Category: HIPAA

Breach of Medical Confidentiality and Privacy Claims

On July 12, 2017, the New Jersey Appellate Division issued an opinion in Smith v. Datla, which addressed how much time a party has to file a lawsuit arising out of the unauthorized disclosure of private medical information. The court ruled that the appropriate statute of limitations period was two years. In the opinion, the court reiterated New Jersey's adherence to the widely held rule that there is no private right of action under the federal HIPAA rule, but clarified that conduct violating HIPAA's regulatory provisions can support a state law claim for disclosure of the patient's protected health information. While the decision is currently binding precedent in New Jersey, it could be appealed to the New Jersey Supreme Court for further review.

The appeal was presented on a somewhat limited factual record.  The plaintiff, identified by the pseudonym of John Smith, was a hospitalized patient.  The physician, a board-certified nephrologist, was treating the patient for acute kidney failure.  During an emergency bedside consultation with John Smith in his private hospital room, the doctor discussed his medical condition including the patient’s HIV-positive status.  It is not clear if this was an established diagnosis or newly conveyed information. The conversation took place while “an unidentified third party” was in the room.  In a footnote the court stated that “[t]he record does not reveal the third party’s identity nor his or her relationship to plaintiff.” Plaintiff claimed that the HIV disclosure was without his consent. The plaintiff further claimed that the disclosure caused him to endure pain and suffering, emotional distress, other emotional injuries and insult, and permanent injury with physiological consequences.

That third party's identity and relationship to the patient may become an important factor in the eventual outcome of this case. The HIPAA Privacy Rule specifically permits covered entities to share information that is directly relevant to the involvement of a spouse, family members, friends, or other persons identified by a patient, in the patient's care or payment for health care. If the patient is present, or is otherwise available prior to the disclosure, and has the capacity to make health care decisions, the covered entity may discuss this information with the family and these other persons if the patient agrees or, when given the opportunity, does not object. The covered entity may also share relevant information with the family and these other persons if it can reasonably infer, based on professional judgment, that the patient does not object.

On an admittedly "limited record," the court evaluated the consequences of this disclosure, which took place on July 25, 2013; the lawsuit was filed on July 1, 2015.

Ultimately, following motion practice, the plaintiff’s amended complaint asserted three causes of action: (1) invasion of privacy based on public disclosure of private facts; (2) medical malpractice based on the improper disclosure; and (3) violation of the AIDS Assistance Act, N.J.S.A. 26:5C-1 to -14.

Defendant filed a new motion to dismiss on the grounds that all three claims were barred by the one-year statute of limitations found in N.J.S.A. 2A:14-3, because the complaint had been filed nearly two years after the incident. Arguing that all three claims were predicated on the public disclosure of private facts, defendant contended that they should be subject to the same statute of limitations. Defendant noted that there was no specific statute of limitations for the public disclosure of private facts, but analogized that type of invasion of privacy claim to claims for placing plaintiff in a false light in the public eye and defamation. This motion was denied by the trial court, with leave to appeal granted.

The Appellate Division engaged in an extended analysis leading to the rejection of defendant’s contention.  It invoked the classic comments of Professor William Prosser regarding invasion of privacy being “not one tort, but a complex of four.”

The law of privacy comprises four distinct kinds of invasion of four different interests of the plaintiff, which are tied together by the common name, but otherwise have almost nothing in common except that each represents an interference with the right of the plaintiff to “be left alone.” [Quoting William L. Prosser, The Law of Torts § 112 (3d ed. 1964).]

The four branches of Prosser's taxonomy of the privacy tort are (1) intrusion, (2) public disclosure of private facts, (3) placing a person in a false light in the public eye, and (4) appropriation of the plaintiff's name or likeness for the defendant's benefit. The court observed that the limitations period for the public disclosure of private facts was an "unresolved issue" in New Jersey. In Rumbauskas v. Cantor, 138 N.J. 173 (1994), the Supreme Court had held that the limitations period for the intrusion on seclusion type of privacy tort was two years and approved the use of a six-year period for actions based on appropriation of a person's name or likeness for the benefit of the defendant. In commenting on varying limitations periods for the different types of privacy torts, it had stated:

The limitation periods applicable to actions involving other types of invasion of privacy are not before us. … Regarding actions for public disclosure of private facts or placing one in a false light, case law in other jurisdictions indicates that such actions are subject to the limitations period for defamation claims, which is one year in New Jersey. [Id. at 183.]

In rejecting the defense contention in Smith v. Datla for use of the one-year limitations period for public disclosure of private facts, the key factor in the court's analysis was that the essential element of a defamation action is the dissemination of false information. Here the private facts that were disclosed were true. The court emphasized the heightened protection afforded to a person's HIV and AIDS status in various contexts, including the New Jersey Law Against Discrimination (LAD), the New Jersey Civil Rights Act, and actions under Section 1983 for deprivation of federally protected civil rights. All of these claims were subject to a two-year statute of limitations.

This heightened protection was also embodied in the AIDS Assistance Act, which required that records regarding this infection be kept confidential and disclosed only with a person's "prior written informed consent" or in limited circumstances. The Act provided for a private cause of action including compensatory and punitive damages as well as attorneys' fees. The Act did not set forth a particular statute of limitations, but the court concluded that this statutory-based action was analogous to the public disclosure of private facts tort, for which it had determined there was a two-year statute of limitations.

The court went through a similar analysis with regard to the medical malpractice claim. Describing such a claim generally as a deviation from an accepted standard of care, it referred to the HIPAA requirements that health care providers protect personal medical information from unauthorized disclosure as well as the mandate of the AIDS Assistance Act. Aside from these statutorily-based obligations, the court referred to the common law duty "to maintain the confidentiality of patient records and information." It cited several prior cases involving breaches of physician-patient confidentiality. Curiously, the court did not refer to Crescenzo v. Crane, 350 N.J. Super. 531, 541-44 (App. Div.), certif. denied, 174 N.J. 364 (2002), which had involved a physician releasing patient records to a lawyer in response to an improperly issued subpoena. In concluding that there was "a viable cause of action" against the physician, the Crescenzo court had referred to the Board of Medical Examiners' regulations mandating confidentiality of patient records.

In concluding that this claim also was within the two-year statute of limitations in N.J.S.A. 2A:14-2, the court stated:

The breach of a physician’s duty to maintain the confidentiality of his patient’s medical records is a deviation from the standard of care, giving rise to a personal injury claim based upon negligence, not defamation or placing plaintiff in a false light.

In addition, plaintiff's claim for medical malpractice is most analogous to the category of invasion of privacy claims that are grounded on an allegation that defendant improperly disclosed private facts concerning the plaintiff to a third party.

The court affirmed the denial of the motion to dismiss.

The Appellate Division, in its comprehensive opinion, nonetheless placed too much emphasis on the categorization of the privacy tort as articulated by Professor Prosser. Prosser's contributions to the development of tort law regarding privacy are widely acknowledged. However, his "taxonomy" of the privacy tort has been criticized as too restrictive and as omitting other important interests. Neil M. Richards & Daniel J. Solove, Prosser's Privacy Law: A Mixed Legacy, 98 Calif. L. Rev. 1887, 1891 (2010). One of these omissions is the tort of breach of confidence. "This tort provides a remedy whenever a person owes a duty of confidentiality to another and breaches that duty." Id. at 1909. See generally Daniel J. Solove & Neil M. Richards, Privacy's Other Path: Recovering the Law of Confidentiality, 96 Geo. L.J. 123 (2007). This tort is well recognized in a variety of professional settings.

At the end of the day, this case is a further illustration of the importance of sensitivity to a patient's right of privacy. It is difficult to believe that the physician was informing the patient of his HIV-positive status for the first time; presumably the patient was already aware of that diagnosis, and it served only as the backdrop for the discussion of his current condition. A brief time-out in which the physician either asked the third party to leave the room or asked the patient whether he wanted that person to remain during the discussion could have avoided this litigation.

OCR and FTC Detail Overlapping Interests Between HIPAA and the FTC Act

On October 21, 2016, the U.S. Department of Health and Human Services' Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) issued joint guidance highlighting the agencies' common interest in protecting individuals' health information.

The health care industry is familiar with the restrictions on use and disclosure of protected health information (PHI) imposed by HIPAA. In general, other than as required by the HIPAA Privacy Rule or for treatment, payment, or health care operations, HIPAA requires a valid, signed authorization from the individual before any further use or disclosure of their PHI can occur. This authorization must be in "plain language," must not be combined with any other type of authorization, and must include specific terms and descriptions of the information sought and the proposed use or disclosure.

The FTC’s interest in the healthcare sector’s information security practices is less well known, however.  Many may be surprised by the FTC’s longstanding position that its broad power to regulate unfair and deceptive practices under Section 5 of the FTC Act includes overlapping jurisdiction with OCR concerning the privacy and security practices of HIPAA-regulated entities.

The FTC Act prohibits a contemplated use or disclosure of health information from being a "deceptive or unfair" act or practice. Among other things, this means that individuals may not be misled about how their PHI is being used or disclosed. The FTC therefore recommends that entities review all of their consumer-facing messaging to ensure it is free from deceptive or misleading statements. Moreover, the FTC explicitly cautions against burying key facts regarding use and disclosure of health information in links to a privacy policy, terms of use, or HIPAA authorizations. It also warns against manipulating font sizes or colors online in a manner that would make disclosure statements deceptive. Instead, it recommends that all disclosure statements be "clear and conspicuous" from a consumer's perspective.

OCR and the FTC have a history of collaboration and joint enforcement in the security area.  In February 2009, OCR entered into a $2.25 million settlement agreement with CVS Pharmacy, Inc. (CVS) and required implementation of a detailed corrective action plan to ensure the proper disposal of PHI.  Simultaneously, in a separate but related agreement, CVS resolved FTC charges that it failed to implement reasonable and appropriate procedures for handling personal information about customers and employees, did not adequately train employees, did not use reasonable measures to assess compliance with its policies and procedures for disposing of personal information, and did not employ a reasonable process for discovering and remedying risks to personal information.

A year later, in July 2010, Rite Aid Corporation entered into a similar resolution agreement, paying $1 million to OCR and implementing a corrective action plan, while simultaneously settling an FTC complaint which alleged that it failed to properly dispose of personal information, inadequately trained employees, did not sufficiently assess compliance with its disposal policies, and did not employ a reasonable process for discovering and remedying risks to personal information.

In addition, the FTC has not hesitated to bring enforcement actions on its own against healthcare entities. Most notably, the FTC has doggedly pursued LabMD, a former clinical laboratory which no longer operates, for failure to protect patients' sensitive personal information. This resulted in a July 2016 unanimous opinion from the FTC which found LabMD's security practices unreasonable, "lacking even basic precautions to protect the sensitive consumer information maintained on its computer system." LabMD has recently filed a motion in the Eleventh Circuit to stay the FTC's enforcement order. See LabMD, Inc. v. FTC, 11th Cir., No. 16-16270, motion to stay filed, Oct. 7, 2016.

It remains to be seen whether this recent joint statement from OCR and FTC foreshadows a more robust collaboration between the two agencies which builds on their efforts in the CVS and Rite Aid cases and expands into the HIPAA Privacy Rule area.  Even if that does not immediately occur, the FTC remains active in pursuing cases on its own, such as LabMD.  Whatever the outcome, businesses in the healthcare sector should remain sensitive to the FTC’s mandates, along with those from OCR.

HIPAA Enforcement At All-Time High So Far in 2016

With four months still to go, 2016 has been a record-setting year for HIPAA enforcement by the U.S. Department of Health and Human Services Office for Civil Rights (OCR). Before September has even begun, OCR has already levied over $20 million in fines resulting from its investigation of suspected HIPAA violations. This amount more than triples the $6.2 million in HIPAA penalties it assessed for all of 2015. These enforcement actions included both the first-ever settlement of possible HIPAA violations by a Business Associate and the largest single fine, $5.5 million, for suspected HIPAA violations.

In addition, OCR has recently begun an initiative to more widely investigate the root causes of breaches affecting fewer than 500 individuals. While Regional Offices will still retain discretion to prioritize which smaller breaches to investigate, each office will increase its efforts to identify and obtain corrective action to address entity-level and systemic noncompliance related to these breaches. The factors that OCR's Regional Offices will consider include:

  • The type and size of the breach, including the amount, nature, and sensitivity of the PHI involved;
  • Whether the breach involved theft or improper disposal of unencrypted PHI;
  • Whether the breach involved unwanted intrusions into IT systems (for example, by hacking);
  • A particular covered entity's or business associate's breach history; and
  • A lack of breach reports affecting fewer than 500 individuals when a specific covered entity or business associate is compared to like-situated covered entities and business associates.

This flurry of enforcement activity has occurred against the backdrop of "Phase 2" desk and onsite audits of approximately 200 to 250 covered entities and their business associates, which will examine compliance with specific requirements of the Privacy, Security, or Breach Notification Rules. In particular, these audits will focus on the contents of the Notice of Privacy Practices, individuals' rights to access protected health information, risk analysis, risk management, and the timeliness and content of breach notification. There will also be a limited number of comprehensive on-site audits. All audits are expected to be completed by December 31, 2016.

Even if not selected for an audit, covered entities and business associates would be well advised to review the Audit Protocol available through the HHS website, ensure their internal list of business associates is current, and review and, if necessary, update their risk analysis and risk management in light of recent developments, particularly the proliferation of ransomware attacks targeting the health industry.

OCR Issues HIPAA Guidance on Ransomware Threat to Health Care Industry

The U.S. Department of Health and Human Services Office for Civil Rights ("OCR") has published a HIPAA Fact Sheet outlining the multi-faceted threat which ransomware poses to the health care sector and providing insights into how this threat may affect HIPAA compliance. In this publication, OCR states that a ransomware attack, even on encrypted devices, may result in a reportable breach of electronic Protected Health Information ("ePHI"). In light of this, covered entities and business associates should consider revisions to their risk analysis and risk management plans specifically directed at countering ransomware attacks.

Ransomware is an increasingly rampant type of malware that encrypts data with a key held only by the attacker, making data, and possibly entire information systems such as EHRs or scheduling programs, inaccessible to authorized users. Once ransomware has taken hold, the attackers demand a payment before providing the key required to decrypt the affected files. Ransomware frequently infects devices and systems when unsuspecting users click on malicious website links or open infected email attachments.

OCR's guidance states that a ransomware infection of a computer system is a "security incident" under HIPAA. As a result, once ransomware is detected, the covered entity or business associate must initiate its HIPAA-mandated security incident response and reporting procedures. In addition, it should also assess whether or not a "breach" has occurred. As defined by HIPAA regulations, a breach occurs with "the acquisition, access, use, or disclosure of PHI in a manner not permitted under the [rules governing PHI] which compromises the security or privacy of the PHI." Whether a ransomware infection meets this definition is a fact-sensitive question.

According to OCR's recent guidance, when ransomware encrypts ePHI, an unauthorized individual has taken possession or control of that information, which amounts to an "acquisition," and therefore a disclosure not permitted under HIPAA. At this point, a risk assessment is required to determine whether there is a "low probability" that the PHI has been compromised, taking into account the following factors: (1) the nature and extent of the ePHI involved; (2) the unauthorized person who used the ePHI or to whom the disclosure was made; (3) whether the ePHI was actually acquired or viewed; and (4) the extent to which the risk to the ePHI has been mitigated. If a "low probability" of compromise cannot be demonstrated, then a breach is presumed to have occurred and HIPAA's Breach Notification Rule is triggered.

If encrypted data is involved, the question of whether or not a breach has occurred becomes more complicated and depends, in part, on the technical aspects of the particular encryption used. Because the Breach Notification Rule only applies to "unsecured PHI," meaning PHI "that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary," properly encrypted PHI, even if stolen, usually does not constitute a "breach." However, additional analysis is still required to ensure that the encryption solution, as implemented, is effective. For example, a full disk encryption solution may render the data on a computer system's hard drive unreadable, unusable, and indecipherable to unauthorized persons while the computer system is powered down. However, once the system is booted and a user has authenticated, most full disk encryption solutions transparently decrypt and encrypt files on the user's behalf, so any program running in that user's session, including ransomware the user accidentally launched, reads and rewrites the plaintext without ever needing the disk key. Thus, despite having encryption protection in place, ransomware running on a live system can result in a breach of ePHI that is reportable under HIPAA.

HIPAA already requires covered entities and business associates to implement security measures to prepare for, respond to, and recover from ransomware and other malware attacks. Some of these required security measures include: implementing a security management process, which includes conducting a risk analysis to identify threats and vulnerabilities to ePHI and implementing security measures to mitigate or remediate those identified risks; implementing procedures to guard against and detect malicious software; training users on malicious software protection so they can assist in detecting malicious software and know how to report such detections; and implementing access controls to limit access to ePHI to only those persons or software programs requiring access.

With respect to recovery from a ransomware infection, covered entities and business associates should maintain offline backups of data (backups reachable from the infected network are themselves a target for encryption) and conduct periodic test restorations to verify the integrity of the backed-up data. HIPAA already requires covered entities to have a data backup plan as well as security incident procedures.
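The "periodic test restoration" step above is easy to state and easy to skip. The following Python script is an added example (not from OCR's fact sheet or from this post) of one way to make it concrete: record a SHA-256 manifest of the tree at backup time, keep the manifest out of band, and on each test restore compare the restored tree against it. A file whose hash changed (overwritten with ciphertext) or a file that was never in the backup (a dropped ransom note) is flagged. The directory layout, file contents, and file names are constructed for the demonstration and are not taken from any real system.

```python
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path

CHUNK_SIZE = 64 * 1024


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (POSIX-style relative path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(restored: Path, manifest: dict) -> dict:
    """Compare a restored tree with the manifest recorded when the backup was taken.

    Returns four sorted lists: files whose hashes match, files whose contents
    changed (e.g. overwritten with ciphertext), files that are missing, and
    files present in the restore that the backup never contained (e.g. ransom notes).
    """
    current = build_manifest(restored)
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, recorded in manifest.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != recorded:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    report["unexpected"] = sorted(set(current) - set(manifest))
    return {k: sorted(v) for k, v in report.items()}


def demo() -> tuple:
    """Constructed scenario: back up a small 'EHR' tree, restore it and verify,
    then simulate ransomware touching the restored copy and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        src = base / "ehr"
        (src / "labs").mkdir(parents=True)
        (src / "labs" / "patient-0001.csv").write_text("mrn,result\n0001,normal\n")
        (src / "schedule.json").write_text('{"2016-07-01": ["0001"]}')

        # Backup time: copy the tree and record its manifest. In practice the
        # manifest is stored offline with the backup, never next to live data,
        # or it is encrypted along with everything else.
        manifest = build_manifest(src)
        shutil.copytree(src, base / "backup")
        manifest_path = base / "manifest.json"
        manifest_path.write_text(json.dumps(manifest, indent=2))

        # Periodic test restoration: restore to a scratch location and verify.
        restore = base / "restore"
        shutil.copytree(base / "backup", restore)
        clean_report = verify_restore(restore, json.loads(manifest_path.read_text()))

        # Simulate ransomware on the restored copy: one file overwritten with
        # random bytes standing in for ciphertext, plus a dropped ransom note.
        (restore / "labs" / "patient-0001.csv").write_bytes(os.urandom(64))
        (restore / "README_DECRYPT.txt").write_text("pay to recover your files")
        tampered_report = verify_restore(restore, manifest)

        return clean_report, tampered_report


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean restore:", clean)
    print("after ransomware:", tampered)
```

The hash comparison is what makes the test restoration meaningful: a restore that merely "completes" proves only that the backup media was readable, not that the data on it is the data you think it is. Running `verify_restore` against a manifest taken before the incident is also a quick way, during response, to scope which files the ransomware actually touched.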

An interagency U.S. Government report states that there have been an average of 4,000 ransomware attacks per day since early 2016, a 300% increase over the same period in 2015. With health information systems containing information vital to daily operations as well as highly personal information about patients, the health care sector has been a growing target of ransomware. OCR's new guidance recognizes this threat and clarifies the implications it carries for covered entities and business associates.

Questions Regarding “Minimum Necessary,” Physical Controls, and Encryption Follow Insurer’s “Ongoing Search” for Six Hard Drives Containing PHI of 950,000 Individuals

A major health insurer announced an "ongoing comprehensive internal search" for six hard drives containing the PHI, including the name, address, date of birth, social security number, member ID number, and "health information," of approximately 950,000 individuals who received laboratory services from 2009 through 2015. According to the announcement, the hard drives were used in an internal data project which analyzed laboratory results with the goal of improving health outcomes.

This incident raises two potential topics of interest under HIPAA. First, whether a data set containing fewer identifiers, or de-identified data, could have been used for this project. If de-identified information had been used, the loss of the hard drives would be less damaging and possibly not a "breach" under HIPAA at all. The post-breach risk assessment should attempt to answer this question and make policy recommendations requiring a critical assessment of whether, and to what extent, PHI beyond the "minimum necessary" is required for future similar projects.

If it was necessary to use the complete data set of PHI contained on the lost hard drives, additional security precautions, such as enhanced physical security tracking measures and encryption, should have been considered and implemented. Physical security tracking that restricted or linked the physical movement of the hard drives to a particular location or individual could be enhanced with a requirement that the location and custody of media containing PHI be periodically verified, especially when the PHI of nearly a million individuals is potentially in play. Although there seems to have been some process along these lines in place, in light of the "ongoing comprehensive internal search," there is no indication of the last date on which the location of the hard drives could be verified.

In addition, the apparent decision not to encrypt the hard drives should also be examined. Encryption remains an addressable implementation specification under HIPAA; it must therefore be implemented if, after a risk assessment, the entity has determined that the specification is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity, and availability of ePHI. See 45 CFR § 164.312(a)(2)(iv) and (e)(2)(ii). If the entity decides that encryption, as an addressable implementation specification, is not reasonable and appropriate, it must document that determination and implement an equivalent alternative measure, presuming that the alternative is reasonable and appropriate. If the standard can otherwise be met, the covered entity may choose not to implement the implementation specification or any equivalent alternative measure, and must document the rationale for this decision.

With the relative ease and speed of modern encryption applications available across a variety of platforms, from smart phones and tablets, to flash drives and individual hard drives, to back-up media, not encrypting data in motion or at rest is becoming increasingly difficult to defend from a technical standpoint.

The unexplained disappearance of devices or storage media containing unencrypted PHI through inadvertence, theft, or other physical loss remains a vexing problem for covered entities. Two relatively simple strategies to avoid the serious harm that could result from such an occurrence are eliminating the use of PHI when possible, and implementing robust tracking and encryption protocols for those instances when PHI is truly necessary.

OCR Assesses Over $5 Million in HIPAA Penalties, Formally Announces Phase 2 Audits

Coming in like the proverbial March lion, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently announced two Resolution Agreements and penalties totaling over $5 million and the launch of its long-awaited 2016 Phase 2 HIPAA Audit Program.

Lack of Encryption and Other Failings Lead to Substantial HIPAA Fines

Both recently announced resolution agreements arise from familiar facts involving the theft of an unencrypted laptop computer containing electronic protected health information (ePHI) from a vehicle.

On March 16, 2016, OCR announced the $1.55 million settlement of potential HIPAA violations arising from the September 2011 theft of an unencrypted, password-protected laptop containing the ePHI of 9,497 individuals from a business associate's locked vehicle. Upon investigation it was discovered that no business associate agreement existed between the covered entity and its business associate, which was tasked with providing payment and health care operations activities and had access to almost 300,000 patients' data. It was further determined that the covered entity had not performed a risk analysis, as required by the Security Rule, to address all potential risks and vulnerabilities to the ePHI it maintained, accessed, or transmitted across its entire IT infrastructure. In addition to the $1.55 million payment, a two-year corrective action plan and workforce retraining are required under the settlement.

The next day, on March 17, 2016, OCR announced a near-record $3.9 million settlement resolving potential HIPAA violations with a research institute, arising from a laptop computer stolen in September 2012 which contained the ePHI of approximately 13,000 patients and research participants. A subsequent investigation discovered that, among other deficiencies, the institution had inadequate security practices, lacked policies and procedures regarding access to ePHI, failed to implement safeguards to restrict access by unauthorized users, and lacked policies and procedures to govern the receipt and removal of laptops containing ePHI into and out of its facilities.

As we have previously noted on this blog, robust encryption is quickly becoming the industry standard, and there are few reasons not to implement it for mobile devices such as laptops. Had the laptops been properly encrypted as part of a larger risk assessment and risk management plan, and had the decryption keys not been compromised along with the devices, these losses would not have constituted reportable "breaches" for HIPAA purposes. Note that a password-protected login, as in the first case, is not encryption: the data on the disk remains readable to anyone who removes the drive or boots from other media.

2016 Phase 2 HIPAA Audit Program Formally Launches

On March 21, 2016, OCR announced the formal beginning to the long-awaited 2016 Phase 2 HIPAA Audit Program (the “Phase 2 Audits”) through which it will review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules.

As this blog previously reported, the Phase 2 Audits will primarily be "desk audits," meaning that they will be conducted through information requests sent by OCR via email to selected covered entities and business associates, although a limited number of on-site audits will also be conducted.

The audit process will begin with verification of an entity's address and contact information, followed by a pre-audit questionnaire to gather data about the size, type, and operations of potential auditees; this data will be used with other information to create potential audit subject pools. If no response is received by email, OCR will use publicly available information about the entity to create its audit subject pool. Thus, entities that do not respond to OCR emails may still be selected for an audit or be subject to a compliance review. Spam filters should be carefully reviewed to ensure that OCR communications are not inadvertently discarded.

OCR is expected to post updated audit protocols on its website reflecting the 2013 enactment of the HIPAA Omnibus Rule. These can also be used by organizations to conduct their own internal self-audits as part of ongoing HIPAA compliance activities. More information about the 2016 Phase 2 Audits can be found on OCR's website, including key information regarding audit selection criteria based on entity size, affiliations, type of entity, geography, and past enforcement history with OCR.

Audit selectees should keep in mind that information disclosed during the audit process may trigger a more thorough compliance review.

Two New HIPAA Enforcement Actions Emphasize Risk Analysis, Impose Multi-Year Compliance Monitoring

The Office for Civil Rights (OCR) recently announced two new HIPAA enforcement actions totaling over $4.3 million in penalties. Both of these actions should remind Covered Entities and their Business Associates of the importance of implementing a multi-layered approach to HIPAA compliance, and serve as a warning about the recent trend of OCR imposing multi-year HIPAA compliance monitoring programs.

Unsecured, Unencrypted Laptop Stolen Containing CT Images of 599 Individuals Results in $850,000 Fine and Two-Year Compliance Monitoring Program for Hospital

On November 30, 2015, OCR announced a Resolution Agreement with a Massachusetts hospital arising from the overnight theft of a laptop in 2011 from an unlocked treatment room. The laptop, which sat on a stand accompanying a portable CT scanner, operated the scanner, produced CT images for viewing, and contained the protected health information (PHI) of 599 individuals. OCR's subsequent investigation into this event indicated widespread non-compliance with the HIPAA rules, including:

  • Failure to conduct a thorough risk analysis of all of its ePHI;
  • Failure to physically safeguard a workstation that accessed ePHI;
  • Failure to implement and maintain policies and procedures regarding the safeguarding of ePHI maintained on workstations utilized in connection with diagnostic/laboratory equipment;
  • Lack of a unique user name for identifying and tracking user identity with respect to the workstation at issue in this incident;
  • Failure to implement procedures that recorded and examined activity in the workstation at issue in this incident; and
  • Impermissible disclosure of 599 individuals’ PHI.

In addition to the $850,000 settlement, the hospital was required to address its history of noncompliance with the HIPAA Rules by providing OCR with a two-year comprehensive, enterprise-wide risk analysis and corresponding risk management plan, as well as reporting certain events and providing evidence of compliance to OCR.

The OCR press release and Resolution agreement are available at this link.

Multiple HIPAA Violations Result in $3.5 million Resolution Agreement, Three-Year Compliance Monitoring Program

A few days earlier, on November 24, OCR announced a Resolution Agreement with a publicly-traded insurance holding company and its subsidiaries that reported eight separate possible HIPAA breaches from 2010 through 2015. Five of these events affected 500 or more individuals.  The incidents included, but were not limited to: former employees whose intranet access was not properly terminated; vendor mistakes involving use and disclosure of PHI; former business associate employee misconduct; incorrectly stuffed envelopes which had mismatched beneficiary cards enclosed; and the improper use of beneficiary ID numbers on the exterior of mailing envelopes.

Following receipt of the aforementioned reports, OCR initiated investigations to ascertain the entities’ compliance with HIPAA’s Privacy, Security, and Breach Notification Rules. This investigation concluded that the entity or its subsidiaries:

  • Impermissibly disclosed beneficiaries’ PHI;
  • Failed to implement appropriate administrative, physical, and technical safeguards to protect PHI;
  • Impermissibly disclosed PHI to outside vendors with which it did not have an appropriate business associate agreement;
  • Failed to adhere to HIPAA’s “minimum necessary” standard in making disclosures to outside vendors;
  • Failed to conduct an accurate and thorough risk analysis which incorporated all IT equipment, applications, and data systems utilizing ePHI;
  • Failed to implement security measures sufficient to reduce the risks and vulnerabilities to its ePHI to a reasonable and appropriate level; and
  • Failed to implement procedures for terminating access to ePHI when the employment of a workforce member ended.

OCR agreed to accept a $3.5 million Resolution Amount in conjunction with the implementation of a three-year Corrective Action Plan which includes annual HIPAA compliance reporting to the Government.

The OCR press release and Resolution agreement are available at this link. This is the second Resolution Agreement announced by OCR this year that covered multiple breaches, and it is part of a recent trend in which multi-year Corrective Action Plans have been imposed.

Improvements Needed Regarding OCR’s HIPAA Oversight and Breach Follow-Up

The Office of Inspector General (OIG) recently issued two reports regarding HIPAA oversight activities performed by the Office for Civil Rights (OCR).  The first of these reports examined OCR’s oversight of covered entities’ compliance with the Privacy Rule.  The second report looked at OCR’s handling of covered entities’ reported HIPAA breaches.   Both reports included recommendations to OCR for improvement in these areas.  OCR agreed with all of OIG’s recommendations, suggesting changes to OCR oversight and enforcement activities in the near future.

Both studies were conducted by reviewing statistical samples of OCR investigations from September 2009 through March 2014, surveying OCR staff, interviewing OCR officials, reviewing OCR’s investigation policies, and reviewing documentation provided by a statistical sample of Part B providers to determine the extent to which they addressed five selected privacy standards or three selected breach administrative standards, as appropriate.

Regarding Privacy Rule compliance, OIG’s primary findings included that OCR oversight remains “primarily reactive,” in that it investigates possible HIPAA non-compliance primarily in response to complaints, and that OCR has not yet fully implemented requirements under §§ 13411 and 13432 of the HITECH Act that it proactively conduct audits of covered entities to assess their HIPAA compliance efforts.  OIG also determined that in a significant number of cases, OCR failed to fully document corrective action or whether the covered entity had been the subject of a prior HIPAA investigation.  Furthermore, OIG’s review found that OCR’s case-tracking system has limited search functionality and lacks a standard way to enter covered entities’ names in the system.

Concerning HIPAA breaches, OIG also found that although OCR usually documented corrective action for closed so-called “large” breaches involving 500 or more individuals, almost one-quarter of such cases nonetheless had inadequate documentation of the corrective action taken. OCR also did not record small-breach information in its case-tracking system, and this failure to document “small” breaches limited OCR’s ability to track and identify covered entities with multiple small breaches.

As a result of these findings, OIG recommended that OCR: (1) fully implement a permanent audit system; (2) enter small-breach information into its case-tracking system; (3) maintain complete documentation of corrective action; (4) develop a method in its case-tracking system to search and track covered entities that were previously investigated and/or reported prior breaches; (5) develop a policy requiring staff to check whether covered entities have been previously investigated or reported prior breaches; and (6) continue to expand outreach and education efforts to covered entities.

OCR concurred in all of these recommendations, and further stated that it is moving forward with a permanent audit program, including Phase 2 HIPAA audits in early 2016 which are designed to “test the efficacy of the combination of desk reviews of policies as well as on-site reviews,” and also “target specific common areas of non-compliance,” for both covered entities and business associates.

Now that the Phase 2 HIPAA audits, which have been previously discussed on this blog, are right around the corner, it is critical that covered entities and business associates ensure that their HIPAA compliance programs are in order. Suggested activities in this regard might include: performing an updated risk assessment and implementing a risk management plan; conducting an inventory and audit of all business associate agreements; reviewing any unimplemented “addressable” Security Standards; providing refresher workforce training; and carefully reviewing security policies in general.


OCR Settlement: Risk Assessment Required Prior to Using ePHI Cloud Storage

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a resolution agreement with a major tertiary-care hospital that provided both inpatient and outpatient care (the “Hospital”) stemming from the Hospital’s use of “cloud” document storage of ePHI and a separate breach involving a laptop and USB drive.

In 2012, workforce members reported to OCR that the Hospital was using an internet-based document sharing application to store documents containing ePHI of at least 498 individuals and that the Hospital had not first analyzed the risks associated with this “software as a service.” OCR’s subsequent investigation determined that the Hospital failed to timely identify and respond to one security incident, mitigate its harmful effects, and document its outcome, all of which are required by HIPAA.

“Organizations must pay particular attention to HIPAA’s requirements when using internet-based document sharing applications,” said OCR Director Jocelyn Samuels. “In order to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner.”

Approximately two years later, in 2014, the Hospital notified OCR regarding a separate breach of unsecured ePHI stored on a workforce member’s personal laptop and USB drive, affecting 595 individuals.

On July 10, 2015, OCR announced that it and the Hospital agreed to a $218,400 settlement and implementation of a corrective plan of action as a result of these breaches which affected nearly 1,100 individuals in total.

This settlement agreement is significant for several reasons. First, it encompasses more than one breach. Although it had been widely believed that OCR would deal with multiple breaches from a single entity in a consolidated fashion, this is the first time that has actually occurred. Second, OCR’s investigation into the document sharing breach was prompted by reports from the Hospital’s workforce members.

That these employees reported privacy concerns to the government rather than the Hospital suggests that they were unaware, unwilling, or unable to share these concerns with the Hospital’s Privacy Officer. This could be indicative of a serious, fundamental breakdown of the privacy program at the Hospital. Third, the settlement here highlights the importance of first conducting a thorough risk assessment prior to implementing cloud-based storage or other “software as a service” programs when handling ePHI.

The full Resolution Agreement can be found at this link to the OCR website.

The Case for Breach Notification by Business Associates

A business associate is an individual or entity that performs functions or activities involving the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.  HIPAA requires business associates to agree, in writing, to appropriately safeguard protected health information received or created on behalf of a covered entity.

HIPAA regards a breach involving a business associate as “discovered” by the covered entity on the date that the business associate knew or should have known about it, provided that the business associate is acting as the “agent” of the covered entity. In performing covered functions or providing covered services (such as claims processing, billing, utilization review, PBM management, or clearinghouse duties), most business associates also exercise actual or apparent authority on behalf of the covered entity; that is, with either express or implied permission from the covered entity, the business associate holds itself out to third parties as being able to act in the place of the covered entity. By doing so, they may qualify under federal law as “agents” of the covered entity. The only time that a covered entity will not be charged with knowledge at the time of its business associate’s breach is in the exceedingly rare circumstance where the business associate was not acting as the “agent” of the covered entity.

Regardless of agency status, HIPAA permits a business associate to delay a report of a breach of PHI to the covered entity for up to 60 days. This 60-day time period is extremely important because the HIPAA Breach Notification Rule requires individuals affected by breaches involving protected health information to receive notice of the breach within 60 days of its discovery, regardless of the number of individuals affected. In addition, breaches involving 500 or more individuals must be reported to the media and the government within 60 days of discovery.

In most circumstances, the effect of these provisions is that a business associate does not have to notify the covered entity of a breach for up to 60 days, but each day that the covered entity remains unaware is one fewer day that it will have to report the breach to affected individuals, and possibly the government and media.  Unless the business associate contract requires the business associate to provide information regarding a breach to the covered entity within a few days, a dawdling business associate can potentially make it more difficult, if not impossible, for a covered entity to make all required notifications.  This is especially true in breaches involving 500 or more individuals which require all three forms of notification to occur within 60 days of discovery of the breach.

Because HIPAA will treat almost all breaches involving a business associate as “discovered” by the covered entity before the covered entity has actual knowledge of the breach, covered entities should consider delegating breach notification responsibility to business associates in these cases. This can be easily done by including language in the business associate agreement to the effect that the covered entity reserves for itself the option of having the business associate provide all notifications required by HIPAA (and/or any applicable state breach notification laws) in the event of a breach. The reason for this is twofold: first, while HIPAA permits a business associate to delay a report of a breach of PHI to the covered entity for up to 60 days, in most cases the covered entity will be “deemed to have knowledge” of the breach at the time the business associate knew, or should have known, of it through the exercise of reasonable diligence. Second, the business associate is likely to be better positioned to investigate the breach because of its proximity to the facts and individuals involved.

A business associate agreement should reflect the reality that covered entities have the ultimate responsibility to ensure that proper and timely notifications are made after a breach. From the covered entity’s perspective, this means requiring their business associates to promptly report any breaches to the covered entity and to take the lead concerning all aspects of breach notification. If the business associate is unequipped to provide breach response on its own, it can always outsource such functions, provided it first enters into a business associate agreement with that vendor. If a business associate is unwilling to do either, then the covered entity may want to rethink its relationship with the business associate altogether.