additional evidence of OCR’s increased focus on enforcement actions for alleged HIPAA violations, following just one month after the first enforcement action resulting from a breach self-report under the Breach Notification Rule. According to Leon Rodriguez, Director of OCR, he “hope[s] that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.” Additionally, the settlement provides further evidence that OCR will likely view any investigation of an alleged Privacy or Security Rule infraction as an opportunity to conduct a de facto audit of the entity’s general compliance with HIPAA.

In addition to the $100,000 settlement, the Resolution Agreement between Phoenix and OCR requires Phoenix to develop and maintain written Privacy and Security policies, which will set forth, at a minimum, administrative safeguards, technical safeguards, and training of all Phoenix’s workforce members. In addition, Phoenix will provide specific training on the Privacy and Security policies within 60 days of OCR’s approval to all workforce members who use or disclose protected health information and will report any violations of those policies and procedures by a workforce member to OCR within 30 days. Phoenix did not admit any liability in the agreement and OCR did not concede that Phoenix was not liable for civil monetary penalties.

Additional information about OCR’s enforcement activities can be found at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html.


OCR Announces First Enforcement Action Resulting From a Breach Self-Report

This post was written by Nancy E. Bonifant and Brad M. Rostolsky.

On March 13, 2012, the HHS Office of Civil Rights (OCR) announced the first enforcement action resulting from a breach self-report required by HITECH’s Breach Notification Rule. Blue Cross Blue Shield of Tennessee (BCBST) has agreed to pay HHS $1,500,000 to settle potential violations of the HIPAA Privacy and Security Rules and has entered into a corrective action plan to address gaps in its HIPAA compliance program.

The HIPAA/HITECH Breach Notification Rule requires covered entities to report a breach (e.g., an impermissible use or disclosure of protected health information that compromises the security or privacy of the protected health information) to the affected individual(s), HHS and, at times, the media. OCR’s investigation of BCBST followed a breach report submitted by BCBST informing HHS that 57 unencrypted computer hard drives were stolen from a leased facility in Tennessee. The hard drives contained the protected health information of more than 1 million individuals, including member names, social security numbers, diagnosis code, dates of birth, and health plan identification numbers.

According to OCR’s investigation, BCBST failed to implement appropriate administrative and physical safeguards as required by the HIPAA Security Rule. More specifically, BCBST failed to perform the required security evaluation in response to operational changes and did not have adequate facility access controls.

In addition to the $1,500,000 settlement, the Resolution Agreement between BCBST and OCR requires BCBST to revise its Privacy and Security policies, conduct robust trainings for all employees, and perform monitor reviews to ensure compliance with the corrective action plan. BCBST did not admit any liability in the agreement and OCR did not concede that BCBST was not liable for civil monetary penalties.

Additional information about OCR’s enforcement activities can be found at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html.

Transcending the Cloud: A Legal Guide to the Risks and Rewards of Cloud Computing - Health Care in the Cloud

This post was written by Vicky G. Gormanly and Joseph I. Rosenbaum.

The interest level in storing health records in digital format has grown rapidly with the lower cost and greater availability and reliability of interoperable storage mechanisms and devices. Health care providers like hospitals and health systems, physician practices, and health insurance companies are among those most likely to be considering a cloud-based solution for the storage of patient-related health information. While lower cost, ubiquitous 24/7 availability, and reliability are key drivers pushing health care providers and insurers to the cloud, a number of serious legal and regulatory issues should be considered before releasing sensitive patient data into the cloud. The issues are highlighted in the Health Care chapter  of our Cloud Computing White Paper.

CMS' Oversight of Security Rule "Not Sufficient" According to the OIG

This post was written by Gina M. Cavalier, Vicky G. Gormanly and Brad M. Rostolsky.

On May 16, 2011, the Office of Inspector General (“OIG”) published a report with the results from its nationwide review of the Centers for Medicare and Medicaid Services (“CMS’”) oversight of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). In its review, the OIG sought to determine the sufficiency of CMS’ oversight and enforcement actions pertaining to hospitals’ implementation of the HIPAA Security Rule. Pursuant to the Security Rule, covered entities, such as hospitals, must implement technical, physical, and administrative safeguards for the protection of electronic protected health information (“ePHI”). According to the OIG, CMS’ oversight and enforcement actions were “not sufficient,” leaving limited assurance of the security of hospitals’ ePHI.

The report details the results from the OIG’s audits of seven hospitals. The audits disclosed “numerous internal control weaknesses.” Specifically, the OIG identified 151 vulnerabilities in the systems and controls intended to protect ePHI. Of these vulnerabilities, 124 were categorized as “high impact.” These vulnerabilities placed the confidentiality, integrity, and availability of ePHI at risk. The consequences of the high impact vulnerabilities is that it (1) may result in the highly costly loss of major tangible assets or resources; (2) may significantly violate, harm, or impede an organization’s mission, reputation, or interest; or (3) may result in human death or serious injury. 

Final HITECH Privacy and Security Rule Expected Soon

According to a senior health information technology and privacy specialist at HHS Office for Civil Right (OCR), regulations finalizing the July 14, 2010, proposed rule implementing many of the HITECH Act's privacy, security, and enforcement requirements could be published by the end of 2010 or in early 2011.   Additionally, OCR, developing a HITECH Act required "periodic audit" plan, which will be targeted to ensure that covered entities and business associates comply with the requirements of  the Privacy and Security Rules. 

We'll keep you posted as things progress . . .

Mexico's Senate Passes Federal Law for Protection of Personal Data

This post was written by Mark S. Melodia, Cynthia O'Donoghue and Anthony S. Traymore

On April 27, 2010, the Mexican Senate passed Ley Federal de Protección de Datos Personales en Posesión de los Particulares (the Federal Law for Protection of Personal Data (FLPPA)).  President Felipe Calderon is expected to sign the FLPPA into law soon, and thereafter, the FLPPA will be published and its regulatory provisions enacted. The objective of the FLPPA is to provide regulatory mechanisms for the newly established replacement agency, Instituto Federal de Acceso a la Información y Protección de Datos (the Federal Institute of Information Access and Data Protection (FIIADP), to enforce the FLPPA in relation to any individual or entity engaging in the collection, storage and/or transfer of personal data, including life sciences and health care clients.

To read the full alert, click here.

California Health Care Update: New Laws Adopted in 2009 and Effective in 2010

This post was written by Daniel A. Cody, Paul W. Pitts and Alison B. Riddell.

Although California legislators devoted a significant amount of time and resources to addressing the state’s budget shortfall and the economic recession, the 2009 legislature debated and passed a surprising number of bills related to health care, many of which will become effective January 1, 2010. New laws impacting California health care providers include:

  • Amendments to the 2008 law requiring certain health care providers to disclose unlawful and unauthorized uses or disclosure of medical information
  • Laws requiring the Department of Public Health [www.cdph.ca.gov] to more timely process and approve applications for new or modified hospital outpatient services
  • Provisions impacting the delivery of radiologic and diagnostic imaging services, such as permitting physician assistants to provide fluoroscopy services under the supervision of a physician
  • Amendments to California’s False Claim Act that expand the types of claims subject to the law, extend the state’s prosecutorial authority, and increase the penalties for violating the statute
  • Laws stating that long-term care providers will be subject to new ownership disclosure requirements
  • Passing Assembly Bill 215, which makes California one of the first states to recognize and incorporate the controversial Five-Star Quality Rating for nursing facilities as created by the Centers for Medicare & Medicaid Services

For the full summary of major legislation impacting California physicians, hospitals, nursing facilities, and other licensed health care facilities, read our client alert.

HIPAA Privacy and Security Changes in the American Recovery and Reinvestment Act

This post was written by Brad M. Rostolsky, Gina M. Cavalier, Debra L. Hutchings, Kerry A. Kearney, and Mark S. Melodia.

On Feb. 17, 2009, President Obama signed into law H.R. 1, the American Recovery and Reinvestment Act (the “ARRA”).1 This memorandum outlines significant changes and additions to the landscape of federal privacy and security law set forth in Subtitle D of the ARRA. In general, the privacy and security portions of the ARRA become effective 12 months after the enactment of the ARRA, which is approximately February 2010. It is also important to note that the ARRA directs the Secretary of the U.S. Department of Health & Human Services (“HHS”) to amend the HIPAA Privacy and Security Rules to implement the legislative changes. As such, the effective dates associated with the rulemaking process will vary.

Click here to read the full alert.