OCR Releases Ebola Bulletin

This post was written by Jennifer Pike.

The recent Ebola outbreak has prompted the US Department of Health and Human Services, Office for Civil Rights (“OCR”), the agency responsible for enforcing the Health Insurance Portability and Accountability Act (“HIPAA”), to release a new bulletin for covered entities and business associates regarding their privacy obligations in emergency situations. The bulletin, entitled “HIPAA Privacy In Emergency Situations,” provides an overview of the limited ways in which covered entities and business associates may use and disclose protected health information in emergencies, such as the Ebola outbreak. The bulletin is available at http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/emergency/hipaa-privacy-emergency-situations.pdf.

Insights About Future Use of Protected Health Information Under HIPAA

How will Protected Health Information (PHI) be used in the future? Reed Smith partner Brad Rostolsky strives to answer this question in “HIPAA Enforcement: The Next Step,” an interview and accompanying article that appeared on HealthcareInfoSecurity on October 14th. The article discusses a number of trends predicted for the near future stemming from the HIPAA Omnibus Rule introduced last year, such as an increase in the number of investigations by the Department of Health and Human Services’ Office for Civil Rights regarding the illegal use, disclosure, and sale of PHI without patient authorization, particularly when used for marketing and fundraising purposes. The article also provides recommendations for companies preparing for HIPAA compliance audits, privacy concerns related to the use of consumer health information on social media, and potential HIPAA privacy issues involving wearable consumer health devices.

To listen to the interview and read the article, click here.

Final Rule Gives Patients a New Right under HIPAA to Access Completed Test Reports Directly from Labs

This post was written by Nan Bonifant, Brad Rostolsky, and John Wyand.

On February 6, 2014, the U.S. Department of Health & Human Services’ (HHS) Centers for Medicare & Medicaid Services (CMS), Centers for Disease Control and Prevention (CDC), and Office for Civil Rights jointly published a final rule amending the HIPAA Privacy Rule and the Clinical Laboratory Improvement Amendments of 1988 (CLIA) regulations to provide patients with direct access to laboratory test reports. HHS believes that a right to access these test reports under HIPAA is crucial to provide patients with vital information to empower them to better manage their health and take action to prevent and control disease. The amendments to both regulations become effective April 7, 2014, and HIPAA-covered laboratories must comply with the new right by October 6, 2014.

Under the currently enforced Privacy Rule, a patient’s right to access his or her protected health information (PHI) is limited with respect to PHI maintained by a CLIA laboratory or a CLIA-exempt laboratory. This limitation was included in the Privacy Rule because the existing CLIA regulations may prohibit such laboratories from disclosing this information. Currently, a CLIA laboratory may only disclose laboratory test results to three categories of individuals or entities: (1) the “authorized person,” (2) the health care provider who will use the test results for treatment purposes, and (3) the laboratory that initially requested the test. An “authorized person” is the individual authorized under state law to order or receive test results. If a state does not authorize patients to receive their test results, the patients must receive this information from their health care providers.

The final rule modifies the CLIA regulations to allow laboratories subject to CLIA, upon the request of a patient (or the patient’s personal representative), to provide access to completed test reports that – using the laboratory’s authentication process – can be identified as belonging to that patient. With respect to the Privacy Rule, the final rule removes the exceptions to a patient’s right of access related to CLIA and CLIA-exempt laboratories. Therefore, as of October 6, 2014, HIPAA-covered laboratories will be required to provide a patient or his or her personal representative with access, upon request, to the patient’s completed test reports, as well as to other PHI maintained in a designated record set. For purposes of the final rule, test reports are not part of a designated record set until they are “complete.” A test report is considered complete when all results associated with an ordered test are finalized and ready for release. These changes to the Privacy Rule preempt any contrary state laws that prohibit a HIPAA-covered laboratory from providing patients direct access to their completed test results.

In order to comply with the amended Privacy Rule, HIPAA-covered laboratories should develop and implement a policy and procedure to receive and respond to patient requests. Processing a request for a test report, either manually or electronically, will require completion of the following steps: (1) receipt of the request from the individual; (2) authentication of the identification of the individual; (3) retrieval of test reports; (4) verification of how and where the individual wants the test report to be delivered and provision of the report by mail, fax, email or other electronic means; and (5) documentation of test report issuance. Additionally, HIPAA-covered laboratories must revise their notice of privacy practices to inform patients of their right to access completed test reports, including a brief description of how to exercise the right, and removing any statements to the contrary.

This amendment to the regulations is consistent with OCR’s focus on improving patients’ rights under the Privacy Rule, and represents another important aspect of policy change and documentation efforts for HIPAA-covered entity providers.

ONC Tiger Team Takes a Bite Out of the Proposed Access Report Rule

This post was written by Jennifer Pike and Brad Rostolsky.

The Privacy and Security Tiger Team (“Tiger Team”), a subcommittee of the Office of the National Coordinator for Health IT’s HIT Policy Committee, has recommended that the Office for Civil Rights of U.S. Department of Health and Human Services (“OCR”) abandon its May 2011 proposed rule to require covered entities to provide patients with a list of workforce members who have accessed protected health information (“PHI”) contained in an electronic designated record set (“access reports”). The proposed rule was meant by OCR to implement a provision of the 2009 HITECH Act requiring HHS to expand the existing accounting of disclosures requirement to include disclosures of PHI for treatment, payment and health care operations through an electronic health record.

After months of study and a day-long hearing in September 2013, the Tiger Team concluded that the proposal, which was widely unpopular from its inception, is overbroad and lacks value. In a meeting held December 4, 2013, the Tiger Team stated that it “does not believe the proposed access report meets the requirements of HITECH to take into account the interests of the patient and administration burden on covered entities.”

The Tiger Team proposed an alternative for implementing the HITECH Act’s accounting of disclosure mandate, urging OCR “to pursue a more focused approach that prioritizes quality over quantity, where the scope of disclosures and related details to be reported to patients provide information that is useful to patients, without overwhelming them or placing undue burden on [covered entities].” The Team further recommended that OCR take a “step-wise” approach to implementing the HITECH Act, and focus on data disclosed outside of a covered entity or organized health care arrangement.

In the December 4 meeting, the Tiger Team also recommended that OCR add two new “addressable” standards to the HIPAA Security Rule related to audit controls:

  1. Audit controls must record PHI-access activities to the granularity of (i) the individual user (e.g., human) accessing PHI and (ii) the individual whose PHI is accessed.
  2. Information recorded by the audit controls must be sufficient to support the information system activity review required by section 164.308(a)(1)(ii)(D) and the investigation of potential inappropriate accesses of PHI.
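The two proposed standards above, as an added example that is not part of the original post: a minimal PHI access log that carries the user/patient granularity of standard 1, a completeness check against that standard, and the two reviews standard 2 is meant to support (a per-patient access report of the kind discussed at the start of the post, and a per-user activity summary for investigating a potential inappropriate access). The field names, the constructed JSON-lines log and the shared-account naming convention are assumptions, not anything the Tiger Team specified.

```python
import json
from collections import Counter
from dataclasses import dataclass

# Constructed sample audit log (JSON lines). Not real data; line 4 uses a
# shared login and line 5 omits the patient identifier on purpose.
SAMPLE_LOG = """\
{"ts": "2013-12-04T09:01:12Z", "user_id": "jsmith", "patient_id": "P-1001", "action": "view", "system": "EHR"}
{"ts": "2013-12-04T09:03:40Z", "user_id": "jsmith", "patient_id": "P-1002", "action": "view", "system": "EHR"}
{"ts": "2013-12-04T09:10:05Z", "user_id": "mlee", "patient_id": "P-1001", "action": "print", "system": "EHR"}
{"ts": "2013-12-04T09:12:30Z", "user_id": "shared_frontdesk", "patient_id": "P-1001", "action": "view", "system": "EHR"}
{"ts": "2013-12-04T09:15:00Z", "user_id": "jsmith", "action": "export", "system": "EHR"}
"""

# Assumed naming convention (not from the post): shared or service logins
# do not identify an individual human user, so they cannot satisfy (i).
NON_INDIVIDUAL_PREFIXES = ("shared_", "svc_")

# Fields standard 1 needs to be present on every record (assumed names).
REQUIRED_FIELDS = ("ts", "user_id", "patient_id", "action")


@dataclass(frozen=True)
class PhiAccessEvent:
    ts: str          # when the access happened
    user_id: str     # (i) the individual human user who accessed PHI
    patient_id: str  # (ii) the individual whose PHI was accessed
    action: str      # what was done (view, print, export, ...)
    system: str      # which information system recorded the access


def granularity_deficiencies(raw: dict) -> list:
    """Check one raw record against proposed standard 1.

    Returns a list of deficiencies; an empty list means the record
    identifies both the acting user and the affected patient.
    """
    problems = []
    for field in REQUIRED_FIELDS:
        if not raw.get(field):
            problems.append(f"missing {field}")
    user = raw.get("user_id") or ""
    if user.startswith(NON_INDIVIDUAL_PREFIXES):
        problems.append("user_id is a shared/service account, not an individual user")
    return problems


def load_events(log_text: str):
    """Parse JSON lines into events.

    Returns (compliant events, rejected) where rejected is a list of
    (line number, deficiencies) so the gaps themselves can be reviewed.
    """
    events, rejected = [], []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        raw = json.loads(line)
        problems = granularity_deficiencies(raw)
        if problems:
            rejected.append((line_no, problems))
            continue
        events.append(PhiAccessEvent(raw["ts"], raw["user_id"], raw["patient_id"],
                                     raw["action"], raw.get("system", "")))
    return events, rejected


def access_report(events, patient_id: str) -> list:
    """Standard 2 use case: every workforce member who accessed one patient's PHI,
    in time order (the per-patient access report discussed in the post)."""
    return sorted((e.ts, e.user_id, e.action, e.system)
                  for e in events if e.patient_id == patient_id)


def user_activity_summary(events, user_id: str) -> dict:
    """Standard 2 use case: activity review for one user, as accesses per patient."""
    return dict(Counter(e.patient_id for e in events if e.user_id == user_id))


if __name__ == "__main__":
    events, rejected = load_events(SAMPLE_LOG)
    for line_no, problems in rejected:
        print(f"line {line_no} does not meet the granularity standard: {problems}")
    for row in access_report(events, "P-1001"):
        print("P-1001 accessed:", row)
    print("jsmith activity:", user_activity_summary(events, "jsmith"))
```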

How HHS will respond to the Tiger Team’s recommendations, and when a final rule will be released, remains to be seen.

HHS Seeks to Reduce Gun Violence Via Modifications to the HIPAA Privacy Rule

This post was written by Nancy E. Bonifant and Jennifer L. Pike.

After receiving more than 2,000 comments to its April 2013 Advance Notice of Proposed Rulemaking, the Department of Health & Human Services (“HHS”) has proposed to amend the HIPAA Privacy Rule to expressly permit certain covered entities to report to the National Instant Criminal Background Check System (“NICS”) the identities of individuals who are prohibited by federal law, for mental health reasons, from possessing firearms (commonly referred to as the “mental health prohibitor”).

The NICS is the system used to determine whether a potential firearms recipient is statutorily prohibited from possessing or receiving a firearm. The mental health prohibitor applies to individuals who have been (1) involuntarily committed to a mental institution; (2) found incompetent to stand trial or not guilty by reason of insanity; or (3) otherwise determined, through a formal adjudication process, to have a severe mental condition that results in the individuals presenting a danger to themselves or others, or being incapable of managing their own affairs.

While most records related to involuntary commitments and mental health adjudications originate in entities affiliated with the criminal justice system (which are generally not subject to HIPAA), state entities outside the criminal justice system may also be involved. If these state entities are HIPAA-covered entities, or if a HIPAA-covered entity is the state repository for such records, then these records are subject to HIPAA.

Under the existing HIPAA Privacy Rule, there are circumstances where records subject to HIPAA may be reported to the NICS. For example, the Privacy Rule permits any covered entity to disclose information to the NICS to the extent such reporting is required by state law. In the absence of a state law requirement, however, reporting to the NICS is only permissible to the extent a covered entity designates itself as a hybrid covered entity, and the relevant information is maintained and reported through the non-HIPAA-regulated portion of that entity. As a result, OCR has cited concerns that the existing HIPAA Privacy Rule may be preventing some state entities (which likely perform both HIPAA-covered and non-covered functions) from reporting to the NICS the identities of individuals subject to the mental health prohibitor. Therefore, HHS has proposed to add to the Privacy Rule new provisions at 45 CFR § 164.512(k)(7), which would permit certain covered entities to disclose the minimum necessary demographic and other information for NICS reporting purposes.

Notably, this new permission would apply only to covered entities that function as repositories of information relevant to the federal mental health prohibitor on behalf of a state, or that are responsible for ordering the involuntary commitments or other adjudications that make an individual subject to the federal mental health prohibitor. Further, the new permission would strictly limit the information used or disclosed for NICS reporting purposes to the minimum necessary—HHS considers the minimum necessary information to include: (1) an individual’s name; (2) an individual’s date of birth; (3) an individual’s sex; (4) a code or notation indicating that the individual is subject to the federal mental health prohibitor; (5) a code or notation representing the reporting entity; and (6) a code identifying the agency record supporting the prohibition. The new permission would not permit the use or disclosure of clinical or diagnostic information.

HHS is seeking comments related to the proposed rule. Comments may be submitted in writing, or electronically at www.regulations.gov, on or before March 10, 2014.

OCR OUT OF COMPLIANCE? OIG Report Concludes OCR Slow To Enforce HIPAA Security Rule and To Comply with Federal Cybersecurity Requirements

This post was written by Nancy E. Bonifant and Brad M. Rostolsky.

According to a report published by the Office of the Inspector General (OIG) on November 21, 2013, the Department of Health & Human Services (HHS) Office for Civil Rights (OCR) is not adequately overseeing and enforcing the HIPAA Security Rule.

The OIG’s report, which followed an assessment of OCR’s Security Rule oversight and enforcement activities from July 2009 through May 2011, concluded that:

  • OCR failed to provide for periodic audits, as mandated by HITECH, to ensure that covered entities were in compliance with the Security Rule, and instead continued to follow the complaint-driven approach to assess the status of Security Rule compliance; and
  • OCR failed to consistently follow its investigation procedures and maintain documentation needed to support key decisions made during investigations conducted in response to reported violations of the Security Rule.

To address these findings, the OIG recommended that OCR: (i) assess the risks, establish priorities, and implement controls for its HITECH auditing requirements; (ii) provide for periodic audits in accordance with HITECH to ensure Security Rule compliance at covered entities; and (iii) implement sufficient controls, such as supervisory reviews and documentation retention, to ensure policies and procedures for Security Rule investigations are followed.

Separately, the OIG also assessed OCR’s computer systems as of May 2011, and concluded that OCR had not fully complied with the cybersecurity requirements included in the National Institute of Standards and Technology (NIST) Risk Management Framework for its information systems used to process and store investigation data, because it focused on system operability to the detriment of system and data security. As a result, the OIG recommended that OCR implement the NIST Risk Management Framework for systems used to oversee and enforce the Security Rule.

In response, OCR generally concurred with the recommendations and described the actions it has taken to address the OIG’s concerns since May 2011. Notably, while OCR did initiate a pilot audit program in November 2011 and has subsequently audited 115 covered entities, OCR also explained that the funds used to support those audit activities are no longer available, and no funds have been appropriated for it to maintain a permanent audit program.

In consideration of the OIG’s report and OCR’s response, the looming questions that remain are how OCR will fund its statutorily required enforcement and compliance activities, and whether covered entities and business associates should expect increased enforcement to help subsidize OCR’s compliance going forward.

Physician Practice Caught in OCR Crossfire Following Theft of Unencrypted Flash Drive

This post was written by Brad M. Rostolsky and John E. Wyand

The theft of an unencrypted flash drive has led to an agreement by Adult & Pediatric Dermatology, P.C., of Concord, Mass. (APDerm), to pay $150,000 to the Department of Health and Human Services’ Office for Civil Rights (OCR) to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules. APDerm will also be required to implement a corrective action plan to correct deficiencies in its HIPAA compliance program. APDerm is a private practice that delivers dermatology services in four locations in Massachusetts and two in New Hampshire.

This case marks the first settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of the American Recovery and Reinvestment Act of 2009. Significantly, it also marks one of the few instances where OCR has taken enforcement action against a smaller covered entity provider.

OCR opened an investigation of APDerm upon receiving a report that an unencrypted flash drive containing the electronic protected health information (ePHI) of approximately 2,200 individuals was stolen from a vehicle of one of its staff members. The flash drive was never recovered, and the investigation revealed that APDerm had not conducted “an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI” as part of its security management process. In other words, OCR continues to target the failure of covered entities to conduct a risk assessment under the Security Rule. Furthermore, OCR focused on APDerm’s failure to maintain appropriate policies and procedures, as well as the associated training, pursuant to the requirements of the Breach Notification Rule.

In addition to a $150,000 settlement, OCR imposed a corrective action plan requiring APDerm to develop a risk analysis and risk management plan to address and mitigate any security risks and vulnerabilities, as well as to provide an implementation report to OCR.

A copy of the Resolution Agreement and Corrective Action Plan may be found here.

OCR Releases HIPAA Guide for Law Enforcement

This post was authored by Brad Rostolsky and Jennifer Pike.

On September 20, 2013, the Office for Civil Rights of the U.S. Department of Health & Human Services announced the addition of a new resource on its website to assist law enforcement and emergency planners when addressing information-sharing that may be subject to the HIPAA Privacy Rule. Among other things, the guide does the following:

  • Describes the Privacy Rule and identifies which entities are required to comply; and
  • Outlines several examples of when disclosures of health information to law enforcement are allowed.

The guide is available online.

OCR Announces Enforcement Delay for CLIA Labs

This post was authored by Brad Rostolsky and Jennifer Pike.

The Office for Civil Rights (OCR) of the Department of Health & Human Services (HHS) announced on September 19, 2013 that, until further notice, it is delaying enforcement of the requirement that certain HIPAA-covered labs revise their notices of privacy practices (NPPs) to comply with modifications made by the HITECH Final Rule. The enforcement delay applies to HIPAA-covered labs that are subject to the Clinical Laboratory Improvement Act (CLIA), or exempt from CLIA, and that are not required to provide an individual with access to his or her lab test reports because the reports are subject to the exceptions to the right of access at 45 C.F.R. § 164.524. The delay does not apply to labs that operate as part of a larger legal entity and, by virtue of that relationship, do not have their own NPP.

By way of background, under the Privacy Rule, covered entities must promptly revise their NPPs whenever there is a material change to the privacy practices described in the NPP. The HITECH Final Rule made a number of such material changes, necessitating that covered entities revise their NPPs.

The enforcement delay is a result of HHS’ plan to amend the HIPAA Privacy Rule and CLIA regulations regarding the rights of individuals to receive their test reports directly from CLIA and CLIA-exempt labs. If finalized as proposed, the amendment would result in a material change to the labs’ privacy practices. The purpose of the delay is to decrease the burden on and expense to HIPAA-covered labs of having to revise their NPPs twice within a short period of time.

For more information about the HITECH Final Rule and its implementation, please see our previous discussion of this topic.

HHS Considers Amending the HIPAA Privacy Rule to Encourage Reporting of Mental Health Information to the National Instant Criminal Background Check System

This post was written by Jennifer L. Pike and Nancy E. Bonifant.

The Department of Health and Human Services (“HHS”) is seeking comments on a proposal to amend the HIPAA Privacy Rule to expressly permit covered entities to disclose certain mental health information to the National Instant Criminal Background Check System (NICS), the federal government’s background check system for the sale or transfer of firearms by licensed dealers.

Federal law prohibits the following persons from possessing or receiving firearms: (1) individuals who have been involuntarily committed to a mental institution; (2) individuals who have been found incompetent to stand trial or not guilty by reason of insanity; and (3) individuals who have been otherwise determined, through a formal adjudication process, to have a severe mental condition that results in the individual presenting a danger to themselves or others or being incapable of managing their own affairs (collectively referred to in the proposed rule as the “mental health prohibitor”). Federal agencies are required by the NICS Improvement Amendments Act of 2008 to report to NICS the identities of individuals who are subject to the mental health prohibitor. The Act also authorizes incentives for States to provide such information when it is in their possession.

HHS issued the proposed rule to address concerns that the HIPAA Privacy Rule may be preventing some States from reporting to NICS the identities of individuals subject to the mental health prohibitor. Records related to involuntary commitments and mental health adjudications generally originate in entities in the criminal justice system. Such entities are not HIPAA covered entities, and the records are therefore not subject to HIPAA. However, there may be State entities outside the criminal justice system that are involved in some involuntary commitments or mental health adjudications, and these entities may be HIPAA covered entities. Where a record of involuntary commitment or mental health adjudication originates with a HIPAA covered entity, or the HIPAA covered entity is the State repository for such records, those records are subject to HIPAA. Therefore, the concern is that the individuals identified in such records are not being reported to NICS due to HIPAA compliance considerations.

To address these concerns, HHS is considering whether to amend the Privacy Rule to expressly permit covered entities to disclose limited information to NICS about the identities of individuals who are subject to the mental health prohibitor. Pursuant to the HHS request for comments, the potential exception may limit the information disclosed to the minimum data necessary for NICS purposes, and limit permission to disclose to covered entities that order involuntary commitments, perform relevant mental health adjudications, or are otherwise designated as State repositories for NICS reporting purposes.

HHS is seeking comments on specific questions related to the proposal. These questions are listed in HHS’ Advance Notice of Proposed Rulemaking, which is available here. Comments should be submitted in writing, or electronically at www.regulations.gov, on or before June 7, 2013.

The Scope of HIPAA Preemption in Florida: More Questions than Answers

This post was written by Nancy E. Bonifant and Zachary A. Portin.

On April 9, 2013, the Eleventh Circuit held that HIPAA preempts a Florida statute that requires nursing homes to release medical records of deceased residents to their spouses, attorneys-in-fact and other enumerated parties who request them.  In Opis Management Resources LLC v. Secretary Florida Agency for Health Care Administration, the Florida agency that oversees nursing homes cited Opis Management, an operator of nursing homes, for refusing to release medical records to deceased residents’ spouses and attorneys-in-fact.  Opis Management challenged the citations arguing that the requesting parties were not “personal representatives” under HIPAA.

The HIPAA Privacy Rule requires disclosures of PHI in only two situations: (1) to the individual, and (2) to the Secretary of HHS.  Covered entities must also treat a deceased individual’s “personal representative,” who has authority to act on behalf of the deceased individual or his/her estate, as the individual for purposes of disclosures under the HIPAA Privacy Rule.  While HIPAA does not preempt “more stringent” state laws, it sets a floor for privacy protections and supersedes any contrary provision of state law.

The Eleventh Circuit held that HIPAA preempts the Florida statute because it “impedes the accomplishment and execution of the full purposes and objectives of HIPAA and the Privacy Rule,” particularly keeping an individual’s PHI confidential.  According to Judge Black, the Florida statute authorizes “sweeping disclosures” that made a deceased resident’s PHI available to certain individuals upon request without any need for authorization and “without regard to the authority of the individual making the request to act in the deceased’s stead.”  Interestingly, because the Florida agency failed to timely raise the argument, the court did not consider whether compliance with both laws was possible because HIPAA permits covered entities to disclose PHI as “required by law.”

Opis Management Resources highlights one of the many challenges that covered entities face in trying to achieve compliance under HIPAA and state privacy law.  Although the holding suggests that analogous Florida statutes mandating disclosures may too be preempted, the ruling is limited to licensed Florida nursing homes.  Clearly, the scope of HIPAA preemption remains unsettled and the issue will likely continue to be determined on a case-by-case basis.

Loose Lips Sink... Providers?

This post was written by Zachary A. Portin and Nancy E. Bonifant.

Can a medical corporation be directly liable under New York law for breaching its common law fiduciary duty of confidentiality when a non-physician employee acted outside the scope of his or her employment by making an unauthorized disclosure of an individual’s confidential health information?  This is the question that the U.S. Court of Appeals for the Second Circuit posed to the New York State Court of Appeals last month when it requested an advisory opinion from the state’s highest court in order to resolve Doe v. Guthrie Clinic Ltd. 

Plaintiff Doe sued various Pennsylvania-based entities (the “Guthrie Defendants”) that owned and operated the Guthrie Clinic Steuben (the “Clinic”) located in New York after one of the Clinic’s nurses sent six text messages to Doe’s girlfriend informing her that Doe was being treated for sexually transmitted diseases.  Plaintiff Doe brought several tort claims against the Guthrie Defendants, including a novel claim that the common law cause of action for breach of the fiduciary duty to keep medical records confidential runs directly against medical corporations, even when the employee responsible for the breach is not a physician and acted outside the scope of her employment.

Although HIPAA does not create a private right of action under federal law, an aggrieved patient may avail himself or herself of state law causes of action. For example, New York imposes a general duty to maintain the confidentiality of personal health information as well as a specific common law cause of action against a physician who improperly discloses confidential information. In 2000, the Appellate Division of the New York State Supreme Court also held that a patient was permitted to sue a health insurer whose records clerk wrongfully disclosed treatment information. Nevertheless, the Second Circuit elected to certify the question to the Court of Appeals with regard to the Guthrie Defendants after it concluded that no controlling precedent existed.

A favorable ruling for Plaintiff Doe threatens to vastly expand the scope of liability faced by providers and other entities involved in the delivery of healthcare.  Perhaps most concerning from the perspective of providers is the prospect of such entities facing liability under New York law for unforeseeable misconduct committed by non-physician employees.  Regardless of the Second Circuit’s ultimate disposition of this legal question, the case underscores the importance of developing and maintaining a robust compliance program to combat such misconduct.

OCR Announces Expansion of its Health Information Privacy Enforcement Team

This post was written by Brad M. Rostolsky and Jennifer Pike.

On February 27, 2013, the HHS Office for Civil Rights (“OCR”) announced the availability of several Health Information Privacy Specialist positions. This expansion of OCR’s health information privacy enforcement team signals that OCR’s increased enforcement activity during 2012 will continue in 2013. In 2012, OCR announced several enforcement actions resulting from a breach self-report required by HITECH’s Breach Notification Rule, including the $1.7 million settlement in June with the Alaska Department of Health and Social Services and the Massachusetts Eye and Ear Infirmary’s $1.5 million settlement in September. OCR’s 2012 enforcement actions, and OCR leadership comments subsequent to the release of the HITECH Final Rule, suggest that the agency’s focus will be on Security Rule compliance (specifically with regard to whether a regulated entity has conducted a Security Rule risk assessment), the lack of overall HIPAA compliance that may lead to a breach (as opposed to the breach itself), and issues involving marketing or the sale of protected health information. Covered entities and business associates should expect OCR enforcement, including audits, to continue to increase over the next year.

More information on these positions is available at usajobs.gov.

Additional information about OCR’s enforcement activities can be found at hhs.gov.

OCR Continues to Use Breach Self-Reports as an Invitation to Audit General HIPAA Compliance

Massachusetts Provider Becomes Third Seven-Figure Settlement Since March

This post was written by Nancy E. Bonifant and Brad M. Rostolsky.

On September 17, 2012, the HHS Office of Civil Rights ("OCR") announced another settlement and corrective action plan following an entity’s breach self-report required by HITECH’s Breach Notification Rule. Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (collectively "MEEI") have agreed to pay $1.5 million to settle potential violations of the HIPAA Security Rule following the theft of a physician’s unencrypted, but protected, laptop, providing additional evidence that: (1) OCR will likely view any breach notification as an opportunity to conduct a de facto audit of an entity’s general HIPAA compliance; and (2) encryption of all portable devices containing electronic protected health information ("ePHI"), though not technically "required," is a critical compliance consideration.

The information contained on the laptop, which was stolen while the physician was lecturing in South Korea in 2010, included prescriptions and clinical information for approximately 3,600 patients and research subjects. According to MEEI, although unencrypted, the laptop was password protected and contained a tracking device commonly referred to as "LoJack." Using LoJack, MEEI determined that a new operating system had been installed on the computer and that the software needed to access the ePHI had not been reinstalled. After concluding that retrieval of the laptop was unlikely, MEEI remotely and permanently disabled the hard drive, rendering any ePHI unreadable.

Although OCR’s subsequent investigation revealed no patient harm as a result of the breach, the agency did find that the breach indicated a long-term, organizational disregard for the requirements of the Security Rule. More specifically, over an extended period of time, MEEI failed to:

  • Conduct a thorough analysis of the risk to the confidentiality of ePHI maintained on portable devices;
  • Implement security measures sufficient to ensure the confidentiality of ePHI that MEEI created, maintained, and transmitted using portable devices;
  • Adopt and implement policies and procedures to restrict access to ePHI to authorized users of portable devices; and
  • Adopt and implement policies and procedures to address security incident identification, reporting, and response.

Following on the heels of the Alaska Department of Health and Social Services’ $1.7 million settlement in June, which also followed a breach that affected a relatively small number of individuals, OCR’s recent enforcement actions suggest that its focus is on the lack of overall HIPAA compliance that may lead to a breach and not the breach itself. This settlement also reaffirms the practical necessity of encrypting all ePHI on portable devices. Under HHS’s guidance on securing protected health information, ePHI that is encrypted in accordance with that guidance is not "unsecured," so the loss of an encrypted device does not trigger the Breach Notification Rule in the first place. According to Leon Rodriguez, Director of OCR, "[i]n an age when health information is stored and transported on portable devices such as laptops, tablets, and mobile phones, special attention must be paid to safeguarding the information held on these devices."

In addition to the $1.5 million settlement, the Resolution Agreement between MEEI and OCR included a corrective action plan, which requires MEEI to review, revise, and maintain policies and procedures to ensure compliance with the Security Rule, and retain an independent monitor who will conduct assessments of MEEI’s compliance with the corrective action plan and render semi-annual reports to HHS for a 3-year period. MEEI did not admit any liability in the agreement and OCR did not concede that MEEI was not liable for civil monetary penalties.

Additional information about OCR’s enforcement activities can be found at hhs.gov.

Massachusetts Attorney General Strikes: South Shore Hospital Settles Data Breach Allegations for $750,000

This post was written by Brad M. Rostolsky and Nancy E. Bonifant.

On May 24, 2012, the Attorney General of Massachusetts announced that South Shore Hospital of South Weymouth, Massachusetts (South Shore) agreed to settle allegations that it failed to protect the personal and protected health information of more than 800,000 individuals. The settlement resulted from the hospital’s data breach report to the Attorney General in July 2010, which was also reported to the HHS Office for Civil Rights in accordance with the HIPAA Breach Notification Rule. Although the Attorney General reported a $750,000 settlement, South Shore was credited $275,000 for new security measures taken after the breach, bringing the actual amount to $475,000, of which $250,000 is a civil penalty and $225,000 shall be paid to an education fund to be used by the Attorney General’s Office to promote education concerning the protection of personal and protected health information. South Shore also agreed to undergo a review and audit of its security measures and report the results to the Attorney General.

In February 2010, South Shore contracted with Archive Data Solutions (Archive Data) to erase and re-sell 473 data tapes. According to the Attorney General, South Shore did not inform Archive Data that the tapes contained personal and protected health information, including individuals’ names, Social Security numbers, financial account numbers, and medical diagnoses. The tapes were then shipped to a Texas subcontractor, but in June 2010, South Shore learned that only one of the three boxes of tapes had arrived. The two missing boxes were never recovered, and there have been no reports of unauthorized use of the information.

Following its investigation of South Shore’s breach report, the Attorney General filed a lawsuit under the Massachusetts Consumer Protection Act and HIPAA. Pursuant to HITECH, enacted as part of the American Recovery and Reinvestment Act of 2009, state Attorneys General have the authority to bring civil actions on behalf of state residents for violations of the HIPAA Privacy and Security Rules, including to obtain damages and to enjoin further violations. In the lawsuit, the Attorney General alleged that South Shore failed to implement appropriate safeguards, policies, and procedures to protect the information, failed to have a Business Associate Agreement in place with Archive Data, and failed to properly train its workforce.

Small Cardiology Practice to Pay $100,000 to Settle Allegations of HIPAA Violations

This post was written by Nancy E. Bonifant and Brad M. Rostolsky.

On April 17, 2012, the HHS Office for Civil Rights (OCR) announced a settlement and corrective action plan with Phoenix Cardiac Surgery, P.C. (Phoenix), a small cardiology practice based in Phoenix and Prescott, Arizona. Phoenix has agreed to pay $100,000 to settle allegations of HIPAA violations arising out of an investigation conducted by OCR.

OCR’s investigation of Phoenix followed a report that Phoenix was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible. On further investigation, OCR discovered the following issues:

  • Phoenix failed to implement adequate policies and procedures to appropriately safeguard patient information;
  • Phoenix failed to document that it trained any employees on its policies and procedures on the Privacy and Security Rules;
  • Phoenix failed to identify a security official and conduct a risk analysis; and
  • Phoenix failed to obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to its electronic protected health information.

This settlement serves as additional evidence of OCR’s increased focus on enforcement actions for alleged HIPAA violations, following just one month after the first enforcement action resulting from a breach self-report under the Breach Notification Rule. According to Leon Rodriguez, Director of OCR, he “hope[s] that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.” Additionally, the settlement provides further evidence that OCR will likely view any investigation of an alleged Privacy or Security Rule infraction as an opportunity to conduct a de facto audit of the entity’s general compliance with HIPAA.

In addition to the $100,000 settlement, the Resolution Agreement between Phoenix and OCR requires Phoenix to develop and maintain written Privacy and Security policies, which will set forth, at a minimum, administrative safeguards, technical safeguards, and training of all Phoenix’s workforce members. In addition, Phoenix will provide specific training on the Privacy and Security policies within 60 days of OCR’s approval to all workforce members who use or disclose protected health information and will report any violations of those policies and procedures by a workforce member to OCR within 30 days. Phoenix did not admit any liability in the agreement and OCR did not concede that Phoenix was not liable for civil monetary penalties.

Additional information about OCR’s enforcement activities can be found at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html.


OCR Announces First Enforcement Action Resulting From a Breach Self-Report

This post was written by Nancy E. Bonifant and Brad M. Rostolsky.

On March 13, 2012, the HHS Office for Civil Rights (OCR) announced the first enforcement action resulting from a breach self-report required by HITECH’s Breach Notification Rule. Blue Cross Blue Shield of Tennessee (BCBST) has agreed to pay HHS $1,500,000 to settle potential violations of the HIPAA Privacy and Security Rules and has entered into a corrective action plan to address gaps in its HIPAA compliance program.

The HIPAA/HITECH Breach Notification Rule requires covered entities to report a breach (i.e., an impermissible use or disclosure of protected health information that compromises the security or privacy of that information) to the affected individual(s), to HHS and, at times, to the media. OCR’s investigation of BCBST followed a breach report submitted by BCBST informing HHS that 57 unencrypted computer hard drives had been stolen from a leased facility in Tennessee. The hard drives contained the protected health information of more than 1 million individuals, including member names, Social Security numbers, diagnosis codes, dates of birth, and health plan identification numbers.

According to OCR’s investigation, BCBST failed to implement appropriate administrative and physical safeguards as required by the HIPAA Security Rule. More specifically, BCBST failed to perform the required security evaluation in response to operational changes and did not have adequate facility access controls.

In addition to the $1,500,000 settlement, the Resolution Agreement between BCBST and OCR requires BCBST to revise its Privacy and Security policies, conduct robust training for all employees, and perform regular monitoring reviews to ensure compliance with the corrective action plan. BCBST did not admit any liability in the agreement and OCR did not concede that BCBST was not liable for civil monetary penalties.

Additional information about OCR’s enforcement activities can be found at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html.

Transcending the Cloud: A Legal Guide to the Risks and Rewards of Cloud Computing - Health Care in the Cloud

This post was written by Vicky G. Gormanly and Joseph I. Rosenbaum.

The interest level in storing health records in digital format has grown rapidly with the lower cost and greater availability and reliability of interoperable storage mechanisms and devices. Health care providers like hospitals and health systems, physician practices, and health insurance companies are among those most likely to be considering a cloud-based solution for the storage of patient-related health information. While lower cost, ubiquitous 24/7 availability, and reliability are key drivers pushing health care providers and insurers to the cloud, a number of serious legal and regulatory issues should be considered before releasing sensitive patient data into the cloud. The issues are highlighted in the Health Care chapter of our Cloud Computing White Paper.

Authentication Practices and Secure Communications in the Life Sciences and Health Care Industry

Information security is paramount in the life sciences and health care industry because it is subject to affirmative regulatory requirements regarding the physical and technical safeguards used to secure electronic information. It is therefore troubling that the Internet protocols universally used to transmit encrypted information (TLS, the protocol underlying HTTPS) employ an authentication process, meant to verify the endpoints of a communication, that is deeply flawed. The authentication process requires the parties to the communication to trust literally hundreds of unknown third parties referred to as "certificate authorities," any one of which can issue a certificate for any domain name, so that the compromise or misconduct of a single authority undermines the authentication of every connection that relies on the trust store containing it. The closer one looks at the identity of these third parties and the processes used to carry out the authentication process, the worse it gets. It is time for GCs (general counsel) to get involved because Encryption is Not Enough...

New HHS Regulations Impose Federal Security Breach Notification Requirements

The recently enacted Health Information Technology for Economic and Clinical Health (“HITECH”) Act, which amends various aspects of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), including the associated Privacy and Security Rules, marks a significant change in how covered entities and their business associates must respond to security breaches under HIPAA.

On August 24, 2009, the U.S. Department of Health and Human Services (“HHS”) issued its interim final rule (“the Rule”) regarding a covered entity’s obligation to notify individuals when their unsecured protected health information (“PHI”) is breached. Furthermore, and depending on the nature of the security breach, the Rule also requires a more global notification whereby covered entities must post information regarding certain breaches in newspapers and on the HHS website.

The HHS Rule is effective on September 23, 2009; however, HHS will not impose sanctions for failure to provide the required notices for breaches that are discovered before February 22, 2010.

For additional details, read the full alert