Category: HIPAA

OCR and FTC Detail Overlapping Interests Between HIPAA and the FTC Act

On October 21, 2016, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) issued joint guidance highlighting the two agencies’ common interest in protecting individuals’ health information.

The health care industry is familiar with the restrictions on use and disclosure of protected health information (PHI) imposed by HIPAA. In general, other than as required by the HIPAA Privacy Rule or for treatment, payment or health care operations, HIPAA requires a valid, signed authorization from the individual before any further use or disclosure of his or her PHI can occur. This authorization must be in “plain language,” must not be combined with any other type of authorization, and must include specific terms and descriptions of the information sought and the proposed use or disclosure.

The FTC’s interest in the healthcare sector’s information security practices is less well known, however. Many may be surprised by the FTC’s longstanding position that its broad power to regulate unfair and deceptive practices under Section 5 of the FTC Act gives it jurisdiction, overlapping with OCR’s, over the privacy and security practices of HIPAA-regulated entities.

The FTC Act prohibits a contemplated use or disclosure of health information from being a “deceptive or unfair” act or practice. Among other things, this means that individuals may not be “misled” about how their PHI may be used or disclosed. The FTC therefore recommends that entities review all of their consumer-facing messaging to ensure it is free from any deceptive or misleading statements. Moreover, the FTC explicitly cautions against burying key facts regarding the use and disclosure of health information in links to a privacy policy, terms of use, or HIPAA authorizations. It also warns against manipulating font sizes or colors online in a manner that would make disclosure statements deceptive. Instead, it recommends that all disclosure statements be “clear and conspicuous” from a consumer’s perspective.

OCR and the FTC have a history of collaboration and joint enforcement in the security area.  In February 2009, OCR entered into a $2.25 million settlement agreement with CVS Pharmacy, Inc. (CVS) and required implementation of a detailed corrective action plan to ensure the proper disposal of PHI.  Simultaneously, in a separate but related agreement, CVS resolved FTC charges that it failed to implement reasonable and appropriate procedures for handling personal information about customers and employees, did not adequately train employees, did not use reasonable measures to assess compliance with its policies and procedures for disposing of personal information, and did not employ a reasonable process for discovering and remedying risks to personal information.

A year later, in July 2010, Rite Aid Corporation entered into a similar resolution agreement, paying $1 million to OCR and implementing a corrective plan of action while simultaneously settling an FTC complaint which alleged that it failed to properly dispose of personal information, inadequately trained employees, did not sufficiently assess compliance with its disposal policies, and did not employ a reasonable process for discovering and remedying risks to personal information.

In addition, the FTC has not hesitated to bring enforcement actions on its own against healthcare entities. Most notably, the FTC has doggedly pursued LabMD, a former clinical laboratory which no longer operates, for failure to protect patients’ sensitive personal information. This resulted in a July 2016 unanimous opinion from the FTC which found LabMD’s security practices unreasonable, “lacking even basic precautions to protect the sensitive consumer information maintained on its computer system.” LabMD has recently filed a motion in the Eleventh Circuit to stay the FTC’s enforcement order. See LabMD, Inc. v. FTC, 11th Cir., No. 16-16270, motion to stay filed, Oct. 7, 2016.

It remains to be seen whether this recent joint statement from OCR and FTC foreshadows a more robust collaboration between the two agencies which builds on their efforts in the CVS and Rite Aid cases and expands into the HIPAA Privacy Rule area.  Even if that does not immediately occur, the FTC remains active in pursuing cases on its own, such as LabMD.  Whatever the outcome, businesses in the healthcare sector should remain sensitive to the FTC’s mandates, along with those from OCR.

HIPAA Enforcement At All-Time High So Far in 2016

With four months still to go, 2016 has been a record-setting year for HIPAA enforcement by the U.S. Department of Health and Human Services Office for Civil Rights (OCR). Before September has even begun, OCR has already levied over $20 million in fines resulting from its investigations of suspected HIPAA violations. This amount more than triples the $6.2 million in HIPAA penalties it assessed for all of 2015. These enforcement actions included both the first-ever settlement of possible HIPAA violations by a Business Associate and the largest single fine to date, $5.5 million, for suspected HIPAA violations.

In addition, OCR has recently begun an initiative to more widely investigate the root causes of breaches affecting fewer than 500 individuals. While Regional Offices will still retain discretion to prioritize which smaller breaches to investigate, each office will increase its efforts to identify and obtain corrective action to address entity-specific and systemic noncompliance related to these breaches. The factors that OCR’s Regional Offices will consider in this regard include:

  • The type and size of the breach, including the amount, nature, and sensitivity of the PHI involved;
  • Whether the breach involved theft or improper disposal of unencrypted PHI;
  • Breaches that involve unwanted intrusions to IT systems (for example, by hacking);
  • A particular covered entity or business associate’s breach history;
  • Lack of breach reports affecting fewer than 500 individuals when comparing a specific covered entity or business associate to like-situated covered entities and business associates.

This flurry of enforcement activity has occurred against the backdrop of “Phase 2” desk and onsite audits of approximately 200 – 250 covered entities and their business associates, which will examine compliance with specific requirements of the Privacy, Security, or Breach Notification Rules. In particular, these audits will focus on the contents of Notices of Privacy Practices, individuals’ rights to access protected health information, risk analysis, risk management, and the timeliness and content of breach notification. There will also be a limited number of comprehensive on-site audits. All audits are expected to be completed by December 31, 2016.

Even if not selected for an audit, covered entities and business associates would be well-advised to review the Audit Protocol available through the HHS website, to ensure that their internal list of business associates is current, and to review and, if necessary, update their risk analysis and risk management in light of recent developments, particularly the proliferation of ransomware attacks targeting the health industry.

OCR Issues HIPAA Guidance on Ransomware Threat to Health Care Industry

The U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) has published a HIPAA Fact Sheet outlining the multi-faceted threat which ransomware poses to the health care sector and providing insights into how this threat may affect HIPAA compliance. In this publication, OCR states that a ransomware attack, even on encrypted devices, may result in a reportable breach of electronic Protected Health Information (“ePHI”). In light of this, covered entities and business associates should consider revisions to their risk assessment plans specifically directed at countering ransomware attacks.

Ransomware is an increasingly rampant type of malware that encrypts data with a complex “key” known only to the attacker, making data, and possibly entire information systems such as EHRs or scheduling programs, inaccessible to authorized users. Once ransomware has taken hold, the attackers demand a payment before providing the key required to decrypt the affected files. Ransomware frequently infects devices and systems when unsuspecting users click on malicious website links or open infected email attachments.

OCR’s guidance states that a ransomware infection of a computer system is a “security incident” under HIPAA. As a result, once ransomware is detected, the covered entity or business associate must initiate its HIPAA-mandated security incident response and reporting procedures. In addition, it should also assess whether or not a “breach” has occurred. As defined by the HIPAA regulations, a breach occurs with “the acquisition, access, use, or disclosure of PHI in a manner not permitted under the [rules governing PHI] which compromises the security or privacy of the PHI.” Whether a ransomware infection meets this definition is a fact-sensitive question.

According to OCR’s recent guidance, ransomware represents an unauthorized user’s attempt to encrypt the data, which amounts to an “acquisition,” and therefore an impermissible disclosure, under HIPAA. At this point, a risk assessment is required to determine whether there is a “low probability” that the PHI has been compromised, taking into account the following factors: (1) the nature and extent of the ePHI involved; (2) the unauthorized person who used the ePHI or to whom the disclosure was made; (3) whether the ePHI was actually acquired or viewed; and (4) the extent to which the risk to the ePHI has been mitigated. If a “low probability” of compromise cannot be demonstrated, then a breach has occurred and HIPAA’s Breach Notification Rule is triggered.

If encrypted data is involved, the question of whether or not a breach has occurred becomes more complicated and depends, in part, on the technical aspects of the particular encryption used. Because the Breach Notification Rule only applies to “unsecured PHI,” meaning PHI “that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary,” properly encrypted PHI, even if stolen, usually does not constitute a “breach.” However, additional analysis is still required to ensure that the encryption solution, as implemented, is effective. For example, a full disk encryption solution may render the data on a computer system’s hard drive unreadable, unusable and indecipherable to unauthorized persons while the computer system is powered down. However, once the system is operational, many full disk encryption solutions will transparently decrypt and encrypt files accessed by the user, so malware running under an authenticated user’s account has the same access to the plaintext as that user does. An authenticated user who accidentally infects the system with ransomware may therefore cause a breach of ePHI. Thus, despite having encryption protection in place, sophisticated ransomware can result in a breach of ePHI which is reportable under HIPAA.

HIPAA already requires covered entities and business associates to implement security measures to prepare for, respond to, and recover from ransomware and other malware attacks. Some of these required security measures include:

  • implementing a security management process, which includes conducting a risk analysis to identify threats and vulnerabilities to ePHI and implementing security measures to mitigate or remediate those identified risks;
  • implementing procedures to guard against and detect malicious software;
  • training users on malicious software protection so they can assist in detecting malicious software and know how to report such detections; and
  • implementing access controls to limit access to ePHI to only those persons or software programs requiring access.

With respect to recovery from a ransomware infection, covered entities should maintain offline backups of data and conduct periodic test restorations to verify the integrity of backed-up data. HIPAA requires covered entities to have a data backup plan as well as security incident procedures.

An interagency U.S. Government report reveals that there have been 4,000 daily ransomware attacks since early 2016, a remarkable 300% increase from this period last year. With health information systems containing vital information for daily operation as well as highly personal information of their patients, the health care sector has been a growing target of ransomware.  The OCR’s new guidance recognizes this threat, and clarifies the implications that it carries for covered entities and business associates.

Questions Regarding “Minimum Necessary,” Physical Controls, and Encryption Follow Insurer’s “Ongoing Search” for Six Hard Drives Containing PHI of 950,000 Individuals

A major health insurer announced an “ongoing comprehensive internal search” for six hard drives containing the PHI, including the name, address, date of birth, social security number, member ID number and “health information,” of approximately 950,000 individuals who received laboratory services from 2009 through 2015. According to the announcement, the hard drives were used in an internal data project which analyzed laboratory results with the goal of improving health outcomes.

This incident raises two potential topics of interest under HIPAA. The first is whether a data set containing fewer identifiers, or de-identified data, could have been used for this project. If de-identified information had been used, the loss of the hard drives would be less damaging and possibly not a “breach” under HIPAA. The post-breach risk assessment should attempt to answer this question and make policy recommendations that require a critical assessment of whether, and to what extent, PHI beyond the “minimum necessary” is required for similar projects in the future.

If it was necessary to use the complete data set of PHI contained on the lost hard drives, additional security precautions, such as enhanced physical security tracking measures and encryption, should have been considered and implemented. Physical security tracking that restricted or linked the physical movement of the hard drives to a particular location or individual could be enhanced with a requirement that the location and custody of media containing PHI be periodically verified, especially when the PHI of nearly a million individuals is potentially in play. Although there seems to have been some process along these lines in place, judging from the “ongoing comprehensive internal search,” there is no indication of the last date on which the location of the hard drives could be verified.

In addition, the apparent decision not to encrypt the hard drives should also be examined. Encryption remains an addressable implementation specification under HIPAA; it must therefore be implemented if, after a risk assessment, the entity has determined that the specification is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability of ePHI. See 45 CFR § 164.312(a)(2)(iv) and (e)(2)(ii). If the entity decides that encryption, as an addressable implementation specification, is not reasonable and appropriate, it must document that determination and implement an equivalent alternative measure, presuming that the alternative is reasonable and appropriate. If the standard can otherwise be met, the covered entity may choose not to implement the implementation specification or any equivalent alternative measure, and must document the rationale for this decision.

With the relative ease and speed of modern encryption applications that are available across a variety of platforms, from smart phones and tablets, to flash drives and individual hard drives, to back-up media, not encrypting data, whether it is in use, in motion, or at rest, is becoming increasingly difficult to defend from a technical standpoint.

The unexplained disappearance of devices or storage media containing unencrypted PHI through inadvertence, malicious theft, or other physical loss remains a vexing problem for covered entities. Two relatively simple strategies to avoid the serious harm that could result from such an occurrence are eliminating the use of PHI when possible, and implementing robust tracking and encryption protocols for those instances when PHI is truly necessary.

OCR Assesses Over $5 Million in HIPAA Penalties, Formally Announces Phase 2 Audits

Coming in like the proverbial March lion, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently announced two Resolution Agreements and penalties totaling over $5 million and the launch of its long-awaited 2016 Phase 2 HIPAA Audit Program.

Lack of Encryption and Other Failings Lead to Substantial HIPAA Fines

Both recently announced resolution agreements arise from familiar facts involving the theft of an unencrypted laptop computer containing electronic protected health information (ePHI) from a vehicle.

On March 17, 2016, OCR announced the $1.55 million settlement of potential HIPAA violations arising from the theft of an unencrypted, password-protected laptop containing the ePHI of 9,497 individuals from a business associate’s locked vehicle in September 2011. Upon investigation it was discovered that no business associate agreement existed between the covered entity and its business associate, which was tasked with providing payment and health care operations activities and had access to almost 300,000 patients’ data. It was further determined that the covered entity had not performed a risk assessment, as required by the Security Rule, to address all potential risks and vulnerabilities to the ePHI which it maintained, accessed, or transmitted across its entire IT infrastructure. In addition to the $1.55 million fine, a two-year corrective action plan and workforce retraining are required under the settlement.

The next day, on March 17, 2016, OCR announced a near-record $3.9 million settlement resolving potential HIPAA violations with a research institute arising from a laptop computer stolen in September 2012 which contained the ePHI of approximately 13,000 patients and research participants. A subsequent investigation discovered that, among other deficiencies, the institution had inadequate security practices, lacked policies and procedures regarding access to ePHI, failed to implement safeguards to restrict access by unauthorized users, and lacked policies and procedures to govern the receipt and removal of laptops that contained ePHI into and out of its facilities.

As we have previously noted on this blog, robust encryption is quickly becoming the industry standard, and there are few reasons not to implement it for mobile devices such as laptops. Had the laptops been properly encrypted as part of a larger risk assessment and risk management plan, these losses would not have constituted reportable “breaches” for HIPAA purposes.

2016 Phase 2 HIPAA Audit Program Formally Launches

On March 21, 2016, OCR announced the formal beginning to the long-awaited 2016 Phase 2 HIPAA Audit Program (the “Phase 2 Audits”) through which it will review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules.

As this blog previously reported, the Phase 2 Audits will primarily be “desk audits,” meaning that they will be conducted through information requests sent by OCR via email to selected covered entities and business associates, although a limited number of on-site audits will also be conducted.

The audit process will begin with verification of an entity’s address and contact information, followed by a pre-audit questionnaire to gather data about the size, type, and operations of potential auditees; this data will be used with other information to create potential audit subject pools. If no response is received by email, OCR will use publicly available information about the entity to create its audit subject pool. Thus, entities that do not respond to OCR emails may still be selected for an audit or be subject to a compliance review. Spam filters should be carefully reviewed to ensure that OCR communications are not inadvertently discarded.

OCR is expected to post updated audit protocols on its website which will reflect the 2013 enactment of the HIPAA Omnibus Rule. These can also be used by organizations to conduct their own internal self-audits as part of ongoing HIPAA compliance activities. More information about the 2016 Phase 2 Audits can be found on OCR’s website, including key information regarding audit selection criteria based on entity size, affiliations, type of entity, and geography and past enforcement history with OCR.

Audit selectees should keep in mind that information disclosed during the audit process may trigger a more thorough compliance review.

Two New HIPAA Enforcement Actions Emphasize Risk Analysis, Impose Multi-Year Compliance Monitoring

The Office for Civil Rights (OCR) recently announced two new HIPAA enforcement actions totaling over $4.3 million in penalties. Both of these actions should remind Covered Entities and their Business Associates of the importance of implementing a multi-layered approach to HIPAA compliance, and serve as a warning about the recent trend of OCR imposing multi-year HIPAA compliance monitoring programs.

Unsecured, Unencrypted Laptop Stolen Containing CT Images of 599 Individuals Results in $850,000 Fine and Two-Year Compliance Monitoring Program for Hospital

On November 30, 2015, OCR announced a Resolution Agreement with a Massachusetts hospital arising from the overnight theft of a laptop in 2011 from an unlocked treatment room. The laptop, which was on a stand that accompanied a portable CT scanner, operated the scanner, produced CT images for viewing, and contained the protected health information (PHI) of 599 individuals. OCR’s subsequent investigation into this event indicated widespread non-compliance with the HIPAA rules, including:

  • Failure to conduct a thorough risk analysis of all of its ePHI;
  • Failure to physically safeguard a workstation that accessed ePHI;
  • Failure to implement and maintain policies and procedures regarding the safeguarding of ePHI maintained on workstations utilized in connection with diagnostic/laboratory equipment;
  • Lack of a unique user name for identifying and tracking user identity with respect to the workstation at issue in this incident;
  • Failure to implement procedures that recorded and examined activity in the workstation at issue in this incident; and
  • Impermissible disclosure of 599 individuals’ PHI.

In addition to the $850,000 settlement, the hospital was required to address its history of noncompliance with the HIPAA Rules by providing OCR with a two-year comprehensive, enterprise-wide risk analysis and corresponding risk management plan, as well as reporting certain events and providing evidence of compliance to OCR.

The OCR press release and Resolution agreement are available at this link.

Multiple HIPAA Violations Result in $3.5 million Resolution Agreement, Three-Year Compliance Monitoring Program

A few days earlier, on November 24, OCR announced a Resolution Agreement with a publicly-traded insurance holding company and its subsidiaries that reported eight separate possible HIPAA breaches from 2010 through 2015. Five of these events affected 500 or more individuals.  The incidents included, but were not limited to: former employees whose intranet access was not properly terminated; vendor mistakes involving use and disclosure of PHI; former business associate employee misconduct; incorrectly stuffed envelopes which had mismatched beneficiary cards enclosed; and the improper use of beneficiary ID numbers on the exterior of mailing envelopes.

Following receipt of the aforementioned reports, the OCR initiated investigations to ascertain the entities’ compliance with HIPAA’s Privacy, Security, and Breach Notification Rules.  This investigation concluded that the entity or its subsidiaries:

  • Impermissibly disclosed beneficiaries’ PHI;
  • Failed to implement appropriate administrative, physical, and technical safeguards to protect PHI;
  • Impermissibly disclosed PHI to outside vendors with which it did not have an appropriate business associate agreement;
  • Failed to adhere to HIPAA’s “minimum necessary” standard in making disclosures to outside vendors;
  • Failed to conduct an accurate and thorough risk analysis which incorporated all IT equipment, applications, and data systems utilizing ePHI;
  • Failed to implement security measures sufficient to reduce the risks and vulnerabilities to its ePHI to a reasonable and appropriate level; and
  • Failed to implement procedures for terminating access to ePHI when the employment of a workforce member ended.

OCR agreed to accept a $3.5 million Resolution Amount in conjunction with the implementation of a three-year Corrective Action Plan which includes annual HIPAA compliance reporting to the Government.

The OCR press release and Resolution Agreement are available at this link. This is the second Resolution Agreement covering multiple breaches announced by OCR this year, and part of a recent trend in which multi-year Corrective Action Plans have been imposed.

Improvements Needed Regarding OCR’s HIPAA Oversight and Breach Follow-Up

The Office of Inspector General (OIG) recently issued two reports regarding HIPAA oversight activities performed by the Office for Civil Rights (OCR).  The first of these reports examined OCR’s oversight of covered entities’ compliance with the Privacy Rule.  The second report looked at OCR’s handling of covered entities’ reported HIPAA breaches.   Both reports included recommendations to OCR for improvement in these areas.  OCR agreed with all of OIG’s recommendations, suggesting changes to OCR oversight and enforcement activities in the near future.

Both studies were conducted by reviewing statistical samples of OCR investigations from September 2009 through March 2014, surveying OCR staff, interviewing OCR officials, reviewing OCR’s investigation policies, and reviewing documentation provided by a statistical sample of Part B providers to determine the extent to which they addressed five selected privacy standards or three selected breach administrative standards, as appropriate.

Regarding Privacy Rule compliance, OIG’s primary findings included that OCR oversight remains “primarily reactive,” in that it investigates possible HIPAA non-compliance primarily in response to complaints, and that OCR has not yet fully implemented requirements under §§ 13411 and 13432 of the HITECH Act that it proactively conduct audits of covered entities to assess their HIPAA compliance efforts.  OIG also determined that in a significant number of cases, OCR failed to fully document corrective action or whether the covered entity had been the subject of a prior HIPAA investigation.  Furthermore, OIG’s review found that OCR’s case-tracking system has limited search functionality and lacks a standard way to enter covered entities’ names in the system.

Concerning HIPAA breaches, OIG also found that although OCR usually documented corrective action for closed so-called “large” breaches involving 500 or more individuals, almost one-quarter of such cases nonetheless had inadequate documentation of the corrective action taken. OCR also did not record small-breach information in its case-tracking system, and this failure to document “small” breaches limited OCR’s ability to track and identify covered entities with multiple small breaches.

As a result of these findings, OIG recommended that OCR: (1) fully implement a permanent audit system; (2) enter small-breach information into its case-tracking system; (3) maintain complete documentation of corrective action; (4) develop a method in its case-tracking system to search and track covered entities that were previously investigated and/or reported prior breaches; (5) develop a policy requiring staff to check whether covered entities have been previously investigated or reported prior breaches; and (6) continue to expand outreach and education efforts to covered entities.

OCR concurred in all of these recommendations, and further stated that it is moving forward with a permanent audit program, including Phase 2 HIPAA audits in early 2016 which are designed to “test the efficacy of the combination of desk reviews of policies as well as on-site reviews,” and also “target specific common areas of non-compliance,” for both covered entities and business associates.

Now that the Phase 2 HIPAA audits, which have been previously discussed on this blog, are right around the corner, it is critical that covered entities and business associates ensure that their HIPAA compliance programs are in order. Suggested activities in this regard might include: performing an updated risk assessment and implementing a risk management plan; conducting an inventory and audit of all business associate agreements; reviewing any unimplemented “addressable” Security Standards; providing refresher workforce training; and carefully reviewing security policies in general.

For full text of the recent reports from OCR, please follow the links below:


OCR Settlement: Risk Assessment Required Prior to Using ePHI Cloud Storage

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a resolution agreement with a major tertiary-care hospital that provided both inpatient and outpatient care (the “Hospital”) stemming from the Hospital’s use of “cloud” document storage of ePHI and a separate breach involving a laptop and USB drive.

In 2012, workforce members reported to OCR that the Hospital was using an internet-based document sharing application to store documents containing ePHI of at least 498 individuals and that the Hospital had not first analyzed the risks associated with this “software as a service.” OCR’s subsequent investigation determined that the Hospital failed to timely identify and respond to one security incident, mitigate its harmful effects, and document its outcome, all of which are required by HIPAA.

“Organizations must pay particular attention to HIPAA’s requirements when using internet-based document sharing applications,” said OCR Director Jocelyn Samuels. “In order to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner.”

Approximately two years later, in 2014, the Hospital notified OCR regarding a separate breach of unsecured ePHI stored on a workforce member’s personal laptop and USB drive, affecting 595 individuals.

On July 10, 2015, OCR announced that it and the Hospital agreed to a $218,400 settlement and implementation of a corrective plan of action as a result of these breaches which affected nearly 1,100 individuals in total.

This settlement agreement is significant for several reasons. First, it encompasses more than one breach. Although it had been widely believed that OCR would deal with multiple breaches from a single entity in a consolidated fashion, this is the first time that has actually occurred. Second, OCR’s investigation into the document sharing breach was prompted by reports from the Hospital’s workforce members.

That these employees reported privacy concerns to the government rather than the Hospital suggests that they were unaware, unwilling, or unable to share these concerns with the Hospital’s Privacy Officer. This could be indicative of a serious, fundamental breakdown of the privacy program at the Hospital. Third, the settlement here highlights the importance of first conducting a thorough risk assessment prior to implementing cloud-based storage or other “software as a service” programs when handling ePHI.

The full Resolution Agreement can be found at this link to the OCR website.

The Case for Breach Notification by Business Associates

A business associate is an individual or entity that performs functions or activities involving the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.  HIPAA requires business associates to agree, in writing, to appropriately safeguard protected health information received or created on behalf of a covered entity.

HIPAA regards a breach involving a business associate as “discovered” by the covered entity on the date that the business associate knew or should have known about it, provided that the business associate is acting as the “agent” of the covered entity.  In performing covered functions or providing covered services (such as claims processing, billing, utilization review, PBM management, or clearinghouse duties), most business associates also exercise actual or apparent authority on behalf of the covered entity; that is, with either express or implied permission from the covered entity, the business associate holds itself out to third parties as being able to act in the place of the covered entity.  By doing so, they may qualify under federal law as “agents” of the covered entity.  The only time that a covered entity will not be charged with knowledge at the time of its business associate’s breach is in the exceedingly rare circumstance where the business associate was not acting as the “agent” of the covered entity.

Regardless of agency status, HIPAA permits a business associate to delay a report of a breach of PHI to the covered entity for up to 60 days.  This 60-day time period is extremely important because the HIPAA Breach Notification Rule requires individuals affected by breaches involving protected health information to receive notice of the breach within 60 days of its discovery, regardless of the number of individuals affected.  In addition, breaches involving 500 or more individuals must be reported to the media and the government within 60 days of discovery.

In most circumstances, the effect of these provisions is that a business associate does not have to notify the covered entity of a breach for up to 60 days, but each day that the covered entity remains unaware is one fewer day that it will have to report the breach to affected individuals, and possibly the government and media.  Unless the business associate contract requires the business associate to provide information regarding a breach to the covered entity within a few days, a dawdling business associate can potentially make it more difficult, if not impossible, for a covered entity to make all required notifications.  This is especially true in breaches involving 500 or more individuals which require all three forms of notification to occur within 60 days of discovery of the breach.

Because HIPAA will treat almost all breaches involving a business associate as “discovered” by the covered entity before the covered entity has actual knowledge of the breach, covered entities should consider delegating breach notification responsibility to business associates in these cases.  This can be easily done by including language in the business associate agreement to the effect that the covered entity reserves for itself the option of having the business associate provide all notifications required by HIPAA (and/or any applicable state breach notification laws) in the event of a breach.  The reason for this is twofold: first, while HIPAA permits a business associate to delay a report of breach of PHI to the covered entity for up to 60 days, in most cases, the covered entity will be “deemed to have knowledge” of the breach at the time the business associate knew, or should have known of it through the exercise of reasonable diligence.  Second, the business associate is likely to be better positioned to investigate the breach because of its proximity to the facts and individuals involved.

A business associate agreement should reflect the reality that covered entities have the ultimate responsibility to ensure that proper and timely notifications are made after a breach.  From the covered entity’s perspective, this means requiring its business associates to promptly report any breaches to the covered entity and to take the lead concerning all aspects of breach notification.   If the business associate is unequipped to provide breach response on its own, it can always outsource such functions, provided it first enters into a business associate agreement with that vendor.  If a business associate is unwilling to do either, then the covered entity may want to rethink its relationship with the business associate altogether.

The Spectre of Strict Liability For An Employee’s HIPAA Breach

On May 7, 2015, the Supreme Court of Indiana denied any further review in the matter of Walgreen Company v. Hinchy.  This denial of review leaves standing the opinion of the intermediate Court of Appeals that had upheld a $1.44 million verdict against Walgreen Company for a breach of confidentiality by an employed pharmacist. Walgreen Co. v. Hinchy, 21 N.E.3d 99 (Ind. Ct. App. 2014), 29 N.E.3d 748 (Ind. Ct. App.), transfer denied, 2015 Ind. LEXIS 374 (Ind. 2015).

The pharmacist had accessed the prescription records of a woman customer who had been romantically involved with the pharmacist’s boyfriend (and eventual husband) and divulged the information she obtained to him.   The disclosed information related to birth control prescriptions and sexually transmitted diseases and was used by the boyfriend in an attempt to have the woman relent on her paternity claims against him.  All of this came to the knowledge of the woman’s family and friends.

Hinchy is notable not only for the size of the verdict but also as another instance of the expanding number of cases finding a state-law cause of action for a HIPAA breach.  This issue has previously been identified in this blog.

But the decision is more noteworthy in its imposition of vicarious liability on the employer.  The Indiana Court of Appeals rejected out of hand the Walgreen position that the pharmacist had acted on her own and outside the scope of her employment as a pharmacist.  It did not matter to the court that Walgreen had in place policies restricting the use and disclosure of HIPAA PHI and a computer audit trail that identified the pharmacist’s accessing of the records and confirmed the breach.   Walgreen also had a training program for employees to encourage adherence to the policies regarding non-disclosure of patient confidential information.  Before jury selection, the trial judge had granted partial summary judgment in favor of Walgreen on an allegation of negligent training.   While the trial judge had denied the part of that motion challenging negligent supervision of the pharmacist by Walgreen, the Court of Appeals stated that it was not considering the supervision claim at all and that its determination of liability was based solely on respondeat superior.  It approved of the following jury instruction:

An employer is liable for the wrongful acts of its employee which are committed within the scope of employment.

An act is within the scope of employment if it is incidental to the employee’s job duties, that is to say, the employee’s wrongful act originated in activities closely associated with her job.

In deciding whether an employee’s wrongful act was incidental to her job duties or originated in activities closely associated with her job, you may consider:

1. whether the wrongful act was of the same general nature as her authorized job duties;

2. whether the wrongful act is intermingled with authorized job duties; and

3. whether the employment provided the opportunity or the means by which to commit the wrongful act.

Contrary to Hinchy is the outcome and analysis in Bagent v. Blessing Care Corp., 862 N.E.2d 985 (Ill. 2007), in which a hospital-employed phlebotomist received a fax from a facility that performed laboratory tests for the hospital at which she was employed.  The fax had the results of a pregnancy test for the plaintiff indicating that she was pregnant.  A few days later the phlebotomist was at a tavern with friends when she saw the plaintiff’s sister and asked how the sister was doing with the pregnancy, assuming she knew of it.  She did not.  The Illinois Supreme Court ruled that this conduct was outside the scope of the phlebotomist’s employment.

The established doctrine of respondeat superior provides that an employer faces liability to persons harmed by employees acting in the course of their employment.  Generally, a master is not subject to liability for the torts of his or her servants acting outside the scope of their employment, unless: (a) the master intended the conduct or the consequences, or (b) the master was negligent or reckless, or (c) the conduct violated a non-delegable duty of the master, or (d) the servant purported to act or to speak on behalf of the principal and there was reliance upon apparent authority, or he or she was aided in accomplishing the tort by the existence of the agency relation. More particularly, intentional torts and crimes rarely fall within the scope of employment because an employer is not responsible for acts that are clearly inappropriate or unforeseeable in carrying out authorized tasks.  In Davis v. Devereux, 209 N.J. 269 (2010), the New Jersey Supreme Court conducted an extensive review of the principles of respondeat superior with particular reference to scope of employment issues.  In Davis, as it had on several occasions, the Court noted that the determination of whether or not a particular act is within or outside the scope of employment involves a fact-specific inquiry.  That will be quite true in connection with allegations of tortious HIPAA breaches.

The Court in Davis also looked at the exception to employer vicarious liability based on a non-delegable duty.  Although the non-delegable duty doctrine has been used in a healthcare context, see Marek v. Professional Health Services, Inc., 179 N.J. Super. 433, 441-42 (App. Div. 1981), the Court underscored its reluctance to impose liability on the basis of this concept.  It results in liability regardless of whether the employer acted with care in hiring and training an employee and regardless of whether the employee acted within the scope of his or her employment.  Although the Indiana Court of Appeals did not use the terminology of “non-delegable duty,” its holding is consistent with that analysis.  A finding of a non-delegable duty in connection with HIPAA medical privacy issues would open expansive tort liability for employers.  There are a number of instances in which creative plaintiff’s attorneys have attempted to construct liability claims based on an asserted “non-delegable duty” arising out of Federal regulations.  This is something to watch out for in connection with HIPAA breach torts.  As illustrated in a number of recent state cases, including more recently Hinchy, while the source of the duty may be state law, which provides the private cause of action, the standard of care is derived from the Federal regulation.  It is indeed something to watch out for.